r00t-3xp10it / meterpeter

C2 Powershell Command & Control Framework with BuiltIn Commands

Escalation of privileges #2

Open d0ubl3puls4r opened 4 years ago

d0ubl3puls4r commented 4 years ago

Hello, I would like to know how it works to escalate privileges in the system. I even went to the postexploit -> escalate -> getsystem options, and it looks like the process was OK, but how do I access the session with those elevated privileges? From here on I don't know what else to do. Thanks in advance.

r00t-3xp10it commented 4 years ago

This link (wiki) explains all the steps required to elevate the current session: https://github.com/r00t-3xp10it/meterpeter/wiki/WSReset.exe-Privilege-Escalation-(Client.ps1)


The following screenshot shows how the privilege escalation works (manual test): "How from a non-privileged PS console we can call one elevated cmd prompt (test)".


Final notes:

The WStore.vbs script is uploaded to the target machine to run the delay time required for the attacker to be able to EXIT and RESTART the meterpeter console prompt and receive the elevated connection back. WStore.vbs will execute WSReset.exe (Windows Store process) at the end of the delay time chosen by the attacker; then the WSReset.exe process will exec the Client.ps1 stored in the target's $env:tmp folder (elevated).

d0ubl3puls4r commented 4 years ago

Thanks, I managed to understand and it worked perfectly here. Now my question is about the persistent mode: I activated the option, left the program, restarted the Windows machine and was unable to return to the system access.

r00t-3xp10it commented 4 years ago

Which persistence did you pick?? meterpeter has 5 available persistence mechanisms ...

Remark: persistence does not give you SYSTEM access on its own ..

d0ubl3puls4r commented 4 years ago

Which persistence did you pick?? meterpeter has 5 available persistence mechanisms ...

Remark: persistence does not give you SYSTEM access on its own ..

I used almost all the options but I did not get a reverse access from the remote system. My question is whether the persistent mode serves as a backdoor allowing me to return to the system: how does this access work? Does it happen in reverse? Do I have to put the tool back into listening mode on the same IP and port?

r00t-3xp10it commented 4 years ago

Yes... you have to put meterpeter in listening mode to wait for the connection, and restart the target system, because most persistence modules of meterpeter use the startup folder / registry RUN keys (schtasks does not require restarting the system)..

Remember to use the same port number | IP addr | obfuscation type as the persisted client.

Please read this 'WIKI' that explains all the 'persistence' mechanisms.