A bit of a qUACkery – how to elevate… w/o doing a single thing ;)

September 7, 2018 in UAC Bypass

Update

After I posted it, a number of helpful netizens tried to repro and they found issues, so unless we figure it out, treat the below as subject to unknown conditions that may render it useless, a.k.a. a non-working trick 🙂

You can follow the Twitter convos here. I’ll update the post once I know more.

Old Post

I recently discovered a really funny way to bypass UAC and launch any process with High Mandatory Level.

This is how to reproduce it:

  • As a regular user, launch cmd.exe.
  • Confirm the integrity level:

    C:\test>WHOAMI /Groups | FIND "S-1-16"
    Mandatory Label\Medium Mandatory Level Label S-1-16-8192

  • Launch: sdclt /configure
  • The sdclt.exe program is auto-elevated.
  • Walk through the wizard and back up some files; in my case I created a dummy folder c:\test with a small number of files and backed it up.
  • Let it finish.
  • Now that we have a backup, go to the list of Backups so we can restore some files.
  • Choose the backup, then search for c:\test and tick it so you can restore it (it’s all about a small set so we can do it quickly, but you can choose any backup & restore really).
  • Restore files; you should be presented with a panel. It is important that at least _some_ files are restored so we can see the logs.
  • Click View Log file.
  • This will launch Notepad.exe with elevated privileges.
  • In Notepad, go to menu File -> Open -> c:\windows\system32.
  • Type cmd*.* so we can see cmd.exe on the list.
  • Right click on cmd.exe, hit Open.
  • cmd.exe will open, and it has S-1-16-12288 / High Mandatory Level, i.e. a high integrity level:

    C:\Windows\System32>WHOAMI /Groups | FIND "S-1-16"
    Mandatory Label\High Mandatory Level Label S-1-16-12288

  • Launch any program you want – it will be at High Mandatory integrity level.
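From the defender's side, the chain above leaves a very recognisable footprint in process-creation telemetry: an auto-elevated sdclt.exe spawning a High-integrity notepad.exe, which in turn spawns a High-integrity cmd.exe. The script below is an added example (not from the original post) that walks Sysmon-style Event ID 1 records and flags exactly that parent/child pattern while ignoring an ordinary Medium-integrity notepad -> cmd pair. The log lines, the "Key: Value | Key: Value" layout, and the name lists AUTO_ELEVATED_LAUNCHERS and INTERACTIVE_EDITORS are all constructed for this example; adapt the field parsing to whatever your collector actually emits.

```python
"""Toy detection for the sdclt.exe -> notepad.exe -> cmd.exe elevation chain.

The records are constructed Sysmon-style process-creation events (Event ID 1);
the field names mirror Sysmon's (ProcessId, ParentProcessId, Image,
ParentImage, IntegrityLevel) but the events themselves are made up here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the newly created process
    parent_image: str   # full path of its parent
    integrity: str      # Sysmon IntegrityLevel: Low / Medium / High / System


# Constructed sample log: a Medium cmd.exe launches the auto-elevated sdclt.exe,
# which spawns a High notepad.exe, which spawns a High cmd.exe (the chain in the
# post).  The last two lines are a benign Medium notepad -> cmd pair that must
# NOT be flagged.
SAMPLE_LOG = """\
ProcessId: 4100 | ParentProcessId: 3000 | Image: C:\\Windows\\System32\\cmd.exe | ParentImage: C:\\Windows\\explorer.exe | IntegrityLevel: Medium
ProcessId: 4200 | ParentProcessId: 4100 | Image: C:\\Windows\\System32\\sdclt.exe | ParentImage: C:\\Windows\\System32\\cmd.exe | IntegrityLevel: High
ProcessId: 4300 | ParentProcessId: 4200 | Image: C:\\Windows\\System32\\notepad.exe | ParentImage: C:\\Windows\\System32\\sdclt.exe | IntegrityLevel: High
ProcessId: 4400 | ParentProcessId: 4300 | Image: C:\\Windows\\System32\\cmd.exe | ParentImage: C:\\Windows\\System32\\notepad.exe | IntegrityLevel: High
ProcessId: 4500 | ParentProcessId: 3000 | Image: C:\\Windows\\System32\\notepad.exe | ParentImage: C:\\Windows\\explorer.exe | IntegrityLevel: Medium
ProcessId: 4600 | ParentProcessId: 4500 | Image: C:\\Windows\\System32\\cmd.exe | ParentImage: C:\\Windows\\System32\\notepad.exe | IntegrityLevel: Medium
"""

# Assumption: only the binary discussed on this page is listed; extend to the
# auto-elevated executables that matter in your environment.
AUTO_ELEVATED_LAUNCHERS = {"sdclt.exe"}
# Interactive programs that offer a File -> Open style dialog (assumption).
INTERACTIVE_EDITORS = {"notepad.exe"}


def parse_line(line: str) -> ProcEvent:
    """Parse one 'Key: Value | Key: Value' record into a ProcEvent."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, value = part.split(": ", 1)   # split once: paths contain ':' too
        fields[key.strip()] = value.strip()
    return ProcEvent(
        pid=int(fields["ProcessId"]),
        ppid=int(fields["ParentProcessId"]),
        image=fields["Image"],
        parent_image=fields["ParentImage"],
        integrity=fields["IntegrityLevel"],
    )


def load_events(log_text: str) -> List[ProcEvent]:
    return [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_elevation_chains(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for each process matching the elevation pattern.

    Rule 1: a High-integrity interactive editor whose parent is an
            auto-elevated launcher (sdclt.exe handing out an elevated Notepad).
    Rule 2: any High-integrity child of such an editor (the shell opened
            through the editor's File -> Open dialog).
    """
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        if e.integrity != "High":
            continue
        img, pimg = basename(e.image), basename(e.parent_image)
        parent = by_pid.get(e.ppid)
        if img in INTERACTIVE_EDITORS and pimg in AUTO_ELEVATED_LAUNCHERS:
            findings.append((e.pid, "High-integrity editor spawned by auto-elevated launcher"))
        elif (pimg in INTERACTIVE_EDITORS and parent is not None
              and parent.integrity == "High"
              and basename(parent.parent_image) in AUTO_ELEVATED_LAUNCHERS):
            findings.append((e.pid, "High-integrity child of an editor launched by auto-elevated tool"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_elevation_chains(load_events(SAMPLE_LOG)):
        print(f"ALERT pid={pid}: {reason}")
```

Only pids 4300 and 4400 are reported; the Medium-integrity notepad/cmd pair at the end of the sample is a normal user action and stays quiet. The rule keys on the IntegrityLevel field rather than on process names alone, which is what separates this chain from a user simply running Notepad.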