Welcome to elevationstation Discussions!

[g3tsyst3m]

👋 Welcome!

Yo! I'm using Discussions as a place to connect with other members of the InfoSec community and discuss this project in greater detail.

• Ask questions you’re wondering about.
• Share ideas.
• Doesn't require issue requests to chat so that's cool

So without further ado, start chatting!

[g3tsyst3m]

I'll start. what's the deal with this issue I'm running in to? In short, if you right click on cmd.exe and run as admin, all the expected functionality of ElevationStation and CreateProcessAsUser API fully cooperates and spawns a shell within your current console.

However, if I do a UAC bypass/escalate (something I have working and REALLY want to add to this solution) from a standard user that is a member of the administrators group and get a shell (that is running with high integrity and elevated admin cmd prompt), I get an access denied 0x5 on CreateProcessAsUser. I have all the necessary token privs required. no change there.

Both cmd.exe's are running within local administrator privileges...I'll keep researching but if anyone has thoughts please, by all means, chime in.

this works:

this doesn't:

UAC BYPASS Executed

[g3tsyst3m]

figured it out! had to do this:
dwCreationFlags = CREATE_BREAKAWAY_FROM_JOB;
the reason why can be found in this well written article and stackoverflow OG writeup:
https://learn.microsoft.com/en-us/archive/blogs/alejacma/createprocessasuser-fails-with-error-5-access-denied-when-using-jobs
https://stackoverflow.com/questions/58040954/how-to-launch-an-interactive-process-in-windows-on-java/58093917#58093917