
Escalation of privileges

Open d0ubl3puls4r opened this issue 4 years ago • 5 comments

Hello, I would like to know how it works to escalate privileges in the system. I even went to the postexploit -> escalate -> getsystem options ..

It looks like the process was OK, but how do I access the session with those elevated privileges? From here on I don't know what else to do. Thanks in advance.

d0ubl3puls4r avatar Mar 19 '20 19:03 d0ubl3puls4r


This Link (wiki) explains all the steps required to elevate current session ... https://github.com/r00t-3xp10it/meterpeter/wiki/WSReset.exe-Privilege-Escalation-(Client.ps1)


The following screenshot shows how the priv escal works (manual test) ... "How, from a non-privileged PS console, we can call one elevated cmd prompt (test)"


Final notes:

The WStore.vbs script is uploaded to the target machine to execute the delay time required for the attacker to be able to EXIT and RESTART the meterpeter console prompt and receive the elevated connection back .. WStore.vbs will execute WSReset.exe (Windows Store process) at the end of the delay time chosen by the attacker, then the WSReset.exe process will exec the Client.ps1 stored in the target $env:tmp folder (elevated).

  • The C:\Windows\System32\WSReset.exe binary is only available in Windows '8|8.1|10' versions.

r00t-3xp10it avatar Mar 20 '20 04:03 r00t-3xp10it
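The chain described above (a VBS stage launching WSReset.exe, which then runs Client.ps1 from the Temp folder elevated) gives a defender two concrete parent/child relationships to alert on. The following is an added detection example, not code from meterpeter or its wiki; the Sysmon-style JSON events and their field names are constructed sample data, and the assumption that the VBS stage runs under wscript.exe is mine.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process creation) records, one JSON object per line.
# Lines 1-2 model the WSReset.exe chain; lines 3-4 are benign activity.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\WSReset.exe","ParentImage":"C:\\Windows\\System32\\wscript.exe","CommandLine":"WSReset.exe","User":"LAB\\alice","IntegrityLevel":"High"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\WSReset.exe","CommandLine":"powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\Client.ps1","User":"LAB\\alice","IntegrityLevel":"High"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WSReset.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"WSReset.exe","User":"LAB\\alice","IntegrityLevel":"High"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe","User":"LAB\\alice","IntegrityLevel":"Medium"}
"""

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path, so comparisons ignore directory and case."""
    return PureWindowsPath(path).name.lower()


def load_events(text):
    """Parse JSON-lines process-creation events into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def flag_wsreset_abuse(events):
    """Return (image, reason) pairs for events matching the WSReset.exe elevation chain."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        # WSReset.exe is an auto-elevated Store helper; it has no business spawning a script host.
        if parent == "wsreset.exe" and img in SCRIPT_HOSTS:
            reason = "WSReset.exe spawned a script host"
            if TEMP_PATH.search(ev.get("CommandLine", "")):
                reason += " running a script from a Temp directory"
            findings.append((ev["Image"], reason))
        # The staging side: a script host (the VBS delay stage) starting WSReset.exe.
        elif img == "wsreset.exe" and parent in SCRIPT_HOSTS:
            findings.append((ev["Image"], f"WSReset.exe launched by {parent}"))
    return findings


if __name__ == "__main__":
    for image, reason in flag_wsreset_abuse(load_events(SAMPLE_EVENTS)):
        print(f"ALERT {image}: {reason}")
```

Pairing the parent/child check with the Temp-path check keeps a lone benign WSReset.exe launch from explorer.exe (line 3) out of the alert queue while still catching both stages of the chain.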

Thanks, I managed to understand and it worked perfectly here, now my question is about the persistent mode, I activated the option, I left the program, restarted the windows machine and I was unable to return to the system access.

d0ubl3puls4r avatar Mar 21 '20 12:03 d0ubl3puls4r

What persistence did you pick?? meterpeter has 5 available persistence mechanisms ...

Remark: persistence does not give you SYSTEM access on its own ..

r00t-3xp10it avatar Mar 22 '20 04:03 r00t-3xp10it

I used almost all the options but I did not get a reverse access from the remote system. My question is whether the persistent mode serves as a backdoor allowing me to return to the system. How does this access work? Does it happen reversely? Do I have to put the tool back into listening mode on the same IP and port?

d0ubl3puls4r avatar Mar 24 '20 02:03 d0ubl3puls4r

yes... you have to put meterpeter in listening mode to wait for the connection .. and.. restart the target system .. because most persistence modules of meterpeter use the startup folder/registry RUN keys (schtasks does not require restarting the system)..

Remember to use the same port number|IP addr|obfuscation type as the persisted client


Please read this 'WIKI' that explains all the 'persistence' mechanisms.


r00t-3xp10it avatar Mar 24 '20 16:03 r00t-3xp10it