Privilege Escalation on Windows 7, 8, 10 | Lucideus Research

Introduction to UAC
With User Account Control (UAC) fully enabled, interactive administrators normally run with least user privileges, but they can self-elevate to perform administrative tasks by giving explicit consent with the Consent UI. Such administrative tasks include installing software and drivers, changing system-wide settings, viewing or changing other user accounts, and running administrative tools.

In their least-privileged state, administrators are referred to as Protected administrators. In their elevated state, they are referred to as Elevated administrators. By contrast, Standard users can't elevate by themselves, but they can ask an administrator to elevate them using the Credential UI. The Built-in Administrator account doesn't require elevation.

The Consent UI, used to elevate Protected administrators to have administrative privileges

The Credential UI, used to elevate Standard users.

UAC provides the following benefits:
1. It reduces the number of programs that run with elevated privileges, therefore helping to prevent users from accidentally changing their system settings, and helping to prevent "malware" from gaining system-wide access. When elevation is denied, malware is only able to affect the current user's data. Without elevation, malware can't make system-wide changes or affect other users.
2. For managed environments, well designed UAC experiences allow users to be more productive when running as Standard users by removing unnecessary restrictions.
3. It gives Standard users the ability to ask administrators to give them permission to perform administrative tasks within their current session.
4. For home environments, it enables better parental control over system-wide changes, including what software is installed. [1]

As in Windows Vista, Protected administrators can choose to be notified about all system changes or none. The UAC default setting is to notify about all changes, no matter what their origin.

When you're notified, your desktop will be dimmed, and you must either approve or deny the request in the UAC dialog box before you can do anything else on your computer. The dimming of your desktop is referred to as the secure desktop because other programs can't run while it's dimmed.

Windows 7 introduces two intermediate UAC settings for Protected administrators, in addition to the two from Windows Vista. The first is to notify users only when a program is making the change, so administrators are automatically elevated when they make a change themselves. This is the UAC default setting in Windows 7, and it also makes use of the secure desktop.

The second intermediate setting in Windows 7 is the same as the first except that it doesn't use the secure desktop.


Windows 7 introduces two intermediate UAC settings.



In short, UAC is a very important feature present in all Windows operating systems. It helps protect your system from unwanted attacks by making sure that anything needing administrator rights is authorized by an administrator before it executes. [2]



Defeating Windows User Account Control


Requirements
1. UACMe: https://github.com/hfiref0x/UACME
2. System requirements: x86-32/x64 Windows 7/8/8.1/10 (TH1/TH2/RS1/RS2/RS3/RS4), client editions; some methods, however, also work on server versions.
3. Admin account with UAC set on default settings required.

The first parameter is the number of the method to use; the second is an optional command (executable file name including full path) to run. The second parameter can be empty, in which case the program executes an elevated cmd.exe from the system32 folder.





Run Examples:
akagi32.exe 1
akagi64.exe 3
akagi32 1 c:\windows\system32\calc.exe
akagi64 3 c:\windows\system32\charmap.exe


Proof of Concept (POC) 1 : Windows 7 Ultimate Edition, 64 bit : UAC Bypassing
Username: Lucideus-TestUser

Privileges : Standard User

As the output of the whoami command shows, we are in user mode only, with limited privileges.
Run the executable from the command line: akagi32 [Key] [Param] or akagi64 [Key] [Param]. See "Run Examples" above for more info.


By executing Akagi64.exe and Akagi32.exe, we have Admin privileges without any password or any permission.


POC 2 : Windows 8.1 Pro
After we enter the password, we do not get Admin privileges.

You can check this by running whoami in cmd.


Run the executable from the command line: akagi32 [Key] [Param] or akagi64 [Key] [Param].
See "Run Examples" above for more info.


The result on Windows 8.1 Pro is the same as on Windows 7 Ultimate.
Here, too, we get Admin privileges without any password or any special permission.

POC 3 : Windows 10 Pro



After we enter the password, we do not get Admin privileges. You can check this by running whoami in cmd.


As you can see, we are not an Admin.
Then run: akagi32 [Key] [Param] or akagi64 [Key] [Param]
We get Admin privileges without any password or any special permission.


Solution : Custom Rule Set Group Policy Editing

Group Policy Settings
There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in Security Settings\Local Policies\Security Options in the Local Security Policy snap-in. For more about patching this, please refer to this link: https://docs.microsoft.com/en-gb/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings
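
The four notification levels described in the introduction are stored as registry values under the policy key that the linked Microsoft page documents. As an added example (not part of the original post or of UACMe), the PowerShell script below classifies a host's level and marks for review the default-or-weaker levels that requirement 3 above names; the sample policies and the OK/REVIEW labels are constructed for illustration.

```powershell
# Added example, not from the original post. Value names and meanings follow
# Microsoft's UAC registry documentation; OK/REVIEW labels are this example's own.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Names  = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'

function Get-UacLevel {
    param([hashtable]$Policy)
    # Missing values fall back to their documented defaults.
    $lua    = if ($Policy.ContainsKey('EnableLUA')) { $Policy['EnableLUA'] } else { 1 }
    $admin  = if ($Policy.ContainsKey('ConsentPromptBehaviorAdmin')) { $Policy['ConsentPromptBehaviorAdmin'] } else { 5 }
    $secure = if ($Policy.ContainsKey('PromptOnSecureDesktop')) { $Policy['PromptOnSecureDesktop'] } else { 1 }

    if ($lua -eq 0)            { return 'UAC disabled (EnableLUA=0)' }
    if ($admin -eq 0)          { return 'Never notify (elevate without prompting)' }
    if ($admin -in 1, 2, 3, 4) { return 'Always notify (prompt on every elevation)' }
    if ($admin -eq 5 -and $secure -eq 1) { return 'Default (prompt for non-Windows binaries, secure desktop)' }
    if ($admin -eq 5)          { return 'Default without secure desktop' }
    return "Unrecognized (ConsentPromptBehaviorAdmin=$admin)"
}

function Read-UacPolicy {
    # Read only the three values used above from the live registry.
    $policy = @{}
    $props  = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    foreach ($n in $Names) {
        if ($null -ne $props.$n) { $policy[$n] = [int]$props.$n }
    }
    return $policy
}

# Constructed sample policies (not captured from a real host) so the script runs offline.
$hosts = [ordered]@{
    'default-install' = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
    'no-dimming'      = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 }
    'always-notify'   = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
    'never-notify'    = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
}
# On Windows, add the machine the script is running on.
if (Test-Path $UacKey) { $hosts['this-host'] = Read-UacPolicy }

foreach ($name in $hosts.Keys) {
    $level = Get-UacLevel $hosts[$name]
    # Anything at the default level or weaker is marked for review.
    $flag  = if ($level -like 'Always notify*') { 'OK' } else { 'REVIEW' }
    '{0,-16} {1,-7} {2}' -f $name, $flag, $level
}
```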



