bobbyb1980 Posted May 22, 2012

Hey guys. Having a problem adding a new user for an experiment I'm doing. I'm using a Windows XP SP2 vmware machine for the victim and everything is being done via meterpreter. Once I get the shell opened, I can successfully run the getsystem command and getsystem privs. I then want to drop into a system shell and run the following commands:

    C:\ net user pwned pwned /add
    C:\ net localgroup admin pwned /add

The goal is to start from a limited user account, escalate the privs, then drop into a system shell to add a new administrator account. The problem is that whenever I drop into a system shell it's still giving me the shell but only with limited user privs. Can't add any admins with limited user privs.

I've also tried this by adding users via various meterpreter scripts (edited getgui.rb to only add a user and add it to the admin group) but I think the same thing is happening and it's ultimately failing. Any ideas what's going on here?

digininja Posted May 22, 2012

What level of access are you getting through your exploit? In meterpreter run getuid to find out. If you aren't system you can use getsystem to promote yourself to system; from there what you are trying should work, as I do it all the time on tests.

bobbyb1980 Posted May 22, 2012 (Author)

    msf exploit(handler) > sessions -i 5
    [*] Starting interaction with 5...

    meterpreter > getuid
    Server username: PYTH0N-AC2CB74D\LIMITED
    meterpreter > getsystem
    ...got system (via technique 4).
    meterpreter > shell
    Process 224 created.
    Channel 1 created.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Program Files\Mozilla Firefox>net user pwned /add
    System error 5 has occurred.

    Access is denied.

    C:\Program Files\Mozilla Firefox>

bobbyb1980 Posted May 22, 2012 (Author)

Maybe I somehow need to spawn a new shell as system?

digip Posted May 22, 2012

Could be something as stupid as a time synchronization issue with the XP VM. Try stopping and starting the windows time service and make sure windows can connect to the internet to sync.

bobbyb1980 Posted May 23, 2012 (Author)

Solved. The problem had to do with migration. Before meterpreter will drop into a shell with system privileges, it first has to migrate to a process with system privs. If you drop directly in like I was doing you'll have whatever privs the browser was running with.

After the migration to a process with sys/admin privs, if you drop into a shell you'll have sys privs.

digip Posted May 23, 2012

> Solved. The problem had to do with migration. Before meterpreter will drop into a shell with system privileges, it first has to migrate to a process with system privs. If you drop directly in like I was doing you'll have whatever privs the browser was running with.
>
> After the migration to a process with sys/admin privs, if you drop into a shell you'll have sys privs.

That makes sense now.

Infiltrator Posted May 24, 2012

> Solved. The problem had to do with migration. Before meterpreter will drop into a shell with system privileges, it first has to migrate to a process with system privs. If you drop directly in like I was doing you'll have whatever privs the browser was running with.
>
> After the migration to a process with sys/admin privs, if you drop into a shell you'll have sys privs.

Without proper privilege you won't go very far. Glad you got it sorted.

vdub Posted May 29, 2012

> Solved. The problem had to do with migration. Before meterpreter will drop into a shell with system privileges, it first has to migrate to a process with system privs. If you drop directly in like I was doing you'll have whatever privs the browser was running with.
>
> After the migration to a process with sys/admin privs, if you drop into a shell you'll have sys privs.

That's what I was going to say. It's always a good idea to migrate anyway since your connection is relying on the user not closing the process you're attached to. Once you're in, jump over to lsass and you should be golden unless they shut the system down. I believe lsass will even work if the user logs out. I used to use explorer but that depends on the uid of the logged on user and if they log out you're screwed. Or explorer crashes. That never happens in Windows does it :-). Just don't use winlogon. For some reason half of the times I try it crashes and when you lose that process the system blue screens. Unless that's what you're going for ;-)

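
The behaviour bobbyb1980 and vdub describe leaves a recognisable process lineage, so here is a defender-side detection sketch, added as an example that is not part of any post in the thread. It flags account-creation commands whose ancestry includes a browser, or whose shell was started by lsass.exe or winlogon.exe; the event records, the LAB accounts and the field names (loosely modelled on Sysmon Event ID 1) are constructed assumptions.

```python
import re

# Constructed process-creation records; field names are assumptions loosely
# modelled on Sysmon Event ID 1, not data from the thread.
def ev(pid, ppid, image, user, cmd):
    return {"pid": pid, "ppid": ppid, "image": image, "user": user, "cmd": cmd}

SYS32 = "C:\\WINDOWS\\system32\\"
EVENTS = [
    ev(1200, 900, "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "LAB\\LIMITED", "firefox.exe"),
    ev(224, 1200, SYS32 + "cmd.exe", "LAB\\LIMITED", "cmd.exe"),
    ev(300, 224, SYS32 + "net.exe", "LAB\\LIMITED", "net user pwned /add"),
    ev(680, 600, SYS32 + "lsass.exe", "NT AUTHORITY\\SYSTEM", "lsass.exe"),
    ev(2040, 680, SYS32 + "cmd.exe", "NT AUTHORITY\\SYSTEM", "cmd.exe"),
    ev(2100, 2040, SYS32 + "net.exe", "NT AUTHORITY\\SYSTEM", "net localgroup admin pwned /add"),
    ev(1500, 900, "C:\\WINDOWS\\explorer.exe", "LAB\\ADMIN", "explorer.exe"),
    ev(3000, 1500, SYS32 + "cmd.exe", "LAB\\ADMIN", "cmd.exe"),
    ev(3100, 3000, SYS32 + "net.exe", "LAB\\ADMIN", "net user helpdesk /add"),
]

ACCOUNT_ADD = re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)\b.*\s/add\b", re.I)
USER_APPS = {"firefox.exe", "iexplore.exe"}      # user-facing applications
SHELLS = {"cmd.exe"}
SYSTEM_PARENTS = {"lsass.exe", "winlogon.exe"}   # not expected to start shells

def lineage(event, by_pid):
    """Image basenames from the event up through its recorded ancestors."""
    names, seen = [], set()
    while event and event["pid"] not in seen:    # 'seen' guards against PID loops
        seen.add(event["pid"])
        names.append(event["image"].rsplit("\\", 1)[-1].lower())
        event = by_pid.get(event["ppid"])
    return names

def detect(events):
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not ACCOUNT_ADD.search(e["cmd"]):
            continue
        names = lineage(e, by_pid)
        reasons = []
        if USER_APPS & set(names[1:]):
            reasons.append("browser-ancestry")
        if any(c in SHELLS and p in SYSTEM_PARENTS for c, p in zip(names, names[1:])):
            reasons.append("shell-under-system-process")
        if reasons:
            alerts.append((e["pid"], e["user"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On real telemetry, key the lookup on a process GUID or on PID plus start time, because PIDs are reused. The administrator's `net user helpdesk /add` under explorer.exe is deliberately not flagged by either lineage rule.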