Metasploit mailing list archives
Re: framework Digest, Vol 46, Issue 15
From: TomblinTech <tomblintech () gmail com>
Date: Sat, 26 Nov 2011 11:22:30 -0800
Depending on what your privs are, you could run cmd and put in the 'at' command. Take a look at the time on your system and set the 'at' command to run a minute or two later and have it open a new cmd or taskmgr. When the new cmd opens it will be running as system.

Example: if the time is 11:30am run the command like this:

at 11:31 /i "cmd.exe"

So when the system clock hits 11:31 the new cmd will open. Also, the at command runs on a 24 hour clock. Aka 2:00pm = 14:00pm.

If you don't have the priv to run the 'at' command, navigate to c:\windows\system32 and make a copy of sethc.exe (for a backup), then copy cmd.exe and rename it to sethc.exe. Replace the original sethc.exe with the new cmd version. Then log out and at the login screen hit shift five times. It will now open a system level cmd for you.

Hope this helps!

Bret

Sent from my iPad

On Nov 26, 2011, at 10:00 AM, framework-request () spool metasploit com wrote:
Send framework mailing list submissions to framework () spool metasploit com
To subscribe or unsubscribe via the World Wide Web, visit https://mail.metasploit.com/mailman/listinfo/framework or, via email, send a message with subject or body 'help' to framework-request () spool metasploit com
You can reach the person managing the list at framework-owner () spool metasploit com
When replying, please edit your Subject line so it is more specific than "Re: Contents of framework digest..."

Today's Topics:
1. Re: Privilege escalation on an isolated system (Brahim Sakka)
2. Re: Privilege escalation on an isolated system (5.K1dd)
3. Re: Privilege escalation on an isolated system (Lukas Kuzmiak)
4. Re: Privilege escalation on an isolated system (Kevin Shaw)

----------------------------------------------------------------------

Message: 1
Date: Fri, 25 Nov 2011 22:39:03 +0100
From: Brahim Sakka <brahim.sakka () gmail com>
To: Roberto Espreto <robertoespreto () gmail com>, hazard0us.pt () gmail com
Cc: framework () spool metasploit com
Subject: Re: [framework] Privilege escalation on an isolated system
Message-ID: <CAHLWfDRYMPe=fERPDy-ve11ggVk=0u31aSSaYdTt0A5DawJ1hA () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Thanks haZ and Roberto. Let me explain the situation again. The Windows system I'm facing is not connected to a network (it has no NICs). I have unprivileged user access into it. It is _not_ an access through a meterpreter shell, it's just a classic user/password combo that I'm using (I have physical access to the box). My question is: is there a way to leverage MSF's privilege exploitation capabilities in order to get admin privileges on this box?

2011/11/25, Roberto Espreto <robertoespreto () gmail com>:
> Hi!
> Launch the Incognito module, list the available tokens and impersonate the one you want.
> Regards,
>
> 2011/11/25 Brahim Sakka <brahim.sakka () gmail com>
>> Hello list,
>> I have a Windows XP SP3 test system with a limited user account. I want to escalate my privileges and "getsystem". Typically, I would generate an evil file with MSF, get a meterpreter shell then getsystem. However, in this particular case, the system cannot be connected to any network (no NICs). Also, I can't install MSF itself on it because I don't have the required privileges. Is it somehow possible to leverage the framework's built-in privilege escalation capabilities in order to get admin privileges?
>> _______________________________________________
>> https://mail.metasploit.com/mailman/listinfo/framework
>
> --
> *Roberto S. Soares (espreto)*
> robertoespreto () gmail com
> espreto () hacktraining com br
> www.hacktrainig.com.br
> http://codesec.blogspot.com
> Skype: hack_training
> Twitter @espreto

------------------------------

Message: 2
Date: Fri, 25 Nov 2011 16:26:29 -0600
From: "5.K1dd" <5.k1dd () austinhackers org>
To: framework () spool metasploit com
Subject: Re: [framework] Privilege escalation on an isolated system
Message-ID: <4ED01615.20301 () austinhackers org>
Content-Type: text/plain; charset=ISO-8859-1

Metasploit really isn't designed for such a scenario. You could generate meterpreter as an exe and run it locally, but you'd need a handler to interact with the session. I'm not sure it's possible to have the handler and meterpreter running on the same box since they would both be trying to use the same port to communicate. Some of the aux modules come in standalone form on the websites of the various authors. That might be a possible avenue.

------------------------------

Message: 3
Date: Fri, 25 Nov 2011 23:29:15 +0100
From: Lukas Kuzmiak <lukash () backstep net>
To: Brahim Sakka <brahim.sakka () gmail com>
Cc: framework () spool metasploit com
Subject: Re: [framework] Privilege escalation on an isolated system
Message-ID: <CABV5EtFs_9gUmARs3tnh0uLJV8bP-aU2yyDfO-5RFAvhjn7Bhg () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Hey man,
I would simply try to break down the getsystem from meterpreter and use its single parts to gain the system privileges.

external/source/meterpreter/source/extensions/priv/server/elevate:
elevate.c - handler for 4 privilege escalation exploits/techniques there (other 4 .c files)

you might either play with those (they were ported for metasploit, so it won't be enough to just compile and run, you'd have to get rid of the meterpreter structures) or (perhaps an easier path) just use those as an inspiration and look on the internet for local implementations of those.

from elevate.c:
// firstly, try to use the in-memory named pipe impersonation technique (Requires Local Admin rights)
// secondly, try to use the in-memory KiTrap0D exploit (CVE-2010-0232) (Requires Local User rights and vulnerable system)
// thirdly, try to use the in-memory service token duplication technique (Requires Local Admin rights and SeDebugPrivilege)
// fourthly, try to use the touching disk named pipe impersonation technique (Requires Local Admin rights)

that's what getsystem basically does, so you can just follow the same path manually and see where you can get.

hope i helped at least a little. or just look for other local windows exploits on the internet :)

cheers,
lukash

------------------------------

Message: 4
Date: Fri, 25 Nov 2011 17:46:32 -0500
From: Kevin Shaw <kevin.lee.shaw () gmail com>
To: Lukas Kuzmiak <lukash () backstep net>
Cc: framework () spool metasploit com
Subject: Re: [framework] Privilege escalation on an isolated system
Message-ID: <CAG7+V37nF3C7VkJqzNZMYLV2bLFDS0h+g0Ht-VfD00T+MzVNag () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

I wouldn't bother with meterpreter, just find a local privilege escalation exploit. You have access to the system, you don't need much in the way of sparkle.

------------------------------

_______________________________________________
framework mailing list
framework () spool metasploit com
https://mail.metasploit.com/mailman/listinfo/framework

End of framework Digest, Vol 46, Issue 15
*****************************************
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
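Editor's note: the reply above describes copying cmd.exe over sethc.exe so the logon screen launches a SYSTEM shell. The following is an added defender-side integrity check written for this archive page (it is not code from any list member): it hashes the accessibility helpers in a System32 directory and flags any that is a byte-for-byte copy of a shell binary. It goes beyond the thread by also covering the other logon-screen accessibility helpers; that helper list, the shell list and the default path are assumptions.

```python
"""Detect the sethc.exe-over-cmd.exe swap by hashing files in System32.

Editor's example, not code from the mailing list. Assumption: a swapped
helper is a byte-for-byte copy of a shell binary, so equal SHA-256 digests
are the indicator. A known-good hash list would catch subtler swaps too.
"""
import hashlib
import sys
from pathlib import Path

# sethc.exe is the helper named in the thread; the others are launched from
# the logon screen the same way and are checked identically (assumption).
ACCESSIBILITY_HELPERS = (
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
)
# Shells that could be copied over a helper; cmd.exe is the one in the thread.
SHELLS = ("cmd.exe", "powershell.exe")


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped_helpers(system32: Path) -> dict:
    """Map each helper present in system32 to 'ok' or 'swapped:<shell>'.

    Helpers that do not exist on this Windows version are skipped, so the
    result only contains files that were actually examined.
    """
    shell_hashes = {}
    for shell in SHELLS:
        shell_path = system32 / shell
        if shell_path.is_file():
            shell_hashes[sha256_of(shell_path)] = shell
    verdicts = {}
    for name in ACCESSIBILITY_HELPERS:
        helper_path = system32 / name
        if not helper_path.is_file():
            continue
        digest = sha256_of(helper_path)
        verdicts[name] = ("swapped:" + shell_hashes[digest]
                          if digest in shell_hashes else "ok")
    return verdicts


if __name__ == "__main__":
    # Default path is the usual location; pass another directory to override.
    target = Path(sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32")
    for helper, verdict in find_swapped_helpers(target).items():
        print(f"{helper:20s} {verdict}")
```

Run it against a copy of the System32 directory taken from a forensic image as well as the live box, since the "backup" copy the reply mentions will not be caught by name.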
Current thread:
- Re: framework Digest, Vol 46, Issue 15 Jeff Piquette (Nov 26)
- <Possible follow-ups>
- Re: framework Digest, Vol 46, Issue 15 TomblinTech (Nov 26)