If the two registry keys listed below are present and both equal "0x1", then these permissions can be exploited to spawn a reverse shell using a specially crafted MSI file.
Generate the malicious MSI file like so,
Start the listener using the
Windows environments provide a group policy setting which allows a regular user to install a Microsoft Windows Installer Package (MSI) with SYSTEM privileges. This setting is found in environments where a standard user needs to install an application that requires system privileges and the administrator wants to avoid giving that user temporary local administrator access. From a security point of view, an attacker can abuse it to escalate privileges on the box to SYSTEM.

Identification

Let's assume that we have already compromised a host inside the network and have a Meterpreter session.

[Figure: Meterpreter session – normal user]

The easiest way to determine whether this issue exists on the host is to query the following registry keys:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

[Figure: Querying the registry to identify the issue]

Privilege Escalation with Metasploit

The easiest and fastest way to escalate privileges is via the Metasploit Framework, which contains a module that generates an MSI package with a simple payload. The payload is executed as SYSTEM on the target host and the package is removed automatically so that the installation is not registered with the operating system.

Generate MSI Package with PowerSploit

The PowerSploit framework contains a script that discovers whether this issue exists on the host by checking the registry entries, and another that generates an MSI file which adds a user account to the local Administrators group.

[Figure: PowerSploit – Always Install Elevated]

[Figure: Adding an account to the Administrators group]

Whether this user has been added to the local Administrators group can be verified by running "net localgroup administrators" from the command prompt.
[Figure: Verification that the backdoor user has been created]

Conclusion

The Metasploit Framework can be used to generate MSI files as well; however, the payload will be executed under the privileges of the user running it, which in most cases will not be the administrator. Therefore the PowerSploit script was the only reliable solution for escalating privileges properly.

The Windows Installer is a utility that installs new software through the use of MSI packages. AlwaysInstallElevated is a Windows policy that allows unprivileged users to install software from MSI packages with SYSTEM-level permissions, which can be exploited to gain administrative access over a Windows machine. This option is equivalent to granting full SYSTEM rights, which poses a massive security risk. Microsoft strongly discourages the use of this setting.

The Attack

If a machine has the AlwaysInstallElevated policy enabled, an attacker can craft a malicious .msi package and run it with SYSTEM-level privileges, thereby executing arbitrary code as SYSTEM. For this attack to work, the "AlwaysInstallElevated" value in the following Registry keys has to be set to 1:
Example

The first step is to check whether the required registry keys are enabled:
This can also be checked with automated scripts such as WinPEAS:
For this example, a reverse shell can be generated using MSFvenom, with the following flags:
The shell.msi file is then transferred to the Windows victim machine using the Python web server and the Windows certutil utility. The next step is to set up a Netcat listener, which will catch the reverse shell when the victim host executes it, using the following flags:
The following command can then be used to install the .msi file:
The flags used are for the following:
Once the package is installed, the malicious code is executed, granting SYSTEM-level access to the system through a reverse shell.

Metasploit Exploitation

This vulnerability can also be exploited with the always_install_elevated Metasploit module. Once a meterpreter shell is obtained, all that is required is to background the session, search for and select the module, set the session value and run it:

This grants a SYSTEM-level shell. Always try to perform the attack manually first, especially when practicing it for the first time.

Conclusion

Because this policy permits users to install applications that require access to restricted directories and registry keys, system administrators should consider whether it provides users with an appropriate level of security. When it is not set, applications are instead installed using the user's privileges and only managed applications get elevated privileges.

What is "Always install with elevated privileges"?

"Always install with elevated privileges" must be disabled, as it allows a standard user to install a Microsoft Windows Installer Package (MSI) with system privileges. This can be exploited by an attacker to escalate privileges, gain control over the system and perform malicious acts.
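As an added example that is not part of the original article, the following PowerShell script performs the same two-hive check from the administrator's side and can reset the value. The registry paths are the ones quoted above; the function name and the -Remediate switch are assumptions made here.

```powershell
# Added example (not from the original article): audit the AlwaysInstallElevated
# policy on the local host and optionally remediate it. The two registry paths are
# the ones the article queries; the function and switch names are assumed here.
param([switch]$Remediate)

$paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # Returns one object per hive with the raw value, or $null when key/value is absent.
    foreach ($p in $paths) {
        $value = $null
        if (Test-Path $p) {
            $item = Get-ItemProperty -Path $p -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.AlwaysInstallElevated }
        }
        [pscustomobject]@{ Hive = $p.Split(':')[0]; Path = $p; Value = $value }
    }
}

$state = Get-AlwaysInstallElevatedState
$state | Format-Table -AutoSize

# The policy is only effective when BOTH hives carry the value 1. A single hive set
# to 1 is not exploitable on its own but is worth investigating (half-applied GPO).
$enabled = (@($state | Where-Object { $_.Value -eq 1 })).Count -eq $paths.Count
if ($enabled) {
    Write-Warning 'AlwaysInstallElevated is ENABLED in both hives: any local user can install MSI packages as SYSTEM.'
} elseif ($state.Value -contains 1) {
    Write-Warning 'AlwaysInstallElevated is 1 in only one hive: not currently effective, but review why it is set.'
} else {
    Write-Output 'AlwaysInstallElevated is not enabled.'
}

if ($Remediate -and ($state.Value -contains 1)) {
    # Writing 0 (rather than deleting the value) mirrors the "Disabled" GPO state.
    # Writing HKLM needs an elevated shell; on domain-joined hosts fix the GPO itself,
    # otherwise Group Policy refresh will put the value back.
    foreach ($p in (@($state | Where-Object { $_.Value -eq 1 })).Path) {
        Set-ItemProperty -Path $p -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
        Write-Output "Set AlwaysInstallElevated=0 under $p"
    }
}
```

Run it without arguments from a normal user session to audit, and with -Remediate from an elevated session to clear the setting.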
How do I install software with elevated privileges?

To install software using Privilege Management:
1. Right-click on the application you want to install.
2. Select Run as administrator for .exe files or Install for ...
3. Confirm execution by entering the business justification for the installation.

What is a privilege escalation vulnerability?

Privilege escalation attacks exploit weaknesses and security vulnerabilities with the goal of elevating access to a network, applications, and mission-critical systems. There are two types of privilege escalation attack: vertical and horizontal.
Why is privilege escalation necessary?

A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access to a system. Attackers exploit human behaviors, design flaws or oversights in operating systems or web applications.