Saturday 3 September 2016

MSI_privilege_escalation (MSF module for privilege escalation in windows)

Sup guys? Hope you're all doing well :)

Today's post is about a module SSA finished about a week ago. This module is all about privilege escalation in Windows-based sessions on Metasploit :)

So let's start :)

-- What is Privilege Escalation?

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.


(Wikipedia)

-- [ Module Description ]





-- [ Installation ]

Download the module from the following link: https://sourceforge.net/p/msf-auxiliarys/repository/ci/master/tree/MSI_privilege_escalation.rb

Now copy & paste it into the following msf path:
ubuntu : /opt/metasploit-framework/modules/post/windows/escalate/
kali : /path/metasploit/modules/post/windows/escalate/

Now load msfconsole and type the following commands:
msf > reload_all
msf > use post/windows/escalate/MSI_privilege_escalation
msf post(MSI_privilege_escalation) > info


-- [ Module Advanced Options ]





-- Workflow of Module (config required settings)

'GET_SYSTEM' allows users to elevate the current session (client) to NT AUTHORITY\SYSTEM using token impersonation.


'MSI_ESCALATION' allows users to CHECK/SET the 'AlwaysInstallElevated' registry keys remotely. If the reg key is already set to dword:1 on the target system, this function warns the attacker
that the bypass is already active (so there is no need to change the reg key data again).

dword:0 keys are set to dword:1. Bypassed :)


'REVERT_PRIVS' allows users to set the 'AlwaysInstallElevated' registry keys back to the default (dword:0). Here the attacker can restore all settings to their old defaults as well :)
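As an added example (not code from the MSI_privilege_escalation module or its author), the small Ruby helper below shows the CHECK and REVERT halves of the workflow above from an auditor's side: it parses `reg query` output for the `AlwaysInstallElevated` value in both hives, classifies the machine's state, and builds the `reg add` commands that put the value back to the dword:0 default. Two assumptions are baked in: the registry path `SOFTWARE\Policies\Microsoft\Windows\Installer` under HKLM and HKCU (the location Windows Installer reads this policy from), and the fact that the policy only takes effect when the value is 1 in both hives, so a single hive set to 1 is reported as `:partial` rather than `:enabled`. The sample `reg query` output is constructed.

```ruby
# Added audit helper, not part of the MSI_privilege_escalation module.
# Assumption: AlwaysInstallElevated lives under this key in both HKLM and HKCU,
# and Windows Installer honours it only when BOTH hives hold dword:1.
INSTALLER_POLICY_KEY = 'SOFTWARE\\Policies\\Microsoft\\Windows\\Installer'.freeze
HIVES = %w[HKEY_LOCAL_MACHINE HKEY_CURRENT_USER].freeze

# Pull the DWORD out of one `reg query ... /v AlwaysInstallElevated` result.
# A missing key or value means the Windows default, so it is reported as 0.
def parse_always_install_elevated(reg_output)
  reg_output.each_line do |line|
    if (m = line.match(/^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$/))
      return m[1].to_i(16)
    end
  end
  0
end

# Combine both hives into one verdict:
#   :default - both 0 or absent (the secure default)
#   :partial - exactly one hive set to 1 (policy not yet in effect, but drifting)
#   :enabled - both set to 1 (any user can install an MSI as SYSTEM; remediate)
def always_install_elevated_state(hklm_output, hkcu_output)
  hklm = parse_always_install_elevated(hklm_output)
  hkcu = parse_always_install_elevated(hkcu_output)
  if hklm == 1 && hkcu == 1
    :enabled
  elsif hklm == 1 || hkcu == 1
    :partial
  else
    :default
  end
end

# The remediation the post's REVERT_PRIVS option performs: dword:0 in both hives.
def revert_commands
  HIVES.map do |hive|
    "reg add \"#{hive}\\#{INSTALLER_POLICY_KEY}\" /v AlwaysInstallElevated /t REG_DWORD /d 0 /f"
  end
end

# Constructed sample output in the layout `reg query` prints.
SAMPLE_HKLM_ENABLED = <<~OUT
  HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
      AlwaysInstallElevated    REG_DWORD    0x1

OUT
SAMPLE_HKCU_ENABLED = <<~OUT
  HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
      AlwaysInstallElevated    REG_DWORD    0x1

OUT
SAMPLE_ABSENT = "ERROR: The system was unable to find the specified registry key or value.\n".freeze

if __FILE__ == $PROGRAM_NAME
  puts always_install_elevated_state(SAMPLE_HKLM_ENABLED, SAMPLE_HKCU_ENABLED) # enabled
  puts always_install_elevated_state(SAMPLE_HKLM_ENABLED, SAMPLE_ABSENT)       # partial
  puts always_install_elevated_state(SAMPLE_ABSENT, SAMPLE_ABSENT)             # default
  puts revert_commands
end
```

On a real host you would feed the two `reg query` outputs (HKLM and HKCU) into `always_install_elevated_state`; anything other than `:default` is worth a ticket, and `:partial` is the early warning that someone has started flipping the keys.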






--- General Errors

This is a common error people might encounter; nothing is wrong with the module. The cause is usually an old version of Metasploit. Replace the class name with the default class name your MSF uses (the current one is MetasploitModule) and it will work as it should :)



-- [Video Demo]




[Credits]

'r00t-3xp10it' => post-module author
  Inspiration: Ben Campbell | Parvez Anwar
  Module debug: Chaitanya [ SSA RedTeam ]