Bypassing User Access Control
User access control (UAC) is a security feature that was introduced from Windows Vista and
onward. The purpose of introducing UAC was to prevent malware from compromising the sys-
tem. It accomplishes this by assigning normal user privileges to an application even if a user has
administrator privileges. The application then has to be approved by an administrator for it to
make changes to your computer.
The UAC can be configured easily depending upon the operating system you are using; all you need to do is search for the keyword “uac” using the search box. The default level of UAC is level 3, which is when it will notify when programs try to make changes to your computer.
Here is how the interface looks inside Windows 7:
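The slider shown in that interface writes a few policy values to the registry, so the effective UAC level can also be audited from a shell. The following is an added example, not code from the book; the mapping of registry values back to slider levels assumes the Windows 7 Control Panel behaviour, and anything else is reported as a custom setting.

```powershell
# Added example (not from the book): read the UAC policy values the slider
# writes and flag configurations weaker than the level-3 default.
function Get-UacPolicyAudit {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # EnableLUA                  1 = UAC on, 0 = UAC off entirely
    # ConsentPromptBehaviorAdmin 0 = elevate silently, 2 = consent on secure desktop,
    #                            5 = consent only for non-Windows binaries (default)
    # PromptOnSecureDesktop      1 = dim the screen (secure desktop) while prompting
    $enableLua = [int]$p.EnableLUA
    $consent   = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    # Map back to the slider level described in the text (assumed Windows 7 mapping).
    if ($enableLua -eq 0 -or $consent -eq 0)   { $level = '1 (Never notify)' }
    elseif ($consent -eq 5 -and $secure -eq 0) { $level = '2 (Notify, no secure desktop)' }
    elseif ($consent -eq 5 -and $secure -eq 1) { $level = '3 (Default)' }
    elseif ($consent -eq 2 -and $secure -eq 1) { $level = '4 (Always notify)' }
    else                                       { $level = 'custom (policy-managed or hand-edited)' }

    # Findings a defender would want to see in an inventory report.
    $findings = @()
    if ($enableLua -eq 0) { $findings += 'EnableLUA=0: UAC disabled, admin logons run fully elevated' }
    if ($consent -eq 0)   { $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate without a prompt' }
    if ($secure -eq 0)    { $findings += 'PromptOnSecureDesktop=0: prompt is not isolated from other software' }

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        SliderLevel                = $level
        Findings                   = $findings
    }
}

Get-UacPolicyAudit | Format-List
```

Run it in an elevated or standard PowerShell session; the key is world-readable, so no elevation is needed to audit it.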
If we try to use the “getsystem” technique in any of the operating systems with UAC enabled, it will fail by default. Luckily, we already have a postexploitation module in Metasploit named “bypassuac”, which could help us bypass user access control to escalate our privileges.
Postexploitation ◾ 239
So for the sake of demonstration we assume that you have a meterpreter session on a Windows
7 machine. From our current meterpreter session we will run the following command:
meterpreter> run post/windows/escalate/bypassuac
Now we will try to use the “getsystem” command again, and it will escalate our privileges. We will use “getuid” to check our privileges and the “sysinfo” command for meterpreter to display information about the current system.
Impersonating the Token
The concept of an access token is very similar to the concept of a cookie that is used to authenti-
cate a user on a particular website. When a user is authenticated on a Windows machine an access
token is assigned, which contains information about login details, user privileges, etc. The access
tokens for Windows are of two types:
Primary token—The primary token can be associated with a process and is created within the
operating system using privileged methods.
Impersonation token—An impersonation token can let a process act as another user; it can only
be associated with threads. This is the type of token that we will be abusing for our privilege
escalation process.
We can use a valid impersonation token of a specific user, say, administrator, to impersonate that user without any authentication. Incognito is a meterpreter module that can help us with this task. We can load it by using the following command:
use incognito
240 ◾ Ethical Hacking and Penetration Testing Guide
Next, we would run the “help” command to see all the options; this will load up the meterpreter help menu, but you will also see Incognito commands along with their description at the bottom:
Before impersonating a token we need to take a look at the available tokens. To see all the available tokens, we use the list_tokens command followed by a -u parameter (which lists the tokens available under the current user context). With SYSTEM-level privileges you can see the list of all tokens, but with administrator or lower privileges you cannot.
list_tokens -u
As we can see, we have the administrator token available, which looks interesting; so let’s
try to impersonate this token and escalate our privileges. The command for impersonating is as
follows:
meterpreter> impersonate_token ABDUL-CB7402ACD\\Administrator
Note that we have added an additional backslash, “\” before “Administrator” for it to execute
properly.