cobbr / Covenant

Covenant is a collaborative .NET C2 framework for red teamers.
https://cobbr.io/Covenant.html
GNU General Public License v3.0

Bypass UAC does not provide elevated shell #40

Closed whitefi closed 4 years ago

whitefi commented 4 years ago

Hey, the bypass uac command and bypass uac grunt modules do not appear to give an elevated shell.

The following image shows 3 grunts.

1) Manual_UAC_ByPass - used PowerShell in an elevated cmd by manually right-clicking and running cmd.exe as an administrator

2) GruntByPAss - used "BypassUACGrunt PowerShell" from the medium integrity grunt

3) 20f748d281 - grunt used to get a high integrity shell (GruntByPAss)

[image]

SafetyKatz etc. fails to run on a high integrity grunt when using BypassUACGrunt or BypassUACCommand.

When running whoami /priv we can see that it fails to properly elevate the shell and thus we are unable to impersonate SYSTEM / run mimikatz etc.

Manual_UAC_ByPass: [image]

GruntByPAss: [image]

rasta-mouse commented 4 years ago

What version of Windows are you running against? I'm pretty sure Covenant uses SharpSploit's Token class which uses Token Duplication. This was fixed in the 1809 release.

whitefi commented 4 years ago

10.0.14393 Build 14393

cobbr commented 4 years ago

@whitefi There's a lot to consider with this.

First, @rasta-mouse is correct that on 1809+ the BypassUAC tasks will not work, since the token duplication method has been patched.

But, to me it looks like you successfully used the BypassUAC modules to get a new Grunt with a High Integrity session.

In addition to being High vs Medium integrity, a token has a set of enabled privileges. It looks like you are in an odd situation where you have high integrity token that does not have the appropriate privileges for whatever task you are trying to accomplish.

It would be useful in this situation to have a "getprivs" type of builtin task. Unfortunately, I don't have anything like that built in as a task. However, SharpSploit does have this ability, and can be utilized with the SharpShell command: https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/Credentials/Tokens.cs#L511

Other 3rd-party tools may be able to accomplish this as well, you might look into Tokenvator.
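
The "getprivs" check cobbr describes, as an added example that is not Covenant or SharpSploit code: it lists every privilege on the current process token with its enabled/disabled state, and then tries to enable one privilege (SeDebugPrivilege by default) with AdjustTokenPrivileges. The class name TokenPrivs, the P/Invoke declarations and the ERROR_NOT_ALL_ASSIGNED handling are this example's own; it assumes .NET Framework 4.x on Windows and is written as a standalone console program compiled with csc.exe.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

// Added example, not Covenant/SharpSploit code. Lists the privileges held by the
// current process token and tries to enable one, so a high-integrity session
// that is missing a needed privilege can be told apart from a non-elevated one.
public static class TokenPrivs
{
    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }

    // TOKEN_PRIVILEGES with exactly one entry, sufficient for AdjustTokenPrivileges.
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES_1 { public uint PrivilegeCount; public LUID_AND_ATTRIBUTES Privilege; }

    const uint TOKEN_QUERY = 0x0008;
    const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    const int TokenPrivileges = 3;          // TOKEN_INFORMATION_CLASS value
    const uint SE_PRIVILEGE_ENABLED = 0x2;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, uint len, out uint needed);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string system, ref LUID luid, StringBuilder name, ref int cch);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES_1 state,
                                             uint len, IntPtr prev, IntPtr prevLen);

    // Every privilege held by the current process token, with whether it is enabled.
    // A privilege absent from this list cannot be enabled by AdjustTokenPrivileges at all.
    public static List<KeyValuePair<string, bool>> ListPrivileges()
    {
        var result = new List<KeyValuePair<string, bool>>();
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new System.ComponentModel.Win32Exception();
        uint needed;
        GetTokenInformation(token, TokenPrivileges, IntPtr.Zero, 0, out needed);   // size probe
        IntPtr buf = Marshal.AllocHGlobal((int)needed);
        try
        {
            if (!GetTokenInformation(token, TokenPrivileges, buf, needed, out needed))
                throw new System.ComponentModel.Win32Exception();
            int count = Marshal.ReadInt32(buf);                                  // PrivilegeCount
            int entrySize = Marshal.SizeOf(typeof(LUID_AND_ATTRIBUTES));         // 12 bytes
            for (int i = 0; i < count; i++)
            {
                // The LUID_AND_ATTRIBUTES array starts right after the DWORD PrivilegeCount.
                IntPtr entry = new IntPtr(buf.ToInt64() + 4 + i * entrySize);
                var la = (LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(entry, typeof(LUID_AND_ATTRIBUTES));
                var name = new StringBuilder(256);
                int cch = name.Capacity;
                LookupPrivilegeName(null, ref la.Luid, name, ref cch);
                bool enabled = (la.Attributes & SE_PRIVILEGE_ENABLED) != 0;
                result.Add(new KeyValuePair<string, bool>(name.ToString(), enabled));
            }
        }
        finally { Marshal.FreeHGlobal(buf); CloseHandle(token); }
        return result;
    }

    // Tries to enable one privilege on the current process token. Returns false when the
    // token does not hold it (ERROR_NOT_ALL_ASSIGNED): the "high integrity but missing
    // privileges" situation from the thread, which no amount of enabling will fix.
    public static bool EnablePrivilege(string name)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            throw new System.ComponentModel.Win32Exception();
        try
        {
            var tp = new TOKEN_PRIVILEGES_1 { PrivilegeCount = 1 };
            if (!LookupPrivilegeValue(null, name, out tp.Privilege.Luid)) return false;
            tp.Privilege.Attributes = SE_PRIVILEGE_ENABLED;
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            // AdjustTokenPrivileges returns TRUE even when nothing was assigned; check the last error.
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(token); }
    }

    public static void Main(string[] args)
    {
        string target = args.Length > 0 ? args[0] : "SeDebugPrivilege";
        bool admin = new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator);
        Console.WriteLine("Administrators group enabled in token: " + admin);
        foreach (var p in ListPrivileges())
            Console.WriteLine("{0,-32} {1}", p.Key, p.Value ? "Enabled" : "Disabled");
        Console.WriteLine("Enable {0}: {1}", target, EnablePrivilege(target) ? "OK" : "not held by this token");
    }
}
```

Run it once from the manually elevated session and once from the Grunt produced by BypassUACGrunt and diff the two privilege lists: the first output is the same data `whoami /priv` shows, and the last line tells you whether the privilege a task needs (SeDebugPrivilege for LSASS access) is merely disabled, which AdjustTokenPrivileges fixes, or absent from the token, which it cannot.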

kjblack commented 4 years ago

Thanks, will carry on working on alternatives for newer builds

rasta-mouse commented 4 years ago

Those privs look normal to me after a Token Duplication UAC Bypass. Raffi talks about it here https://www.youtube.com/watch?v=kwnTf253pgI

whitefi commented 4 years ago

Perfect. Thanks for the YouTube link. Clears a lot up about this technique; not all is lost 😎

cobbr commented 4 years ago

This is great info to have, thanks for sharing @rasta-mouse

cobbr commented 4 years ago

Closing for now. Let me know if you still have more issues @whitefi