{"id":5350,"date":"2018-09-07T18:45:44","date_gmt":"2018-09-07T18:45:44","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5350"},"modified":"2018-09-07T21:35:54","modified_gmt":"2018-09-07T21:35:54","slug":"a-bit-of-a-quackery-how-to-elevate-w-o-doing-a-single-thing","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/09\/07\/a-bit-of-a-quackery-how-to-elevate-w-o-doing-a-single-thing\/","title":{"rendered":"A bit of a qUACkery &#8211; how to elevate&#8230; w\/o doing a single thing ;)"},"content":{"rendered":"<p><strong>Update<\/strong><\/p>\n<p>After I posted it, a number of helpful netizens tried to repro and they found issues, so unless we figure it out, treat the below as subject to unknown conditions that may render it useless a.k.a. non-working trick \ud83d\ude42<\/p>\n<p>You can follow the Twitter convos <a href=\"https:\/\/twitter.com\/Hexacorn\/status\/1038136386426167296\">here<\/a>. I&#8217;ll update the post once I know more.<\/p>\n<p><strong>Old Post<\/strong><\/p>\n<p>I recently discovered a really funny way to bypass UAC and launch any process with High Mandatory Level.<\/p>\n<p>This is how to reproduce it:<\/p>\n<ul>\n<li>As a regular user launch cmd.exe.<\/li>\n<li>Confirm the integrity level:<\/li>\n<\/ul>\n<p><tt>C:\\test&gt;WHOAMI \/Groups | FIND \"S-1-16\"<\/tt><tt><br \/>\n<\/tt><tt>Mandatory Label\\Medium Mandatory Level Label S-1-16-8192<\/tt><\/p>\n<ul>\n<li>Launch:<tt> sdclt \/configure<\/tt><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-5351\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt1.png\" alt=\"\" width=\"352\" height=\"174\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt1.png 352w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt1-300x148.png 300w\" sizes=\"(max-width: 
352px) 100vw, 352px\" \/><\/a><\/p>\n<ul>\n<li>The sdclt.exe program is auto-elevated<\/li>\n<li>Walk through the wizard and back up some files; in my case I created a dummy folder c:\\test with a small number of files and backed it up<\/li>\n<li>Let it finish<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-5352\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt2.png\" alt=\"\" width=\"500\" height=\"285\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt2.png 545w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt2-300x171.png 300w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<ul>\n<li>Now that we have a backup, let&#8217;s go to the list of Backups so we can restore some files<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-5353\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt3.png\" alt=\"\" width=\"352\" height=\"388\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt3.png 352w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt3-272x300.png 272w\" sizes=\"(max-width: 352px) 100vw, 352px\" \/><\/a><\/p>\n<ul>\n<li>Choose the backup, then search for c:\\test and tick it so you can restore it (it&#8217;s all about a small set so we can do it quickly, but you can choose any backup &amp; restore really)<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-5354\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt4.png\" alt=\"\" width=\"292\" height=\"159\" 
\/><\/a><\/p>\n<ul>\n<li>Restore files; you should be presented with a panel; it is important that at least _some_ files are restored so we can see the logs<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt5.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-5355\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt5.png\" alt=\"\" width=\"500\" height=\"431\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt5.png 635w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/sdclt5-300x259.png 300w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<ul>\n<li>Click View Log file<\/li>\n<li><strong>This will launch Notepad.exe with elevated privileges<\/strong><\/li>\n<li>In Notepad, go to menu File -&gt; Open -&gt; c:\\windows\\system32<\/li>\n<li>Type cmd*.* so we can see cmd.exe on the list<\/li>\n<li>Right-click on cmd.exe, hit Open<\/li>\n<li>cmd.exe will open &#8211;<\/li>\n<li>it has S-1-16-12288\/High Mandatory Level\/a high integrity level.<br \/>\n<tt>C:\\Windows\\System32&gt;WHOAMI \/Groups | FIND \"S-1-16\"<br \/>\nMandatory Label\\High Mandatory Level Label S-1-16-12288<\/tt><\/li>\n<li>Launch any program you want &#8211; it will be on a High Mandatory integrity level<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Update After I posted it, a number of helpful netizens tried to repro and they found issues, so unless we figure it out, treat the below as subject to unknown conditions that may render it useless a.k.a. 
non-working trick &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/09\/07\/a-bit-of-a-quackery-how-to-elevate-w-o-doing-a-single-thing\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5350"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5350"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5350\/revisions"}],"predecessor-version":[{"id":5359,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5350\/revisions\/5359"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}