A bit of a qUACkery – how to elevate… w/o doing a single thing ;)
September 7, 2018 in UAC Bypass
Update
After I posted it, a number of helpful netizens tried to repro and found issues, so unless we figure it out, treat the below as subject to unknown conditions that may render it useless, a.k.a. a non-working trick 🙂
You can follow the twitter convos here. I’ll update the post once I know more.
Old Post
I recently discovered a really funny way to bypass UAC and launch any process with High Mandatory Level.
This is how to reproduce it:
- As a regular user launch cmd.exe.
- Confirm the integrity level:
    C:\test>WHOAMI /Groups | FIND "S-1-16"
    Mandatory Label\Medium Mandatory Level Label S-1-16-8192
- Launch: sdclt /configure
- The sdclt.exe program is auto-elevated
- Walk through the wizard and back up some files; in my case I created a dummy folder c:\test with a small number of files and backed it up
- Let it finish
- Now that we have a backup, let’s go to the list of Backups so we can restore some files
- Choose the backup, then search for c:\test and tick it so you can restore it (it’s all about a small set so we can do it quickly, but you can choose any backup & restore really)
- Restore files; you should be presented with a panel; it is important that at least _some_ files are restored so we can see the logs
- Click View Log file
- This will launch Notepad.exe with elevated privileges
- In Notepad, go to menu File -> Open -> c:\windows\system32
- Type cmd*.* so we can see cmd.exe on the list
- Right click on cmd.exe, hit Open
- cmd.exe will open; it has S-1-16-12288, i.e. High Mandatory Level, a high integrity level:
    C:\Windows\System32>WHOAMI /Groups | FIND "S-1-16"
    Mandatory Label\High Mandatory Level Label S-1-16-12288
- Launch any program you want – it will be on a High Mandatory integrity level
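From a detection standpoint, the useful artifact of the chain above is the process lineage: sdclt.exe (auto-elevated) spawns notepad.exe at High integrity, and notepad.exe in turn spawns a child process that inherits High integrity. The following is an added example, not code from the original post, that runs that lineage check over a handful of constructed Sysmon-style process-creation records (the field names, PIDs and the `ProcEvent` type are assumptions for the example; the "View Log file" child and its integrity levels come from the post).

```python
"""Added example: flag High-integrity children of notepad.exe whose own parent
is sdclt.exe, the lineage produced by the walkthrough above.

Records are constructed to resemble Sysmon Event ID 1 fields (ProcessId,
ParentProcessId, Image, IntegrityLevel); they are not real telemetry.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    integrity: str  # e.g. "Medium", "High", as Sysmon reports it


# Constructed sample events (assumed PIDs; not captured from a real host).
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe",              "Medium"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",          "Medium"),
    ProcEvent(300, 200, r"C:\Windows\System32\sdclt.exe",        "High"),   # auto-elevated
    ProcEvent(400, 300, r"C:\Windows\System32\notepad.exe",      "High"),   # "View Log file"
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe",          "High"),   # File -> Open -> cmd.exe
    ProcEvent(600, 100, r"C:\Windows\System32\notepad.exe",      "Medium"), # benign, user-launched
    ProcEvent(700, 600, r"C:\Windows\System32\cmd.exe",          "Medium"), # benign child
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_sdclt_notepad_children(events):
    """Return one alert per process whose parent is notepad.exe, whose
    grandparent is sdclt.exe, and which runs at High integrity."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) != "notepad.exe":
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent is None or basename(grandparent.image) != "sdclt.exe":
            continue
        if e.integrity != "High":
            continue
        alerts.append({
            "pid": e.pid,
            "image": basename(e.image),
            "chain": [basename(grandparent.image), basename(parent.image), basename(e.image)],
            "integrity": e.integrity,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_sdclt_notepad_children(SAMPLE_EVENTS):
        print(" -> ".join(alert["chain"]), f"(pid {alert['pid']}, {alert['integrity']})")
```

The benign Medium-integrity notepad.exe started from Explorer and its child are left alone; only the High-integrity child under the sdclt.exe lineage is reported. A narrower variant would alert on any High-integrity child of notepad.exe regardless of grandparent, since Notepad spawning processes at High is unusual in normal use.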