Class: Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Priv::Elevate

Inherits:

Object

• Object
• Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Priv::Elevate

Includes:

Rex::Post::Meterpreter::Ui::Console::CommandDispatcher

Defined in:

lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb

Overview

The local privilege escalation portion of the extension.

Constant Summary

Klass =

Console::CommandDispatcher::Priv::Elevate

ELEVATE_TECHNIQUE_NONE =

-1

ELEVATE_TECHNIQUE_ANY =

0

ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE =

1

ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 =

2

ELEVATE_TECHNIQUE_SERVICE_TOKENDUP =

3

ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE_RPCSS =

4

ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER =

5

ELEVATE_TECHNIQUE_NAMEDPIPE_EFS =

6

ELEVATE_TECHNIQUE_DESCRIPTION =

[
  'All techniques available',
  'Named Pipe Impersonation (In Memory/Admin)',
  'Named Pipe Impersonation (Dropper/Admin)',
  'Token Duplication (In Memory/Admin)',
  'Named Pipe Impersonation (RPCSS variant)',
  'Named Pipe Impersonation (PrintSpooler variant)',
  'Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)'
]

Instance Attribute Summary

Attributes included from Ui::Text::DispatcherShell::CommandDispatcher

#shell, #tab_complete_items

Instance Method Summary

• #cmd_getsystem(*args) ⇒ Object

  Attempt to elevate the meterpreter to that of local system.

• #commands ⇒ Object

  List of supported commands.

• #name ⇒ Object

  Name for this dispatcher.

• #translate_technique_index(index) ⇒ Object

  Returns the description of the technique(s).

Methods included from Rex::Post::Meterpreter::Ui::Console::CommandDispatcher

check_hash, #client, #docs_dir, #filter_commands, #initialize, #log_error, #msf_loaded?, #session, set_hash, #unknown_command

Methods included from Msf::Ui::Console::CommandDispatcher::Session

#cmd_background, #cmd_background_help, #cmd_exit, #cmd_irb, #cmd_irb_help, #cmd_irb_tabs, #cmd_pry, #cmd_pry_help, #cmd_resource, #cmd_resource_help, #cmd_resource_tabs, #cmd_sessions, #cmd_sessions_help

Methods included from Ui::Text::DispatcherShell::CommandDispatcher

#cmd_help, #cmd_help_help, #cmd_help_tabs, #deprecated_cmd, #deprecated_commands, #deprecated_help, #docs_dir, #help_to_s, included, #initialize, #print, #print_error, #print_good, #print_line, #print_status, #print_warning, #tab_complete_directory, #tab_complete_filenames, #tab_complete_generic, #tab_complete_source_address, #unknown_command, #update_prompt

Instance Method Details

#cmd_getsystem(*args) ⇒ Object

Attempt to elevate the meterpreter to that of local system.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb', line 79

def cmd_getsystem( *args )

  technique = ELEVATE_TECHNIQUE_ANY

  desc = ""
  ELEVATE_TECHNIQUE_DESCRIPTION.each_index { |i| desc += "\n\t\t#{i} : #{ELEVATE_TECHNIQUE_DESCRIPTION[i]}" }

  getsystem_opts = Rex::Parser::Arguments.new(
    "-h" => [ false, "Help Banner." ],
    "-t" => [ true, "The technique to use. (Default to '#{technique}')." + desc ]
  )

  getsystem_opts.parse(args) { | opt, idx, val |
    case opt
      when "-h"
        print_line( "Usage: getsystem [options]\n" )
        print_line( "Attempt to elevate your privilege to that of local system." )
        print_line( getsystem_opts.usage )
        return
      when "-t"
        technique = val.to_i
    end
  }

  if( technique < 0 or technique >= ELEVATE_TECHNIQUE_DESCRIPTION.length )
    print_error( "Technique '#{technique}' is out of range." )
    return false
  end

  if client.sys.config.is_system?
    print_error("Already running as SYSTEM")
    return
  end
  begin
    result = client.priv.getsystem( technique )
  rescue Rex::Post::Meterpreter::RequestError => e
    print_error("#{e.message} The following was attempted:")
    translate_technique_index(technique).each do |desc|
      print_error(desc)
    end
    elog("Technique: #{technique})", error: e)
    return
  end

  # got system?
  if result[0]
    print_line( "...got system via technique #{result[1]} (#{translate_technique_index(result[1]).first})." )
  else
    print_line( "...failed to get system while attempting the following:" )
    translate_technique_index(technique).each do |desc|
      print_error(desc)
    end
  end

  return result
end

#commands ⇒ Object

List of supported commands.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb', line 43

def commands
  {
    'getsystem' => 'Attempt to elevate your privilege to that of local system.'
  }
end

#name ⇒ Object

Name for this dispatcher.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb', line 52

def name
  'Priv: Elevate'
end

#translate_technique_index(index) ⇒ Object

Returns the description of the technique(s)

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb', line 60

def translate_technique_index(index)
  translation = ''

  case index
  when 0
    desc = ELEVATE_TECHNIQUE_DESCRIPTION.dup
    desc.shift
    translation = desc
  else
    translation = [ ELEVATE_TECHNIQUE_DESCRIPTION[index] ]
  end

  translation
end