Metasploit - when UAC is at highest level

Experts,

I am conducting defensive security.
If UAC on my Windows 7 system is set to the highest level via GPO (Always Notify), is there ANY way at all to do privilege escalation from a Meterpreter session?

The Metasploit module local/bypassuac does not work when UAC is set to ALWAYS Notify.

I have not been able to find anything online about how this can be bypassed.
trojan81 Asked:

gheist Commented:
Windows 7 works as intended....
Rich Rumble (Security Samurai) Commented:
You can, but I don't know if M$ has patched it yet. Windows 8 by default is always prompt, and UAC can be bypassed: https://github.com/rapid7/metasploit-framework/compare/master...Meatballs1:bypassuac_win81
-rich
btan (Exec Consultant) Commented:
The bypassuac with highest will not work, as the author of the exploit contributed into MS (http://www.rapid7.com/db/modules/exploit/windows/local/bypassuac) stated so.
Win 7 UAC Code-Injection: Summary
Setting UAC to its highest level, or using a non-admin account, will prevent the proof-of-concept from working by forcing it to display a UAC prompt. However, neither of those are the default settings of a Windows 7 install.

Win 7 UAC Code-Injection: The good news
All of this only affects the default account type and UAC level of Windows 7 (builds 7000 & 7022, but probably also the retail given Microsoft's stance so far). If you go against the defaults and run as a non-admin user or turn UAC up to the Always Prompt level, so it behaves like it did in Vista, then it is no longer possible for code-injection from unelevated processes to bypass UAC prompts. So the advice remains as before:

If you are using Windows 7 and want to be protected against silent elevation then turn UAC up to the highest level.
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
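
For the defensive check this thread turns on (is the machine really at the highest UAC level?), here is an added example that is not from any poster in the thread: a PowerShell audit of the UAC policy values in the registry. The function name `Get-UacLevel` is hypothetical; the registry value names and their meanings are the documented Windows ones, and the code sticks to PowerShell 2.0 syntax so it runs on a stock Windows 7 host.

```powershell
# Added example: classify the effective UAC level from the policy registry values.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {   # hypothetical helper name
    param([string]$Path = $UacKey)

    $p = Get-ItemProperty -Path $Path
    $missing = @()
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        if ($null -eq $p.$name) { $missing += $name }
    }
    if ($missing.Count -gt 0) {
        # Do not guess a default for an absent value; report it instead.
        return New-Object PSObject -Property @{
            Level = 'Unknown'; Missing = $missing; AlwaysNotify = $false
        }
    }

    $lua    = [int]$p.EnableLUA
    $admin  = [int]$p.ConsentPromptBehaviorAdmin
    $secure = ([int]$p.PromptOnSecureDesktop -eq 1)

    $level = if ($lua -eq 0) { 'UAC disabled' } else {
        switch ($admin) {
            0 { 'Elevate without prompting' }
            1 { 'Prompt for credentials on the secure desktop' }
            2 { 'Prompt for consent on the secure desktop' }
            3 { 'Prompt for credentials' }
            4 { 'Prompt for consent' }
            5 { 'Prompt for consent for non-Windows binaries (Windows 7 default)' }
            default { "Unrecognised value $admin" }
        }
    }

    New-Object PSObject -Property @{
        Level                 = $level
        SecureDesktop         = $secure
        # Values 1-4 prompt on every elevation, including Windows binaries.
        PromptsEveryElevation = ($lua -eq 1 -and (1..4) -contains $admin)
        # The top slider position writes 2 plus PromptOnSecureDesktop = 1.
        AlwaysNotify          = ($lua -eq 1 -and $admin -eq 2 -and $secure)
        Missing               = $missing
    }
}

Get-UacLevel | Format-List
```

A result with `PromptsEveryElevation` false and a level of 5 is the Windows 7 default that the quoted write-up describes; 0 is the "Elevate without prompting" setting.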

btan (Exec Consultant) Commented:
Other means of privilege escalation are really based on vulnerabilities outstanding on an unpatched machine (finding a CVE that is due to priv and have them rolled out; see getsystem, which attempts a couple, including bypassuac). MS sums it up using its "getsystem":
Metasploit has a Meterpreter script, ‘getsystem’, that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system. There are also various other (local) exploits that can be used to also escalate privileges.
https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
There are other methods like pivoting, pass-the-hash (psexec), etc. There is so much you can attempt, but with UAC set to highest it is not going to be easy unless it has a "hole" to exploit to further the penetration...
gheist Commented:
The best you can find in the current situation is to roll back the patch that fixes the issue, and essentially confirm that the patch fixes the issue.
btan (Exec Consultant) Commented:
Also do verify that it is working by manually setting UAC to Elevate Without Prompting to see if it works, so that the setup is indeed fine ...
trojan81 (Author) Commented:
BTAN, if on the victim PC I right-click the payload and run as administrator, I am able to get the meterpreter session and do a GET SYSTEM. If on the victim PC I simply click the file, I would still establish a meterpreter session but GET SYSTEM will fail. Thus, I know it is the UAC setting.
I will try the bypassuac_injection exploit.
btan (Exec Consultant) Commented:
You need an exploit to get that privilege, since we always assume the target machine is most restrictive; hence pivoting may help to migrate a process to have that system's rights to further the modus operandi, or else you simply have to get the exploit to gain their privileges...
trojan81 (Author) Commented:
BTAN,

On a Windows 7 system with the UAC set to high, are you able to get SYSTEM from a meterpreter session?
trojan81 (Author) Commented:
If so, which exploit did you run to get it?
I'm having trouble finding any evidence online that anyone is able to get past the UAC.
gheist Commented:
All the UAC vulnerabilities are only due to Win8 remembering approvals in a database and sometimes handing them out unjustly. They plainly do not apply to Win7.
You should be naive thinking Microsoft is incapable of downloading Metasploit and fixing their bugs next month.
btan (Exec Consultant) Commented:
You should not or cannot simply bypass UAC at HIGH. The exploit still applies before anything can go ... as already shared. Regardless, I do not advocate bypassing; this is only for testing and knowledge...
Areas to look into include Golden Ticket and PitH, but they can be averted on a hardened machine. Otherwise it is back to the pentest practice: there is no easy feat to bypass SYSTEM w/o the right credential or the right vulnerability dangled
https://blog.netspi.com/5-ways-to-find-systems-running-domain-admin-processes/
If Meterpreter gets in through the exploit (which you need to search for, and which is never to be taken for granted on a hardened machine... you need to find the weakest link via browser etc.), one that can exploit SYS is not readily available ... you probably have to find one from cvedetails or exploitdb or contagion. Interestingly, once you have the exploit to achieve it, you can start listing the tokens and move from an Admin process to impersonate a SYS process: https://www.offensive-security.com/metasploit-unleashed/fun-incognito/
