Windows 7 privilege escalation using UAC bypass


Suppose you have already compromised a Windows machine but only obtained a low-privilege session.
What if you need administrator-level access to the machine?
Then we need to do privilege escalation.

In the example below, we are using a Windows target with the BadBlue vulnerability.

System details:

1. Kali Linux (attacker): 192.168.1.35
2. Windows with BadBlue (victim): 192.168.1.34

Let's first compromise the Windows machine using Metasploit.


Okay, let's use the BadBlue 2.72b PassThru exploit
and check which parameters it requires to run, using the show options command.


Now set the RHOST parameter to the remote host, i.e. the victim's IP,
and hit run/exploit.


Okay, so we have the Meterpreter session ready.

Let's run getuid.

**The getuid() function returns the real user ID of the calling process.**

Now let's try the getsystem command to escalate our session to SYSTEM privileges.


As the screenshot showed, getsystem tries all 3 of its techniques, but every one of them fails.

Now we need to bypass UAC to get escalated privileges.

Let's background this session and run a UAC bypass exploit.


Search for bypassuac in Metasploit.


Select exploit/windows/local/bypassuac.


Check which parameters are required.

The required parameter is the Meterpreter session ID.
Let's list all the Meterpreter sessions using the sessions -i command.


We got session ID 1 from the session list.

Set the SESSION parameter to 1

and run the exploit.


Now run getuid again: it shows root-PC\root.
Then run getsystem to escalate the session to NT AUTHORITY\SYSTEM.

Now check getuid once again.


Now we have successfully bypassed UAC (User Account Control).
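From the defender's side, the walkthrough above works because the compromised account is a member of Administrators holding a filtered token, and UAC is below the "Always notify" level. The following PowerShell audit is an added example, not code from the original post: it reads the documented UAC policy values and the token state on a host and reports that combination. The registry path, value names and the Administrators SID are the standard Windows ones; the "Finding" wording is my own.

```powershell
# Added defender-side example, not code from the original post: read the UAC
# policy values and token state that the bypass walkthrough above depends on.
# Registry path, value names and the Administrators SID are the standard ones.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    param([string]$Path = $UacKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    # Fall back to the Windows 7 defaults when a value has never been written.
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $consent   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }
    $consentName = switch ($consent) {
        0 { 'Elevate without prompting' }
        1 { 'Prompt for credentials on the secure desktop' }
        2 { 'Prompt for consent on the secure desktop' }
        3 { 'Prompt for credentials' }
        4 { 'Prompt for consent' }
        5 { 'Prompt for consent for non-Windows binaries (Windows 7 default)' }
        default { "Unknown ($consent)" }
    }
    # "Always notify" slider position: UAC on, consent for every elevation,
    # prompt shown on the secure desktop.
    $alwaysNotify = ($enableLua -eq 1) -and ($consent -eq 2) -and ($secure -eq 1)
    # Administrators membership from the token group list; whoami still lists
    # the group when a filtered token carries it as deny-only.
    $groupSids = whoami /groups /fo csv | ConvertFrom-Csv | ForEach-Object { $_.SID }
    $inAdmins  = $groupSids -contains 'S-1-5-32-544'
    # IsInRole(Administrator) is true only for an elevated token, so
    # "in Administrators but not elevated" means the user holds a filtered token.
    $principal = New-Object Security.Principal.WindowsPrincipal(
        [Security.Principal.WindowsIdentity]::GetCurrent())
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $finding = 'No finding'
    if ($inAdmins -and -not $elevated -and -not $alwaysNotify) {
        $finding = 'At risk: filtered-token administrator with UAC below Always notify'
    }
    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = "$consent ($consentName)"
        PromptOnSecureDesktop      = $secure
        AlwaysNotify               = $alwaysNotify
        UserInAdministrators       = $inAdmins
        ProcessElevated            = $elevated
        Finding                    = $finding
    }
}

Get-UacPosture | Format-List
```

Run it in the context of the account whose session was compromised; the two controls it checks, raising UAC to Always notify and keeping daily-use accounts out of Administrators, are the standard mitigations for this class of escalation.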

Security researcher, Blogger, Bug Bounty hunter
