How To: Post-Exploitation Privilege Escalation


Hey everyone, I've been encountering some problems with privilege escalation when the target has an AV installed, so here's a tutorial for when the almighty "getsystem" doesn't cut it and "bypassuac" gets blocked by the AV. The machine is running Windows 7.

Step 1: Get a Meterpreter Session Running on the Target Machine

As you can see in the picture above, we don't have administrator rights over the system. Let's try using "getsystem" and attempt to own the PC.

If this happens, we need not lose hope: we can still use a local exploit to try to get admin rights. The exploit we'll use is "ms14_058_track_popup_menu" (CVE-2014-4113), so background the session and select it as your exploit.

Now we just need to set the options for the exploit. Set the session option to the session you just backgrounded and everything else should be all set. All we need to do now is type in "exploit" and wait to see what happens.

And voila! You now own the machine and can do whatever you want with it. Stay tuned to Null-Byte for more awesome tutorials on hacking!

EDIT: It's not always the antivirus that's causing the issues, but most of the time it's responsible for most of the difficulties one might encounter.
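
From the defender's side, the end state of this tutorial (a SYSTEM session reached from a non-admin one) can be hunted for in process-creation logs. The Python below is an added example, not part of the original post: it flags processes that start as SYSTEM under a parent that an ordinary user started, using Sysmon Event ID 1 field names; the host, user, file names and events are constructed.

```python
# Heuristic: a process that starts as SYSTEM under a parent that an ordinary
# user started is a common trace of local privilege escalation.
# Field names follow Sysmon Event ID 1 (process creation).
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

def ev(guid, parent, image, user, integrity):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent,
            "Image": image, "User": user, "IntegrityLevel": integrity}

# Constructed sample events (hypothetical host WIN7-PC, user alice).
SAMPLE_EVENTS = [
    ev("G1", "G0", r"C:\Windows\System32\services.exe", SYSTEM_USER, "System"),
    ev("G2", "G1", r"C:\Windows\System32\svchost.exe", SYSTEM_USER, "System"),
    ev("G3", "G9", r"C:\Windows\explorer.exe", r"WIN7-PC\alice", "Medium"),
    ev("G4", "G3", r"C:\Users\alice\Downloads\update.exe", r"WIN7-PC\alice", "Medium"),
    ev("G5", "G4", r"C:\Windows\System32\notepad.exe", r"WIN7-PC\alice", "Medium"),
    ev("G6", "G5", r"C:\Windows\System32\cmd.exe", SYSTEM_USER, "System"),
    ev("G7", "G6", r"C:\Windows\System32\whoami.exe", SYSTEM_USER, "System"),
]

def find_suspicious_elevations(events):
    """Return (parent, child) pairs where a SYSTEM child has a non-SYSTEM parent."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for child in events:
        if child["User"].upper() != SYSTEM_USER:
            continue
        parent = by_guid.get(child["ParentProcessGuid"])
        if parent is None:
            continue  # parent predates the log window, so it cannot be judged
        if parent["User"].upper() != SYSTEM_USER:
            hits.append((parent, child))
    return hits

if __name__ == "__main__":
    for parent, child in find_suspicious_elevations(SAMPLE_EVENTS):
        print(f'{parent["Image"]} ({parent["User"]}, {parent["IntegrityLevel"]}) '
              f'-> {child["Image"]} ({child["User"]})')
```

Legitimate software can occasionally produce the same pattern, so treat hits as leads to triage rather than as confirmed compromise.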

13 Comments

Thanks OTW, I hope I'll be able to make more tutorials in the future and I really hope you keep yours coming as they're one of the best here on Null-Byte :D

Very informative with nice pictures. +1

EDIT: It's nice to have workaround posts, so things aren't confined. :)

Thank you C|H

Nice tutorial! Kudos+

I was planning on making an article about this but never got around to it! Thanks!

Thank you too :D

The blue theme caught my eye. Kudos +1

EDIT: Didn't give Kudos because of the screenshots. Gave kudos because it was informative and excellent. Worked for me ...

Eye-candy, simple, right to the point.

Welcome to Null Byte, enjoy the stay.

Thanks everyone for the warm welcome, I really hope I'll be useful to the community, see you all in the near future :D

Exploit aborted due to failure: no-target: Running against WOW64 is not supported <--- :(

This usually means the exploit doesn't work on 64-bit systems. But could you please post a screenshot? Thanks.

-Phoenix750

Phoenix is probably right about your issue, but you can still find some local exploit that could work on a 64-bit system + the process for setting up most local exploits is generally the same (you just have to specify the session number). You can use a website like www.exploit-db.com to search for an exploit compatible with the machine you're trying to exploit. (If you do decide to use exploit-db, from the "Exploits" tab you can select "Privilege Escalation and Local Exploits" and sort the platform tab so you get the Windows exploits first and try to find one that's not very old and easy to locate in Metasploit. From then on you can background your current session just like we did in the tutorial, select the chosen exploit, set the options for it, type "exploit" and you should get a new meterpreter shell if everything went well. Hope this is somewhat helpful.)

Obsrv_

Also didn't work for me because I am running a 64-bit victim system. I tried searching for any legit 64-bit exploit for W7 but couldn't find any. No doubt it will work on a 32-bit system, but I am wondering if this exploit gives you enough privilege to kill their firewall or AV.
