Practical Privilege Escalation Using Meterpreter

Privilege escalation is a big challenge once you have a session open on your victim machine. In this tutorial, I will show you a way to elevate your privileges and reliably become admin.

So, let’s see what this tutorial lab will look like.

[Slide: tutorial lab overview]

My attacker host will be Kali, of course, and I will use the Social-Engineer Toolkit (SET) to generate a Meterpreter payload. You are probably asking yourself why I am using the Social-Engineer Toolkit instead of Metasploit directly. Well, the Social-Engineer Toolkit uses Metasploit under the hood anyway, and it automates everything for you.

Next, we will send the payload to the Windows 7 machine and infect it by executing the malicious file. At this stage we will have a Meterpreter session open, and from there I will show you how to elevate your privileges to admin on the victim machine remotely.

Let’s start.

Demo

Open your terminal window and start the Social-Engineer Toolkit with the setoolkit command.

[Screenshot: SEToolkit]

Next, choose option number 1, Social-Engineering Attacks.

[Screenshot: Social-Engineering Attacks menu]

To create a Meterpreter payload, choose option number 4, Create a Payload and Listener; the name is self-explanatory.

[Screenshot: Create a Payload and a Listener]

Here I will use the Windows Reverse TCP Meterpreter, which is option number 2.

[Screenshot: Reverse TCP Meterpreter]

Next, I need to enter my Kali IP address, which is 192.168.0.102.

[Screenshot: Enter IP Address]

Next, SET asks for the port I will be listening on from my Kali machine.

I will choose port 443. I like this port because it is HTTPS, and firewalls will not block it in a real-life scenario.

[Screenshot: Enter Port Number]

Check this out: the payload is saved in this directory.

[Screenshot: Payload directory]

Next, I will answer yes to start the listener now using Metasploit.

[Screenshot: Start Listener]

Wait a few seconds and the Social-Engineer Toolkit will start the Metasploit Framework. After that, Metasploit will execute a few commands to start the listener.

[Screenshot: Metasploit Listening]

Do you see how easy this is? I will open a new terminal window to show you the location of this file. First, in my root home directory, I will list its contents, using the -a option to show hidden files as well.

[Screenshot: list files in Linux]

And somewhere down here I have the set folder; its name starts with a dot, which means the folder is hidden by default.

[Screenshot: list hidden files on Kali]

Let’s open it and check its contents, and voila, this is the payload file that we need to copy over to the Windows 7 host.

[Screenshot: Payload.exe]

On the victim machine, all I need to do is double-click this file to infect it (execute it).

[Screenshot: Payload on Windows]

Let’s go back to the Kali host. Here you go, we have a Meterpreter session open.

[Screenshot: Meterpreter Session]

To interact with this session, type sessions -i followed by its ID number. I know it is 1 because we only have one session open, so logically the ID will be 1.

[Screenshot: Meterpreter session interaction]

Let me show you the Meterpreter privilege escalation workflow before we proceed.

First, you need to list the processes on the Windows machine and pick one to migrate to.

After this, I will check which user I am logged on as, to have an idea of who I am.

Finally, we will execute the getsystem command to elevate our privileges; let’s see if this is going to work.

[Slide: Meterpreter Privilege Escalation Workflow]

Let’s go back to Kali. To list all the processes on the Windows 7 machine, I will use the ps command.

[Screenshot: show processes using Meterpreter]

Next, I will locate the explorer.exe process and note its process ID. Let’s migrate to this process:

[Screenshot: Meterpreter Migration]

Let’s take a look at the user we are logged on as by executing the getuid command.

[Screenshot: getuid]

I will switch to a command prompt using the shell command to get more information about this user.

[Screenshot: more user info using Meterpreter]

It looks like it is a member of the local Administrators group.


Wait, don’t party yet; being in the group doesn’t mean we’re there yet.

Let’s go back to the Meterpreter prompt and try to elevate our privileges: first I will execute the use priv command, and then the getsystem command.


Check this out: the operation failed to execute. What now, right? After all this hassle, we’re stuck.

Don’t worry, I have a solution for you, and it’s not Meterpreter. In fact, you need a more powerful post-exploitation technique, because Meterpreter is probably good for Windows XP, but that operating system is history now. So, what is the solution, Gus? Well, you need PowerShell, and there is a tool that offers post-exploitation using PowerShell: it’s called Empire! I already have a dedicated tutorial about this tool; check it out.

So, I’ll open my terminal window and browse to the Empire folder in my root home directory.

[Screenshot: Empire PowerShell directory]

If I list its contents, I can see that the executable is here and waiting for my commands. Let’s execute this monster!


Since this is a fresh copy, I have 0 listeners and 0 agents active at this moment.

[Screenshot: Empire PowerShell home screen]

Not a problem, let’s start! First, type listeners to switch to listeners mode.

[Screenshot: Empire PowerShell listeners]

Second, I will use the http listener (with the uselistener command, then the execute command), and I will type listeners once more to list my active listeners.

[Screenshot: listeners info]

Here you go, we have an active listener at this stage. Now I need to generate the PowerShell script that I will use to infect the Windows 7 machine.

Type launcher, then the language name, powershell, and then the listener name, http.

[Screenshot: launcher powershell]

Awesome, all I need to do now is copy this fancy script, go back to the Meterpreter session, and paste it there; but first, let’s switch into the command prompt (using the shell command).

[Screenshot: Meterpreter and Empire PowerShell]

And we’re done! Close this useless Meterpreter session, because we don’t need it anymore.

On the Empire side, we can see that we have an agent active:


Next, press Enter and type agents to list the active agents. Let’s rename the agent to something more meaningful, and start interacting with the non-admin agent.


If I show the options using the info command, you will see that High Integrity is set to 0, which means that we’re not admin.

[Screenshot: info for agent 1]

To elevate our privileges at this point, all I need is to execute the magical bypassuac command followed by the listener name. Pay close attention to this message: we have a second agent active. Let’s see the information about this new guy. Check this out: we have an asterisk before the username, and that means it’s an admin!


Let’s rename the new agent and interact with it.


I will double-check that it’s really an admin (using the info command), and you bet I’m right, because High Integrity is set to 1.

[Screenshot: High Integrity set to 1]
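The two info screens above (High Integrity 0, then 1) and the earlier "member of the local Administrators group" check are about two different things. As an added example, not part of this tutorial and not Empire's own code, here is a PowerShell function you can run on a Windows 7 or later host to show both at once for the current token: whether the Administrators SID is present, whether UAC has marked it "deny only", and the token's integrity level. On a UAC-enabled host, a local admin's normal logon token carries the Administrators SID but runs at Medium integrity, which is the distinction Empire reports as High Integrity 0. The function name is my own.

```powershell
# Added example (not from the tutorial or Empire): parse whoami /groups to show
# why "member of Administrators" and "running as admin" differ under UAC.
function Get-TokenElevationInfo {
    # whoami /groups /fo csv emits columns: "Group Name","Type","SID","Attributes"
    $rows = whoami /groups /fo csv | ConvertFrom-Csv

    # Administrators is the well-known SID S-1-5-32-544. In a normal logon of a
    # local admin, UAC keeps the SID in the token but flags it "deny only", so
    # the account is in the group yet gets no admin rights until elevated.
    $adminRow = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $inAdmins = [bool]$adminRow
    $denyOnly = [bool]($adminRow -and ($adminRow.Attributes -match 'deny only'))

    # The integrity level is the "Label" row whose SID is in the S-1-16-* range:
    # 4096 = Low, 8192 = Medium, 12288 = High, 16384 = System.
    $ilRow = $rows | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $rid   = if ($ilRow) { [int]($ilRow.SID -replace '^S-1-16-', '') } else { -1 }
    $level = if     ($rid -ge 16384) { 'System' }
             elseif ($rid -ge 12288) { 'High' }
             elseif ($rid -ge 8192)  { 'Medium' }
             elseif ($rid -ge 0)     { 'Low' }
             else                    { 'Unknown' }

    # New-Object PSObject keeps this runnable on the PowerShell 2.0 that Windows 7 ships with.
    New-Object PSObject -Property @{
        User             = (whoami)
        InAdminsGroup    = $inAdmins          # what the tutorial's "shell" check showed
        AdminSidDenyOnly = $denyOnly          # True in a UAC-filtered (non-elevated) session
        IntegrityLevel   = $level
        HighIntegrity    = ($rid -ge 12288)   # what Empire's info screen reports as 0 / 1
    }
}

# A local admin in a normal, non-elevated session typically shows
# InAdminsGroup True, AdminSidDenyOnly True, IntegrityLevel Medium, HighIntegrity False.
Get-TokenElevationInfo | Format-List
```

Running it from an elevated prompt on the same account flips AdminSidDenyOnly to False and IntegrityLevel to High, which is exactly the state the second agent is in.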

Let’s have some fun and extract the account credentials using Mimikatz.

[Screenshot: mimikatz]

Be patient for a few seconds while Mimikatz executes and finishes extracting all the passwords. Exciting! When you see the bye here, it means we’re done, so press Enter on your keyboard,

[Screenshot: Mimikatz and Empire PowerShell]

and let’s see the credentials using the creds command.

[Screenshot: cleartext passwords using Mimikatz]

What a beautiful piece of art; check out these cleartext passwords.
