[solved] HID Backdoor: Start elevated shell if target user is administrator (UAC bypass) #51
Comments
Good question. Not at the moment. The first stage doesn't include a UAC bypass. I have to wrap my head around a proper solution for this. The quick and dirty way would be to prepend keystrokes to run the initial PowerShell with elevated privileges, but this doesn't seem to be a clean solution (based on the context menu or a dialog).
Add another fire command or argument to try running as admin... ALT+Y to select Yes if they are admin, to say yes to Run as administrator. Write code to execute the shell now. I actually was going to add an extra payload copying your fire one and adding the extra commands to invoke as admin. Trying to do it silently with an exploit usually involves launching another agent process with the new rights, so in the beginning it's better to get it up front if possible. Of course, if they are not local admin then it will fall apart, so the user of the app will have to know whether they are admin already or not. Just tossing out ideas, as these are things I was planning on playing with in the project.
From my test:
The above is a common usage for the PS command line, so it will never be detected as malicious. Maybe a warning in the future, but to rule a feature as malicious would break too many things.
This payload tests a UAC bypass; I'll implement it as shown in the video. The approach is very similar to the one described here. It doesn't rely on ALT+Y to confirm the UAC dialog and thus doesn't depend on the target language.
The dialog-based UAC bypass has been published with this commit: Usage Additional remarks:
@ALL @PoSHMagiC0de
Hey @mame82, looks like a lot of what you are doing has been done in my project... kinda, except you added some improvements. Check out the example payloads in the job folder of the project I built for the BB. Invoke-Adminjobs does the admin check like you do above; I got it from the Empire Project. I have the sethc backdoor you have too. It's been my go-to method for customers who locked themselves out of their machine, as long as I can access the drive when booted from a boot disk. There might be other ideas you can snake from it for this project if you like.
It is a common test, but anyway useless in my case.
Again a common task, but we have different approaches. Flying over your PS code, it seems you're operating on the file system (granting permissions to sethc.exe and replacing it with cmd.exe). Your project seems promising. The purpose of this project is to provide a framework which is able to do such tasks ... its purpose is not to provide deployment-ready attacks. But obviously some demos are needed to allow users to understand how such tasks can be converted into a short payload for P4wnP1.
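The thread discusses two separate things a first stage has to establish before it can hope for an elevated shell: whether the logged-on user is a local administrator at all, and whether the current PowerShell is already running with an elevated (unfiltered) token, since with UAC enabled an administrator's interactive session gets a filtered medium-integrity token. The following is an added example, not code from P4wnP1, the BB job scripts, or Empire, showing both checks and the "quick and dirty" elevation route via `Start-Process -Verb RunAs` that mame82 describes above. The function names and the `whoami` command passed to the elevated copy are this example's own choices.

```powershell
# Added example (not P4wnP1 / BB / Empire code): admin check + dialog-based elevation.
# Run from an unelevated PowerShell started by the first stage.

function Test-IsLocalAdminMember {
    # Group membership check. With UAC filtering, the Administrators SID
    # (S-1-5-32-544) is still present in the token's group list, only marked
    # deny-only, so scanning Groups answers "is this an admin account?" even
    # when the current token is filtered.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $adminSid = 'S-1-5-32-544'
    return [bool]($identity.Groups | Where-Object { $_.Value -eq $adminSid })
}

function Test-IsElevated {
    # The IsInRole check used by Empire-style scripts. On a UAC-filtered token
    # the deny-only Administrators SID does not satisfy IsInRole, so this is
    # really "is the current token already elevated?", not "is the user admin?".
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-ElevatedPowerShell {
    # Relaunch PowerShell with the RunAs verb. For an administrator this raises
    # the UAC consent dialog (the dialog-based route discussed in the thread);
    # for a standard user it asks for another account's credentials instead.
    param([Parameter(Mandatory)][string]$Command)

    # Do not name this $args: that is an automatic variable in PowerShell.
    $psArgs = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-Command', $Command)
    Start-Process -FilePath 'powershell.exe' -ArgumentList $psArgs -Verb RunAs
}

# Decision logic for the first stage.
if (Test-IsElevated) {
    Write-Output 'Already elevated, no UAC interaction needed.'
}
elseif (Test-IsLocalAdminMember) {
    Write-Output 'Admin account with a filtered token: requesting elevation via UAC dialog.'
    try {
        # The elevated copy prints its integrity level so the result is visible.
        Start-ElevatedPowerShell -Command 'whoami /groups | findstr /i "Mandatory"; pause'
    }
    catch {
        # Thrown when the dialog is dismissed or elevation is otherwise refused.
        Write-Output "Elevation request failed: $($_.Exception.Message)"
    }
}
else {
    Write-Output 'Standard user: -Verb RunAs would prompt for admin credentials, so stop here.'
}
```

The dialog still has to be confirmed, either by the user or by injected keystrokes, and a keystroke-driven confirmation is what makes the ALT+Y approach language-dependent, as noted above. Only when UAC is configured to elevate administrators without prompting does `-Verb RunAs` succeed silently.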
@mame82
Is it even possible to get the shell (with the HID wifi Background) with admin rights while having UAC enabled?