Meterpreter getsystem
When using exploits, you might gain access only as a local user, which limits what you can do on the target machine. You can use Meterpreter's getsystem command (https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/elevate.c#L70) to elevate your permissions from a local administrator to SYSTEM. It works by trying three elevation techniques in turn. To see the
The command can only be run after a target has been exploited and a session has been opened.
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE
One elevation technique is Named Pipe Impersonation (In Memory/Admin), https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/namedpipe.c. Named pipes are a Windows OS mechanism for communication between processes, and a server that owns a pipe can impersonate the security context of a client that connects to it. In this technique, Meterpreter creates a named pipe. Then a cmd.exe is started under the local SYSTEM account and connects to the Meterpreter named pipe. Meterpreter impersonates the security context of that client, in this case SYSTEM, so the session now runs with SYSTEM privileges.
There are a few things to keep in mind when using this technique:
- ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE only works on the native Windows Meterpreter.
- The account type used must be an administrator.
- The session can't be running under User Account Control (a UAC-limited token) or it will fail, even if you are using an administrator account.
To learn more about impersonation in Windows, see Impersonating a Named Pipe Client on Microsoft Docs: https://docs.microsoft.com/en-us/windows/win32/ipc/impersonating-a-named-pipe-client?redirectedfrom=MSDN.
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2
Another elevation technique is Named Pipe Impersonation (Dropper/Admin), https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/service.c. This works like Named Pipe Impersonation (In Memory/Admin), but instead of using cmd.exe as the SYSTEM client, it writes a DLL file to disk and then runs rundll32.exe to execute that DLL as SYSTEM. The DLL connects to the Meterpreter named pipe, and the session now has SYSTEM permissions. Because this variant touches the disk, it leaves a file artifact that the in-memory variant does not.
ELEVATE_TECHNIQUE_SERVICE_TOKENDUP
The last elevation technique is Token Duplication (In Memory/Admin), https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/tokendup.c. This works differently from the other elevation techniques. For it to work, it assumes that you have SeDebugPrivilege; loading the priv extension before attempting privilege escalation helps with having SeDebugPrivilege. Token duplication goes through all running services to find one that is running as SYSTEM. It then uses reflective DLL injection to run elevator.dll in the memory of that SYSTEM service, and passes a thread from Meterpreter to elevator.dll. elevator.dll obtains the SYSTEM token and then tries to apply that token to Meterpreter.
This only works on x86 systems for now.
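The three techniques above each leave a distinct host-side trace: a named pipe created by a non-SYSTEM process that a SYSTEM cmd.exe or rundll32.exe then connects to (both named pipe variants), a service whose binary is rundll32.exe loading a DLL from disk (the dropper variant), and a thread created from a non-SYSTEM process into a SYSTEM service process (token duplication). The following detection sketch, added here as an example and not part of the Metasploit documentation or the metasploit-payloads project, runs those three rules over constructed, simplified event records modelled loosely on Sysmon pipe/remote-thread events and the System log's service-installation event; the field names, pipe names, paths and timestamps are this example's own assumptions, not a real log schema.

```python
from datetime import datetime, timedelta

SYSTEM = r"NT AUTHORITY\SYSTEM"
PIPE_WINDOW = timedelta(seconds=30)          # assumed: creator -> SYSTEM client within 30 s
SYSTEM_CLIENTS = {"cmd.exe", "rundll32.exe"}  # clients the two named pipe techniques use

# Constructed sample events (simplified, Sysmon-like; not a real schema).
# event_id 17 = pipe created, 18 = pipe connected, 8 = remote thread, 7045 = service installed.
SAMPLE_EVENTS = [
    # pipe created by a process running as a local admin user ...
    {"time": "2024-01-01T10:00:00", "event_id": 17, "image": r"C:\Users\User\app.exe",
     "user": r"USER-PC\User", "pipe_name": r"\example_pipe"},
    # ... and a SYSTEM cmd.exe connects to it one second later (in-memory variant)
    {"time": "2024-01-01T10:00:01", "event_id": 18, "image": r"C:\Windows\System32\cmd.exe",
     "user": SYSTEM, "pipe_name": r"\example_pipe"},
    # a new service whose binary is rundll32.exe loading a DLL from disk (dropper variant)
    {"time": "2024-01-01T10:05:00", "event_id": 7045, "service_name": "svc-constructed",
     "image": r"rundll32.exe C:\Users\User\AppData\Local\Temp\example.dll,a"},
    # a thread created from a non-SYSTEM process into a SYSTEM service process (token duplication)
    {"time": "2024-01-01T10:10:00", "event_id": 8, "image": r"C:\Users\User\app.exe",
     "user": r"USER-PC\User", "target_image": r"C:\Windows\System32\svchost.exe",
     "target_user": SYSTEM},
    # benign: a SYSTEM service creating a pipe that another SYSTEM process uses (must not alert)
    {"time": "2024-01-01T10:20:00", "event_id": 17, "image": r"C:\Windows\System32\svchost.exe",
     "user": SYSTEM, "pipe_name": r"\benign_pipe"},
    {"time": "2024-01-01T10:20:02", "event_id": 18, "image": r"C:\Windows\System32\svchost.exe",
     "user": SYSTEM, "pipe_name": r"\benign_pipe"},
]


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one finding string per suspicious pattern, in time order."""
    findings = []
    creators = {}  # pipe_name -> (created_at, creating user, creating image)
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        eid = e["event_id"]
        if eid == 17:
            creators[e["pipe_name"]] = (t, e["user"], e["image"])
        elif eid == 18:
            # rule 1: pipe owned by a non-SYSTEM process, then a SYSTEM cmd/rundll32 client
            created = creators.get(e["pipe_name"])
            if (created and created[1] != SYSTEM and e["user"] == SYSTEM
                    and basename(e["image"]) in SYSTEM_CLIENTS
                    and t - created[0] <= PIPE_WINDOW):
                findings.append("pipe-impersonation: %s created by %s (%s), SYSTEM %s connected"
                                % (e["pipe_name"], created[1], created[2], basename(e["image"])))
        elif eid == 7045:
            # rule 2: service binary is rundll32.exe (a DLL dropped to disk run as a service)
            binary = e["image"].strip('"').split()[0]
            if basename(binary) == "rundll32.exe":
                findings.append("rundll32-service: service %s runs %s"
                                % (e["service_name"], e["image"]))
        elif eid == 8:
            # rule 3: thread injected from a non-SYSTEM process into a SYSTEM process
            if e["user"] != SYSTEM and e.get("target_user") == SYSTEM:
                findings.append("remote-thread-into-system: %s (%s) -> %s"
                                % (e["image"], e["user"], e["target_image"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The pipe rule keys on the combination of a non-SYSTEM creator and a SYSTEM client rather than on a pipe name, because the real pipe name is not a stable indicator; the benign SYSTEM-to-SYSTEM pair in the sample shows why the creator's context matters. In a real pipeline the same three rules would be expressed against the actual Sysmon and System-log fields and tuned against the legitimate services on the host.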
Use getsystem
To run getsystem, use the command getsystem. If you run getsystem without arguments, it attempts all three techniques.
```bash
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:

    -h        Help Banner.
    -t        The technique to use. (Default to '0').
                0 : All techniques available
                1 : Service - Named Pipe Impersonation (In Memory/Admin)
                2 : Service - Named Pipe Impersonation (Dropper/Admin)
                3 : Service - Token Duplication (In Memory/Admin)
```
Troubleshooting Operation Failed
If you get the following error, it may be caused by the Meterpreter session injecting a 32-bit payload when the target is 64-bit:
```bash
[*] Started reverse handler
[*] Starting the payload handler...
[*] Sending stage (971264 bytes)
[*] Meterpreter session 1 opened

meterpreter > getuid
Server username: User-PC\User
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect.
```
You can resolve this issue by updating your version of Metasploit Pro or by using a payload that matches the target OS architecture.