# Meterpreter getsystem

## getsystem

Meterpreter has a built-in command `getsystem`. This thing is not reliable, but it is good to know that it exists.

{% hint style="danger" %}
Don't use `getsystem` in real-world scenarios since it might crash the victim machine.
{% endhint %}

## Techniques

The `getsystem` command offers three techniques. The first two rely on **named pipe impersonation**, and the last one relies on **token duplication**:

```bash
meterpreter > getsystem -h
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h        Help Banner.
    -t <opt>  The technique to use. (Default to '0').
                0 : All techniques available
                1 : Service - Named Pipe Impersonation (In Memory/Admin)
                2 : Service - Named Pipe Impersonation (Dropper/Admin)
                3 : Service - Token Duplication (In Memory/Admin)
```

**Technique 1** creates a named pipe from Meterpreter. It also [creates and runs a service](https://github.com/rapid7/meterpreter/blob/master/source/extensions/priv/server/elevate/namedpipe.c) that runs `cmd.exe /c echo "some data" > \\.\pipe\[random pipe here]`. When the spawned cmd.exe connects to Meterpreter’s named pipe, Meterpreter has the opportunity to impersonate that security context. [Impersonation of clients](http://msdn.microsoft.com/en-us/library/windows/desktop/aa365573\(v=vs.85\).aspx) is a named pipes feature. The context of the service is SYSTEM, so when you impersonate it, you become SYSTEM.

**Technique 2** is like technique 1. It creates a named pipe and impersonates the security context of the first client to connect to it. To create a client with the SYSTEM user context, this technique drops a DLL to disk (!) and schedules rundll32.exe as a service to run the DLL as SYSTEM. [The DLL](https://github.com/rapid7/meterpreter/blob/master/source/elevator/namedpipeservice.c) connects to the named pipe and that’s it. Look at [`elevate_via_service_namedpipe2`](https://github.com/rapid7/meterpreter/blob/master/source/extensions/priv/server/elevate/namedpipe.c) in Meterpreter’s source to see this technique.

As the help information states, this technique drops a file to disk. This is an opportunity for an anti-virus product to catch you. If you’re worried about anti-virus or leaving forensic evidence, I’d avoid `getsystem -t 0` (which tries every technique) and I’d avoid `getsystem -t 2`.

**Technique 3** is a little different. [This technique](https://github.com/rapid7/meterpreter/blob/master/source/extensions/priv/server/elevate/tokendup.c) assumes you have SeDebugPrivilege (something `getprivs` can help with). It loops through all open services to find one that is running as SYSTEM and that you have permissions to inject into. It uses [reflective DLL injection](http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf) to run [its `elevator.dll`](https://github.com/rapid7/meterpreter/blob/master/source/elevator/tokendup.c) in the memory space of the service it finds. This technique also passes the current thread id (from Meterpreter) to `elevator.dll`. When run, `elevator.dll` gets the SYSTEM token, opens the primary thread in Meterpreter, and tries to apply the SYSTEM token to it.

This technique’s implementation limits itself to x86 environments only. On the bright side, it does not require spawning a new process and it takes place entirely in memory.

Let’s say techniques 1-3 fail. You can always fall back to getting system by hand. All of these techniques rely on your ability, as a privileged user, to create or inject into a service. If these techniques fail, generate an executable for your payload and use `sc` or `at` to run it as SYSTEM. There you go, you’ve got system.
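Everything above except technique 3 goes through the Service Control Manager: technique 1 registers a `cmd.exe ... > \\.\pipe\...` service, technique 2 registers a `rundll32.exe` service pointing at the dropped DLL, and the by-hand `sc` fallback registers the payload itself. Each of those installs lands in the Windows System log as Event ID 7045 ("A service was installed in the system"), which is what a blue team sees. The script below is an added example for this note, not Meterpreter or Cobalt Strike code: it parses constructed 7045 message bodies (the service names, paths and the `,a` rundll32 argument are placeholders) and flags the shapes described in this page.

```python
"""Flag Event ID 7045 service installs with the shape of getsystem's
service-based techniques.  Added example for this note; the event texts
below are constructed samples, not captured from a real host."""
import re

# Constructed 7045 ("A service was installed in the system") message bodies.
# Field labels follow the event's own text; every value is invented.
SAMPLE_7045_MESSAGES = [
    # Benign: a Windows service from System32, kept to show the rules stay quiet.
    r"""A service was installed in the system.

Service Name:  Spooler
Service File Name:  C:\Windows\System32\spoolsv.exe
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
    # Technique 1 shape: cmd.exe echoing into a named pipe, started as SYSTEM.
    r"""A service was installed in the system.

Service Name:  kZqXwvTy
Service File Name:  cmd.exe /c echo kZqXwvTy > \\.\pipe\kZqXwvTy
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem""",
    # Technique 2 shape: rundll32.exe loading a DLL dropped under a user profile
    # (the ",a" entry-point argument is a placeholder, not taken from the source).
    r"""A service was installed in the system.

Service Name:  rBnMpLqA
Service File Name:  rundll32.exe C:\Users\alice\AppData\Local\Temp\rBnMpLqA.dll,a
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem""",
    # By-hand fallback: a payload executable registered with sc to run as SYSTEM.
    r"""A service was installed in the system.

Service Name:  updater
Service File Name:  C:\Users\alice\AppData\Local\Temp\payload.exe
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem""",
]

# "Label:  value" lines of the 7045 message body.
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s+(.*)$",
    re.MULTILINE,
)
# cmd.exe /c echo <anything> > \\.\pipe\<name>  (technique 1's service command)
PIPE_ECHO_RE = re.compile(r"cmd(?:\.exe)?\s+/c\s+echo\b.*>\s*\\\\\.\\pipe\\", re.IGNORECASE)
# rundll32.exe <something>.dll  (technique 2 runs its dropped DLL this way)
RUNDLL32_DLL_RE = re.compile(r"\brundll32(?:\.exe)?\b.*\.dll\b", re.IGNORECASE)
# Image path rooted in a location a non-admin user can normally write to.
USER_WRITABLE_RE = re.compile(
    r'(?:^|[\s"])(?:[A-Z]:\\Users\\|[A-Z]:\\Windows\\Temp\\|%TEMP%|%APPDATA%)', re.IGNORECASE
)
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system", "system"}


def parse_7045(message):
    """Turn one 7045 message body into a dict keyed by its field labels."""
    return {label: value.strip() for label, value in FIELD_RE.findall(message)}


def classify(event):
    """Return finding labels for a parsed record; an empty list means nothing notable."""
    image = event.get("Service File Name", "")
    account = event.get("Service Account", "").lower()
    findings = []
    if PIPE_ECHO_RE.search(image):
        findings.append("named-pipe-impersonation-service")
    if RUNDLL32_DLL_RE.search(image) and USER_WRITABLE_RE.search(image):
        findings.append("rundll32-dll-dropper-service")
    if account in SYSTEM_ACCOUNTS and USER_WRITABLE_RE.search(image):
        findings.append("system-service-from-user-writable-path")
    return findings


def scan(messages):
    """Map service name -> findings for every message that trips at least one rule."""
    results = {}
    for message in messages:
        event = parse_7045(message)
        findings = classify(event)
        if findings:
            results[event.get("Service Name", "?")] = findings
    return results


if __name__ == "__main__":
    for name, labels in scan(SAMPLE_7045_MESSAGES).items():
        print(f"{name}: {', '.join(labels)}")
```

The pipe-echo rule is the most specific signal, since a legitimate service almost never has `cmd.exe /c echo` as its image path; the user-writable-path rule is broader and will need tuning per environment, but it also catches the plain `sc create` fallback, which leaves no other trace in the service command line. Technique 3 creates no service and is not covered here.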

## Reference

{% embed url="https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/" %}
What happens when I type getsystem?
{% endembed %}
