Metasploit mailing list archives
Re: framework Digest, Vol 46, Issue 15
From: Jeff Piquette <trcx528 () gmail com>
Date: Sat, 26 Nov 2011 12:24:35 -0600
Try taking a look at kon-boot. Boot from the CD and it will modify the kernel on the fly to allow you to log in as any user; just supply any password (odd, I know) and it will log you in as that user. My personal use of it has given me a 75% success rate; otherwise I just use ophcrack to crack the admin pass.

~Jeff

Sent from my iPod

On Nov 26, 2011, at 12:00 PM, "framework-request () spool metasploit com" <framework-request () spool metasploit com> wrote:
> Send framework mailing list submissions to
>     framework () spool metasploit com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://mail.metasploit.com/mailman/listinfo/framework
> or, via email, send a message with subject or body 'help' to
>     framework-request () spool metasploit com
>
> You can reach the person managing the list at
>     framework-owner () spool metasploit com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of framework digest..."
>
> Today's Topics:
>
>    1. Re: Privilege escalation on an isolated system (Brahim Sakka)
>    2. Re: Privilege escalation on an isolated system (5.K1dd)
>    3. Re: Privilege escalation on an isolated system (Lukas Kuzmiak)
>    4. Re: Privilege escalation on an isolated system (Kevin Shaw)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 25 Nov 2011 22:39:03 +0100
> From: Brahim Sakka <brahim.sakka () gmail com>
> To: Roberto Espreto <robertoespreto () gmail com>, hazard0us.pt () gmail com
> Cc: framework () spool metasploit com
> Subject: Re: [framework] Privilege escalation on an isolated system
> Message-ID: <CAHLWfDRYMPe=fERPDy-ve11ggVk=0u31aSSaYdTt0A5DawJ1hA () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Thanks haZ and Roberto. Let me explain the situation again.
>
> The Windows system I'm facing is not connected to a network (it has no NICs). I have unprivileged user access into it. It is _not_ an access through a meterpreter shell, it's just a classic user/password combo that I'm using (I have physical access to the box).
>
> My question is: is there a way to leverage MSF's privilege exploitation capabilities in order to get admin privileges on this box?
>
> 2011/11/25, Roberto Espreto <robertoespreto () gmail com>:
> > Hi!
> >
> > Launch the Incognito module, list the available tokens and impersonate the one you want.
> >
> > Regards,
> >
> > 2011/11/25 Brahim Sakka <brahim.sakka () gmail com>
> > > Hello list,
> > >
> > > I have a Windows XP SP3 test system with a limited user account. I want to escalate my privileges and "getsystem". Typically, I would generate an evil file with MSF, get a meterpreter shell then getsystem. However, in this particular case, the system cannot be connected to any network (no NICs). Also, I can't install MSF itself on it because I don't have the required privileges. Is it somehow possible to leverage the framework's built-in privilege escalation capabilities in order to get admin privileges?
> > >
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> >
> > --
> > *Roberto S. Soares (espreto)*
> > robertoespreto () gmail com
> > espreto () hacktraining com br
> > www.hacktrainig.com.br
> > http://codesec.blogspot.com
> > Skype: hack_training
> > Twitter @espreto
>
> ------------------------------
>
> Message: 2
> Date: Fri, 25 Nov 2011 16:26:29 -0600
> From: "5.K1dd" <5.k1dd () austinhackers org>
> To: framework () spool metasploit com
> Subject: Re: [framework] Privilege escalation on an isolated system
> Message-ID: <4ED01615.20301 () austinhackers org>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Metasploit really isn't designed for such a scenario. You could generate meterpreter as an exe and run it locally, but you'd need a handler to interact with the session. I'm not sure it's possible to have the handler and meterpreter running on the same box since they would both be trying to use the same port to communicate.
>
> Some of the aux modules come in standalone form on the websites of the various authors. That might be a possible avenue.
>
> > [...]
>
> ------------------------------
>
> Message: 3
> Date: Fri, 25 Nov 2011 23:29:15 +0100
> From: Lukas Kuzmiak <lukash () backstep net>
> To: Brahim Sakka <brahim.sakka () gmail com>
> Cc: framework () spool metasploit com
> Subject: Re: [framework] Privilege escalation on an isolated system
> Message-ID: <CABV5EtFs_9gUmARs3tnh0uLJV8bP-aU2yyDfO-5RFAvhjn7Bhg () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hey man,
>
> I would simply try to break down the getsystem from meterpreter and use its single parts to gain the system privileges.
>
> external/source/meterpreter/source/extensions/priv/server/elevate:
> elevate.c - handler for 4 privilege escalation exploits/techniques there (other 4 .c files)
>
> You might either play with those (they were ported for metasploit, so it won't be enough to just compile and run, you'd have to get rid of the meterpreter structures) or (perhaps an easier path) just use those as an inspiration and look on the internet for local implementations of those.
>
> From elevate.c:
>
>     // firstly, try to use the in-memory named pipe impersonation technique (Requires Local Admin rights)
>     // secondly, try to use the in-memory KiTrap0D exploit (CVE-2010-0232) (Requires Local User rights and vulnerable system)
>     // thirdly, try to use the in-memory service token duplication technique (Requires Local Admin rights and SeDebugPrivilege)
>     // fourthly, try to use the touching disk named pipe impersonation technique (Requires Local Admin rights)
>
> That's what getsystem basically does, so you can just follow the same path manually and see where you can get.
>
> Hope I helped at least a little. Or just look for other local windows exploits on the internet :)
>
> cheers,
> lukash
>
> On Fri, Nov 25, 2011 at 10:39 PM, Brahim Sakka <brahim.sakka () gmail com> wrote:
> > [...]
>
> ------------------------------
>
> Message: 4
> Date: Fri, 25 Nov 2011 17:46:32 -0500
> From: Kevin Shaw <kevin.lee.shaw () gmail com>
> To: Lukas Kuzmiak <lukash () backstep net>
> Cc: framework () spool metasploit com
> Subject: Re: [framework] Privilege escalation on an isolated system
> Message-ID: <CAG7+V37nF3C7VkJqzNZMYLV2bLFDS0h+g0Ht-VfD00T+MzVNag () mail gmail com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I wouldn't bother with meterpreter, just find a local privilege escalation exploit. You have access to the system, you don't need much in the way of sparkle.
>
> On Nov 25, 2011 5:30 PM, "Lukas Kuzmiak" <lukash () backstep net> wrote:
> > [...]
>
> ------------------------------
>
> _______________________________________________
> framework mailing list
> framework () spool metasploit com
> https://mail.metasploit.com/mailman/listinfo/framework
>
> End of framework Digest, Vol 46, Issue 15
> *****************************************
Current thread:
- Re: framework Digest, Vol 46, Issue 15 Jeff Piquette (Nov 26)
- <Possible follow-ups>
- Re: framework Digest, Vol 46, Issue 15 TomblinTech (Nov 26)