Today we’re gonna be using a classic method to escalate privileges on a fully patched Windows box. Of course, we’ll be using none other than the Python server & shell for the whole process. The reason for demonstrating this sole method is simple: privilege escalation methods/exploits vary from time to time, and although some operating systems (especially the no longer supported ones) have specific exploits that work, current operating systems are constantly being patched, which leads security researchers to develop new exploits, which leads to new patches, and so on. On that note:
If you’re wondering why we need to go through such hassle, it has been mentioned previously: in order to enhance the shell’s functionality, sometimes system access is needed. Be it to install applications, browse through restricted directories, etc., certain things just can’t be accomplished under a standard user.
For further insight, read the following excerpt from Wikipedia:
“Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.” (Wikipedia)
The method I am gonna be demonstrating will work in a standard Windows 7 installation, so long as the user is an administrator. We will be using the BypassUAC executable, courtesy of David Kennedy and Kevin Mitnick; credits go out to them for the awesome work. If you have the Metasploit Framework, you can issue the following command to locate it:
If you don’t have the framework, you’re definitely missing out, but download the executable from TrustedSec.
After bypassing User Account Control (UAC), it’s simply a matter of creating a service and starting it. I browsed a bit searching for the original author of this method; however, I was unable to find it. If anybody knows who originally discovered it, let me know and I will update it here with the well-deserved credits.
I was able to find other methods to escalate from a non-administrator user here, which clearly illustrate the same concept along with a nice writeup. Must read.
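From the defender’s side, the “create a service and start it” step leaves a trace in the System event log: the Service Control Manager logs a 7045 event when a service is installed and a 7036 event when it changes state. The script below is an added example (not from the original post, and not TrustedSec’s or Metasploit’s code) that scans such events and flags a LocalSystem service whose binary lives in a user-writable directory and was started right after being installed; the key=value log lines and their layout are constructed for the example, so a real export needs its own parser.

```python
"""Flag service installs that match the post's escalation pattern:
SCM event 7045 (service installed) with the binary in a user-writable
path, followed within seconds by 7036 (service running).
Added defensive example; sample lines below are constructed."""
import re
from datetime import datetime

# Constructed sample export: two benign installs and one suspicious one.
SAMPLE_LOG = """\
EventID=7045 Time=2013-05-02T10:01:12 ServiceName=wuauserv ImagePath="C:\\Windows\\system32\\svchost.exe -k netsvcs" Account=LocalSystem
EventID=7045 Time=2013-05-02T10:05:40 ServiceName=pwn ImagePath="C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe" Account=LocalSystem
EventID=7036 Time=2013-05-02T10:05:41 ServiceName=pwn State=running
EventID=7045 Time=2013-05-02T10:30:00 ServiceName=VBoxService ImagePath="C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\VBoxService.exe" Account=LocalSystem
EventID=7036 Time=2013-05-02T10:30:05 ServiceName=VBoxService State=running
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value with spaces"
EXE_RE = re.compile(r'^(.*?\.exe)', re.I)        # executable without its arguments
# Directories a standard user can write to; a LocalSystem service launched
# from here is the signal worth alerting on.
USER_WRITABLE = re.compile(r'^[a-z]:\\(users|windows\\temp|programdata)\\', re.I)

def parse_events(text):
    """Turn each key=value line into a dict, dropping surrounding quotes."""
    return [{k: v.strip('"') for k, v in FIELD_RE.findall(line)}
            for line in text.splitlines() if line.strip()]

def flag_suspicious_installs(text, start_window_s=10):
    """Return [(service, exe, started_within_window)] for 7045 events whose
    executable sits in a user-writable directory."""
    events = parse_events(text)
    hits = []
    for ev in events:
        if ev.get("EventID") != "7045":
            continue
        m = EXE_RE.match(ev.get("ImagePath", ""))
        exe = m.group(1) if m else ev.get("ImagePath", "")
        if not USER_WRITABLE.match(exe):
            continue
        installed = datetime.fromisoformat(ev["Time"])
        # Did the same service report "running" shortly after being installed?
        started = any(
            e.get("EventID") == "7036" and e.get("ServiceName") == ev["ServiceName"]
            and e.get("State") == "running"
            and 0 <= (datetime.fromisoformat(e["Time"]) - installed).total_seconds() <= start_window_s
            for e in events)
        hits.append((ev["ServiceName"], exe, started))
    return hits

if __name__ == "__main__":
    for name, exe, started in flag_suspicious_installs(SAMPLE_LOG):
        print(f"ALERT service={name} image={exe} started_immediately={started}")
```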
Check out the video in high quality & enjoy!