Friday, June 10, 2016

METASPLOIT - Windows 7 - Bypassing User Account Control


- Layout for this exercise:

- Let's suppose we have a Windows 7 system already exploited:

- From Control Panel -> User Accounts and Family Safety -> User Accounts -> Change User Account Control Settings:

In this case Windows 7 has User Account Control (UAC) set to the Default level:

- Let's exploit the system with badblue_passthru:

- However, it is not possible to get total control over the system because UAC is in place:

- Post-exploitation cannot be performed:

- To bypass UAC reliably, it is advisable to work from a process that is as stable as possible. For instance, the current process is badblue.exe:

- It would be a good idea to migrate to a more stable process like explorer.exe:

- To start bypassing UAC, in order to get total control over the victim, the current meterpreter session is sent to the background:

- At the moment, there is only 1 meterpreter session active:

- There is a good exploit to bypass the User Account Control:

- For this exploit, the active meterpreter session is a required option:

- So, the session option is set to 1:

- Also, the reverse_tcp payload is used, with the attacker's IP as the local host:

- The exploit is launched, and a second meterpreter session is achieved as a result:

- Now, from this second meterpreter session, privilege escalation works without any problem, giving control over the system with system-authority credentials:

- A good example of post-exploitation is the hashdump command, which dumps the password hashes:

- Also, smart_hashdump writes the hashes to a text file for further processing, for instance with John the Ripper:
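As an added example from the defender's side, not code from the original post: the following PowerShell function reads the registry values behind the UAC slider configured above and reports whether the host sits at a level (Default or lower) that lets an administrator's processes auto-elevate, which is the condition the bypass shown in this exercise relies on. The registry key and value names are the standard Windows ones; the assessment and recommendation strings are my own wording, not taken from the page.

```powershell
# Added defensive check, not part of the original post: read the three registry values
# behind "Change User Account Control Settings" and report the resulting slider level.
# Assumes the standard policy key below, present on Windows 7 and later.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    $enableLua = [int]$p.EnableLUA                   # 0 = UAC switched off entirely
    $consent   = [int]$p.ConsentPromptBehaviorAdmin  # how administrators are prompted to elevate
    $secure    = [int]$p.PromptOnSecureDesktop       # 1 = prompt shown on the dimmed secure desktop

    # Map the value pair to the slider positions shown in the Control Panel dialog.
    $level = switch ("$consent/$secure") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Default (notify only when programs try to make changes)' }
        '5/0'   { 'Notify without dimming the desktop' }
        '0/0'   { 'Never notify' }
        default { "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)" }
    }

    # Below "Always notify", signed Windows binaries auto-elevate for an administrator
    # without any prompt; that silent elevation is what UAC bypass modules build on.
    if ($enableLua -eq 0) {
        $risk = 'UAC is disabled: every process of an administrator already runs elevated.'
    } elseif ($consent -eq 2) {
        $risk = 'Always notify: silent auto-elevation of Windows binaries is not available.'
    } else {
        $risk = 'Auto-elevation is allowed; an exploited administrator session can be elevated without a prompt.'
    }

    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        Assessment                 = $risk
        Recommendation             = 'Set the slider to "Always notify" and do not use an administrator account for daily work.'
    }
}

Get-UacPosture | Format-List
```

Run it from a normal (non-elevated) PowerShell prompt; reading the key needs no elevation, and a host in the exercise's "Default" state is reported with the auto-elevation assessment.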