Climbing the ladder with Armitage
Privilege escalation is a funny topic nowadays because the tools at our disposal do so much behind the scenes. It’s easy to take systems for granted when we’re playing with Metasploit and the Armitage frontend. In a Meterpreter session, for example, we can execute getsystem, and often, we get the SYSTEM privilege in a matter of seconds. How is this accomplished so effortlessly? First, we’ll look at a couple of core concepts in Windows: named pipes and security contexts.
Named pipes and security contexts
Yes, you’re right; the word pipe in this context is related to pipelines in the Unix-like world (and, as we covered in Chapter 9, Powershell Fundamentals, pipelines in PowerShell). The pipelines we worked with were unnamed and resided in the shell. The named pipe concept, on the other hand, gives the pipe a name, and by having a name, it utilizes the filesystem so that interaction with it is like interacting...
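To make the "a pipe with a name lives in the filesystem" idea concrete, here is a small added example (not from the book) using the POSIX equivalent of a named pipe, a FIFO, from Python. Windows named pipes live under \\.\pipe\ and carry a security descriptor rather than POSIX file bits, so this is an analogue of the concept, not Windows code. The function name demo_named_pipe and the message are constructed for this illustration. One thread opens the pipe for writing, the main thread opens the same path for reading, and the bytes flow through a filesystem entry that has an owner and permission bits just like a file.

```python
import os
import stat
import tempfile
import threading


def demo_named_pipe(message: bytes = b"hello through a named pipe") -> dict:
    """Create a FIFO (POSIX named pipe), push bytes through it, and report
    what the filesystem says about it. Hypothetical helper for illustration."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "demo.fifo")

    # The pipe gets a name in the filesystem. Its mode bits decide who may
    # open it, which is the POSIX cousin of the security descriptor on a
    # Windows named pipe: the name is the access-control boundary.
    os.mkfifo(path, 0o600)

    st = os.stat(path)
    is_fifo = stat.S_ISFIFO(st.st_mode)     # True: it is a pipe, not a file
    perms = stat.S_IMODE(st.st_mode)        # owner-only bits (subject to umask)

    # Opening a FIFO for writing blocks until a reader opens it (and vice
    # versa), so the writer runs in its own thread.
    def writer():
        with open(path, "wb") as fifo:
            fifo.write(message)

    t = threading.Thread(target=writer)
    t.start()
    with open(path, "rb") as fifo:          # same API as reading a file
        data = fifo.read()
    t.join()

    os.unlink(path)
    os.rmdir(tmpdir)
    return {"is_fifo": is_fifo, "perms": perms, "data": data}


if __name__ == "__main__":
    print(demo_named_pipe())
```

The security-relevant takeaway is the last point in the comments: once a pipe has a name, the question of who is allowed to open that name, and in what context the server side runs, is an access-control question, which is why the next part of the chapter turns to security contexts.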