UAC Bypass: UACMe

Overview

In this lab, we will look at bypassing UAC using the UACME tool.

UACME:

  • Defeats Windows User Account Control (UAC) to obtain Administrator privileges.

  • It abuses the built-in Windows AutoElevate executables.

  • It offers 65+ methods for bypassing UAC; which of them apply depends on the Windows OS version.

  • Developed by https://twitter.com/hFireF0X

  • Written mostly in C, with some code in C++

Tasks

Lab Environment

In this lab environment, you will be provided with GUI access to a Kali machine. The target machine running a vulnerable server will be accessible at demo.ine.local.

Your task is to fingerprint the application using the tools available on the Kali machine, exploit it with the appropriate Metasploit module, and then bypass UAC using the UACMe tool.

Objective: Gain the highest privilege on the compromised machine and get admin user NTLM hash.

Note: The UACMe tool is located in "/root/Desktop/tools/UACME/" directory.

Tools

The best tools for this lab are:

  • Nmap

  • Metasploit Framework

  • UACME

Solutions

Step 1: Open the lab link to access the Kali machine.


Step 2: Check if the target machine is reachable:

Command: [screenshot not reproduced]

The target is reachable.

Step 3: Check open ports on the target machine:

Command: [screenshot not reproduced]

Step 4: We have discovered that multiple ports are open. Run Nmap again to determine the service version on port 80.

Command: [screenshot not reproduced]

HTTP File Server (HFS) 2.3 is available.

Step 5: Search for an exploit for the HFS file server using searchsploit.

Command: [screenshot not reproduced]

Step 6: Rejetto HTTP File Server (HFS) 2.3 is vulnerable to remote code execution. Exploit the target server using the Metasploit framework.

Commands: [screenshot not reproduced]

We have successfully exploited the vulnerable application (HFS) and received a meterpreter shell.

Step 7: Check the current user.

Commands: [screenshot not reproduced]

Step 8: We can observe that we are running as the admin user. Migrate into the explorer.exe process: first find the PID of explorer.exe, then use the migrate command to move the current session into that process.

Commands: [screenshot not reproduced]

Step 9: Attempt to elevate to high privilege:

Command: [screenshot not reproduced]

We can observe that we do not have permission to elevate privileges.

Step 10: Get a Windows shell and check whether the admin user is a member of the Administrators group.

Commands: [screenshot not reproduced]

The admin user is a member of the Administrators group. However, our session is still running with the filtered (medium-integrity) token that UAC hands to administrators at logon, so we do not have high privilege as of now. We can gain high privilege by bypassing UAC (User Account Control).

We are going to bypass UAC for the admin user with the help of the UACMe tool.
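To see from the Windows side why an account in the Administrators group can still fail to elevate, here is an added PowerShell check (example code, not part of the original lab). It reports whether the current token is elevated, whether the account is a direct member of the local Administrators group, and the UAC policy values that decide whether the auto-elevation UACMe relies on is honoured at all. Assumptions: the account is a direct local member (Get-LocalGroupMember does not expand nested domain groups), and the registry values are read from the standard policy key.

```powershell
# Added example, not from the original lab or from UACMe.
# Run in the same (non-elevated) session to see the split-token situation.

function Get-TokenElevationStatus {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole() is evaluated against the token the process actually holds.
    # Under UAC an administrator logs on with a filtered token, so this is $false
    # until the process is elevated, even though the account is an admin.
    $elevated = $principal.IsInRole($adminRole)

    # Group membership is a property of the account, not of the current token,
    # so query the local SAM instead of the (filtered) token's group list.
    # Assumption: the account is a direct member of the local group.
    $groupMember = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $identity.User.Value })

    [pscustomobject]@{
        User                = $identity.Name
        MemberOfAdminsGroup = $groupMember
        TokenIsElevated     = $elevated
        SplitToken          = ($groupMember -and -not $elevated)
    }
}

function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # EnableLUA = 1 turns UAC on. ConsentPromptBehaviorAdmin = 2 together with
    # PromptOnSecureDesktop = 1 is the "Always notify" level; at that level the
    # auto-elevating binaries that UACMe abuses must prompt like everything else.
    $alwaysNotify = ($p.ConsentPromptBehaviorAdmin -eq 2) -and ($p.PromptOnSecureDesktop -eq 1)

    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AutoElevateHonored         = ($p.EnableLUA -eq 1) -and -not $alwaysNotify
    }
}

Get-TokenElevationStatus | Format-List
Get-UacPolicy | Format-List
```

On the lab host the first object is expected to show MemberOfAdminsGroup true and TokenIsElevated false (SplitToken true), which is exactly the state Steps 9 and 10 observe; AutoElevateHonored being true is the precondition for the auto-elevate abuse that follows.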

Step 11: Generate a malicious executable using msfvenom; it will be run on the target machine to gain administrator privileges.

Note: Please make sure that you replace the “10.10.31.2” local IP address with yours.

Generating malicious executable using msfvenom.

Commands: [screenshot not reproduced]

The UACMe tool is located in the "/root/Desktop/tools/UACME/" directory.

Step 12: Switch to the user's temp folder and upload the Akagi64.exe and backdoor.exe executables.

Commands: [screenshot not reproduced]

Step 13: Start another msfconsole and run a multi handler.

Commands: [screenshot not reproduced]

Step 14: Switch back to meterpreter and run the Akagi64.exe executable.

Note: Please provide the full path of the backdoor executable.

We are going to use UACMe method number 23:

  • Author: Leo Davidson derivative

  • Type: Dll Hijack

  • Method: IFileOperation

  • Target(s): \system32\pkgmgr.exe

  • Component(s): DismCore.dll

  • Implementation: ucmDismMethod

Commands: [screenshot not reproduced]

Once we execute the above command, we expect a new meterpreter session on the handler.

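From the defender's side, method 23 leaves a recognisable trace: the auto-elevating pkgmgr.exe loads a DismCore.dll from a location where the genuine component does not live. The following PowerShell is an added example (not part of the original lab or the UACMe project) that encodes that check, runs it over constructed sample records in the shape of Sysmon Event ID 7 (Image Loaded) data, and then applies the same test to the local Sysmon log. Assumptions: the legitimate DismCore.dll resides under %SystemRoot%\System32\Dism\, a rogue copy dropped directly into System32 is the artefact to look for, and Sysmon is installed with image-load logging enabled.

```powershell
# Added detection example, not from the original lab or from UACMe.

function Test-SuspiciousDismCoreLoad {
    param(
        [Parameter(Mandatory)][string]$Image,        # loading process, e.g. C:\Windows\System32\pkgmgr.exe
        [Parameter(Mandatory)][string]$ImageLoaded   # DLL path as reported by Sysmon Event ID 7
    )
    $isPkgMgr   = [IO.Path]::GetFileName($Image) -ieq 'pkgmgr.exe'
    $isDismCore = [IO.Path]::GetFileName($ImageLoaded) -ieq 'DismCore.dll'
    # Assumption: the genuine DLL lives in System32\Dism; any other directory is suspect.
    $legitDir   = Join-Path $env:SystemRoot 'System32\Dism'
    $fromLegit  = [IO.Path]::GetDirectoryName($ImageLoaded) -ieq $legitDir
    return ($isPkgMgr -and $isDismCore -and -not $fromLegit)
}

# Constructed sample records (not real telemetry) in the shape of Sysmon Event ID 7 fields.
$samples = @(
    @{ Image = 'C:\Windows\System32\pkgmgr.exe';  ImageLoaded = 'C:\Windows\System32\DismCore.dll' }       # hijack pattern
    @{ Image = 'C:\Windows\System32\pkgmgr.exe';  ImageLoaded = 'C:\Windows\System32\Dism\DismCore.dll' }  # expected location
    @{ Image = 'C:\Windows\System32\notepad.exe'; ImageLoaded = 'C:\Windows\System32\DismCore.dll' }       # different loader
)
foreach ($s in $samples) {
    $flag  = Test-SuspiciousDismCoreLoad -Image $s.Image -ImageLoaded $s.ImageLoaded
    $label = if ($flag) { 'ALERT' } else { 'ok' }
    '{0,-5} {1} -> {2}' -f $label, $s.Image, $s.ImageLoaded
}

# Live check: scan recent Sysmon Event ID 7 records on this host with the same test.
function Find-DismCoreHijackEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.Image -and $data.ImageLoaded -and
                (Test-SuspiciousDismCoreLoad -Image $data.Image -ImageLoaded $data.ImageLoaded)) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Image       = $data.Image
                    ImageLoaded = $data.ImageLoaded
                    Signed      = $data.Signed
                }
            }
        }
}
Find-DismCoreHijackEvents | Format-Table -AutoSize

# File-system artefact (assumption): a DismCore.dll sitting directly in System32 is not expected.
$stray = Join-Path $env:SystemRoot 'System32\DismCore.dll'
if (Test-Path $stray) { "Unexpected file present: $stray" }
```

The sample run should print ALERT only for the first record. The Signed field is carried through because a planted DLL will normally be unsigned, which is a useful second signal when triaging a hit.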

We have successfully gained high-privilege access. Next, dump the user hashes.

Step 15: Migrate into the lsass.exe process.

Commands: [screenshot not reproduced]

Step 16: Dump the hashes.

Command: [screenshot not reproduced]

This reveals the flag to us.

Admin NTLM Hash: 4d6583ed4cef81c2f2ac3c88fc5f3da6

Conclusion

In this lab, we exploited a vulnerable application to gain shell access on the target machine and then bypassed UAC using the UACME tool to gain elevated access and dump user hashes.
