Wednesday, December 23, 2015

From ADMIN to SYSTEM with love. The case of Windows 10, Server 2016 and above

This is for my mental note. If it benefits you, great.
2015 has been an extremely challenging year for most of us. Nevertheless, landing a shell with admin privileges is not really a big deal. The problem is that in certain environments the system has been hardened so that dumping or tampering with the lsass.exe process seems impossible.

For those of you who are not familiar, on previous versions of Windows we could simply use the at.exe trick combined with remote.exe (refer to Chris Gates' note) to obtain SYSTEM (aka NT AUTHORITY\SYSTEM).

Unfortunately, on Windows 10 the at function is no longer available.

This proves to be an inconvenience for us. As an alternative method, we can use the Meterpreter getsystem command, which is based on 3 techniques:

You can read my AV evasion technique. But say you are in a bit of a hurry, spawning a shell via exploits is not a priority, and what you really, truly need is just a Damn Good Shell to, ehem, let's say install software? Simple: just use psexec. I wrote about it previously to run as another user. But the current version of psexec comes with a GodMode switch: that damn -s switch.



To become SYSTEM, right-click cmd.exe and choose run as administrator, then run psexec -s -i -d CMD.
And thus you are spawned a shell with the highest integrity.
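From the defender's side, the same trick leaves two recognisable traces: a psexec process whose command line carries the -s switch, and a child process (here cmd.exe) started by PSEXESVC.exe, the service PsExec installs, running as NT AUTHORITY\SYSTEM. The triage below is an added example, not part of the original post; it assumes process-creation events in the shape of Sysmon Event ID 1 fields (Image, CommandLine, User, ParentImage) and runs over constructed sample events.

```python
import ntpath

# Constructed process-creation events shaped like Sysmon Event ID 1 fields.
# Paths, users and host names are made up for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\PsExec.exe", "CommandLine": "PsExec -s -i -d CMD",
     "User": r"CORP\alice", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\PSEXESVC.exe", "CommandLine": r"C:\Windows\PSEXESVC.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "CMD",
     "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\PSEXESVC.exe"},
    # Ordinary remote admin use of PsExec without -s: should not be flagged.
    {"Image": r"C:\Tools\PsExec.exe", "CommandLine": r"PsExec \\fs01 -u corp\bob ipconfig",
     "User": r"CORP\alice", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

PSEXEC_SYSTEM = "psexec launched with -s (run as SYSTEM)"
SVC_CHILD = "PSEXESVC.exe spawned a child running as NT AUTHORITY\\SYSTEM"


def _basename(path):
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def psexec_requests_system(event):
    """True when the process is PsExec and its command line carries the -s switch."""
    if not _basename(event["Image"]).startswith("psexec"):
        return False
    return any(tok.lower() == "-s" for tok in event["CommandLine"].split())


def system_child_of_psexesvc(event):
    """True when PSEXESVC.exe (the service PsExec drops) starts a process as SYSTEM."""
    return (_basename(event["ParentImage"]) == "psexesvc.exe"
            and event["User"].upper() == "NT AUTHORITY\\SYSTEM")


def triage(events):
    """Return (index, reason) for every event matching one of the two rules."""
    hits = []
    for i, ev in enumerate(events):
        if psexec_requests_system(ev):
            hits.append((i, PSEXEC_SYSTEM))
        elif system_child_of_psexesvc(ev):
            hits.append((i, SVC_CHILD))
    return hits


if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The second rule is the more robust one, since it fires on the SYSTEM child regardless of how psexec.exe was renamed on disk.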



R.I.P. AT and Shift 5 times.
