Windows 7 privilege escalation using UAC bypass

Kapil Verma
3 min readJun 2, 2019


Suppose you have already compromised a windows machine, but you have got the low-level privilege.
Now, what if you need administrator-level access to the machine?
We would need to do privilege escalation.

In the below example, we are taking windows with bad blue vulnerability.

System Details:

1. Kali Linux(Attacker):
2. Windows Bad blue edition(Victim):

Let’s first compromise the windows machine using Metasploit.

Okay, lets use the 2.72b Passthru exploit
And check for what parameters it requires using the show options command, to run the exploit.

Now, set RHOST parameter as the remote host means the victim’s IP.
and hit run/exploit.

Okay, So we have the meterpreter session ready.

Let’s do the getuid.

**The getuid() function returns the real user ID of the calling process.**

Now, Let’s check the getsystem command to get our session escalated to SYSTEM privileges.

from above screenshot we can see getsystem tries all the 3 techniques but failed.

Now we need to bypass UAC to get escalated privileges.

let’s background this session and run a UAC bypass exploit.

Search for bypassuac in Metasploit

Select the exploit/window/local/bypassuac

Check for what parameters are required.

So Parameter required is meterpreter session ID.
Let’s list all the meterpreter sessions using sessions -i command

We got the SESSION ID as 1 from the above screenshot.

Set the SESSION parameter to 1.

and run the exploit.

Now let’s do getuid→ It shows root-PC\root.
Now getsytem to escalate the session to NT AUTHORITY.

Now once again check getuid .

Now we have successfully bypassed UAC(user access control)



Kapil Verma

Security researcher, Blogger, Bug Bounty hunter