Contents

Am I an Admin? Railgun Script

Contents

When you first step on a machine, you want to determine quickly if you are just a user or an administrator. Meterpreter doesn’t have a way to quickly check this. You could drop to a shell, check the local users group “Adminitrators”, and check your user, and correlate any groups that are shared between the outputs. You could do ‘getsystem’ and if one works other than Kitrap0d. You could also just do a ‘ps’ and notice that you can see ‘SYSTEM’ processes.

But, I wanted to make a way that check a bunch of sessions all at once. So I wrote “AmIAdmin.rb” which uses meterpreter’s railgun extension to execute “IsUserAdmin”.

Being that Shell32.dll isn’t included in railgun by default we have to add it. After writing it I decided to add some checks. These checks make sure that each piece of the script isn’t already loaded. It’s a good reference for doing this in the future.

(you can remove the print_status lines if you want the script to be quieter)

Here is the script for your consumption:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
if client.platform == "x64/win32"        
	print_status "Railgun is currently not supported for x64 bit systems"         
raise Rex::Script::Completed        
end

if client.railgun.present? == true       
	print_status "Railgun already loaded.. skipping"         
else        
	print_status "Loading Railgun"         
	client.core.use("railgun")        
end

if client.railgun.dll['shell32'] == nil       
	print_status "Adding Shell32.dll"         
	client.railgun.add_dll('shell32','shell32')        
else        
	print_status "Shell32 already loaded.. skipping"         
end

if (client.railgun.shell32.functions['IsUserAnAdmin'] == nil       
	print_status "Adding the IsUserAnAdmin function"         
	client.railgun.add_function('shell32', 'IsUserAnAdmin', 'BOOL', [])        
else        
	print_status "IsUserAnAdmin already loaded.. skipping"         
end

print_status "Running the IsUserAnAdmin function"        
status = client.railgun.shell32.IsUserAnAdmin()

if status["return"] == true then       
	print_status "You are an administrator"         
else        
	print_error "You are not an administrator"         
end