Tampering the PAC — Post exploit windows — Metasploit

Kapil Verma
3 min readJun 5, 2019


PAC: Proxy auto config.
→ It is very important in enterprises to assign proxies based on policies.
→ A proxy auto-config (PAC) file defines how web browsers and other user agents can automatically choose the appropriate proxy server (access method) for fetching a given URL.
→ File is written is JavaScript and only certain no of functions are allowed and runs within a sand box**.
• *A sandbox is a type of software testing environment that enables the isolated execution of software or programs for independent evaluation, monitoring or testing.


Let’s create a fresh directory named PAC (you can name whatever you want), and create a file named proxy.pac(you can name whatever you want, but normally it’s proxy.pac)

Now we need to create a PAC file written on Javascript.

Here our Kali Machine’s IP is
The browser is going to contact the given proxy( to get the URL asked by the user.

Now I am assuming we already have compromised a windows machine and got system on it using UAC bypass.

At first a quick compromise of Windows followed by UAC bypass

Now on the kali machine let’s fire up apache2 server.

Now lets put the pac file in the /var/www/html

Now we need to use a metasploit script named ie_proxypac.

Lets run the exploit:

Let’s check if the proxy settings have been changed or not.

Okay, Great it has been changed.

Now let’s go and check in the internet explorer.

Here we are trying to access any website but it is serving us out index.php
Let’s check the Apache logs.



Kapil Verma

Security researcher, Blogger, Bug Bounty hunter