ALPC-BypassUAC

UAC bypass using a direct call to RAiLaunchAdminProcess and mmc.

  1. net use \\127.0.0.1\C$
  2. Create the folder C:\gweeperx
  3. Copy test.msc into C:\gweeperx
  4. Execute ALPC-BypassUAC.exe
  5. Anything under https://web/jskdnvkjsdnfkjsdfnjsfnl.html will be executed as admin

References:

https://www.youtube.com/watch?v=D-F5RxZ_yXc

https://www.rump.beer/2017/slides/from_alpc_to_uac_bypass.pdf

A bad PoC for Windows 10 Enterprise 1809: https://youtu.be/eOXq-2Gg6lU