When using exploits, you might gain access as only a local user. This limits what you can do on the target machine. You can use Meterpreter's `getsystem` command (https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/elevate.c#L70) to elevate your permissions from a local administrator to SYSTEM. This works by using three elevation techniques. To see the
The command can only be run after a target has been exploited and a session has been opened.
One elevation technique is Named Pipe Impersonation (In Memory/Admin), https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/namedpipe.c. Named pipes are a Windows OS mechanism for communication between processes. In this technique, Meterpreter creates a named pipe. Then a cmd.exe is started under the local system account and connects to the Meterpreter named pipe. Meterpreter can then impersonate the security context of the pipe client, in this case SYSTEM, which gives your session SYSTEM privileges.
There are a few things to keep in mind when using this technique:
- `ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE` only works on the native Windows Meterpreter.
- The account type used must be an administrator.
- The session must not be subject to User Account Control (UAC), or the technique fails even when you are using an administrator account.
To learn more about impersonation in Windows, see Impersonating a Named Pipe Client on Microsoft Docs: https://docs.microsoft.com/en-us/windows/win32/ipc/impersonating-a-named-pipe-client?redirectedfrom=MSDN.
Another elevation technique is Named Pipe Impersonation (Dropper/Admin), https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/service.c. This works like Named Pipe Impersonation (In Memory/Admin), but instead of using cmd.exe to obtain the SYSTEM connection, it writes a DLL file to disk and then runs rundll32.exe to load that DLL as SYSTEM. The DLL connects back to Meterpreter, and you now have SYSTEM permissions.
The last elevation technique is Token Duplication (In Memory/Admin), https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/tokendup.c. This works differently than the other elevation techniques. For it to work, it assumes that you have `SeDebugPrivilege`. Loading the `priv` extension before attempting privilege escalation helps ensure you hold `SeDebugPrivilege`. Token duplication goes through all running services to find one that is running as SYSTEM. It then uses reflective DLL injection to run `elevator.dll` in the memory of that SYSTEM service. Meterpreter then passes its thread to `elevator.dll`, which obtains the SYSTEM token and tries to apply that token to Meterpreter.
This only works on x86 systems for now.
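From a detection standpoint, the two named-pipe techniques above share one observable: the pipe is created by the admin-level session, and a process running as SYSTEM (cmd.exe, or rundll32.exe loading the dropped DLL) connects to it, which is the reverse of the normal direction in which a service owns a pipe and lower-privileged clients connect to it. The following is an added Python example, not part of this page or of Metasploit, that runs that correlation over a constructed, simplified event log; the record fields are my own (loosely modelled on endpoint pipe-created / pipe-connected telemetry), and every process name, PID, account and pipe name in the sample is made up.

```python
"""Flag named pipes created by a non-SYSTEM process and later connected to by a
SYSTEM process: the privilege inversion the getsystem pipe techniques rely on.
Event records here are constructed and simplified; they are not a real log format.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SYSTEM = r"NT AUTHORITY\SYSTEM"


@dataclass(frozen=True)
class Event:
    """One simplified telemetry record (constructed field names, assumed layout)."""
    seq: int          # ordering within the constructed log
    kind: str         # "pipe_created", "pipe_connected" or "process_created"
    pid: int
    image: str        # full image path of the acting process
    user: str         # account the acting process runs as
    pipe: str = ""    # pipe name, for the two pipe event kinds
    parent: str = ""  # parent image, for process_created


def find_pipe_privilege_inversions(events: Iterable[Event]) -> List[Tuple[Event, Event]]:
    """Return (creator, connector) pairs where a pipe created by a process that is
    NOT running as SYSTEM is later connected to by a process that IS SYSTEM.

    A legitimate service creates its pipe and lower-privileged clients connect;
    the named-pipe impersonation techniques invert that so the pipe owner can
    impersonate the SYSTEM client.
    """
    creators = {}  # pipe name -> most recent creating event
    hits = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "pipe_created":
            creators[ev.pipe] = ev
        elif ev.kind == "pipe_connected":
            creator = creators.get(ev.pipe)
            if creator is not None and creator.user != SYSTEM and ev.user == SYSTEM:
                hits.append((creator, ev))
    return hits


def describe(hits: List[Tuple[Event, Event]]) -> List[Tuple[str, str, str]]:
    """Flatten hits into (pipe, creator image name, connector image name)."""
    return [(c.pipe, ntpath.basename(c.image), ntpath.basename(x.image)) for c, x in hits]


# Constructed sample log. "stage.exe" stands in for the admin-level session process.
USER = r"USER-PC\User"
STAGE = r"C:\Temp\stage.exe"
SAMPLE_EVENTS = [
    # Technique 1 shape: user-owned pipe, SYSTEM cmd.exe started as a service dials in.
    Event(1, "pipe_created", 4312, STAGE, USER, pipe=r"\\.\pipe\abcd1234"),
    Event(2, "process_created", 5120, r"C:\Windows\System32\cmd.exe", SYSTEM,
          parent=r"C:\Windows\System32\services.exe"),
    Event(3, "pipe_connected", 5120, r"C:\Windows\System32\cmd.exe", SYSTEM,
          pipe=r"\\.\pipe\abcd1234"),
    # Benign: SYSTEM-owned pipe, user process connects (normal direction, not flagged).
    Event(4, "pipe_created", 780, r"C:\Windows\System32\lsass.exe", SYSTEM,
          pipe=r"\\.\pipe\lsass"),
    Event(5, "pipe_connected", 4312, STAGE, USER, pipe=r"\\.\pipe\lsass"),
    # Technique 2 shape: user-owned pipe, SYSTEM rundll32.exe (dropped DLL) dials in.
    Event(6, "pipe_created", 4312, STAGE, USER, pipe=r"\\.\pipe\efgh5678"),
    Event(7, "process_created", 6000, r"C:\Windows\System32\rundll32.exe", SYSTEM,
          parent=r"C:\Windows\System32\services.exe"),
    Event(8, "pipe_connected", 6000, r"C:\Windows\System32\rundll32.exe", SYSTEM,
          pipe=r"\\.\pipe\efgh5678"),
    # Benign: same-privilege connection to the user-owned pipe (not flagged).
    Event(9, "pipe_connected", 7000, r"C:\Windows\explorer.exe", USER,
          pipe=r"\\.\pipe\efgh5678"),
]


if __name__ == "__main__":
    for pipe, creator, connector in describe(find_pipe_privilege_inversions(SAMPLE_EVENTS)):
        print(f"privilege inversion on {pipe}: created by {creator}, connected by SYSTEM {connector}")
```

The rule deliberately keys on the user accounts rather than on the image names, so it also catches a SYSTEM client other than cmd.exe or rundll32.exe; in production the same logic would be fed from real pipe telemetry with the account field resolved per process.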
To access getsystem, use the command `getsystem`. If you run `getsystem` without arguments, it attempts all three techniques.
```
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:

-h  Help Banner.
-t  The technique to use. (Default to '0').
    0 : All techniques available
    1 : Service - Named Pipe Impersonation (In Memory/Admin)
    2 : Service - Named Pipe Impersonation (Dropper/Admin)
    3 : Service - Token Duplication (In Memory/Admin)
```
Troubleshooting Operation Failed
If you get the following error, it may be caused by the Meterpreter session injecting a 32-bit payload when the target is 64-bit:
```
[*] Started reverse handler
[*] Starting the payload handler...
[*] Sending stage (971264 bytes)
[*] Meterpreter session 1 opened

meterpreter > getuid
Server username: User-PC\User
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect.
```
You can resolve this issue by updating your version of Metasploit Pro or by using a payload built for the target OS.