When you first step on a machine, you want to determine quickly if you are just a user or an administrator. Meterpreter doesn’t have a way to quickly check this. You could drop to a shell, check the local users group “Adminitrators”, and check your user, and correlate any groups that are shared between the outputs. You could do ‘getsystem’ and if one works other than Kitrap0d. You could also just do a ‘ps’ and notice that you can see ‘SYSTEM’ processes.
But, I wanted to make a way that check a bunch of sessions all at once. So I wrote “AmIAdmin.rb” which uses meterpreter’s railgun extension to execute “IsUserAdmin”.
Being that Shell32.dll isn’t included in railgun by default we have to add it. After writing it I decided to add some checks. These checks make sure that each piece of the script isn’t already loaded. It’s a good reference for doing this in the future.
(you can remove the print_status lines if you want the script to be quieter)
Here is the script for your consumption:
if client.platform == "x64/win32"
print_status "Railgun is currently not supported for x64 bit systems"
if client.railgun.present? == true
print_status "Railgun already loaded.. skipping"
print_status "Loading Railgun"
if client.railgun.dll['shell32'] == nil
print_status "Adding Shell32.dll"
print_status "Shell32 already loaded.. skipping"
if (client.railgun.shell32.functions['IsUserAnAdmin'] == nil
print_status "Adding the IsUserAnAdmin function"
client.railgun.add_function('shell32', 'IsUserAnAdmin', 'BOOL', )
print_status "IsUserAnAdmin already loaded.. skipping"
print_status "Running the IsUserAnAdmin function"
status = client.railgun.shell32.IsUserAnAdmin()
if status["return"] == true then
print_status "You are an administrator"
print_error "You are not an administrator"