Chapter 6
The LHOST and LPORT options tell Metasploit that when it creates our Meterpreter payload it should connect back to our attacker machine on port 443. We then call the msfcli interface to start a listener handler for us. This listener handler will wait for connections, and when one is received, it will spawn a Meterpreter shell.
On the attacker machine, we create a new Meterpreter stand-alone executable at , copy the executable to the Windows XP machine, and run it under the user account bob. We then set up a listener at to listen for the Meterpreter connection. After the target executes the payload on the system (payload.exe), we see a limited user Meterpreter console . We can, for example, generate a payload.exe on a Back|Track machine, copy the executable to a Windows XP machine, and set up a listener to get a Meterpreter session.
As shown in the next listing, we drop to a Meterpreter shell at and enter net user bob; we can see that user bob is a member of the Users group, is not an administrator, and has limited rights. We have a limited footprint from which to attack this device, and we can’t perform certain attacks, such as dumping the SAM database to extract usernames and passwords. (Luckily, Meterpreter has us covered, as you’ll see in a moment.) Our query complete, we press CTRL-Z, which saves our Meterpreter session and keeps us in the exploited system.
meterpreter > shell
Process 2896 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\> net user bob
. . . SNIP . . .
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
C:\> ^Z
Background channel 1? [y/N] y
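Seen from the defender's side, the session above leaves a recognisable trail in process-creation telemetry: an executable dropped in a user-writable directory spawns cmd.exe (the Meterpreter shell command; note "Process 2896 created"), and that cmd.exe then runs net.exe to enumerate an account. The following added example is not from the book; it walks constructed Sysmon Event ID 1 / Windows 4688-style records and flags exactly that chain. The record layout, host name and sample paths are assumptions.

```python
"""Flag the 'dropped exe -> cmd.exe -> net user' chain from the Meterpreter
shell session above in process-creation telemetry (added example; the record
layout and sample data are constructed, not the book's)."""
from collections import namedtuple

# One process-creation record, modelled on Sysmon Event ID 1 / Windows 4688.
Event = namedtuple("Event", "pid ppid user image cmdline")

# Constructed sample telemetry: the attack chain plus a benign user-opened
# command prompt that also runs net.exe, to show the filter is not just "net".
SAMPLE_EVENTS = [
    Event(2104, 1500, "XPBOX\\bob", "C:\\WINDOWS\\explorer.exe", "explorer.exe"),
    Event(2880, 2104, "XPBOX\\bob",
          "C:\\Documents and Settings\\bob\\Desktop\\payload.exe", "payload.exe"),
    Event(2896, 2880, "XPBOX\\bob", "C:\\WINDOWS\\system32\\cmd.exe", "cmd.exe"),
    Event(2910, 2896, "XPBOX\\bob", "C:\\WINDOWS\\system32\\net.exe", "net user bob"),
    Event(3001, 2104, "XPBOX\\bob", "C:\\WINDOWS\\system32\\cmd.exe", "cmd.exe"),
    Event(3005, 3001, "XPBOX\\bob", "C:\\WINDOWS\\system32\\net.exe", "net use"),
]

# Directories a limited user such as bob cannot normally write to.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")


def is_user_writable(path):
    """True if the image lives outside the protected system directories."""
    return not path.lower().startswith(SYSTEM_DIRS)


def find_shell_chains(events):
    """Return (origin pid, origin image, net command) for every net.exe
    account enumeration whose parent is cmd.exe launched by an executable
    running from a user-writable location."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        words = e.cmdline.lower().split()
        if not e.image.lower().endswith("\\net.exe") or "user" not in words:
            continue
        cmd = by_pid.get(e.ppid)
        if cmd is None or not cmd.image.lower().endswith("\\cmd.exe"):
            continue
        origin = by_pid.get(cmd.ppid)
        if origin is None or not is_user_writable(origin.image):
            continue
        hits.append((origin.pid, origin.image, e.cmdline))
    return hits


if __name__ == "__main__":
    for pid, image, cmdline in find_shell_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={image} ran '{cmdline}' via cmd.exe")
```

Only the payload.exe chain is reported; the user-opened prompt running "net use" under explorer.exe is left alone, which is the kind of noise a production rule has to tolerate.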
NOTE: Here’s another Meterpreter trick: While you’re in the Meterpreter console, enter background to jump back into msfconsole and leave the session running. Then enter sessions -l and sessions -i sessionid to return to your Meterpreter console.
Now let’s get administrative or SYSTEM rights. As shown in the next listing, we enter use priv to load the priv extensions, which gets us access to the privileged module (which may already be loaded). Next, we enter getsystem in an attempt to elevate our privilege to that of local system, or administrator. We then verify that we have admin privileges with the getuid command. The server username returned is NT AUTHORITY\SYSTEM, which tells us that we’ve succeeded at gaining administrator access.