Bypassing UAC
Last updated
Last updated
Room Link: https://tryhackme.com/room/bypassinguac
Victim(cmd)
Victim(cmd)
This will spawn a notepad process that we can leverage to get a shell. To do so, go to File->Open and make sure to select All Files in the combo box on the lower right corner. Go to C:\Windows\System32 and search for cmd.exe and right-click to select Open:
Victim(cmd)
When Windows opens a file, it checks the registry to know what application to use. The registry holds a key known as Programmatic ID (ProgID) for each filetype, where the corresponding application is associated. Let's say you try to open an HTML file. A part of the registry known as the HKEY_CLASSES_ROOT will be checked so that the system knows that it must use your preferred web client to open it. The command to use will be specified under the shell/open/command subkey for each file's ProgID. Taking the "htmlfile" ProgID as an example:
One of our agents has planted a backdoor on the target server for your convenience. He managed to create an account within the Administrators group, but UAC is preventing the execution of any privileged tasks. To retrieve the flag, he needs you to bypass UAC and get a fully functional high IL shell.
To connect to the backdoor, you can use the following command:
Kali
Once connected, we check if our user is part of the Administrators group and that it is running with a medium integrity token:
Victim(cmd)
Kali
And then proceed to execute fodhelper.exe, which in turn will trigger the execution of our reverse shell:
Victim(cmd)
If you query the corresponding value on the registry, you will notice it has been erased.
Although by now it would seem our exploit wouldn't work with Windows Defender enabled, check what happens if you run the same commands but with a slight modification (be sure to replace your IP address where needed):
Victim(cmd)
Kali
Victim(cmd)
Victim(cmd)
A variation on the fodhelper exploit was proposed by @V3ded, where different registry keys are used, but the basic principle is the same.
Instead of writing our payload into HKCU\Software\Classes\ms-settings\Shell\Open\command, we will use the CurVer entry under a progID registry key. This entry is used when you have multiple instances of an application with different versions running on the same system. CurVer allows you to point to the default version of the application to be used by Windows when opening a given file type.
To this end, we will create an entry on the registry for a new progID of our choice (any name will do) and then point the CurVer entry in the ms-settings progID to our newly created progID. This way, when fodhelper tries opening a file using the ms-settings progID, it will notice the CurVer entry pointing to our new progID and check it to see what command to use.
The exploit code proposed by @V3ded uses Powershell to achieve this end. Here is a modified version of it adapted to use our reverse shell (be sure to replace your IP address where needed):
This exploit creates a new progID with the name .pwn and associates our payload to the command used when opening such files. It then points the CurVer entry of ms-settings to our .pwn progID. When fodhelper tries opening an ms-settings program, it will instead be pointed to the .pwn progID and use its associated command.
This technique is more likely to evade Windows Defender since we have more liberty on where to put our payload, as the name of the progID that holds our payload is entirely arbitrary. Let's start a new reverse shell on our attacker's machine:
Kali
And execute the exploit from our backdoor connection as is. As a result, Windows Defender will throw another alert that references our actions:
Although we are still detected, it is essential to note that sometimes the detection methods used by AV software are implemented strictly against the published exploit, without considering possible variations. If we translate our exploit from Powershell to use cmd.exe, the AV won't raise any alerts (be sure to replace your IP address where needed):
Victim(cmd)
Note: Be sure to disable Windows Defender for this task, or you may have some difficulties when running the exploit. Just run the provided shortcut on your machine's desktop to disable it.
To understand why we are picking Disk Cleanup, let's open the Task Scheduler and check the task's configuration:
Victim(cmd)
Here we can see that the task is configured to run with the Users account, which means it will inherit the privileges from the calling user. The Run with highest privileges option will use the highest privilege security token available to the calling user, which is a high IL token for an administrator. Notice that if a regular non-admin user invokes this task, it will execute with medium IL only since that is the highest privilege token available to non-admins, and therefore the bypass wouldn't work.
Checking the Actions and Settings tabs, we have the following:
The task can be run on-demand, executing the following command when invoked:
Since the command depends on environment variables, we might be able to inject commands through them and get them executed by starting the DiskCleanup task manually.
Luckily for us, we can override the %windir% variable through the registry by creating an entry in HKCU\Environment. If we want to execute a reverse shell using socat, we can set %windir% as follows (without the quotes):
At the end of our command, we concatenate "&REM " (ending with a blank space) to comment whatever is put after %windir% when expanding the environment variable to get the final command used by DiskCleanup. The resulting command would be (be sure to replace your IP address where needed):
Where anything after the "REM" is ignored as a comment.
Let's set up a listener for a reverse shell with
Kali
We will then connect to the backdoor provided on port 9999:
Kali
And finally, run the following commands to write our payload to %windir% and then execute the DiskCleanup task (be sure to replace your IP address where needed):
Victim(cmd)
