Windows 7 privilege escalation using UAC bypass

Suppose you have already compromised a windows machine, but you have got the low-level privilege.
Now, what if you need administrator-level access to the machine?
We would need to do privilege escalation.

In the below example, we are taking windows with bad blue vulnerability.

System Details:

1. Kali Linux(Attacker): 192.168.1.35
2. Windows Bad blue edition(Victim): 192.168.1.34

Let’s first compromise the windows machine using Metasploit.

Okay, lets use the 2.72b Passthru exploit
And check for what parameters it requires using the show options command, to run the exploit.

Now, set RHOST parameter as the remote host means the victim’s IP.
and hit run/exploit.

Okay, So we have the meterpreter session ready.

Let’s do the getuid.

**The getuid() function returns the real user ID of the calling process.**

Now, Let’s check the getsystem command to get our session escalated to SYSTEM privileges.

from above screenshot we can see getsystem tries all the 3 techniques but failed.

Now we need to bypass UAC to get escalated privileges.

let’s background this session and run a UAC bypass exploit.

Search for bypassuac in Metasploit

Select the exploit/window/local/bypassuac

Check for what parameters are required.

So Parameter required is meterpreter session ID.
Let’s list all the meterpreter sessions using sessions -i command

We got the SESSION ID as 1 from the above screenshot.

Set the SESSION parameter to 1.

and run the exploit.

Now let’s do getuid→ It shows root-PC\root.
Now getsytem to escalate the session to NT AUTHORITY.

Now once again check getuid .

Now we have successfully bypassed UAC(user access control)

Security researcher, Blogger, Bug Bounty hunter

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store