Bypass UAC and Get Admin Privilege in Windows 7 Using Metasploit
Filed under: ETHICAL HACKING, KALI LINUX, PEN-TESTING
June 19, 2014
Sometimes, when you exploit a security hole and successfully gain access to a target system, you only act as the logged-in user, not as the local SYSTEM account. This tip shows a simple way to escalate your privileges from inside Meterpreter.
The picture below was taken after successfully gaining access with a payload I created. The session only has limited user rights, which can severely restrict the actions you can perform on the remote system, such as dumping passwords, manipulating the registry, or installing backdoors.
Fortunately, Metasploit has a Meterpreter script, ‘getsystem’, that uses a number of different techniques to attempt to gain SYSTEM-level privileges on the remote system. There are also various other (local) exploits that can be used to escalate privileges. To make use of the ‘getsystem’ command, we first need to load the ‘priv’ extension if it is not already loaded.
We let Metasploit do the heavy lifting for us by running “getsystem” without any options. The script attempts every method available to it, stopping as soon as one succeeds. There are situations where getsystem fails, depending on the operating system and the exploitation method we are using.
In the image above we have only obtained access as a normal user account with limited privileges; running post/windows/gather/win_privs lists the privileges of the currently logged-in user.
For this tutorial we are exploiting Windows 7 as the victim machine; running the sysinfo command in your Meterpreter shell gives you information about the system you are exploiting.
If the getsystem code detects that it is running on Windows 7 with UAC disabled and as a local admin, it will use the read-registry method.
When we run getsystem here it fails, because the currently logged-in user does not have enough privilege to obtain admin rights, and in particular UAC is enabled by default in Windows 7. So we first try to bypass UAC on Windows 7; luckily, Metasploit has a Windows UAC bypass exploit.
To do that we background the session, run the bypassuac exploit manually against the session we just backgrounded, and once it succeeds run getsystem to get admin privilege.
I exploited this machine with the payload I created before, so try the method you used for exploiting the machine before.
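The bypass described above only works because the box is left at the Windows 7 default UAC level and the logged-in user is a member of the local Administrators group. Added here as a defender's check (not part of the original post or of Metasploit): a short Python audit that parses the output of `reg query` for the UAC policy key and reports whether a session like the one in the post would be exposed. The sample output is constructed.

```python
import re

# Constructed sample: what `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
# prints on a Windows 7 machine left at its default UAC level (the setup the post relies on).
SAMPLE_REG_QUERY = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    ConsentPromptBehaviorUser    REG_DWORD    0x3
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
"""

# A value line is indented: <name> <type> <data>; the key path itself is not indented.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S+)\s*$")


def parse_reg_query(text):
    """Parse `reg query` output into {value_name: int}, keeping REG_DWORD values only."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group(2) == "REG_DWORD":
            values[m.group(1)] = int(m.group(3), 16)   # reg query prints DWORDs as 0x...
    return values


def assess_uac(values, user_is_local_admin):
    """Return (exposed, findings). exposed is True when a logged-in local admin
    could reach admin rights without a consent prompt, i.e. UAC is off or is
    not set to 'Always notify' (ConsentPromptBehaviorAdmin = 2)."""
    findings = []
    enable_lua = values.get("EnableLUA", 1)
    admin_prompt = values.get("ConsentPromptBehaviorAdmin", 5)
    secure_desktop = values.get("PromptOnSecureDesktop", 1)
    if enable_lua == 0:
        findings.append("EnableLUA=0: UAC is disabled outright, getsystem needs no bypass")
    elif admin_prompt != 2:
        findings.append("ConsentPromptBehaviorAdmin=%d: not 'Always notify' (2), auto-elevating "
                        "Windows binaries run without a prompt" % admin_prompt)
    if secure_desktop == 0:
        findings.append("PromptOnSecureDesktop=0: prompts are shown on the normal desktop")
    if not user_is_local_admin:
        findings.append("user is not a local admin: a UAC bypass alone does not yield admin")
    exposed = user_is_local_admin and (enable_lua == 0 or admin_prompt != 2)
    return exposed, findings


if __name__ == "__main__":
    exposed, findings = assess_uac(parse_reg_query(SAMPLE_REG_QUERY), user_is_local_admin=True)
    print("exposed:", exposed)
    for f in findings:
        print(" -", f)
```

Setting ConsentPromptBehaviorAdmin to 2 (Always notify), or simply not doing day-to-day work in an account that is a local administrator, removes the condition the post depends on.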