Post

Windows UAC Privilege Escalation

Demonstration of how to perform Windows UAC Privilege Escalation (CVE-2019-1388). This vulnerability allows a user to escalate from a low privilege level (non-admin) to SYSTEM.

  1. Download EXE
  2. Walkthrough

Download EXE

We’re going to use the exe that was used in the a PoC for this CVE. The exe can be downloaded here.

Walkthrough

Step 1

Run the program as a Admin and we should see a prompt similar to this:

Click Show details or Show more details, and click the link that says Show information about this publisher's certificate

Step 2

A new window will appear showing the certificate info.

In the Issued By field, click the link:

  • NOTE it will appear as if nothing happened. This is normal. A browser has actually been opened that we can’t see.

Step 3

Close the window showing the certificate info, and the UAC prompt.

We can now see the browser that was opened:

  • It doesn’t matter if the site doesn’t load. Internet is NOT required for this to work.

Step 4

Our goal now is to open a file browser/saver window. There is a few ways we can do this.

One way is to click Page -> Save As....

Another way is to click Print -> Find Printer.

There’s other ways to do this, choose whatever works.

Step 5

Once we have this new window open, we need to type cmd in the location bar and click enter:

A command prompt will now open that should be running as SYSTEM:

This post is licensed under CC BY 4.0 by the author.