AlwaysInstallElevated
This setting can be configured via Local Group Policy by setting "Always install with elevated privileges" to Enabled under the following paths:
Computer Configuration\Administrative Templates\Windows Components\Windows Installer
User Configuration\Administrative Templates\Windows Components\Windows Installer
Enumerating Always Install Elevated Settings
Possible output:
Our enumeration shows us that the AlwaysInstallElevated key exists, so the policy is indeed enabled on the target system.
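For auditing your own hosts, the check below is an added example and not code from the original page. It reads the registry value that backs each of the two Group Policy settings listed above (HKLM for Computer Configuration, each loaded user hive for User Configuration) and flags the case where both are 1, which is when Windows Installer applies the policy; the function and variable names are illustrative.

```powershell
# Added audit example (not from the original page): report whether the
# AlwaysInstallElevated policy is in effect for any loaded user profile.
$subKey    = 'Software\Policies\Microsoft\Windows\Installer'
$valueName = 'AlwaysInstallElevated'

function Get-PolicyValue {
    param([string]$Path)
    # Returns the DWORD as an int, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$valueName }
    return $null
}

# Computer Configuration side of the policy.
$machine = Get-PolicyValue "HKLM:\$subKey"

# User Configuration side: HKEY_USERS has no default PowerShell drive,
# so address it through the registry provider path. The regex keeps real
# user SIDs and skips service accounts and the *_Classes hives.
$results = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $user = Get-PolicyValue "Registry::HKEY_USERS\$($_.PSChildName)\$subKey"
        [pscustomobject]@{
            Sid          = $_.PSChildName
            MachineValue = $machine
            UserValue    = $user
            # The policy only takes effect when both values are 1.
            Effective    = ($machine -eq 1 -and $user -eq 1)
        }
    }

$results | Format-Table -AutoSize

if ($results | Where-Object Effective) {
    Write-Warning ('AlwaysInstallElevated is in effect. Set "Always install with ' +
        'elevated privileges" to Disabled or Not Configured under both policy paths.')
}
```

Only hives for currently loaded profiles appear under HKEY_USERS, so run it while the accounts of interest are logged on or collect the same values through your configuration management tooling.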
Generating MSI Package
We can exploit this by generating a malicious MSI package and executing it via the command line to obtain a reverse shell with SYSTEM privileges.
From our attacker machine:
From the Windows host machine:
Executing MSI Package
We will start a netcat listener on our attacking machine:
And execute the file from the command line like so: