WINDOWS 7 - BYPASSING USER ACCOUNT CONTROL
- Layout for this exercise:
- Let's suppose we have a Windows 7 system already exploited:
- From Control Panel -> User Accounts and Family Safety -> User Accounts -> Change User Account Control Settings:
- In this case Windows 7 has User Account Control (UAC) set to the Default level:
- Let's exploit the system with badblue_passthru:
- However, it is not possible to get total control over the system, because UAC is enabled:
- Post-exploitation cannot be performed:
- To exploit UAC reliably, it is advisable to work from a process that is as stable as possible. For instance, the current process is badblue.exe:
- It would be a good idea to migrate to a more stable process like explorer.exe:
- To start the process of bypassing UAC, in order to get total control over the victim, the current meterpreter session is put into background mode:
- At the moment, there is only 1 meterpreter session active:
- There is a suitable exploit module for bypassing User Account Control:
- For this exploit, the active meterpreter session is a required option:
- So, session is set to 1:
- Also, the reverse_tcp payload is used, with LHOST set to the attacker's IP:
- The exploit is launched, and a second meterpreter session is achieved as a result:
- Now, from this second meterpreter session, privilege escalation succeeds with no problem, gaining control of the system with NT AUTHORITY credentials:
- A good example of post exploitation is the command hashdump, which provides hashes of the passwords:
- Also, smart_hashdump writes the hashes to a text file for further processing, for instance with John the Ripper:
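The bypass above depends on the UAC slider sitting at the Default level shown earlier: at that level members of the Administrators group auto-elevate certain signed Windows binaries without a prompt, which is what the module abuses. As an added example, not part of the original walkthrough, the following PowerShell audit reads the policy values that back the slider and, when run with -Fix, sets them to Always notify; it assumes an elevated session on the Windows 7 host being checked.

```powershell
# Added example (not from the original walkthrough): audit the UAC level that
# the bypass relies on and optionally raise it. Assumes elevated PowerShell.
param([switch]$Fix)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# Missing values read as 0 after the cast, which is the most permissive case.
$enableLua = [int]$p.EnableLUA
$consent   = [int]$p.ConsentPromptBehaviorAdmin
$secureDsk = [int]$p.PromptOnSecureDesktop

# Map the registry values back onto the four slider positions of the
# Control Panel dialog used in the walkthrough.
$level = if ($enableLua -eq 0) { 'UAC disabled (EnableLUA=0)' }
         elseif ($consent -eq 2 -and $secureDsk -eq 1) { 'Always notify' }
         elseif ($consent -eq 5 -and $secureDsk -eq 1) { 'Default (notify only when programs make changes)' }
         elseif ($consent -eq 5 -and $secureDsk -eq 0) { 'Notify without dimming the desktop' }
         elseif ($consent -eq 0) { 'Never notify' }
         else { "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secureDsk)" }

Write-Host "Current UAC level: $level"

# Anything below 'Always notify' permits silent auto-elevation for admins,
# so an admin-group user's meterpreter session can be elevated as shown above.
if ($enableLua -ne 1 -or $consent -ne 2 -or $secureDsk -ne 1) {
    Write-Warning 'Admin auto-elevation is permitted; the UAC bypass above applies.'
    if ($Fix) {
        Set-ItemProperty -Path $key -Name EnableLUA -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $key -Name PromptOnSecureDesktop -Value 1 -Type DWord
        Write-Host 'UAC set to Always notify; a change to EnableLUA takes effect after reboot.'
    }
} else {
    Write-Host 'UAC is at Always notify; every elevation prompts on the secure desktop.'
}
```

Microsoft does not treat UAC as a security boundary, so Always notify raises the cost of this particular module rather than of every elevation technique; keeping day-to-day accounts out of the local Administrators group is the stronger control, since the bypass needs a session running as an admin-group user in the first place.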