Windows privilege escalation is one of the crucial phases of any penetration test: it is needed to overcome the limitations imposed on the victim machine, it usually yields useful information, and it may open up a chance of lateral movement in the environment. Overcoming those limitations is rarely easy, but this blog is entirely about a "low-hanging fruit" technique for pentesters. So let's get started!
AlwaysInstallElevated is a Windows Installer policy that lets every user on the machine (including low-privileged users) install any MSI file with elevated privileges. MSI is Microsoft's installer package format, used for installing, maintaining and removing programs.
Note: This option is equivalent to granting full administrative rights, which can pose a massive security risk. Microsoft strongly discourages the use of this setting.
By default this option is turned off; to create this privilege-escalation entry point we need to turn it on, which we will do further down in this blog.
Because the setting allows every user to run MSI files with elevated privileges, a low-privileged user can run a malicious MSI file that spawns a shell or adds a newly created user to the Administrators group.
Setting up the Environment to perform the escalation technique.
| Virtual Machine | IPv4 Address |
|---|---|
| Windows 10 Enterprise | 192.168.52.136 |
Now we will add the key to the registry using gpedit (obviously running as Administrator).
To start, open the Command Prompt with the "Run as Administrator" option and type "gpedit".
This opens the Local Group Policy Editor, where we need to navigate to the following setting:
"Computer Configuration" -> "Administrative Templates" -> "All Settings" -> "Always install with elevated privileges"
Click on the “Always install with elevated privileges” and Enable the Setting.
We do the same under "User Configuration" and enable the "Always install with elevated privileges" option there too:
"User Configuration" -> "Administrative Templates" -> "All Settings" -> "Always install with elevated privileges", then Enable the setting.
Now that "Always install with elevated privileges" is enabled in both places, we are ready for the hands-on part: escalating our privileges.
Let's start by checking whether the system is vulnerable. We can do this manually or with a tool; let's try it manually first.
[sh] reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated [/sh]
[sh] reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated [/sh]
If the system is vulnerable, both queries return AlwaysInstallElevated as REG_DWORD 0x1, as shown in the image below. Both the HKLM and the HKCU value must be 1; if either is missing or 0, the installer will not run elevated.
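The same two registry checks as a reusable PowerShell audit function, alongside a remediation function that sets both values back to 0. This is an added example, not code from the original post or from PowerUp/PowerSploit; the function names are my own.

```powershell
# Added audit/remediation helper (not from the original post or PowerSploit).
# Paths mirror the two "reg query" commands above; both values must be 1 for
# the misconfiguration to be exploitable, so the verdict is per-hive plus combined.
$AieKeys = @{
    'HKLM' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    'HKCU' = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevatedState {
    $state = @{}
    foreach ($hive in $AieKeys.Keys) {
        # Returns $null when the key or the value does not exist
        $item = Get-ItemProperty -Path $AieKeys[$hive] -Name AlwaysInstallElevated `
                                 -ErrorAction SilentlyContinue
        if ($null -eq $item) { $state[$hive] = 'not set' }
        else { $state[$hive] = [int]$item.AlwaysInstallElevated }
    }
    [pscustomobject]@{
        HKLM       = $state['HKLM']
        HKCU       = $state['HKCU']
        Vulnerable = ($state['HKLM'] -eq 1 -and $state['HKCU'] -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    # Needs an elevated prompt for the HKLM hive. Value 0 corresponds to
    # "Disabled" in gpedit; deleting the value corresponds to "Not Configured".
    foreach ($path in $AieKeys.Values) {
        if (Test-Path $path) {
            Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

# Example run: report the current state; call Disable-AlwaysInstallElevated to fix it
Get-AlwaysInstallElevatedState
```

If the setting is pushed by Group Policy, the next policy refresh will re-create the value, so the durable fix is to set it to Disabled in gpedit or in the domain GPO rather than only editing the registry.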
Now let's do it the tool way. We will use the PowerUp.ps1 PowerShell script from the PowerSploit project to find out whether the machine is vulnerable.
Run PowerShell with the execution policy bypassed:
[sh] powershell -ep bypass [/sh]
Load the PowerShell script and run all of its checks:
[sh] . .\PowerUp.ps1 [/sh]
[sh] Invoke-AllChecks -Verbose [/sh]
The tool successfully detects the vulnerability, as shown in the image below.
To escalate the privileges of "lowuser" we need to run the corresponding abuse function:
[sh] Write-UserAddMSI [/sh]
Now we just need to run the generated MSI file "UserAdd.msi".
There is also a lazier pentester method: the Meterpreter way.
If we have a Meterpreter session as a low-privileged user in Metasploit, we can use the following module to escalate our privileges:
[sh] exploit/windows/local/always_install_elevated [/sh]
[sh] use exploit/windows/local/always_install_elevated [/sh]
Set the options for the module.
As we can see in the image below, we have successfully gained SYSTEM-level privileges on the Windows machine.
I hope this blog helps you understand the concept behind the AlwaysInstallElevated Windows privilege escalation.
Till then hacknpentest!!!