Home Bypassing UAC
Post
Cancel

Bypassing UAC

Learn common ways to bypass User Account Control (UAC) in Windows hosts.

THM Room https://tryhackme.com/room/bypassinguac

TASK 1 : Introduction

Click and continue learning!

No Answer

TASK 2 : User Account Control (UAC)

What is the highest integrity level (IL) available on Windows?

Answer : System

What is the IL associated with an administrator’s elevated token?

Answer : high

What is the full name of the service in charge of dealing with UAC elevation requests?

Answer : Application Information Service

TASK 3 : UAC: GUI based bypasses

What flag is returned by running the msconfig exploit?

Viewing the process “msconfig.exe” with processHacker :

Process Hacker Process Hacker

Then launching a IL (Integrity Level) high command prompt inherited from msconfig :

msconfig msconfig

We have now an system command prompt and can query the flag :

msconfig Flag msconfig Flag

Answer : THM{UAC_HELLO_WORLD}

What flag is returned by running the azman.msc exploit?

azman.exe runs with IL high by default too :

azman.exe azman.exe

Then in the help menu, the view source of “help topic” open notepad.exe with the same inherited IL :

Azman Help Azman Help

View Source View Source

IL notepad Spawn IL notepad Spawn

We can now open cmd.exe from the System32 folder with the High IL :

System cmd System cmd

System cmd 2 System cmd 2

And now we can query the flag :

azman.exe Flag azman.exe Flag

Answer : THM{GUI_UAC_BYPASSED_AGAIN}

TASK 4 : UAC: Auto-Elevating Processes

What flag is returned by running the fodhelper exploit?

Following the explained steps we can add a specific registry key so the fodhelper.exe will check the user configuration in the registry, not the System one :

fodhelper.exe fodhelper.exe

Then quering the flag :

fodhelper.exe Flag fodhelper.exe Flag

Answer : THM{AUTOELEVATE4THEWIN}

TASK 5 : UAC: Improving the Fodhelper Exploit to Bypass Windows Defender

What flag is returned by running the fodhelper-curver exploit?

Same process than previously, but bypassing the windows defender security :

Bypass windefend Bypass windefend

Answer : THM{AV_UAC_BYPASS_4_ALL}

TASK 6 : UAC: Environment Variable Expansion

What flag is returned by running the DiskCleanup exploit?

DiskCleanup DiskCleanup

Answer : THM{SCHEDULED_TASKS_AND_ENVIRONMENT_VARS}

TASK 7 : Automated Exploitation

Click and continue learning!

No Answer.

TASK 8 : Conclusion

Click and continue learning!

No Answer.

This post is licensed under CC BY 4.0 by the author.