Chapter 6

The LHOST and LPORT options tell Metasploit that when it creates our Meterpreter payload it should connect back to our attacker machine on port 443. We then call the msfcli interface to start a listener handler for us. This listener handler will wait for connections, and when one is received, it will spawn a Meterpreter shell.

On the attacker machine, we create a new Meterpreter stand-alone executable at  , copy the executable to the Windows XP machine, and run it under the user account bob.

We then set up a listener at   to listen for the Meterpreter connection. 

After the target executes the payload on the system (payload.exe), we see a limited user Meterpreter console  . We can, for example, generate a payload.exe on a Back|Track machine, copy the executable to a Windows XP machine, and set up a listener to get a Meterpreter session.

As shown in the next listing, we drop to a Meterpreter shell at   and enter net user bob; we can see that user bob is a member of the Users group, is not an administrator, and has limited rights. We have a limited footprint from which to attack this device, and we can’t perform certain attacks, such as dumping the SAM database to extract usernames and passwords. (Luckily, Meterpreter has us covered, as you’ll see in a moment.) Our query complete, we press CTRL-Z, which saves our Meterpreter session and keeps us in the exploited system.

meterpreter > shell
Process 2896 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>net user bob
. . . SNIP . . .
Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
C:\>^Z
Background channel 1? [y/N]  y
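The group-membership check the listing performs by eye is the same one a defender runs when auditing which accounts on a host hold local administrative rights. The following Python, added here and not part of the book, parses net user output in the format shown above and flags admin-equivalent membership; both sample outputs and the user alice are constructed.

```python
# Added example (not from the book): parse the output of `net user <name>` as shown
# in the listing above and report whether the account is a limited user or sits in
# an administrative local group. Both sample outputs below are constructed.
import re

SAMPLE_NET_USER_BOB = """User name                    bob
Account active               Yes
Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
"""

SAMPLE_NET_USER_ALICE = """User name                    alice
Local Group Memberships      *Administrators       *Users
                             *Remote Desktop Users
Global Group memberships     *None
The command completed successfully.
"""

# Local groups whose membership confers administrative control of the host.
ADMIN_EQUIVALENT_GROUPS = {"Administrators"}


def parse_group_memberships(net_user_output: str) -> dict:
    """Return {'local': [...], 'global': [...]} from `net user` output.
    Groups are '*'-prefixed; long lists wrap onto indented continuation lines,
    so the section is carried across lines starting with whitespace."""
    groups = {"local": [], "global": []}
    section = None
    for line in net_user_output.splitlines():
        header = re.match(r"^(Local|Global) Group [Mm]emberships\s*(.*)$", line)
        if header:
            section, rest = header.group(1).lower(), header.group(2)
        elif section and line.startswith(" "):
            rest = line
        else:
            section = None
            continue
        # Group names are separated by runs of two or more spaces.
        groups[section] += [g.lstrip("*") for g in re.split(r"\s{2,}", rest.strip())
                            if g.startswith("*") and g != "*None"]
    return groups


def is_local_admin(net_user_output: str) -> bool:
    """True if the account holds membership in an admin-equivalent local group."""
    local = set(parse_group_memberships(net_user_output)["local"])
    return bool(local & ADMIN_EQUIVALENT_GROUPS)
```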

NOTE

Here’s another Meterpreter trick: While you’re in the Meterpreter console, enter background to jump back into msfconsole and leave the session running. Then enter sessions -l and sessions -i sessionid to return to your Meterpreter console.

Now let’s get administrative or SYSTEM rights. As shown in the next listing, we enter use priv to load the priv extensions, which gets us access to the privileged module (which may already be loaded). Next, we enter getsystem in an attempt to elevate our privilege to that of local system, or administrator. We then verify that we have admin privileges with the getuid command. The server username returned is NT AUTHORITY\SYSTEM, which tells us that we’ve succeeded at gaining administrator access.