UAC Bypass: Memory Injection (Metasploit)
Checking the current user privileges
getuid
sysinfo
We can observe that we are running as an admin user. Migrate into explorer.exe: first, search for the PID of explorer.exe, then use the migrate command to move the current session into that process.
Please note that explorer.exe is an x64 process, so later, when we perform the UAC bypass, we have to use an x64 meterpreter payload.

Elevate to the high privilege:

We can observe that the attempt fails: we do not have permission to elevate privileges from this medium-integrity session.
Get a Windows shell and check whether the admin user is a member of the Administrators group.

The admin user is a member of the Administrators group. However, we do not have high privilege as of now, because UAC runs the session with a filtered, medium-integrity token. We can gain high privilege by bypassing UAC (User Account Control).
We are going to bypass UAC using the Metasploit local exploit module bypassuac_injection.
“This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.”
Source: [https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_injection/]
Background the current session and use the local exploit module for the UAC bypass.

Run the UAC Bypass In-Memory Injection module.

Elevate to high privilege from the new session.

We have successfully gained high-privilege access. Next, dump the user hashes.
Migrate into the lsass.exe process.

Dump the hashes.
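From the defender's side, the two process-injection steps in this walkthrough (migrating into explorer.exe, later into lsass.exe, and then reading lsass memory) show up as Sysmon CreateRemoteThread (Event ID 8) and ProcessAccess (Event ID 10) events. The following is an added example, not part of the original write-up: a small Python triage check over constructed, simplified key=value log lines; the allow-list, access mask and sample paths are assumptions to tune per environment.

```python
"""Flag Sysmon-style events matching the process-migration steps above.

Added example (not part of the original write-up). The log lines below are
constructed in a simplified key=value form, not real Sysmon output.
"""
import re

# Event 8 = CreateRemoteThread (what a meterpreter 'migrate' produces);
# Event 10 = ProcessAccess (what reading lsass.exe memory produces).
SENSITIVE_TARGETS = {"explorer.exe", "lsass.exe"}
# Access rights needed to read lsass memory (PROCESS_VM_READ 0x10,
# PROCESS_QUERY_INFORMATION 0x400); assumption for this example.
LSASS_SUSPICIOUS_MASK = 0x0010 | 0x0400
# Processes expected to touch lsass.exe legitimately; assumed, tune per host.
ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

def parse(line):
    """Turn 'Key=Value Key=Value' into a dict (constructed log format)."""
    return dict(re.findall(r"(\w+)=([^\s]+)", line))

def is_suspicious(ev):
    """Return a reason string if the event looks like migration/dumping, else None."""
    src = ev.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
    tgt = ev.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    if tgt not in SENSITIVE_TARGETS or src in ALLOWED_SOURCES:
        return None
    if ev.get("EventID") == "8":
        return f"remote thread created in {tgt} by {src}"
    if ev.get("EventID") == "10" and tgt == "lsass.exe":
        granted = int(ev.get("GrantedAccess", "0"), 16)
        if granted & LSASS_SUSPICIOUS_MASK:
            return f"{src} opened lsass.exe with 0x{granted:x}"
    return None

def scan(lines):
    """Return the list of alert reasons for all suspicious lines."""
    return [r for r in (is_suspicious(parse(l)) for l in lines) if r]

# Constructed sample: a dropped binary injects into explorer.exe, csrss.exe
# touches lsass legitimately, then explorer.exe opens lsass.exe for reading.
SAMPLE_LOG = [
    "EventID=8 SourceImage=C:\\Users\\admin\\Downloads\\update.exe TargetImage=C:\\Windows\\explorer.exe",
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\explorer.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT:", hit)
```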

References
[https://www.exploit-db.com/exploits/39161]
[https://www.rapid7.com/db/modules/exploit/windows/http/rejetto_hfs_exec]
[https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_injection/]