TryHackMe-Walkthroughs-by-Aby

Room : Windows Local Persistence - Backdooring RDP

With Sticky keys

We get the annoying Sticky Keys prompt by pressing SHIFT 5 times.

To establish persistence using Sticky Keys, we will abuse a shortcut enabled by default in any Windows installation.

After pressing SHIFT 5 times, Windows will execute the binary in C:\Windows\System32\sethc.exe.

We will replace sethc.exe with a copy of cmd.exe.

takeown /f c:\Windows\System32\sethc.exe


With Utilman

Utilman is a built-in Windows application that provides Ease of Access options on the lock screen. Its button sits at the bottom right of the screen, beside the power button. It executes C:\Windows\System32\Utilman.exe with SYSTEM privileges. We will replace Utilman.exe with a copy of cmd.exe.

takeown /f c:\Windows\System32\utilman.exe

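A defender can check a host for both replacements described on this page. The PowerShell below is an added example, not part of the original walkthrough: it flags sethc.exe or Utilman.exe when the file hashes the same as cmd.exe, when its version resource names a different program, or when its owner is no longer NT SERVICE\TrustedInstaller (assumed here to be the stock owner, which takeown /f changes). Variable names are illustrative.

```powershell
# Added detection example; run from an elevated PowerShell prompt on the host being checked.
$sys32   = Join-Path $env:SystemRoot 'System32'
$targets = 'sethc.exe', 'Utilman.exe'      # accessibility binaries named in this walkthrough
$stockOwner = 'NT SERVICE\TrustedInstaller' # assumption: default owner on a stock install

# Hash cmd.exe once so each target can be compared against it.
$cmdHash = (Get-FileHash -LiteralPath (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash

$results = foreach ($name in $targets) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ File = $name; Owner = $null; OriginalName = $null; Findings = 'file missing' }
        continue
    }

    $hash  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $owner = (Get-Acl -LiteralPath $path).Owner
    $orig  = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
    # PowerShell may report the MUI resource name (e.g. "sethc.exe.mui"); strip that suffix.
    $origBase = $orig -replace '\.mui$', ''

    $findings = @()
    if ($hash -eq $cmdHash) {
        $findings += 'content is identical to cmd.exe'
    }
    if ($origBase -and $origBase -ne $name) {
        # -ne is case-insensitive, so "Cmd.Exe" vs "cmd.exe" style differences do not matter.
        $findings += "version resource says '$orig'"
    }
    if ($owner -ne $stockOwner) {
        $findings += 'owner changed from TrustedInstaller'
    }
    if (-not $findings) { $findings = @('ok') }

    [pscustomobject]@{
        File         = $name
        Owner        = $owner
        OriginalName = $orig
        Findings     = $findings -join '; '
    }
}

$results | Format-Table -AutoSize -Wrap

# Non-zero exit code if anything was flagged, so the check can run from a scheduled job.
if ($results | Where-Object { $_.Findings -ne 'ok' }) { exit 1 }
```

An owner change on its own can have benign causes, so treat it as a lead to investigate; a hash match with cmd.exe is the conclusive finding.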