Premise

In this tutorial, I explained how to take over and exploit Windows 7 using Metasploit with Msfvenom. The method also works on Windows 10, but you need to use a high iteration count along with the xor_dynamic encoder. I then used a UAC bypass to escalate privileges to SYSTEM, and dumped credentials with Mimikatz and PowerShell.

Skills Learned

  • Windows Privilege Escalation
  • PowerShell
  • Metasploit
  • User Account Control (UAC) Bypass
  • Mimikatz

Step 1: Creating the Payload

First things first, I need to create my malicious payload. I use a tool called msfvenom for this. The command I use generates a reverse TCP payload, which means that once the victim runs it, their computer connects back to me. I also use an encoder called xor_dynamic to make it harder for antivirus software to detect. To make it more convincing, I can bind this payload to a legitimate application like Google Chrome.

Step 2: Setting Up My Listener

Before I send this payload out into the world, I need to set up a listener to catch the connection when it comes back. I use the exploit/multi/handler in Metasploit for this. I just need to make sure that the payload, IP address, and port I use for my listener match what I used when I created the payload. Once everything is configured, I start the listener and wait for the magic to happen.

Step 3: Getting a Meterpreter Session

Once the victim opens my malicious file, I get a Meterpreter session. This is my command and control center for the compromised machine. I can list all my active sessions and interact with them one by one.

Step 4: Gathering Intel

The first thing I do when I get a session is to gather as much information as I can about the target system. The sysinfo command is great for this. It tells me the operating system, service packs, and other useful details. In this case, the target is running Windows 7, which is still surprisingly common in a lot of corporate environments.

Step 5: Spying on the User

Now for the fun part! I can take screenshots of the victim’s desktop to see what they’re up to. I can also start a keylogger to capture every single keystroke they make. Before I start the keylogger, I always migrate my Meterpreter process to a more stable one, like Notepad. This way, if the user closes the original program they opened, I won’t lose my session.

Step 6: Escalating My Privileges

At this point, I have a good amount of control, but I want more! I want to be the system administrator. To do this, I need to escalate my privileges. In Windows, this often means bypassing User Account Control (UAC).

I use a specific Metasploit module for this called exploit/windows/local/bypassuac_injection. I just need to tell it which session to use, and it will work its magic. If it’s successful, I get a brand new Meterpreter session with full system privileges.

Step 7: The Grand Prize: Dumping Credentials

Now that I’m the system administrator, I can go for the grand prize: the user’s credentials. I use the kiwi extension in Meterpreter, which is basically Mimikatz built right in. With a single command, I can dump the NTLM hashes of all the user accounts on the system. I can then take these hashes offline and crack them to recover the plaintext passwords.

Step 8: Exfiltrating Files

Finally, I can also download any sensitive files from the compromised system. I can navigate the remote file system just like I would on my own computer and use the download command to grab anything I want.

And that’s it! A complete Windows takeover from start to finish. I want to stress that the best way to protect yourself from these kinds of attacks is to keep your systems updated. The UAC bypass I used in this video is effective against older versions of Windows 10, but it’s much harder to pull off on a fully patched system. Stay safe out there!
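As an added, defender-side illustration (not code from the original tutorial): the migrate-then-kiwi sequence in Steps 5 and 7 leaves a recognisable trace in Sysmon telemetry, a CreateRemoteThread event (ID 8) into the host process followed by a ProcessAccess event (ID 10) from that same process against lsass.exe. The event records below are constructed; only the field names follow Sysmon's schema.

```python
PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory

# Constructed sample events modelled on Sysmon Event ID 8 (CreateRemoteThread)
# and Event ID 10 (ProcessAccess); paths and PIDs are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\bob\Downloads\setup.exe",
     "SourceProcessId": 3388, "TargetImage": r"C:\Windows\System32\notepad.exe",
     "TargetProcessId": 4120},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\notepad.exe",
     "SourceProcessId": 4120, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "SourceProcessId": 900, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000"},
]


def detect_injected_lsass_access(events):
    """Return one finding per process that first received a remote thread
    (Event ID 8) and later opened lsass.exe with PROCESS_VM_READ (Event ID 10).
    A benign process querying LSASS without read access is not flagged."""
    injected = {}   # TargetProcessId -> image that injected into it
    findings = []
    for ev in events:
        if ev["EventID"] == 8:
            injected[ev["TargetProcessId"]] = ev["SourceImage"]
        elif ev["EventID"] == 10 and ev["TargetImage"].lower().endswith("lsass.exe"):
            pid = ev["SourceProcessId"]
            mask = int(ev["GrantedAccess"], 16)
            if pid in injected and mask & PROCESS_VM_READ:
                findings.append({"pid": pid,
                                 "host_image": ev["SourceImage"],
                                 "injected_by": injected[pid],
                                 "access": ev["GrantedAccess"]})
    return findings


if __name__ == "__main__":
    for hit in detect_injected_lsass_access(SAMPLE_EVENTS):
        print("ALERT: injected process read LSASS:", hit)
```

Real deployments would key on the Sysmon event time window as well, since the injection and the LSASS access may be minutes apart.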

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
