> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/windows/getsystem/trick-0442.md).

# Windows Privesc GetSystem

***

To attempt privilege escalation to the `NT AUTHORITY\SYSTEM` user when you have a Meterpreter session on a Windows target, use the `getsystem` command.

```
getsystem
```

This command bundles several techniques, often involving token impersonation, to try and elevate your current process's privileges to the highest level available. Its success depends on the current user's privileges and the target OS version and patch level.

The `getsystem` command attempts to elevate the current Meterpreter session to `NT AUTHORITY\SYSTEM`. There are several methods that `getsystem` attempts, which can be specified with the `-m` option.

The available methods are:

* `-m 0`: Token Impersonation (`CreateProcessWithTokenW` / `CreateProcessAsUserW`) - Attempts to impersonate a token from an existing process.
* `-m 1`: Named Pipe Impersonation - Creates a named pipe and then tricks a privileged process into connecting to it.
* `-m 2`: Service (Token Impersonation) - Creates a service that runs as SYSTEM and impersonates the current user’s token.
* `-m 3`: Service (Named Pipe Impersonation) - Combines service creation and named pipe impersonation.
* `-m 4`: Service (Named Pipe Impersonation with SYSTEM token) - Similar to Method 3, but it specifically goes after a SYSTEM token.

By default, `getsystem` will attempt all methods in a specific order until one succeeds. You can specify a particular method using the `-m` option.

For example, to attempt method 1:

```
meterpreter > getsystem -m 1
```

Or simply to attempt all methods:

```
meterpreter > getsystem
```
