Re: framework Digest, Vol 46, Issue 15

[Jeff Piquette <trcx528 () gmail com>]

Try taking a look at kon-boot. Boot from the cd and it will modify the
kernel on the fly to allow to log in as any user, just supply any
password (odd I know) ant it will log you in as that user. My personal
use of it has given me a 75% success rate, otherwise I just us
ophcrack to crack the admin pass.

~Jeff

Sent from my iPod

On Nov 26, 2011, at 12:00 PM, "framework-request () spool metasploit com"
<framework-request () spool metasploit com> wrote:

> Send framework mailing list submissions to
>    framework () spool metasploit com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>    https://mail.metasploit.com/mailman/listinfo/framework
> or, via email, send a message with subject or body 'help' to
>    framework-request () spool metasploit com
>
> You can reach the person managing the list at
>    framework-owner () spool metasploit com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of framework digest..."
>
>
> Today's Topics:
>
>   1. Re: Privilege escalation on an isolated system (Brahim Sakka)
>   2. Re: Privilege escalation on an isolated system (5.K1dd)
>   3. Re: Privilege escalation on an isolated system (Lukas Kuzmiak)
>   4. Re: Privilege escalation on an isolated system (Kevin Shaw)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 25 Nov 2011 22:39:03 +0100
> From: Brahim Sakka <brahim.sakka () gmail com>
> To: Roberto Espreto <robertoespreto () gmail com>, hazard0us.pt () gmail com
> Cc: framework () spool metasploit com
> Subject: Re: [framework] Privilege escalation on an isolated system
> Message-ID:
>    <CAHLWfDRYMPe=fERPDy-ve11ggVk=0u31aSSaYdTt0A5DawJ1hA () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Thanks haZ and Roberto.
>
> Let me explain the situation again. The Windows system I'm facing is
> not connected to a network (it has no NICs). I have unprivileged user
> access into it. It is _not_ an access through a meterpreter shell,
> it's just a classic user/password combo that I'm using (I have
> phisical access to the box).
> My question is: is there a way to leverage MSF's privilege
> exploitation capabilities in order to get admin privileges on this
> box?
>
>
> 2011/11/25, Roberto Espreto <robertoespreto () gmail com>:
> > Hi!
> >
> > Launch the Incognito module, list the available tokens and impersonate the
> > one you want.
> >
> > Regards,
> >
> >
> > 2011/11/25 Brahim Sakka <brahim.sakka () gmail com>
> >
> > > Hello list,
> > >
> > > I have a Windows XP SP3 test system with a limited user account. I
> > > want to escalate my privileges and "getsystem".
> > > Typically, I would generate an evil file with MSF, get a meterpreter
> > > shell then getsystem. However, in this particular case, the system
> > > cannot be connected to any network (no NICs). Also, I can't install
> > > MSF itself on it because I don't have the required privileges.
> > >
> > > Is it somehow possible to leverage the framework's built-in privilege
> > > escalation capabilities in order to get admin priveleges?
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> >
> >
> >
> > --
> > *Roberto S. Soares (espreto)*
> > robertoespreto () gmail com
> > espreto () hacktraining com br
> > www.hacktrainig.com.br
> > http://codesec.blogspot.com
> > Skype: hack_training
> > Twitter @espreto
> > ?
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 25 Nov 2011 16:26:29 -0600
> From: "5.K1dd" <5.k1dd () austinhackers org>
> To: framework () spool metasploit com
> Subject: Re: [framework] Privilege escalation on an isolated system
> Message-ID: <4ED01615.20301 () austinhackers org>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Metasploit really isn't designed for such a scenario.  You could
> generate meterpreter as an exe and run it locally, but you'd need a
> handler to interact with the session.  I'm not sure its possible to have
> the handler and meterpreter running on the same box since they would
> both be trying to use the same port to communicate.  Some of the aux
> modules come in standalone form on the websites of the various authors.
> That might be a possible avenue.
>
> > Thanks haZ and Roberto.
> >
> > Let me explain the situation again. The Windows system I'm facing is
> > not connected to a network (it has no NICs). I have unprivileged user
> > access into it. It is _not_ an access through a meterpreter shell,
> > it's just a classic user/password combo that I'm using (I have
> > phisical access to the box).
> > My question is: is there a way to leverage MSF's privilege
> > exploitation capabilities in order to get admin privileges on this
> > box?
> >
> >
