Breaching UAC

Learn common ways to bypass User Account Control (UAC) in Windows hosts.

tryhackme host evasion room

Dec 12, 2024

Task 1: Introduction

Q1: Click and continue learning!

Ans1: No answer needed

Task 2: User Account Control (UAC)

Q1: What is the highest integrity level (IL) available on Windows?

Ans1: system

Q2: What is the IL associated with an administrator’s elevated token?

Ans2: high

Q3: What is the full name of the service in charge of dealing with UAC elevation requests?

Ans3: application information service

Task 3: UAC: GUI based bypasses

Q1: What flag is returned by running the msconfig exploit?

Ans1: THM{UAC_HELLO_WORLD}

Q2: What flag is returned by running the azman.msc exploit?

Ans2: THM{GUI_UAC_BYPASSED_AGAIN}

Task 4: UAC: Auto-Elevating Processes

Q1: What flag is returned by running the fodhelper exploit?

4.1_1

4.1_2

4.1_3

4.1_4

4.1_5

4.1_6

4.1_7

Ans1: THM{AUTOELEVATE4THEWIN}

Task 5: UAC: Improving the Fodhelper Exploit to Bypass Windows Defender

Q1: What flag is returned by running the fodhelper-curver exploit?

5.1_1

5.1_2

Ans1: THM{AV_UAC_BYPASS_4_ALL}

Task 6: UAC: Environment Variable Expansion

Q1: What flag is returned by running the DiskCleanup exploit?

6.1_1

6.1_2

Ans1: THM{SCHEDULED_TASKS_AND_ENVIRONMENT_VARS}

Task 7: Automated Exploitation

Q1: Click and continue learning!

Ans1: No answer needed

Task 8: Conclusion

Q1: Click and continue learning!

Ans1: No answer needed

Breaching UAC

Task 1: Introduction

Task 2: User Account Control (UAC)

Task 3: UAC: GUI based bypasses

Task 4: UAC: Auto-Elevating Processes

Task 5: UAC: Improving the Fodhelper Exploit to Bypass Windows Defender

Task 6: UAC: Environment Variable Expansion

Task 7: Automated Exploitation

Task 8: Conclusion

Contents