[numer_05]

Hello,

Essentially what I am exploring at this moment and time is some form of priv escalation on Windows. There are several resources especially FuzzSecurity's Article and others. There is of course UACME and other sources on github, but just wondering if anyone on this forum has a better knowledge on bypassing UAC that isn't 'common' since 'explorer.exe' injection has been used and abused or at least point me in the right direction?

[Tracefl0w]

This is a quite good article explaining an alternative way to bypass the user account control (UAC) in windows.
Hopefully you'll have some good use of it

[Drako]

I have a different suggestion. A while back I saw you can use any flavor of Linux to modify system files to open an administrator console. From there do whatever you want!

First create a live boot of Kali Linux on your USB, and boot into Kali. And then you should see a menu with a bunch of boot options, just select the first one. Then you need to mount your drive with Windows in your terminal. Then search for a file called 'sethc.exe' which is located in Windows/System32. You're going to want to rename it to 'sethc2.exe' so you can change it back later. Then find the 'cmd.exe' and rename it to 'sethc.exe'. Now just boot into Windows and once you get to the login screen, spam your ctrl key so Windows thinks it's opening sticky keys, and you should get the admin console!

Yeah it's a lot of work, but it's just an alternative.