> > 2011/11/25, Roberto Espreto <robertoespreto () gmail com>:
> > > Hi!
> > >
> > > Launch the Incognito module, list the available tokens and impersonate the
> > > one you want.
> > >
> > > Regards,
> > >
> > >
> > > 2011/11/25 Brahim Sakka <brahim.sakka () gmail com>
> > >
> > > > Hello list,
> > > >
> > > > I have a Windows XP SP3 test system with a limited user account. I
> > > > want to escalate my privileges and "getsystem".
> > > > Typically, I would generate an evil file with MSF, get a meterpreter
> > > > shell then getsystem. However, in this particular case, the system
> > > > cannot be connected to any network (no NICs). Also, I can't install
> > > > MSF itself on it because I don't have the required privileges.
> > > >
> > > > Is it somehow possible to leverage the framework's built-in privilege
> > > > escalation capabilities in order to get admin priveleges?
> > > > _______________________________________________
> > > > https://mail.metasploit.com/mailman/listinfo/framework
> > >
> > >
> > >
> > > --
> > > *Roberto S. Soares (espreto)*
> > > robertoespreto () gmail com
> > > espreto () hacktraining com br
> > > www.hacktrainig.com.br
> > > http://codesec.blogspot.com
> > > Skype: hack_training
> > > Twitter @espreto
> > > ?
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 25 Nov 2011 23:29:15 +0100
> From: Lukas Kuzmiak <lukash () backstep net>
> To: Brahim Sakka <brahim.sakka () gmail com>
> Cc: framework () spool metasploit com
> Subject: Re: [framework] Privilege escalation on an isolated system
> Message-ID:
>    <CABV5EtFs_9gUmARs3tnh0uLJV8bP-aU2yyDfO-5RFAvhjn7Bhg () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hey man,
>
> I would simply try to break down the getsystem from meterpreter and
> use its single parts to gain the system privileges.
>
> external/source/meterpreter/source/extensions/priv/server/elevate:
> elevate.c - handler for 4 privilege escalation exploits/techniques
> there (other 4 .c files)
>
> you might either play with those (they were ported for metasploit, so
> it won't be enough to just compile and run, you'd have to get rid of
> the meterpreter structures) or (perhaps an easier path) just use those
> as an inspiration and look on the internet for local implementations
> of those.
>
> from elevate.c:
> // firstly, try to use the in-memory named pipe impersonation
> technique (Requires Local Admin rights)
> // secondly, try to use the in-memory KiTrap0D exploit (CVE-2010-0232)
> (Requires Local User rights and vulnerable system)
> // thirdly, try to use the in-memory service token duplication
> technique (Requires Local Admin rights and SeDebugPrivilege)
> // fourthly, try to use the touching disk named pipe impersonation
> technique (Requires Local Admin rights)
>
> that's what getsystem basically does, so you can just follow the same
> path manually and see where you can get.
>
> hope i helped at least a little.
>
> or just look for other local windows exploits on the internet :)
>
> cheers,
> lukash
>
> On Fri, Nov 25, 2011 at 10:39 PM, Brahim Sakka <brahim.sakka () gmail com> wrote:
> > Thanks haZ and Roberto.
> >
> > Let me explain the situation again. The Windows system I'm facing is
> > not connected to a network (it has no NICs). I have unprivileged user
> > access into it. It is _not_ an access through a meterpreter shell,
> > it's just a classic user/password combo that I'm using (I have
> > phisical access to the box).
> > My question is: is there a way to leverage MSF's privilege
> > exploitation capabilities in order to get admin privileges on this
> > box?
> >
> >
> > 2011/11/25, Roberto Espreto <robertoespreto () gmail com>:
> > > Hi!
> > >
> > > Launch the Incognito module, list the available tokens and impersonate the
> > > one you want.
> > >
> > > Regards,
> > >
> > >
> > > 2011/11/25 Brahim Sakka <brahim.sakka () gmail com>
> > >
> > > > Hello list,
> > > >
> > > > I have a Windows XP SP3 test system with a limited user account. I
> > > > want to escalate my privileges and "getsystem".
> > > > Typically, I would generate an evil file with MSF, get a meterpreter
> > > > shell then getsystem. However, in this particular case, the system
> > > > cannot be connected to any network (no NICs). Also, I can't install
> > > > MSF itself on it because I don't have the required privileges.
> > > >
> > > > Is it somehow possible to leverage the framework's built-in privilege
> > > > escalation capabilities in order to get admin priveleges?
> > > > _______________________________________________
> > > > https://mail.metasploit.com/mailman/listinfo/framework
> > >
> > >
> > >
> > > --
> > > *Roberto S. Soares (espreto)*
> > > robertoespreto () gmail com
