UAC Bypassing
Notes from the TryHackMe Room created by @munra Completed in January 2023
Abstract
This room was a great introduction to UAC bypassing. It starts with some theory about what UAC is and what it is for. Concepts related to UAC, such as Mandatory Integrity Level and AutoElevate, are also explained. As we progress through the room, we learn in what context a UAC bypass might be useful and the principle underlying most UAC bypass techniques. The room covers the well-known UAC bypass technique that abuses the fodhelper.exe program. Bypassing UAC may not be as simple as it seems: an antivirus such as Windows Defender, or a restrictive UAC setting, can be a barrier to simple UAC bypass techniques. The room covers some alternatives for bypassing UAC when Windows Defender is on and UAC is set to its most restrictive level. Finally, the room covers UAC bypass automation by introducing the tool UACME.
Theory
UAC stands for User Account Control and has relied on the Application Information Service since Windows Server 2008 and Windows Vista. UAC is a Windows feature that makes processes run in the context of a standard user instead of a high-privilege user, unless the high-privilege context is specifically approved by the end user. This mechanism prevents processes from running unnecessarily in a high-privilege context, which could pose a risk of undesirable modifications or malicious actions on the computer.
In your daily activities you have probably already dealt with UAC without knowing it. For example, when installing a new program you may have been prompted by Windows to allow the program to make changes to your computer.
It is also very likely that you have had to open the command prompt, or another program installed on your computer, as an Administrator to perform various administrative operations.
UAC has four notification levels, from "Never notify" to "Always notify". The level can be changed by an administrator in the host's settings.
Mandatory Integrity Level (MIC)
Windows has 4 integrity levels (IL). The higher the integrity level, the more a process is allowed to do on the system and its configuration. Standard users and most processes run with a Medium integrity level by default.
The integrity level of a process is inherited from its calling user or process. Integrity level checks also take precedence over DACLs.
When a user logs in to a computer, they are given a token with a specific integrity level. Unlike standard users, who receive a single token of medium IL, administrators are given two tokens, one with medium IL and the other with high IL. If UAC is enabled, the administrator's high-IL token is only used with the consent of the user through a prompt.
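A way to check which of the two tokens the current shell actually holds, as an added example that is not part of the room (the function name and the SID table are mine; whoami.exe ships with Windows and its /fo csv output is parsed into objects). A medium-IL shell opened by an administrator reports the Administrators group as "used for deny only", which is exactly the filtered token UAC hands out before consent:

```powershell
# Added example (not from the TryHackMe room): report which token the current
# shell is running with by parsing `whoami /groups`.
# Assumptions: whoami.exe is available (it ships with Windows); the well-known
# SIDs below identify the integrity labels and the BUILTIN\Administrators group.

function Get-ShellTokenInfo {
    # /fo csv gives a stable, parseable layout; ConvertFrom-Csv turns each row into
    # an object with "Group Name", Type, SID and Attributes properties
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    # The integrity level appears as a group entry of Type "Label"; its SID encodes the level
    $levelBySid = @{
        'S-1-16-0'     = 'Untrusted'
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-8448'  = 'Medium Plus'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }
    $label = $groups | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
    $level = if ($label -and $levelBySid.ContainsKey($label.SID)) { $levelBySid[$label.SID] } else { 'Unknown' }

    # S-1-5-32-544 is BUILTIN\Administrators. In the filtered (medium-IL) token the group
    # is still listed, but its Attributes read "Group used for deny only".
    $admin = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    [pscustomobject]@{
        IntegrityLevel        = $level
        IsAdministratorMember = [bool]$admin
        AdminGroupDenyOnly    = [bool]($admin -and $admin.Attributes -match 'deny only')
        Elevated              = (@('High', 'System') -contains $level)
    }
}

Get-ShellTokenInfo
```

Run it from a normal prompt and from one opened with "Run as administrator": the first reports Medium with AdminGroupDenyOnly set to True, the second reports High with the group fully enabled. That difference is the whole point of the two tokens described above.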
Bypassing UAC
During a penetration testing engagement, we may gain a shell as an administrator on the target machine while not being able to perform any administrative action, because we only have access to a medium integrity command prompt. Since we do not have a GUI, we are not able to accept the Windows prompt and use the high-IL token of the administrative account. Bypassing UAC is thus needed in that context.
The idea behind bypassing UAC is to abuse a process already running with a High IL to perform an action or start another process on our behalf. Since the integrity level is inherited from the parent, the child or called process will inherit the High IL token. The TryHackMe room first demonstrates that concept with two examples of UAC bypass using the GUI.
We leverage processes running at High IL thanks to AutoElevate to spawn a command prompt as administrator. Even though those examples were not that realistic, they helped me understand the core principle behind bypassing UAC.
AutoElevate
Some applications or programs can run with the AutoElevate property. This means that the program can run with a High Integrity Level without the user being prompted for consent. Many of the applications that target the Windows system configuration and settings have the AutoElevate property, which allows them to change Windows settings without prompting the user. However, if UAC is set to "Always Notify", the user is always prompted to give consent.
Some conditions need to be met for a program to AutoElevate:
- The program needs to be signed by a Windows Publisher.
- The program needs to be located in a trusted location such as the System32 or Program Files directories.
Sometimes the executable also needs the AutoElevate property to be specified in its manifest with <autoElevate>true</autoElevate>.
The sigcheck tool from the Sysinternals suite can be used to inspect the manifest of an executable.
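An inventory of which executables in a trusted directory declare autoElevate in their manifest, as an added example that is not from the room or from Sysinternals (the function name is mine; it assumes sigcheck64.exe is on the PATH and uses its -m switch, which dumps the embedded manifest). From a defender's side, the resulting list is the set of high-IL processes whose child processes deserve monitoring:

```powershell
# Added example (not from the TryHackMe room): list executables whose manifest
# contains <autoElevate>true</autoElevate>, using Sysinternals sigcheck.
# Assumptions: sigcheck64.exe is on the PATH (or pass -SigcheckPath) and the
# directory is readable. The function name and output fields are mine.

function Get-AutoElevateExecutables {
    param(
        [string]$Directory    = "$env:windir\System32",
        [string]$SigcheckPath = 'sigcheck64.exe'
    )

    if (-not (Get-Command $SigcheckPath -ErrorAction SilentlyContinue)) {
        throw "sigcheck not found: $SigcheckPath"
    }

    Get-ChildItem -Path $Directory -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -m dumps the manifest; -nobanner/-accepteula keep the output parseable
            $out  = & $SigcheckPath -accepteula -nobanner -m $_.FullName 2>$null
            $text = ($out -join "`n")

            # Tolerate a namespace prefix or attributes on the element; -match is case-insensitive
            if ($text -match '<(?:\w+:)?autoElevate[^>]*>\s*true\s*<') {
                # sigcheck prints "Verified: Signed" for a valid Authenticode signature,
                # which is the first of the AutoElevate conditions listed above
                $publisher = if ($text -match 'Publisher:\s*(.+)') { $Matches[1].Trim() } else { $null }
                [pscustomobject]@{
                    Path      = $_.FullName
                    Signed    = [bool]($text -match 'Verified:\s*Signed')
                    Publisher = $publisher
                }
            }
        }
}

Get-AutoElevateExecutables | Format-Table -AutoSize
```

The scan is slow on a full System32 because sigcheck is invoked once per file; scope it with -Directory when only a subset matters. Any hit that is unsigned, or signed by someone other than Microsoft, is worth a closer look, since it fails the first AutoElevate condition and should not be sitting in a trusted location.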
Fodhelper.exe - Simplest exploit
Abusing the Fodhelper.exe program is probably one of the best-known UAC bypass techniques. Fodhelper.exe is an AutoElevate program whose purpose is to configure optional settings of the Windows operating system. Thus, it runs with a high integrity token without requiring the UAC prompt.
The Fodhelper bypass abuses the fact that, when this program starts, it checks for the following registry keys, which do not exist by default:
The default value of this registry key specifies which program to open when opening a file of the ms-settings type. The ms-settings part of the key refers to the ProgID which, in simple terms, refers to a COM object class (object type). According to the Microsoft documentation, the format of a ProgID is as follows:
[Vendor or Application].[Component].[Version]
Word.Document.6
A ProgID associates a file type with an application or program to use. For example, clicking on an HTML file opens our preferred browser by default, and clicking on a .doc document opens the Word application.
The idea behind the Fodhelper.exe UAC bypass is to set the registry key value to an action that will be performed by the system when the program starts. As said earlier, Fodhelper.exe runs with a High Integrity Level, meaning that any other program or process that has Fodhelper.exe as its parent will inherit that token.
The image below shows two important things: 1) our user is a member of the Administrators group and 2) we have a Medium Integrity Level shell.
Our objective is to bypass UAC to get a high integrity level shell. The socat tool located in the C:\tools\socat directory will send a connection back to our attacker machine once the fodhelper.exe program is started.
Clean up
Fodhelper.exe - Windows Defender Bypass
The UAC bypass technique used previously triggers a Windows Defender alert, and our registry key gets removed very soon after its modification.
This section of the room proposes one of the existing solutions to bypass Windows Defender, using the ProgID subkey CurVer. The technique is well described by its author in the following article.
CurVer is used by Windows when multiple versions of a single application exist on the same system; it is used to distinguish the version of each application.
The first step is to create a new ProgID (new file type), whose name can be arbitrary.
Then, we create the CurVer subkey under the ms-settings ProgID. The subkey value points to the new ProgID we just created.
Then, when the fodhelper.exe program is launched, Windows follows the CurVer value and executes the command specified in the command subkey of the .thm ProgID. This method circumvents the modification of the original HKCU\Software\Classes\ms-settings\Shell\Open\command subkey, which is likely to trigger a Windows alert.
Although this method aims to bypass Windows Defender, whether an alert is triggered depends on the AV in place and on the variant of the exploit used. In the example shown, running the same exploit through PowerShell triggered an alert.
Clean up
This will delete the two created registry keys.
Environment Variable Expansion
Abusing a scheduled task can allow an attacker to bypass UAC even if the feature is set to its highest level, "Always Notify". Since a scheduled task is designed to run on its own, it won't prompt the user for consent before it is executed.
The TryHackMe room showed us how the DiskCleanup scheduled task can be abused to bypass UAC. This scheduled task has some interesting properties, such as running with the highest integrity level of the calling user. The task can also be run manually with a command that includes an environment variable whose value can be modified to hold our payload.
These properties can be observed in the images below.
The DiskCleanup task can be run manually with the following command:
The %windir% variable is a Windows environment variable referring to the C:\Windows directory. This environment variable can be overridden by adding an entry to the HKCU\Environment registry key.
In the following command, we create an entry named windir and set its value to the following, which sends a reverse shell to our attacker IP.
Adding the registry entry to the HKCU\Environment registry key:
The &REM expression comments out everything that follows it, meaning that the expanded command to run the DiskCleanup task becomes the following:
Every command coming after the &REM expression won't be executed.
Then, start the scheduled task manually:
Clean Up
To clean up our traces, we should not forget to delete the registry entry we created.
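Both the Fodhelper variants (the direct Shell\Open\command key and the CurVer redirect) and the DiskCleanup variant leave a footprint under HKCU that does not exist on a clean system. The audit below, as an added example that is not part of the room (the function name and report fields are mine; the registry paths are the ones named in this write-up), checks all three locations so a defender or a tester doing clean-up can confirm nothing was left behind:

```powershell
# Added example (not from the TryHackMe room): audit the current user's hive for
# the registry artifacts of the bypasses described above. None of these keys or
# values exist by default, so any hit is worth investigating.
# Assumptions: function name and output fields are mine; paths come from the write-up.

function Test-UacBypassArtifacts {
    $findings = @()

    # 1. Fodhelper: a Shell\Open\command under the ms-settings ProgID, or a CurVer
    #    value redirecting to another ProgID whose own command key holds the payload
    $msSettings = 'HKCU:\Software\Classes\ms-settings'
    if (Test-Path $msSettings) {
        $cmdKey = Join-Path $msSettings 'Shell\Open\command'
        if (Test-Path $cmdKey) {
            $findings += [pscustomobject]@{
                Technique = 'Fodhelper (direct command key)'
                Key       = $cmdKey
                Value     = (Get-ItemProperty -Path $cmdKey).'(default)'
                Extra     = $null
            }
        }

        $curVerKey = Join-Path $msSettings 'CurVer'
        if (Test-Path $curVerKey) {
            # CurVer's default value names the ProgID that Windows will follow instead
            $target    = (Get-ItemProperty -Path $curVerKey).'(default)'
            $targetCmd = "HKCU:\Software\Classes\$target\Shell\Open\command"
            $findings += [pscustomobject]@{
                Technique = 'Fodhelper (CurVer redirect)'
                Key       = $curVerKey
                Value     = $target
                Extra     = if ($target -and (Test-Path $targetCmd)) {
                                "redirect target command: " + (Get-ItemProperty -Path $targetCmd).'(default)'
                            } else { $null }
            }
        }
    }

    # 2. DiskCleanup task: a per-user "windir" value shadowing the system-wide %windir%,
    #    which is normally defined only under HKLM
    $envKey   = 'HKCU:\Environment'
    $envProps = Get-ItemProperty -Path $envKey -ErrorAction SilentlyContinue
    if ($envProps -and ($envProps.PSObject.Properties.Name -contains 'windir')) {
        $findings += [pscustomobject]@{
            Technique = 'Scheduled task environment expansion'
            Key       = $envKey
            Value     = $envProps.windir
            Extra     = 'windir is expected only in the system-wide environment (HKLM)'
        }
    }

    return $findings
}

$hits = Test-UacBypassArtifacts
if ($hits) { $hits | Format-List } else { 'No UAC bypass artifacts found under HKCU.' }
```

Because the keys are in HKCU, the audit must run as the user being checked; on a shared host, loop over the loaded user hives or run it in each user's context. Pairing this with registry auditing on HKCU\Software\Classes\ms-settings and HKCU\Environment turns the same three locations into a detection rule rather than a one-off check.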
Automation - UACME
Finally, the TryHackMe room introduced us to the tool UACME, a binary that can perform more than 60 known UAC bypass techniques. We only need to specify the method to use and the tool automatically does the job.
The method to fire should be chosen based on the Windows version and the features of the targeted environment.
The GitHub repo does not contain any compiled binary; it needs to be compiled from source using Visual Studio.
A demonstration of UACME, including how to compile the binary, can also be found in this video from the HackerSploit channel.