23 Mar 2015

Hunting Sticky Keys Backdoors

The “sticky keys” backdoor method has been a favorite of attackers for years, and it has been gaining popularity as a malware-free persistence method: no new binary has to be dropped, so file-based antivirus has nothing to flag. The backdoor gives an attacker pre-authentication, SYSTEM-level access to a target remotely over RDP or locally at the console.

The backdoor can be installed in one of two ways:

  1. Copy cmd.exe over sethc.exe or utilman.exe
  2. Set cmd.exe as the debugger for sethc.exe or utilman.exe

The sethc.exe backdoor is triggered by pressing the Shift key five times in rapid succession (the Sticky Keys prompt). The utilman.exe backdoor is triggered by pressing Windows+U (the Ease of Access prompt). Both prompts are available from the logon screen, which is why no credentials are needed.
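The two installation methods above leave two different artifacts, so a hunt has to check both: the file on disk (variant 1) and the Image File Execution Options debugger value (variant 2). The following PowerShell is an added example written for this page, not code from the original post; it assumes it is run elevated on the host being audited (PowerShell 4.0 or later for Get-FileHash) and that the binaries live in the standard System32 directory.

```powershell
# Added example: audit a host for both sticky-keys backdoor variants described above.
# Assumes an elevated PowerShell session on the host being checked.
function Test-StickyKeysBackdoor {
    param(
        # The two accessibility binaries discussed above; extend the list if needed.
        [string[]] $Binaries = @('sethc.exe', 'utilman.exe')
    )

    $system32 = Join-Path $env:SystemRoot 'System32'
    $ifeoBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $cmdHash  = (Get-FileHash (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

    foreach ($name in $Binaries) {
        $path = Join-Path $system32 $name

        # Variant 1: cmd.exe copied over the accessibility binary.
        # Compare hashes against the local cmd.exe, and separately check the
        # Authenticode signature, which catches a cmd.exe taken from another build.
        if (Test-Path $path) {
            $hash = (Get-FileHash $path -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature $path
            [pscustomobject]@{
                Binary      = $name
                Check       = 'FileReplaced'
                Suspicious  = ($hash -eq $cmdHash) -or ($sig.Status -ne 'Valid')
                Detail      = "sha256=$hash signature=$($sig.Status)"
            }
        }

        # Variant 2: an IFEO Debugger value for the binary. Any debugger here
        # deserves review, whether or not it points at cmd.exe.
        $key = Join-Path $ifeoBase $name
        $debugger = $null
        if (Test-Path $key) {
            $debugger = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        }
        [pscustomobject]@{
            Binary      = $name
            Check       = 'IfeoDebugger'
            Suspicious  = [bool]$debugger
            Detail      = if ($debugger) { "Debugger=$debugger" } else { 'no Debugger value' }
        }
    }
}

# Usage: list only the findings that need a human to look at them.
Test-StickyKeysBackdoor | Where-Object Suspicious | Format-Table -AutoSize
```

The hash comparison only catches an exact copy of the host's own cmd.exe; the signature check is what catches a cmd.exe brought in from a different Windows build, or any other unsigned substitute. For the registry variant the check flags any Debugger value at all, since a legitimate debugger on sethc.exe or utilman.exe is essentially never expected on a production host. Running the same function across a fleet (for example through remoting) and diffing results over time is the practical hunting step.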

14 Dec 2014

Exploiting MS14-068 with PyKEK and Kali

Here’s a quick writeup of exploiting MS14-068 using PyKEK and Kali.

Kali Prepwork

Install and Configure Kerberos

Install kerberos:

apt-get install krb5-user krb5-config

Create relevant kerberos config changes in /etc/krb5.conf:

[libdefaults]
  default_realm = pwn3d.local
[realms]
  pwn3d.local = {
    kdc = dc1.pwn3d.local
    admin_server = dc1.pwn3d.local
    default_domain = pwn3d.local
  }

In /etc/resolv.conf, point DNS at the domain controller's DNS server so that the Kerberos SRV records (e.g. _kerberos._tcp.*) resolve correctly.

According to the TrustedSec blog, you’ll need to sync time with the domain controller. During my testing I didn’t perform any syncing and had no issues.