Privilege Escalation with PowerShell and SET

In a previous article we used PowerShell Empire v2.3.0 for Windows Post Exploitation. The same can be done with one of the most popular tools called SETOOLKIT which is already pre-installed on every Kali Linux distribution.

To do this, you need to follow these steps:

Πριν ξεκινήσετε, βεβαιωθείτε ότι πρέπει να έχετε εγκαταστήσει την τελευταία version του SETOOLKIT στο μηχάνημα Kali Linux και η εντολή εκκίνησης του SET είναι “setoolkit".

As you press enter, a welcome screen will appear with the following list of options to select:

1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET Configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit

From the above menu, we will choose Social-Engineering Attacks, that is, the Select 1

Now as you press 1, new options will appear in the section Social-Engineering Attacks where is:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to main menu.

So here, we will choose the option 4, that is Create a Payload and Listen , where we will create a malicious payload, which we will send by any means (Social Engineering, via Facebook, via Twitter, via email, etc.).

The next screen will list the number of payloads based on his selection exploit.

Here the best payload is Windows Reverse_TCP Meterpreter, that is, the option 2 which immediately opens a meterpreter shell against the target whenever it runs it file you.

In addition, each payload has its own use and options and from this reverse TCP payload is one of the best payloads.

Then enter the localhost IP address and PORT number (443) as shown below:

Wait 1-3 minutes for the tool to automatically generate a compatible payload and start the listener service on its own as shown below

And finally, a reverse TCP handler will start against the target.

In the screenshot below, a new file appears to have been created payload.exe, which you must further install the same on other machines or VMs.

Now, as you can see, you immediately got a meterpreter session and typing “Sysinfo”Shows you all the information about your operational goal.

Now execute the command “ps”To see all current processes and note the PID value of the explorer.exe process.

Here we will migrate the Meterpreter to the process explorer.exe, so that we do not have to worry about the repetitive process that will reset and close our session.

To migrate it, just type the following command:

Then enter the command getuid where it will show you the user to whom the Meterpreter server is running as on the host.

Also enter the command “shell” to switch to Shell mode Command Windows where you can run all CMD commands like dir, net user etc.

Then, if you want to see all the information of the current user, then enter “”Where you can tick the“ Local Group Memberships ”section (which is an administrator) as shown below:

Often, especially with client-side exploits, you will find that the session has limited user rights. This can severely limit the actions you can perform on the remote system, such as password dumping, registry manipulation, installation backdoors etc.

Fortunately, Metasploit has a Meterpreter script called “getsystem ”, which will use various techniques to attempt to obtain SYSTEM level privileges in the remote system.

Just exit shell and we type "use priv”Together with the command“getsystem".

We will let Metasploit try to do the hard work for us by running “getsystemWithout any other choice. The script will use every available method, stopping when the process is successful.

In the blink of an eye, your session will receive SYSTEM privileges, but if not, then you should use the Empire Powershell Framework for scaling privileges as we have already explained.

Return to its main directory Empire and grant executable rights to empire by typing “chmod + x empire”And then run it ./empire.

We see the welcome screen of Empire Project which clearly shows that, there are 285 sections that include listeners, agents, mimikatz etc.

To view the available sections, type usemodule [tab] . To search for section names / descriptions, use searchmodule privesc and the corresponding names / descriptions of the modules to be exported.

The first thing you need to do is create a local listener. The listeners command will take you to the listeners management menu.

The order uselistener will allow you to select the type of listener. If you press TAB after this command all available types of listeners will be displayed. So in this case, we're going to use the http listener module that you can use by typing “uselistener http”And then enter“execute" for implementation.