Forum Thread: Bypasssing Windows UAC

Bypasssing Windows UAC

Hello community!

I have been trying to escalate my privileges on a compromised windows 7 laptop (x86). I tried a couple of different things but I wasn't successful at all:

getsystem -> UAC block my attemp: Access denied

exploit bypassuac -> Exploit failed timeout-expired: Timeout::Error execution expired. After reading about it, it seems that Microsoft Security Essentials identifies the payload as Trojan:Win32/Swrort

exploit bypassuac_injection -> States that I was successfull with the injection but does not start a second meterpreter session. It also states that manual cleanup might be necessary, and I really don't understand why...

exploit ask -> - Exploit failed: Rex::TimeoutError Operation timed out
After researching, I found out that ask always uses a self-generated payload which is easily detected by AV.

What method would you should to bypass windows UAC? I am a bit confused with the bypassuac_injection as it should give me a second session and it didn't...

Thanks in advance!

5 Responses

Have you tried changing the TECHNIQUE of the exploit/windows/local/ask to PSH (must be in all caps) with set TECHNIQUE PSH?

Also must set SESSION (meterpreter id)

I did set the session, of course ;)

And yeah, i did try changing the technique. because of the exploit's nature I think, It asked for authorization to use command line in the victim... Not exactly stealthy.

Anyway, even after I press "yes" in victim's PC, meterpreter still won't connect

So, you manage to get the prompt on the victim PC but after you accept said prompt the metasploit console comes up with the exploit failed?

Has the new session come up but you forgot to connect?
Have you tried exploit -j after changing the settings for the ask exploit?

Also could you post some screenshots.

SOLVED

Well, adding the -j switch did the job! (sorry for the pun)
Thank you so much for your answer!!!

Using exploit -j opened up a 2nd meterpreter session. Then I just had to getsystem and ta-da!

However, a noob question: how does running the exploit as a job make it work? I don't get it ...

Anyway, thanlk you so much!

I'm glad that I could help,

As with the question, I don't really know why it is better to use exploit -j instead of just exploit, I should try to find out.

Share Your Thoughts

  • Hot
  • Active