
Posted

I am testing this on target machine Windows 10 (Build 14393).

I was able to change the UAC level to 0 with the following in PowerShell:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name "ConsentPromptBehaviorAdmin" -Value 0

I am well aware that I can simply go through the trouble of having the ducky do ALT+Y to bypass UAC. However, I want to be able to do this on the run box (WIN+R), if possible.

I tried this on the run box but no luck:

powershell Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name "ConsentPromptBehaviorAdmin" -Value 0

Please let me know if anyone has any idea. If you have a quicker or more efficient way of bypassing UAC, feel free to share. Highly appreciated!

Thank you,

G
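A defender-side counterpart to the command in this post, added here as an example and not part of the original thread: a PowerShell function that reads the same policy key and reports whether the UAC prompt settings have been weakened. The function name Get-UacPolicyState and the output layout are my own choices; the value meanings are Microsoft's documented policy values. Reading HKLM is permitted for standard users, so the check itself needs no elevation.

```powershell
# Added example: audit the UAC policy values under the key the post modifies.
# Not code from the thread; Get-UacPolicyState is a hypothetical helper name.
function Get-UacPolicyState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # Documented meanings of ConsentPromptBehaviorAdmin
    $adminBehavior = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }

    $findings = @()
    if ($p.EnableLUA -eq 0) {
        $findings += 'EnableLUA=0: UAC disabled entirely (effective after reboot)'
    }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently'
    }
    if ($p.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: prompts shown on the interactive desktop'
    }

    $code = $p.ConsentPromptBehaviorAdmin
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $code
        AdminBehavior              = if ($null -ne $code -and $adminBehavior.ContainsKey([int]$code)) {
                                         $adminBehavior[[int]$code] } else { 'Unknown / not set' }
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Weakened                   = ($findings.Count -gt 0)
        Findings                   = $findings
    }
}

# Usage: run on the host under review and look at the Weakened flag.
Get-UacPolicyState | Format-List
```

Note that a change to this key is not recorded in the Security log by default; it only produces event 4657 ("A registry value was modified") when object-access auditing is enabled and the key carries a SACL, so a periodic read like this one is the cheaper way to catch a host whose prompt level was silently dropped to 0.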

Posted

You would require running PowerShell in administrator mode in order to execute that code, meaning you'll have to bypass UAC the old fashioned way using ALT + Y for at least the first time you run it on a targeted machine that has UAC enabled. However, it would still be useful if you intend to run multiple payloads that would require bypassing multiple prompts, or any situation where you may not want a user to catch on to things being executed while they're actively using the PC. That being said, a smart user may notice that UAC has been disabled and start sniffing around, so make sure your payloads are clearing the system event logs at the end.

Posted

Just a tip: You can use the -whatif parameter in PowerShell at the end of any line of code that will make changes to your system to see the result of executing the code without it actually executing. Additionally, you can use -confirm in a similar fashion to be prompted before the changes take effect. This is how I tested your code to see why it wasn't working. I opened two separate PowerShell windows and typed in your code and added the -whatif parameter to the end in each and here's what I got:

Non-administrator shell:

[screenshot: 1565ca7707f10bc0f3b9cf1757b5331d.png]

Administrator shell:

[screenshot: 947f8966992bba049e572b09a6d83784.png]

Posted

I finally realize that the run box trick works on commands where administrator privilege is not necessary (like downloading a batch file with wget and executing it). It all clears up now! Although it's still disappointing that you have to go through ALT+Y in order to execute the code.

I've been trying to escalate privileges with exploit/windows/local/ask after getting a meterpreter shell on a normal user with UAC enabled. To do so, it needs the user to click Yes on the prompt (which defeats the purpose of being stealthy). That's why I wanted to try changing the UAC level through the ducky in a fast and sneaky way.

I appreciate the help Enzym3! Thanks for the tip too :grin:

Posted

I'm certain there's a way to do what you're wanting to do, but it may require too much work or a very specific exploit to actually be viable since most often you want a payload that will work on a broad range of hosts. I wish I had an answer for you, but I just started messing with PowerShell in the past few weeks, so my knowledge is still extremely basic.

One other tip I will give you that I quickly learned and don't see any other payloads accounting for is writing payloads that will work both with UAC and without UAC enabled. And by that I mean having your payload press ALT + Y to bypass the UAC prompt while accounting for any hosts that don't prompt for UAC which will end up causing the PowerShell script to begin with a 'y' (since the dialog box doesn't pop up, it ends up typing in the PowerShell window), thus causing an error when the following command is executed. Before you start inserting your first line of code, you need to LEFTARROW and then press DELETE to take care of the leading 'y' first.

Therefore, I always write my UAC bypass portion of my payloads like this:

<...>

STRING powershell Start-Process powershell -Verb runAs
ENTER
DELAY 300
ALT y
DELAY 300
LEFTARROW
DELAY 50
DELETE
DELAY 50
STRING $usbpath = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'QUACK' } | select name

<...>

Cheers,

-Enzym3

Posted

Yup, that's definitely something that I considered when writing my payload. To compensate for the 'y', I use CONTROL c to simply drop onto the next line so that the following command executes successfully. One thing I noticed during one of my tests was that when you get the UAC prompt, sometimes ALT+Y does not work because the prompt is not the selected window (e.g. after executing powershell as Admin). I took that into consideration and found a fix by doing the following:

GUI TAB
DELAY 250
GUI TAB
DELAY 250
ALT y

Basically it will WIN+TAB twice and somehow it magically selects the UAC prompt window again. It also works with UAC disabled. So far, it only happened to me on one virtual machine running Windows 10. Not sure why it happens, but at least I got a fix for it. Not sure if you or anyone else have encountered the same problem.

Posted

I have not run into that issue before, but good looking out. I'll keep an eye out for it and make sure to account for it. Good call too on CTRL + C to jump to the next line. Much easier!
