Meterpreter getsystem

When using exploits, you might gain access as only a local user. This limits what you can do on the target machine. You can use Meterpreter's `getsystem` command (https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/elevate.c#L70) to elevate your permissions from a local administrator to SYSTEM. The command works by trying three elevation techniques. To see the

The command can only be run after a target has been exploited and a session is opened.

ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE

One elevation technique is Named Pipe Impersonation (In Memory/Admin), https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/namedpipe.c. Pipes are part of the Windows OS and let processes communicate with each other. In this technique, Meterpreter creates a named pipe. Then a cmd.exe is started under the local system account and connects to the Meterpreter named pipe. Meterpreter can then impersonate the security context of the pipe client, in this case SYSTEM. This gives you SYSTEM privileges.

There are a few things to keep in mind when using this technique:

  • ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE only works on native Windows Meterpreter.
  • The account type used must be an administrator.
  • The session can't be running under User Account Control (UAC) restrictions, or the technique will fail, even if you are using an administrator account.

To learn more about impersonation in Windows, see Impersonating a Named Pipe Client on Microsoft: https://docs.microsoft.com/en-us/windows/win32/ipc/impersonating-a-named-pipe-client?redirectedfrom=MSDN.

ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2

Another elevation technique is Named Pipe Impersonation (Dropper/Admin), https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/service.c. This works like Named Pipe Impersonation (In Memory/Admin), but instead of using a cmd.exe to create the SYSTEM pipe client, it writes a DLL file to disk and then runs rundll32.exe to load that DLL as SYSTEM. The DLL connects to Meterpreter's named pipe, and you now have SYSTEM permissions.
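As an added defender-side example (not code from this page or from the Metasploit project), the following Python flags the service-install artifacts the two named-pipe techniques above leave behind: a SYSTEM service whose image is cmd.exe writing to a named pipe, or rundll32.exe loading a DLL from a non-system path. The event lines are constructed samples, assumed to be Windows System-log service-install records (Event ID 7045) already flattened to `ServiceName|ImagePath|Account`; the path and pipe heuristics are assumptions for illustration, not a Metasploit signature.

```python
import re
from typing import Dict, List

# Constructed sample of service-install events, flattened to
# "ServiceName|ImagePath|Account". The two odd-looking entries mimic the
# cmd.exe named-pipe client and the rundll32.exe DLL dropper; the other two
# are ordinary services that should not be flagged.
SAMPLE_EVENTS = [
    "Spooler|C:\\Windows\\System32\\spoolsv.exe|LocalSystem",
    "tYxQw|cmd.exe /c echo tYxQw > \\\\.\\pipe\\tYxQw|LocalSystem",
    "mKpLz|rundll32.exe C:\\Users\\Public\\mKpLz.dll,a|LocalSystem",
    "Backup|\"C:\\Program Files\\Backup\\agent.exe\" --svc|NT AUTHORITY\\NetworkService",
]

LAUNCHER_RE = re.compile(r"\b(cmd|rundll32)\.exe\b", re.IGNORECASE)
DLL_PATH_RE = re.compile(r"([A-Za-z]:\\[^\s,\"]+\.dll)", re.IGNORECASE)
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}


def service_install_reasons(image_path: str, account: str) -> List[str]:
    """Return why a service install looks like a getsystem artifact (empty list = benign)."""
    reasons = []
    runs_as_system = account.strip().lower() in SYSTEM_ACCOUNTS
    if runs_as_system and LAUNCHER_RE.search(image_path):
        reasons.append("SYSTEM service whose image is cmd.exe or rundll32.exe, not a real service binary")
    # "\\.\pipe\" is the Win32 named-pipe namespace prefix (the Python literal escapes each backslash).
    if "\\\\.\\pipe\\" in image_path.lower():
        reasons.append("service command line writes to a named pipe (impersonation client)")
    dll = DLL_PATH_RE.search(image_path)
    if dll and "rundll32" in image_path.lower() and not dll.group(1).lower().startswith("c:\\windows\\"):
        reasons.append("rundll32.exe loads a DLL from a non-system path: " + dll.group(1))
    return reasons


def scan_events(events: List[str]) -> Dict[str, List[str]]:
    """Map each flagged service name to its reasons; unflagged services are omitted."""
    flagged = {}
    for line in events:
        name, image_path, account = line.split("|", 2)
        reasons = service_install_reasons(image_path, account)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in scan_events(SAMPLE_EVENTS).items():
        print("[!] service " + repr(name) + ": " + "; ".join(reasons))
```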

ELEVATE_TECHNIQUE_SERVICE_TOKENDUP

The last elevation technique is Token Duplication (In Memory/Admin), https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/tokendup.c. This works differently from the other elevation techniques. For it to work, it assumes that you have SeDebugPrivilege; loading the priv extension before attempting privilege escalation helps with obtaining SeDebugPrivilege. Token duplication goes through all running services to find one that is running as SYSTEM. It then uses reflective DLL injection to load elevator.dll into the memory of that SYSTEM service. Then it passes the thread from Meterpreter to elevator.dll. elevator.dll obtains the SYSTEM token, then tries to apply that token to Meterpreter.

This only works on x86 systems for now.

Use getsystem

To run getsystem, enter the getsystem command in an open Meterpreter session. If you run getsystem without arguments, it attempts all three techniques.

```bash
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:

    -h        Help Banner.
    -t        The technique to use. (Default to '0').
                0 : All techniques available
                1 : Service - Named Pipe Impersonation (In Memory/Admin)
                2 : Service - Named Pipe Impersonation (Dropper/Admin)
                3 : Service - Token Duplication (In Memory/Admin)
```

Troubleshooting Operation Failed

If you get the following error, it may be caused by the Meterpreter session injecting a 32-bit payload when the target is 64-bit:

```bash
[*] Started reverse handler
[*] Starting the payload handler...
[*] Sending stage (971264 bytes)
[*] Meterpreter session 1 opened

meterpreter > getuid
Server username: User-PC\User
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect.
```

You can resolve this issue by updating your version of Metasploit Pro or by using a payload that matches the target OS.