Moving past the foothold with Armitage

Now that we have a theoretical background to part of how getsystem does its thing, let's jump back into leveraging Armitage for the post phase. If it seems like we're bouncing around a bit, it's because I think it's important to know what's going on behind the scenes when the tool removes the hurdles for you. Armitage, for example, will attempt escalation automatically once you gain your foothold on a target. Let's take a look.

In this scenario, I've just managed to sniff a password off the wire. It's being used on a local administrative appliance by a user who I know is a server administrator, so on a hunch, I attempt to authenticate to the domain controller. It's unfortunate how often this works in the real world, but it's a valuable training opportunity. Anyway, in Armitage I identify the domain controller, right-click on the icon and select Login, then select psexec:

The password works and the scary lightning bolts entomb the poor server. As I watch, I notice NT AUTHORITY\SYSTEM appear under the host. I authenticated as an administrator and Armitage was nice enough to escalate up to SYSTEM for me:
