Contact Form

Name

Email *

Message *

Privilege escalation with Windows 7 SP1 64 bit

This post follows up from where we had left off with the Social Engineer Toolkit. I'm going to perform a privilege escalation on Windows 7 SP1 64 bit.

With SET, I could successfully exploit the system, but I couldn't become system administrator, which limited my chances of a successful exploitation.

I couldn't get a privilege escalation through getsystem.

Solution (for a clearer understanding of these steps, please refer to the embedded video tutorial)



I could successfully solve the escalation problem by using the bypassuac exploit (exploit/windows/local/bypassuac), which allowed me to hack in the system and open up another session as the local administrator account.

However, this time around I was able to use getsystem for me to achieve a privilege escalation.


That done, I could successfully migrate to another system process.
Checking the active processes, through the ps command, we can now see the processes owned by the system administrator as well, along with the ones belonging to the local user.



I could successfully dump usernames and passwords stored on the system through the hashdump command.


By opening up a Windows shell, I also added a user for myself to the victim machine with the command net havoc 12345 /add from Command Prompt (where havoc is the username and 12345 is the password).


We can see the users currently installed on the victim system, with the net user command.

We can also see the mounted drives and shares and the routing table.

.

Wrap-up

The bypassuac exploit, following up to the exploitation already performed by SET, allowed me to successfully become the system administrator and complete all the exploitation stages I wasn't able to perform in the previous post.

It was a pretty easy attack.

The victim virtual machine had Windows Defender installed, which is the fastest on my laptop for example, but doesn't seem to have a sufficient virus detection rate.

I keep saying your best defense (and the best antivirus in the world) is common sense and paranoia.

For me to be able to attack my victim machine, I had to click the payload file.

If this weren't the case, I wouldn't be able to get in.

Hope that makes you think twice before clicking all you see.

Comments

Related Posts Plugin for WordPress, Blogger...