Chapter 7. Windows Privilege Escalation

Privilege escalation is the process of increasing the level of access to a machine or a network. Technically, any exploit that gains access to a system is escalating the attacker's privileges: going from no access to User access is an escalation. Normally, though, the term is used for exploits that gain either root or SYSTEM access. In hacker terms, Total Pwnage. This is the ultimate goal of an attacker. Once this level of access is gained, all data on the system and all control of it are in your hands. Stealing data and/or confidential information is now just a matter of copying it off the system; you have the rights. In this chapter, we will cover the following:

  • Getting Access with Metasploit
  • Replacing Executables with Malevolent Twins
  • Local Privilege Escalation with a Stand-Alone tool
  • Escalating Privileges with Physical Access
  • Weaseling in with Weevely

Gaining access with Metasploit

Metasploit gives you an "Easy Button"; it's called getsystem. Once an exploit has compromised the system and you have a Meterpreter shell running, the getsystem command will automatically run an exploit to gain full SYSTEM-level access on a Windows machine. This also works on almost all other operating systems once a Meterpreter shell is established: Metasploit will run the right exploit for that operating system to gain full access. We have seen the use of this command in earlier chapters of this book; here we will cover it in a little more detail.

We are going to use an EasyFTP exploit to gain access. As we all know, some applications must be run under the Administrator account in order to run at all. This is also a good demonstration of why applications should never run under the Administrator account. We are going to exploit the system using a known domain user account named rred. The rred account is a normal domain account with the rights that any normal domain user would have; through this service, it has read/write access to the EasyFTP service and the FTP directory. The EasyFTP service itself is doing a Run As Administrator. In the following screenshot, we see the exploit running and compromising the system using the rred account:

[Figure: Gaining access with Metasploit]

After exploiting the system, we run the following command:

sysinfo

This shows we have a successful compromise and lists the system information.

Next, run the following command:

getuid

This shows the account the exploit is running under and the rights you have through the exploit. We can see that we have Administrator rights. We want full SYSTEM access, so next run the following command:

getsystem

This elevates your rights to SYSTEM. You can see this by running the getuid command again:

[Figure: Gaining access with Metasploit]

We now have a fully compromised machine.
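The EasyFTP case above works because the service runs as Administrator, so whoever can drive the service inherits its rights. The following PowerShell script is an added example (not from this chapter or from Metasploit) that an administrator can run on a Windows host to list services running under anything other than the built-in low-privilege accounts, so that a service like EasyFTP stands out before an attacker finds it. It assumes it is run with rights to query Win32_Service; the account list and trusted directories are assumptions you can adjust.

```powershell
# Added example: audit Windows services that run under a privileged account.
# Assumption: run locally with rights to query the Win32_Service CIM class.

# Built-in accounts that carry limited privileges; everything else
# (LocalSystem, a local Administrator, a domain account) is worth a look.
$lowPrivAccounts = @(
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

# On a default install only administrators can write under these roots;
# a privileged service whose binary lives elsewhere is a higher risk.
$trustedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)

function Get-PrivilegedServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -and ($lowPrivAccounts -notcontains $_.StartName)
        } |
        ForEach-Object {
            # Reduce "C:\path\svc.exe" -k args to the bare executable path.
            $exe = $_.PathName
            if (-not $exe) { $exe = '' }
            if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($exe -split ' ')[0] }

            $inTrustedRoot = $false
            foreach ($root in $trustedRoots) {
                if ($root -ne '\' -and
                    $exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrustedRoot = $true
                }
            }

            [pscustomobject]@{
                Name           = $_.Name
                RunsAs         = $_.StartName
                Executable     = $exe
                State          = $_.State
                OutsideTrusted = -not $inTrustedRoot
            }
        }
}

# Named accounts (for example a domain Administrator) are the worst case:
# compromising the service yields that account's token, as with EasyFTP.
Get-PrivilegedServices |
    Sort-Object OutsideTrusted, RunsAs -Descending |
    Format-Table -AutoSize
```

Services that show a named administrative account as RunsAs, or OutsideTrusted set to True, are the ones to reconfigure to a dedicated low-privilege service account.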
