Practical Privilege Escalation Using Meterpreter

 

 

Privilege escalation is a big challenge once you have a Meterpreter session open on your victim machine. In this tutorial, I will show you a practical way to elevate your privileges and become admin.

So, let’s see what this tutorial lab will look like.

 

My attacker host will be Kali Linux, of course, and I will use the Social-Engineer Toolkit (SET) to generate a Meterpreter payload. You are probably asking yourself why I am using the Social-Engineer Toolkit and not Metasploit directly. Well, the Social-Engineer Toolkit uses Metasploit anyway, and it automates everything for you.

Next, we will send the payload to the Windows 7 machine and infect it by executing the malicious file. At this stage, we will have a Meterpreter session open, and from there I will show you how to remotely elevate your privileges to admin on the victim machine.

Let’s start.

Demo

Open your terminal window and execute the social engineer toolkit, using the setoolkit command.

SEToolkit

Next, choose option number one, for the social engineering attacks.

Social Engineering Attacks

To create a Meterpreter payload, choose option number 4, which is to create a payload and listener; the name is self-explanatory.

Create a Payload and a Listener

In this area, I will be using the Windows Reverse TCP Meterpreter, which is option number 2.

Reverse TCP Meterpreter

 

Next, I need to enter my Kali IP address, which is 192.168.0.102.

Enter IP Address

Next, SET asks me for the port that I will be listening on on my Kali machine.

I will choose port number 443. I like this port because it is the HTTPS port, and firewalls will not block it in a real-life scenario.

Enter Port Number

Check this out, the payload is saved in this directory.

Payload directory

Next, I will say yes to start the listener now using Metasploit.

Start Listener

Wait a few seconds and the Social-Engineer Toolkit will start the Metasploit framework. After that, Metasploit will execute a few commands to start the listener.

Metasploit Listening

Do you see how easy this is! I will open a new terminal window to show you the location of this file. First, I will list the contents of my home root directory, using the -a option to show the hidden files as well.

list files in Linux

Somewhere down here I have the set folder; its name starts with a dot, which means that this folder is hidden by default.

list hidden files on Kali

Let’s open it and check its contents, and voila, this is the payload file that we need to copy over to the Windows 7 host.

Payload.exe

On the victim machine, all I need is to double click on this file to infect it (execute it).

Payload on windows

 

 

Let’s go back to the Kali host. Here you go, we have a Meterpreter session opened.

Meterpreter Session

To interact with this session, type sessions -i followed by its ID number. I know it’s 1 because we only have one session opened, so logically speaking the ID will be one.

 

Meterpreter session interaction

Let me show you the workflow of Meterpreter privilege escalation before we proceed.

First, you will need to list the processes on the Windows machine and pick one to migrate to.

After this, I will check the user I’m logged on with to have an idea about who I am.

Finally, we will execute the getsystem command to elevate our privilege, let’s see if this is going to work.

Meterpreter Privilege Escalation Workflow

Let’s go back to Kali. To list all the processes on the Windows 7 machine, I will use the ps command.

show processes using Meterpreter

Next, I will locate the explorer.exe process and note its ID. Let’s migrate to this process:

Meterpreter Migration

 

Let’s take a look at the user that we’re using to log on by executing the getuid command.

getuid

I will switch to the command prompt using the shell command to get more information about this user.

more user info using Meterpreter

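It looks like it is a member of the local Administrators group.

Wait, don’t party yet; this doesn’t mean that we’re there yet. With UAC enabled, a process started by a member of the Administrators group still runs with a filtered, non-elevated token until it is elevated.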

Let’s go back to the Meterpreter prompt and try to see if we can elevate our privileges, first I will execute the use priv command and then the getsystem command.

Check this out, the operation has failed to execute. What now, right? After all these hassles and now we’re stuck.

Don’t worry, I have a solution for you, and it’s not Meterpreter. In fact, you need a powerful post-exploitation technique, because Meterpreter is probably good for Windows XP, but that operating system is history now. So, what is the solution, Gus? Well! You need PowerShell, and there is a tool that offers post-exploitation using PowerShell: it’s called EMPIRE! I already have a dedicated tutorial about this tool, check it out.

So, I’ll open my terminal window and browse to the empire folder located at my home root directory.

Empire PowerShell directory

If I list its contents I will see that the executable is here and waiting for my commands. Let’s execute this monster!

Since this is a fresh copy, I have 0 listeners and 0 agents active at this moment.

Empire PowerShell

Not a problem, let’s start! First, type listeners to switch to the listeners mode.

Empire PowerShell Listener

Second, I will use the http listener (using the uselistener command then the execute command) and I will type listeners one more time to list my active listeners.

 

Here you go, we have a listener active at this stage. Now, I need to generate the PowerShell script that I will use to infect the Windows 7 machine.

Type Launcher, then the language name (PowerShell), then the listener name, which is HTTP.

Awesome, all I need to do now is to copy this fancy script, go back to the Meterpreter session and paste it there, but first let’s switch into the command prompt (using the shell command).

Meterpreter and Empire PowerShell

And we’re done! Close this useless Meterpreter session because we don’t need it anymore.

On the Empire side, we can see that we have an agent active:

Next, press enter and type agents to list the active agents. Let’s rename the agent to something more meaningful, and start interacting with the Non-Admin Agent.

If I show the options using the info command you will realize that the High Integrity is set to 0 and this means that we’re not admin.

To elevate our privileges at this moment, all I need is to execute the magical command bypassuac followed by the listener name. Pay close attention to this message: we have a second agent active. Let’s see the information about this new guy. Check this out, we have an asterisk before the user name, and that means it’s an admin!

Let’s rename the new agent and interact with it.

I will double check to see if it’s really an admin (using the info command), and you bet I’m right because the High Integrity is set to one.
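
For defenders, the launcher step and the non-admin to High Integrity agent sequence described above both show up in process-creation logging. The following is an added example, not part of the original tutorial or of Empire: it triages records that use Sysmon Event ID 1 field names, decodes PowerShell encoded commands, and marks a user who ran one at Medium integrity and later at High. It assumes the launcher runs as a PowerShell encoded-command one-liner (the page does not show the launcher text); the events, the LAB\user1 account and the payload strings are constructed.

```python
import base64
import re

# A flag followed by a base64-looking argument, e.g. "-enc SQBFAFgA..."
FLAG_ARG = re.compile(r"[-/](\w+)\s+([A-Za-z0-9+/]{16,}={0,2})(?=\s|$)")

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline uses -EncodedCommand, else None."""
    for flag, blob in FLAG_ARG.findall(cmdline):
        name = flag.lower()
        # powershell.exe accepts prefixes of -EncodedCommand and the -ec alias
        if not ("encodedcommand".startswith(name) or name == "ec"):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:  # bad base64 or bad UTF-16: not an encoded command
            continue
    return None

def triage(events):
    """Flag encoded PowerShell; mark a user seen at Medium who now runs High."""
    findings, levels_by_user = [], {}
    for ev in events:  # dicts with Sysmon Event ID 1 field names, in time order
        if not ev["Image"].lower().endswith("\\powershell.exe"):
            continue
        script = decode_encoded_command(ev["CommandLine"])
        if script is None:
            continue
        seen = levels_by_user.setdefault(ev["User"], set())
        jump = ev["IntegrityLevel"] == "High" and "Medium" in seen
        seen.add(ev["IntegrityLevel"])
        findings.append({"user": ev["User"], "integrity": ev["IntegrityLevel"],
                         "decoded": script, "integrity_jump": jump})
    return findings

def ps_encode(script):  # base64 over UTF-16LE, the form -EncodedCommand expects
    return base64.b64encode(script.encode("utf-16-le")).decode()

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_EVENTS = [  # constructed records with harmless payloads
    {"Image": PS, "ParentImage": CMD, "User": "LAB\\user1", "IntegrityLevel": "Medium",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + ps_encode("Write-Output 'first'")},
    {"Image": PS, "ParentImage": CMD, "User": "LAB\\user1", "IntegrityLevel": "Medium",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"Image": PS, "ParentImage": CMD, "User": "LAB\\user1", "IntegrityLevel": "High",
     "CommandLine": "powershell.exe -e " + ps_encode("Write-Output 'second'")},
]
for finding in triage(SAMPLE_EVENTS):
    print(finding)
```

The integrity_jump flag is a triage hint, not a verdict: an administrator who approves a UAC prompt also moves from Medium to High, so review the decoded script alongside it.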

Let’s have some fun and extract the account credentials using Mimikatz.

Be patient for a few seconds while Mimikatz executes and finishes extracting all the passwords. Exciting! When you see the bye here, it means we’re done, so press Enter on your keyboard.

Mimikatz and Empire PowerShell

Let’s see the credentials using the creds command.

clear text passwords using Mimikatz

What a beautiful piece of art, check out these cleartext passwords.