> > > espreto () hacktraining com br
> > > www.hacktrainig.com.br
> > > http://codesec.blogspot.com
> > > Skype: hack_training
> > > Twitter @espreto
> > > ?
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 25 Nov 2011 17:46:32 -0500
> From: Kevin Shaw <kevin.lee.shaw () gmail com>
> To: Lukas Kuzmiak <lukash () backstep net>
> Cc: framework () spool metasploit com
> Subject: Re: [framework] Privilege escalation on an isolated system
> Message-ID:
>    <CAG7+V37nF3C7VkJqzNZMYLV2bLFDS0h+g0Ht-VfD00T+MzVNag () mail gmail com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I wouldn't bother with meterpreter, just find a local privilege escalation
> exploit.  You have access to the system, you don't need much in the way of
> sparkle.
> On Nov 25, 2011 5:30 PM, "Lukas Kuzmiak" <lukash () backstep net> wrote:
>
> > Hey man,
> >
> > I would simply try to break down the getsystem from meterpreter and
> > use its single parts to gain the system privileges.
> >
> > external/source/meterpreter/source/extensions/priv/server/elevate:
> > elevate.c - handler for 4 privilege escalation exploits/techniques
> > there (other 4 .c files)
> >
> > you might either play with those (they were ported for metasploit, so
> > it won't be enough to just compile and run, you'd have to get rid of
> > the meterpreter structures) or (perhaps an easier path) just use those
> > as an inspiration and look on the internet for local implementations
> > of those.
> >
> > from elevate.c:
> > // firstly, try to use the in-memory named pipe impersonation
> > technique (Requires Local Admin rights)
> > // secondly, try to use the in-memory KiTrap0D exploit (CVE-2010-0232)
> > (Requires Local User rights and vulnerable system)
> > // thirdly, try to use the in-memory service token duplication
> > technique (Requires Local Admin rights and SeDebugPrivilege)
> > // fourthly, try to use the touching disk named pipe impersonation
> > technique (Requires Local Admin rights)
> >
> > that's what getsystem basically does, so you can just follow the same
> > path manually and see where you can get.
> >
> > hope i helped at least a little.
> >
> > or just look for other local windows exploits on the internet :)
> >
> > cheers,
> > lukash
> >
> > On Fri, Nov 25, 2011 at 10:39 PM, Brahim Sakka <brahim.sakka () gmail com>
> > wrote:
> > > Thanks haZ and Roberto.
> > >
> > > Let me explain the situation again. The Windows system I'm facing is
> > > not connected to a network (it has no NICs). I have unprivileged user
> > > access into it. It is _not_ an access through a meterpreter shell,
> > > it's just a classic user/password combo that I'm using (I have
> > > phisical access to the box).
> > > My question is: is there a way to leverage MSF's privilege
> > > exploitation capabilities in order to get admin privileges on this
> > > box?
> > >
> > >
> > > 2011/11/25, Roberto Espreto <robertoespreto () gmail com>:
> > > > Hi!
> > > >
> > > > Launch the Incognito module, list the available tokens and impersonate
> > the
> > > > one you want.
> > > >
> > > > Regards,
> > > >
> > > >
> > > > 2011/11/25 Brahim Sakka <brahim.sakka () gmail com>
> > > >
> > > > > Hello list,
> > > > >
> > > > > I have a Windows XP SP3 test system with a limited user account. I
> > > > > want to escalate my privileges and "getsystem".
> > > > > Typically, I would generate an evil file with MSF, get a meterpreter
> > > > > shell then getsystem. However, in this particular case, the system
> > > > > cannot be connected to any network (no NICs). Also, I can't install
> > > > > MSF itself on it because I don't have the required privileges.
> > > > >
> > > > > Is it somehow possible to leverage the framework's built-in privilege
> > > > > escalation capabilities in order to get admin priveleges?
> > > > > _______________________________________________
> > > > > https://mail.metasploit.com/mailman/listinfo/framework
> > > >
> > > >
> > > >
> > > > --
> > > > *Roberto S. Soares (espreto)*
> > > > robertoespreto () gmail com
> > > > espreto () hacktraining com br
> > > > www.hacktrainig.com.br
> > > > http://codesec.blogspot.com
> > > > Skype: hack_training
> > > > Twitter @espreto
> > > > ?
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://mail.metasploit.com/pipermail/framework/attachments/20111125/f9c52701/attachment-0001.html>
>
> ------------------------------
>
> _______________________________________________
> framework mailing list
> framework () spool metasploit com
> https://mail.metasploit.com/mailman/listinfo/framework
>
>
> End of framework Digest, Vol 46, Issue 15
> *****************************************
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework