{"id":609,"date":"2020-03-06T23:25:03","date_gmt":"2020-03-06T22:25:03","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=609"},"modified":"2020-03-06T23:27:10","modified_gmt":"2020-03-06T22:27:10","slug":"challenge-day2-uac-virtualization","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=609","title":{"rendered":"Challenge Day 2 &#8211; UAC Virtualization"},"content":{"rendered":"<blockquote><p>Here your task will be to discover the File System Virtualization mechanism and use it to make the app prepared by us running fine in the user context.<br \/>\nYou will have a chance to learn how to run the application with standard user privileges even though it\u2019s requiring access to some restricted directories.<\/p><\/blockquote>\n<ul>\n<li><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/CQChallenge2.zip\">CQChallenge2<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5dc2.0_day2_skill_instruction.pdf\">5dc2.0_day2_skill_instruction<\/a><\/li>\n<\/ul>\n<p>A file called <strong>CQChallenge2.exe<\/strong> will be provided. 
If we execute the file and click on &#171;Save user data&#187;, it works with admin privileges, but it won&#8217;t work with an unprivileged account.<\/p>\n<p>Let&#8217;s open that file first with admin privileges:<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-625\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1-2.png\" alt=\"\" width=\"509\" height=\"401\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1-2.png 509w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/1-2-300x236.png 300w\" sizes=\"auto, (max-width: 509px) 100vw, 509px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-626\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2-2.png\" alt=\"\" width=\"516\" height=\"393\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2-2.png 516w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2-2-300x228.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/2-2-80x60.png 80w\" sizes=\"auto, (max-width: 516px) 100vw, 516px\" \/><\/a><\/p>\n<p>Checking the file path:<\/p>\n<p>The file is there, and that&#8217;s my username\/SID and timestamp.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-628\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4-2.png\" alt=\"\" width=\"483\" height=\"220\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4-2.png 483w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/4-2-300x137.png 300w\" sizes=\"auto, (max-width: 483px) 100vw, 483px\" \/><\/a><\/p>\n<p>Now let&#8217;s log in with the unprivileged user account <strong>John Doe<\/strong> and see what we get:<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/3-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-627\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/3-2.png\" alt=\"\" width=\"218\" height=\"204\" \/><\/a><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-629\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5-2.png\" alt=\"\" width=\"412\" height=\"299\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5-2.png 412w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/5-2-300x218.png 300w\" sizes=\"auto, (max-width: 412px) 100vw, 412px\" \/><\/a><\/p>\n<p>As we can see, we don&#8217;t have permission to write to the path where data.txt is stored.<\/p>\n<p>Let&#8217;s start Task Manager and enable UAC Virtualization on the CQChallenge2.exe process.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-621\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6-2.png\" alt=\"\" width=\"772\" height=\"523\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6-2.png 772w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6-2-300x203.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/6-2-768x520.png 768w\" sizes=\"auto, (max-width: 772px) 100vw, 772px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-631\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9-2.png\" alt=\"\" width=\"396\" height=\"302\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9-2.png 396w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9-2-300x229.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9-2-80x60.png 80w\" sizes=\"auto, (max-width: 396px) 100vw, 396px\" \/><\/a><\/p>\n<p>And now it works. But if we browse to the path where data.txt is stored, there is no new data in it.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9_1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-632\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9_1.png\" alt=\"\" width=\"762\" height=\"329\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9_1.png 762w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/9_1-300x130.png 300w\" sizes=\"auto, (max-width: 762px) 100vw, 762px\" \/><\/a><\/p>\n<p>Let&#8217;s check out this <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/identity-protection\/user-account-control\/how-user-account-control-works\" target=\"_blank\" rel=\"noopener noreferrer\">guide<\/a> from Microsoft.