VMware Cloud Community
Dev_docker
Contributor

Bypass UAC with invoke-vmscript

Invoke-script throws access denied for the below script.

# Guest credentials for the local account used inside each VM
$Gpassword = '123456' | ConvertTo-SecureString -asPlainText -Force
$Gusername = '.\luser'
$GS = New-Object System.Management.Automation.PSCredential($Gusername,$Gpassword)

# Script template: `$ stays a literal $ for the guest, while $Oip, $Ip and $gateway
# are filled in per VM by ExpandString in the loop below
$metadata = @'
`$Interface = Get-NetIPAddress | where-object IPAddress -EQ $Oip | select -ExpandProperty interfacealias
write-host [`$Interface]
Remove-NetRoute -InterfaceAlias `$interface -confirm:`$false
Remove-NetIPAddress -InterfaceAlias `$interface -confirm:`$false
New-NetIPAddress -InterfaceAlias `$interface -IPAddress $Ip -AddressFamily IPv4 -PrefixLength 24 -DefaultGateway $gateway -confirm:`$false
'@

# $Boot is not defined in the post; the loop reads 'Vm name', OldAddress,
# IPAddress, SubnetMask and Gateway from each record
foreach ($data in $Boot)
{
    $VM = $data.'Vm name'
    $Oip = $data.OldAddress
    $Ip = $data.IPAddress
    $subnet = $data.SubnetMask
    $gateway = $data.Gateway

    # Expand the per-VM values into the template, then run it in the guest
    $scripttext = $ExecutionContext.InvokeCommand.ExpandString($metadata)

    Invoke-VMScript -VM $VM -ScriptType Powershell -ScriptText $scripttext -GuestCredential $GS
}

The account which I am using is a local administrator account (part of the local admin group). By doing manual testing, I figured out it's a UAC issue. If I disable UAC on the server, the script execution is fine.

Any suggestions? Can this be bypassed through Invoke-VMScript (any workaround)? I won't be able to change UAC on all the machines due to certain restrictions, and I don't have domain accounts.

0 Kudos
9 Replies
LucD
Leadership

If it would be easy to bypass UAC, the whole point of having UAC would be useless!

There are rumours that one could use Scheduled Tasks to run scripts that bypass UAC.

But I don't think the rules of this community allow documenting hacking methods.

Google/Bing are your friends :D


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Dev_docker
Contributor

Thank you LucD.

Any suggestion on running PowerShell as noninteractive? Will this solve the UAC prompt?

0 Kudos
LucD
Leadership

The powershell.exe has a parameter -NonInteractive for that.
For example

powershell -noninteractive -command "&{Write-Host 'Hello World'}"



0 Kudos
Dev_docker
Contributor

Thank you. Will this command address the UAC issue?

How do I embed the powershell -noninteractive -command for the below Invoke-VMScript call?

Invoke-VMScript -VM $VM -ScriptType Powershell -ScriptText $scripttext -GuestCredential $GS

0 Kudos
LucD
Leadership

The scripts launched via Invoke-VMScript will automatically run with the NonInteractive switch.

And no, as you discovered already, this will not bypass UAC.



0 Kudos
lukebes1010
Enthusiast

The easiest way is to schedule a task, which should be with 'Run With Highest Privileges' (or Set-ScheduledJobOption -RunElevated), as already mentioned here. Other methods, like creating special DLLs/EXEs and so on, are completely unsafe.

0 Kudos
Dev_docker
Contributor

Thanks. Any example of using Invoke-VMScript with scheduled tasks to execute remotely?

0 Kudos
Dev_docker
Contributor

I have tried creating a scheduled task using Invoke-VMScript, but that access is also getting denied. I am using a local admin account to access. Please provide your insights.

0 Kudos
Dev_docker
Contributor

Basically, I am trying to set a new IP address using Invoke-VMScript for my VMs in the DR datastore (snap-mirrored). Due to the different subnet and no network access to the VMs in DR, I first need to set the IP address using Invoke-VMScript.

But the script is not getting executed due to the UAC issue :(

LucD lukebes1010

0 Kudos
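
A way to confirm the diagnosis reached in this thread, as an added example that is not part of any post and not VMware's own code: it runs a read-only probe in the guest through Invoke-VMScript and reports whether the process holds an elevated token. `$VM` and `$GS` are the variables from the question; `Test-GuestElevation` is a hypothetical helper name, and Windows PowerShell 5.1 in the guest is assumed (for `Get-LocalGroupMember`).

```powershell
# Added example, not from the thread. Test-GuestElevation is a hypothetical name.
# Assumes Windows PowerShell 5.1 in the guest and a PowerCLI session on the host.

# Read-only probe executed inside the guest; it changes nothing on the VM.
$probe = @'
$id  = [Security.Principal.WindowsIdentity]::GetCurrent()
$pr  = New-Object Security.Principal.WindowsPrincipal($id)
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$adm = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
[pscustomobject]@{
    User         = $id.Name
    Elevated     = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    InAdminGroup = [bool]($adm | Where-Object { $_.SID.Value -eq $id.User.Value })
    EnableLUA    = $uac.EnableLUA
} | ConvertTo-Json -Compress
'@

function Test-GuestElevation {
    param($VM, [pscredential]$GuestCredential)

    # Same call shape as in the question, with the probe as the script text
    $result = Invoke-VMScript -VM $VM -ScriptType Powershell -ScriptText $probe -GuestCredential $GuestCredential
    $state  = $result.ScriptOutput | ConvertFrom-Json

    # Elevated is the token's view; InAdminGroup is the group database's view.
    # InAdminGroup is also false when the group lookup itself fails.
    $reason = if ($state.Elevated) {
        'Elevated token: the access denied has another cause'
    } elseif ($state.InAdminGroup -and $state.EnableLUA -eq 1) {
        'Filtered token: Administrators member, UAC enabled, process not elevated'
    } elseif (-not $state.InAdminGroup) {
        'Account not found in the local Administrators group'
    } else {
        'Not elevated although EnableLUA is off: check the account and policy'
    }
    $state | Add-Member -NotePropertyName Diagnosis -NotePropertyValue $reason -PassThru
}

# One VM from the question's loop
Test-GuestElevation -VM $VM -GuestCredential $GS
```

A "Filtered token" result matches what the thread describes: the NetTCPIP cmdlets in the question need an elevated process, and membership in the local Administrators group alone does not provide one while UAC is enabled.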