Promptless UAC Bypass & Powershell Privilege Escalation techniques - Hak5 2510

Captions
A little privilege escalation and PowerShell, that's right, we're covering a fun little UAC bypass technique and a bunch more this time on Hak5. Hello and welcome to Hak5, my name is Darren Kitchen, it's your weekly dose of technolust, because today we're talking about privilege escalation. It's all about getting higher access on a system than what's provided, you know, like they give you login as guest and then you can run stuff as administrator, which you're clearly not supposed to be able to do, but you know, that's kind of the whole idea, right? And UAC, or User Account Control, that's the security method that Microsoft uses in modern versions of Windows to, say, limit standard users from running admin tasks and things of that nature. It's pretty relaxed in most instances, I mean typically you can bypass it just by clicking "yes, I do want to do this as admin", put the onus on the user, oh yeah, or if you're a keystroke injection tool like the USB Rubber Ducky or the Bash Bunny then just hit Alt-Y, hooray. But you know, that said, it's pretty cool to learn that there are some Windows tasks that actually run without prompting for UAC to elevate their own privileges, that can run as standard users, and we're going to take advantage of that, because recently I was checking out a post by Loki ox posted on the Hak5 forums of one such method using the SilentCleanup component of the Windows Disk Cleanup tool, and I think this is so cool. It's similar to a Windows 10 UAC bypass discovered by security researchers in 2016, Matt Graeber and Matt Nelson, so props you guys, links in the description. This is a somewhat different take, but essentially let's check out the script, because it's pretty cool and I've got it read over here on my Linux box.

Okay, so Loki ox posts this script, and essentially there's two parts to it. So you know the top bit here is essentially going to run everything as administrator, and it's going to first do this by, you know, checking like, hey, do we have those elevated privileges, and if we do, whatever you put in here is going to run as that. How? Well, it's because of what's going on down here. So all of this good stuff is what actually sets up the attack, and here's what it's doing basically: there's an environment variable called windir which is typically set to, say, C:\Windows. You can, you know, find this on your system if you... oh gosh, where did they hide it now? There we go. And so these are your environment variables and you'll see windir is C:\Windows, but of course you could change it, and anything hard-coded with C:\Windows would break, so hence there being environment variables. That's just like any other variable in a program, except it works everywhere in Windows, which is kind of cool, and we're going to abuse that in a very crafty way here.

So let's come back over and take a look at this payload. So what we're doing is this PowerShell Set-ItemProperty of this particular HKEY_CURRENT_USER environment variable for windir, and replacing the value with this bit of PowerShell here, and that PowerShell bypasses the execution policy and hidden window and runs this command followed by a pound (#), which is kind of important. And after that registry entry is set we essentially use the scheduled tasks to run, what task? this particular SilentCleanup task, and then you know pipe the output to null, and then at the very end it does a little cleanup of itself by removing that registry key that we just changed. But this part here is where it gets interesting, because what happens is the SilentCleanup task is actually going to run with elevated privileges, and it's going to try to run against %windir%, which is our actual, you know, if we come back over to our Windows box, currently set to C:\Windows, but is going to be changed to this bit of PowerShell here. So what will happen is, in an elevated state, that Windows directory has been replaced by the PowerShell, which uses a couple of very simple parameters: -ep for the execution policy to bypass so that we can run the script, and -w for the window style, hidden in this case, so we don't actually see it, and then $PSCommandPath, which is actually just a reference to this particular script, and then it ends with a semicolon, meaning the next command, and then a pound (#) which says, hey, basically ignore the rest of this, because the rest of it is going to be a comment. So when it actually gets to the part where it tries to run the actual cleanup it's ignored, because it thinks it's a comment. So this does mean that the script needs to reside on the disk to be run, but when it does run itself it actually checks that if statement at the top, says hey, am I running with higher privileges, and if it is, it'll execute whatever you put in there.

So just as a test let's, um, let's make a directory in C:\Windows, which shouldn't be allowed by a standard user. So if I open my uac.ps1 here you'll see I have this exact script, except I've added mkdir C:\Windows\UACBypass. Now if I try to run that here I'm gonna get an error saying like permission is denied, because I don't have the, you know, the permissions to do that, but if I go ahead and run this script with those same permissions, so that would just be .\uac.ps1, and you'll see, now here's the bit, it's not perfect, it's gonna ask me this, this could be finessed a little bit, but once I get out of this, if I do a dir C:\Windows\UAC and then tab complete, it's there. I guess I should have shown you that it wasn't there before, here let's remove it. So just as before, PowerShell, I'm going to go ahead and run that, and again Alt-Y to go ahead and bypass that, rmdir, so you come back to this Windows\UACBypass, great, now that's removed. If I try to run that it's saying like, yo dog, that doesn't exist, okay cool. So again we'll run our UAC bypass, booyah, and now when we run that, there we go, I mean it's an empty directory, right, but you know you get the idea, it now exists. So there you go.

And in just a moment we're gonna check in with our Hak5 gear giveaway, but first a word from our sponsor. Domain.com has all of your website needs, from .com and .net to intuitive website builders. Create your online identity with their affordable, reliable tools, even brand yourself with over 300 extensions from .club to .space. Domain.com loves Hak5, which is why you get 15% off domain names, hosting and email when you check out with coupon code hak5. When you think domain names, think Domain.com.

Now I have to say, awesome contribution Loki ox, exchange gift certificate, and if you would like to win some awesome Hak5 gear, all the good stuff you find over at hak5.org, then there's two bits of creativity I'd like to see this week. Now it's an either-or, right: first you could just post some awesome pics of your own Hak5 gear to social media with the hashtag #hak5, I love seeing our bits of kit being used in the wild. Otherwise, okay, I'd really love to see if someone wants to payload-ify this, so I've linked it to this forum post in the description below, as well as some of the other research related to this, and I would just love to see this put into action. So the first one to make a payload of this, some, some freebies. This, this is typically the part where I like hold up whatever our newest bit of kit is, and in this case it's the Plunder Bug, but all I have is my, you know, sample from development, because I gave all of mine away, but I bought some more from my own store so I can give some more. Oh hey man, actually here's, here's one of the prototypes of, of the Plunder Bug, and then this is typically part of the development cycle as we do these in 3D printed plastics and so they come out white, and this guy here is ye olde micro USB and then we're like, and now I gotta go get USB-C. Anyway, it's probably way too much inside baseball, but in any event, yeah, UAC bypass, pretty cool privilege escalation, would love to see what you guys do with this. I will be on the Hak5 forums as well as the IRC and our newly created Discord, which you can get to by clicking Community at the top of hak5.org, and with that I'm Darren Kitchen, I'll see you on the Internet. Trust your technolust. [Music]
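A defender-side check for the technique the video walks through, added here and not part of the video or the forum script it discusses: the bypass only works because a per-user windir value in HKCU:\Environment shadows the machine-wide one when the SilentCleanup task expands %windir%, so the script below reports any per-user windir override, flags one that is not an existing directory, and shows the task's current state. It assumes Windows PowerShell 5.1 or later on Windows 10, and the task path \Microsoft\Windows\DiskCleanup\SilentCleanup is the one shipped with Windows 10 (an assumption, the page names only the task itself).

```powershell
# Added defensive check (not from the video or the forum script).
# A per-user windir override is the artifact the SilentCleanup bypass
# leaves behind between setting the registry value and cleaning it up.
function Test-WindirOverride {
    $machineKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $machine = (Get-ItemProperty -Path $machineKey -Name windir -ErrorAction SilentlyContinue).windir
    # HKCU:\Environment normally has no windir value at all.
    $user = Get-ItemProperty -Path 'HKCU:\Environment' -Name windir -ErrorAction SilentlyContinue

    $result = [ordered]@{
        MachineWindir = $machine
        UserWindir    = $null
        Suspicious    = $false
        Reason        = 'no per-user windir override in HKCU:\Environment'
    }
    if ($null -ne $user) {
        $value = $user.windir
        $result.UserWindir = $value
        if (-not (Test-Path -LiteralPath $value -PathType Container)) {
            # A value that is not a directory (e.g. a command line ending in '#')
            # is exactly what the task would execute in place of %windir%.
            $result.Suspicious = $true
            $result.Reason = 'HKCU windir is set and is not an existing directory'
        } elseif ($value -ne $machine) {
            $result.Suspicious = $true
            $result.Reason = 'HKCU windir differs from the machine-wide windir'
        } else {
            $result.Reason = 'HKCU windir is present but matches the machine value'
        }
    }
    [pscustomobject]$result
}

function Get-SilentCleanupState {
    # Task path assumed from a stock Windows 10 install (not stated on the page).
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' `
                              -TaskName 'SilentCleanup' -ErrorAction SilentlyContinue
    if ($null -eq $task) { return 'not present' }
    return [string]$task.State
}

Test-WindirOverride | Format-List
"SilentCleanup task state: $(Get-SilentCleanupState)"
```

A non-admin user can write HKCU:\Environment, so the check is worth running as each interactive user rather than once per machine; a Suspicious result is the point at which to remove the value and look at what the task ran.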
Info
Channel: Hak5
Views: 92,095
Keywords: hak5, hack, technology, darren kitchen, hack5, hacker, privilege escalation, powershell, uac, uac bypass, run as administrator, payload, bash bunny, usb rubber ducky
Id: C9GfMfFjhYI
Length: 8min 48sec (528 seconds)
Published: Thu Mar 14 2019