<\/p>\n<blockquote><p>Windows 10 includes file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator&#8217;s access token to run correctly. When an administrative app that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user&#8217;s profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.<\/p><\/blockquote>\n<p>That would be the explanation! We see there&#8217;s a folder called &#171;VirtualStore&#187; in %localappdata% to which the file writes are redirected. The <a href=\"https:\/\/docs.microsoft.com\/de-de\/windows\/win32\/sysinfo\/registry-virtualization?redirectedfrom=MSDN\" target=\"_blank\" rel=\"noopener noreferrer\">registry<\/a> has a similar mechanism.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/10-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-633\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/10-2.png\" alt=\"\" width=\"762\" height=\"409\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/10-2.png 762w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/10-2-300x161.png 300w\" sizes=\"auto, (max-width: 762px) 100vw, 762px\" \/><\/a><\/p>\n<p>Virtualization is not an option in the following scenarios:<\/p>\n<ul>\n<li>Virtualization does not apply to apps that are elevated and run with a full administrative access token.<\/li>\n<li>Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations.<\/li>\n<li>Virtualization is disabled if the app includes an app manifest with a requested execution level attribute.<\/li>\n<\/ul>\n<p>Recap questions:<\/p>\n<blockquote><p>Which locations are redirected to safer, user-specific locations when UAC Virtualization is enabled for a particular application?<\/p><\/blockquote>\n<ol style=\"list-style-type: lower-alpha;\">\n<li>* %programFiles%,%WinDir%,%WinDir%\\System32<\/li>\n<li>* <strong>%programFiles%,%WinDir<\/strong><\/li>\n<li>* HKLM:\\Software and all other registry keys that an administrator can write to<\/li>\n<li>* Answer A and C are correct<\/li>\n<\/ol>\n<blockquote><p>For which of the scenarios below is UAC Virtualization not possible?<\/p><\/blockquote>\n<ol style=\"list-style-type: lower-alpha;\">\n<li>* Applications that are elevated and run with a full administrative access token<\/li>\n<li>* 64-bit applications<\/li>\n<li>* Applications including an application manifest with a requested execution level attribute<\/li>\n<li>* <strong>All answers are correct<\/strong><\/li>\n<\/ol>\n<blockquote><p>When an application with UAC Virtualization enabled attempts to write something to the restricted folder, where does the UAC Virtualization mechanism redirect the request to?<\/p><\/blockquote>\n<ol style=\"list-style-type: lower-alpha;\">\n<li>* <strong>\\Appdata\\local\\virtualStore\\ folder in the user&#8217;s profile<\/strong><\/li>\n<li>* \\Appdata\\LocalLow\\VirtualStore\\ folder in the user&#8217;s profile<\/li>\n<li>* \\Appdata\\Roaming\\VirtualStore folder in the user&#8217;s profile<\/li>\n<li>* C:\\Users\\Public\\VirtualStore<\/li>\n<\/ol>\n<blockquote><p>How to make sure that UAC Virtualization will be disabled system-wide?<\/p><\/blockquote>\n<ol style=\"list-style-type: lower-alpha;\">\n<li><strong>* Set &#171;EnableVirtualization&#187; DWORD value to 0 in the following registry key: HKLM:\\Software\\Microsoft\\CurrentVersion\\Policies\\System<\/strong><\/li>\n<li>* It&#8217;s not possible<\/li>\n<li>* Create a manifest with an explicit execution level attribute for every application on the system<\/li>\n<li>* Forbid users from running Task Manager<\/li>\n<\/ol>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/11-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-635\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/11-1.png\" alt=\"\" width=\"743\" height=\"173\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/11-1.png 743w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/03\/11-1-300x70.png 300w\" sizes=\"auto, (max-width: 743px) 100vw, 743px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>Here your task will be to discover the File System Virtualization mechanism and use it to make the app prepared by us running fine in <a class=\"mh-excerpt-more\" href=\"https:\/\/cybercop-training.ch\/?p=609\" title=\"Challenge Day 2 &#8211; UAC 
Virtualization\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":610,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,10],"tags":[],"class_list":["post-609","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-windows-security"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/609","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=609"}],"version-history":[{"count":5,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/609\/revisions"}],"predecessor-version":[{"id":637,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/609\/revisions\/637"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/610"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}