
Bypass User Access Control using Empire


This is the fifth article in our Empire series; for the basic guide to Empire, click here. In this article, we will learn to bypass administrator privilege checks using the various bypassuac post-exploitation modules. UAC stands for User Account Control, the mechanism that decides which rights a user has to make changes to the system. The rights granted to a user depend on the integrity level, which is one of:

  • High: administrator rights
  • Medium: standard user rights
  • Low: extremely restricted

We try to gain the highest integrity level; Empire marks such a high-integrity session with the value 1 and a medium-integrity one with 0. Let's start with the first module, bypassuac_env. As you can see in the image, we already have an Empire session with an integrity of 0, which means we do not yet have administrator rights. Type the following commands to obtain administrator privileges:

usemodule privesc/bypassuac_env
set Listener http
execute

Executing the above module gives you a new session. On accessing that session you can see the integrity has changed to 1, which means we now have administrator rights, as shown in the image below:

Now, let's try another module, privesc/bypassuac_eventvwr. Its function is the same as before, i.e. to obtain administrator rights so that later post-exploitation is more effective. Again, as you can see, our session has an integrity of 0, which indicates we have no admin rights yet. So, run the following commands:

usemodule privesc/bypassuac_eventvwr
set Listener http
execute

As you can see, we have a new session with an integrity of 1, which confirms that we now have admin rights.

The next module we will use for the same purpose is privesc/bypassuac_fodhelper. Just as before, use the following set of commands:

usemodule privesc/bypassuac_fodhelper
set Listener http
execute

Once the module has executed, you will have a session with an integrity of 1, hence we have succeeded in attaining admin rights.

The next bypassuac module we will use is privesc/bypassuac_wscript. Similarly, to obtain administrator privileges use the following commands:

usemodule privesc/bypassuac_wscript
set Listener http
execute

As you can see in the image, the new session we have gained has admin rights.

The last module we will use for the same purpose is privesc/bypassuac. Execute the following commands:

usemodule privesc/bypassuac
set Listener http
execute

As you can see in the image above, the new session gained has an integrity of 1, hence administrator rights have been obtained.
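As a defender's counterpart to the fodhelper and eventvwr modules above, here is an added example (my own code, not Empire's or the article's) that scans Sysmon-style registry events for the staging step those two bypasses share: a medium-integrity process writing a handler under the current user's ms-settings or mscfile class key, which the auto-elevating fodhelper.exe or eventvwr.exe then executes at high integrity. The log format, SID, process names and paths are constructed for the example.

```python
import re
from collections import namedtuple

# Sysmon Event ID 13 is "RegistryEvent (Value Set)". fodhelper.exe and
# eventvwr.exe auto-elevate and resolve their class handlers from the
# per-user hive (HKU\<SID>\Software\Classes) first, so a medium-integrity
# process writing these command values is the staging step of the bypass.
HIJACK_KEY_RE = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\Software\\Classes\\"
    r"(?P<cls>ms-settings|mscfile)\\shell\\open\\command"
    r"\\(?P<value>\(Default\)|DelegateExecute)$",
    re.IGNORECASE,
)

# image = writing process, cls = hijacked class, value = value name, details = data written
Finding = namedtuple("Finding", "image cls value details")

def parse_event(line: str) -> dict:
    """Parse one constructed 'Field=value|Field=value' Sysmon-style line."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("|"))

def scan(lines) -> list:
    """Return a Finding for every value-set event that touches a hijack key."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue  # only registry value-set events matter here
        m = HIJACK_KEY_RE.match(ev.get("TargetObject", ""))
        if m:
            findings.append(Finding(ev.get("Image", "?"), m["cls"].lower(),
                                    m["value"], ev.get("Details", "")))
    return findings

# Constructed sample log (not a real capture): a benign Run-key write, then
# the two writes a fodhelper-style bypass makes under ms-settings.
SID = "HKU\\S-1-5-21-1111-2222-3333-1001"
SAMPLE_LOG = [
    f"EventID=13|Image=C:\\Windows\\explorer.exe|TargetObject={SID}\\Software\\"
    "Microsoft\\Windows\\CurrentVersion\\Run\\Sync|Details=C:\\Users\\alice\\sync.exe",
    f"EventID=13|Image=C:\\Windows\\System32\\reg.exe|TargetObject={SID}\\Software\\"
    "Classes\\ms-settings\\shell\\open\\command\\DelegateExecute|Details=(Empty)",
    f"EventID=13|Image=C:\\Windows\\System32\\reg.exe|TargetObject={SID}\\Software\\"
    "Classes\\ms-settings\\shell\\open\\command\\(Default)|Details=C:\\Users\\alice\\stage.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[!] {f.image} set {f.cls}\\shell\\open\\command\\{f.value} -> {f.details!r}")
```

The other modules on this page reach high integrity by different routes, so this rule covers only the two registry-hijack variants; raising UAC to "Always notify" also removes the silent auto-elevation these two depend on.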

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Bypass User Access Control using Empire appeared first on Hacking Articles.
