cybergeegee Posted November 30, 2016 Posted November 30, 2016 I am testing this on target machine Windows 10 (Build 14393). I was able to change the UAC level to 0 with the following on PowerShell: Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name "ConsentPromptBehaviorAdmin" -Value 0 I am well aware that I can simply go through the trouble of having the ducky do ALT+Y to bypass UAC. However, I want to be able to do this on the run box (WIN+R), if possible. I tried this on the run box but no luck: powershell Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name "ConsentPromptBehaviorAdmin" -Value 0 Please let me know if anyone has any idea. If you have a quicker or more efficient way of bypassing UAC, feel free to share. Highly appreciated! Thank you, G Quote
Enzym3 Posted December 1, 2016 Posted December 1, 2016 You would require running PowerShell in administrator mode in order to execute that code, meaning you'll have to bypass UAC the old fashioned way using ALT + Y for at least the first time you run it on a targeted machine that has UAC enabled. However, it would still be useful if you intend to run multiple payloads that would require bypassing multiple prompts, or any situation where you may not want a user to catch on to things being executed while they're actively using the PC. That being said, a smart user may notice that UAC has been disabled and start sniffing around, so make sure your payloads are clearing the system event logs at the end. Quote
Enzym3 Posted December 1, 2016 Posted December 1, 2016 Just a tip: You can use the -whatif parameter in PowerShell at the end of any line of code that will make changes to your system to see the result of executing the code without it actually executing. Additionally, you can use -confirm in a similar fashion to be prompted before the changes take effect. This is how I tested your code to see why it wasn't working. I opened two separate PowerShell windows and typed in your code and added the -whatif parameter to the end in each and here's what I got: Non-administrator shell: Adminstrator shell: Quote
cybergeegee Posted December 1, 2016 Author Posted December 1, 2016 I finally realize that the run box trick works on commands where administrator privilege is not necessary (like downloading a batch file with wget and executing it). It all clears up now! Although its still disappointing that you have to go through ALT+Y in order to execute the code. I've been trying to escalate privileges with exploit/windows/local/ask after getting a meterpreter shell on a normal user with UAC enabled. To do so, it needs the user to click Yes on the prompt (which defeats the purpose of being stealthy). That's why I wanted to try changing the UAC level through the ducky in fast and sneaky way. I appreciate the help Enzym3! Thanks for the tip too Quote
Enzym3 Posted December 1, 2016 Posted December 1, 2016 I'm certain there's a way to do what you're wanting to do, but it may require too much work or a very specific exploit to actually be viable since most often you want a payload that will work on a broad range of hosts. I wish I had an answer for you, but I just started messing with PowerShell in the past few weeks, so my knowledge is still extremely basic. One other tip I will give you that I quickly learned and don't see any other payloads accounting for is writing payloads that will work both with UAC and without UAC enabled. And by that I mean having your payload press ALT + Y to bypass the UAC prompt while accounting for any hosts that don't prompt for UAC which will end up causing the PowerShell script to begin with a 'y' (since the dialog box doesn't pop up, it ends up typing in the PowerShell window), thus causing an error when the following command is executed. Before you start inserting your first line of code, you need to LEFTARROW and then press DELETE to take care of the leading 'y' first. Therefore, I always write my UAC bypass portion of my payloads like this: <...> STRING powershell Start-Process powershell -Verb runAs ENTER DELAY 300 ALT y DELAY 300 LEFTARROW DELAY 50 DELETE DELAY 50 STRING $usbpath = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'QUACK' } | select name <...> Cheers, -Enzym3 Quote
cybergeegee Posted December 1, 2016 Author Posted December 1, 2016 Yup, that's definitely something that I considered when writing my payload. To compensate for the 'y', I use CONTROL c to simply drop on to the next line so that the following command executes successfully. One thing I noticed on one of my testings was when you get the UAC prompt, sometimes ALT+Y does not work because the prompt is not the selected window (ex. after executing powershell in Admin). I took that into consideration and found a fix by doing the following: GUI TAB DELAY 250 GUI TAB DELAY 250 ALT y Basically it will WIN+TAB twice and somehow it magically selects the UAC prompt window again. It also works with UAC disabled. So far, it only happened to me on one virtual machine running Windows 10. Not sure why it happens, but at least I got a fix for it. Not sure if you or anyone else have encountered the same problem. Quote
Enzym3 Posted December 1, 2016 Posted December 1, 2016 I have not ran into that issue before, but good looking out. I'll keep an eye out for it and make sure to account for it. Good call too on CTRL + C to jump to the next line. Much easier! Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.