Bypass UAC: Windows Privilege Escalation


What is UAC?

User Account Control (UAC) is a security feature in Windows that protects the machine from unauthorized code. It's that little pop-up you get when you try to run something with admin privileges or when you're installing software.

This way, the user gets to decide whether or not a program runs with elevated privileges. An attacker who has compromised a Windows machine and only has a shell, with no GUI, can't click through that prompt: even if the shell belongs to a user in the Administrators group, it runs unelevated and can't really do anything with that admin membership.

So what does this look like for the attackers?

The whoami output shows that our mandatory label is Medium, yet we're also a member of the Administrators group. We still haven't actually escalated privileges, because our token carries the Medium mandatory label.

So our goal is to go from the Medium mandatory level to the High mandatory level.

Event Viewer Exploit

One common method of getting to the High mandatory level is to use Event Viewer.

How does the event viewer exploit work?

The Event Viewer executable (eventvwr.exe) is marked AutoElevate, meaning that when a user in the Administrators group runs it, Windows elevates it without showing a UAC prompt. The goal of this attack is to get Event Viewer to launch our reverse shell. Since Event Viewer is auto-elevated, the reverse shell it launches inherits the elevated privileges.


Bypassing UAC

Enumerating

We have a shell as the T.Stark user. Running whoami, we can see that we're part of the Administrators group but still have the Medium mandatory level.

If we try to run mimikatz and do "privilege::debug", we get an error.

Let's try out the Event Viewer exploit.

The first thing we should do is check where "eventvwr.exe" is.

where /r C:\Windows eventvwr.exe

Now that we know where it is, let's check whether it's set to auto-elevate. We can use the Sysinternals tool strings.exe to pull the UNICODE and ASCII strings out of the executable, then search the output for the "autoelevate" string that appears in its embedded manifest.

.\strings64.exe -accepteula C:\Windows\System32\eventvwr.exe | findstr /i "autoelevate"
  • -accepteula – This option accepts the Sysinternals license agreement popup that would otherwise appear when we have a GUI.
  • | findstr /i "autoelevate" – This filters the output down to any line containing "autoelevate" (case-insensitive).
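The same check can be done for every binary in System32 at once, which is useful on the defensive side for knowing how many auto-elevating executables a host exposes and whether its UAC policy even honours them. The script below is an added example, not part of the original post: it searches each executable's bytes for the manifest's autoElevate element (the manifest is embedded as plain ASCII, so this mirrors the strings.exe step) and reads the UAC policy values from the registry. At "Always notify" (ConsentPromptBehaviorAdmin = 2), auto-elevating binaries prompt like any other program, so this class of bypass does not work there.

```powershell
# Added example (not from the original post). Read-only: it inventories
# autoElevate binaries and reports the host's UAC policy so a defender can
# judge exposure to eventvwr.exe-style UAC bypasses.

function Test-AutoElevateManifest {
    param([Parameter(Mandatory)][string]$Path)
    # The embedded manifest is ASCII XML, e.g. <autoElevate>true</autoElevate>,
    # so a byte-level search is enough; no resource parsing is needed.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return ($text -match '<autoElevate[^>]*>\s*true\s*</autoElevate>')
}

function Get-AutoElevateBinaries {
    param([string]$Directory = "$env:SystemRoot\System32")
    Get-ChildItem -Path $Directory -Filter *.exe -File -ErrorAction SilentlyContinue |
        Where-Object { Test-AutoElevateManifest -Path $_.FullName } |
        ForEach-Object {
            # autoElevate is only honoured for Microsoft-signed binaries in
            # trusted locations, so record the signature state alongside it.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name   = $_.Name
                Signed = ($sig.Status -eq 'Valid')
                Signer = $sig.SignerCertificate.Subject
            }
        }
}

function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        # Value 2 is "Always notify": autoElevate manifests are ignored and
        # every elevation prompts, which neutralises the Event Viewer bypass.
        AutoElevateHonoured        = ($p.EnableLUA -eq 1) -and ($p.ConsentPromptBehaviorAdmin -ne 2)
    }
}

Get-UacPolicy | Format-List
Get-AutoElevateBinaries | Format-Table -AutoSize
```

Running it on a default Windows 10 build lists eventvwr.exe among the auto-elevating binaries, and raising UAC to "Always notify" (or removing the user from Administrators) is the mitigation that the policy section points at.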

Exploiting

Let's hop back onto Kali and create a reverse shell executable using msfvenom (name the executable "shell.exe").

Now we can try to exploit Event Viewer using this PowerShell script.

If you're wondering how to bring files from Kali over to Windows, consider giving this a look.

After the PowerShell script and the reverse shell executable have been brought over, we can test the exploit.

Before we actually run it, let's start up a netcat listener to catch the reverse shell.

To run the exploit, we type "Invoke-EventViewer" followed by the path to our reverse shell.

Back on the netcat listener, we get a connection!

Checking our level of access, we can see that we now have the High mandatory label.

This means we're able to execute mimikatz with no errors.

If you want to take it a step further with mimikatz, check out this post about dumping hashes.