Windows Privilege Escalation - AlwaysInstallElevated

7,353 views

Conda

1 day ago

There are many different ways that local privilege escalation can be done on a Windows system. This video goes over priv esc in the case where the AlwaysInstallElevated setting is enabled for the current user. This setting allows a user to run any .msi file as NT AUTHORITY\SYSTEM. An attacker can exploit this by crafting a malicious .msi installer file and running it with system-level privileges. This technique can be very helpful to those studying for the OSCP exam.
Join my Discord server: discord.gg/9CvTtHqWCX
Follow me on Twitter: / 0xconda
If you found this video helpful and would like to support future creations, please consider visiting the following links:
Patreon: / conda
Buy Me a Coffee: www.buymeacoffee.com/conda
Amazon affiliate link (anything purchased through this link will provide me with a small commission): amzn.to/3hsHzD2
Commands to set up the lab:
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1
reg add HKEY_USERS\(USER_SID)\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1
Query Commands:
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
00:00 Misconfiguration Explanation
01:36 Lab Setup
04:08 Exploiting the Misconfiguration
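The two reg query commands above check each hive separately; the PowerShell function below is an added defender-side audit (not code from the video) that combines them, since the policy is only effective when both the machine and the user value are 1. The function name and the -Remediate switch are my own choices.

```powershell
# Added example (not from the video): audit the AlwaysInstallElevated policy.
# The policy is only effective when BOTH the machine-wide (HKLM) and the
# per-user (HKCU) value are 1; one hive alone does not grant SYSTEM installs.
function Test-AlwaysInstallElevated {
    [CmdletBinding()]
    param([switch]$Remediate)   # hypothetical switch: set both values to 0 (HKLM needs admin)

    $hives = @{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $state = @{}
    foreach ($scope in $hives.Keys) {
        try {
            # -ErrorAction Stop turns a missing key or value into a catchable error
            $v = (Get-ItemProperty -Path $hives[$scope] -Name AlwaysInstallElevated -ErrorAction Stop).AlwaysInstallElevated
            $state[$scope] = [int]$v
        } catch {
            $state[$scope] = 0      # absent means "policy not configured" for this scope
        }
        Write-Verbose ("{0} AlwaysInstallElevated = {1}" -f $scope, $state[$scope])
    }

    $enabled = ($state.Machine -eq 1 -and $state.User -eq 1)
    if ($enabled) {
        Write-Warning 'AlwaysInstallElevated is effective: any .msi this user installs runs as NT AUTHORITY\SYSTEM.'
        if ($Remediate) {
            foreach ($scope in $hives.Keys) {
                if (Test-Path $hives[$scope]) {
                    Set-ItemProperty -Path $hives[$scope] -Name AlwaysInstallElevated -Value 0 -Type DWord
                }
            }
            Write-Output 'Both values set to 0; also set "Always install with elevated privileges" to Disabled under Administrative Templates > Windows Components > Windows Installer in Group Policy so the key is not re-enabled on the next policy refresh.'
        }
    }
    # Return an object so the result can be collected across many hosts
    return [pscustomobject]@{ Machine = $state.Machine; User = $state.User; Effective = $enabled }
}

# Usage: Test-AlwaysInstallElevated -Verbose
```

For detection, installs that ran under this policy still appear as MsiInstaller events in the Application log (Event ID 1040 marks the start of an installer transaction and records the client process ID), so `Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MsiInstaller'; Id=1040}` lists recent MSI activity to correlate with the audit result.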

Comments: 37
@caueb 3 years ago
Great video Conda, I'm taking the OSCP next week and your videos are very helpful. Just one thing I would like to add here is the command to execute the reverse shell via terminal in case you don't have RDP into the machine: msiexec /i "C:\Windows\Temp\shell.msi"
@c0nd4 3 years ago
Good luck on the exam! Thanks for adding that little tip. I pinned your comment so others can see that too. Appreciate it!
@Eggsec 6 months ago
I used this method a couple of times! Very powerful. I don't see it as much in CTF environments.
@andreapiola369 1 year ago
Just so you know, this is much better explained than some paid content out there. Thanks for all the work.
@c0nd4 1 year ago
Thank you! That's awesome to hear
@TotemManVooDoo 3 years ago
I love all your videos man; learned a lot from your videos. You do a great job at explaining everything. Keep up the great work!
@c0nd4 3 years ago
Thank you so much! I really appreciate that
@Haxr-dq6wt 3 years ago
Hats off! The king is back with another legendary video.
@c0nd4 3 years ago
Thanks! Loving the enthusiasm 😀
@cwinfosec 3 years ago
I love this technique! This is one of my favorite ways to escalate!
@c0nd4 3 years ago
Oh yeah, it's such a sweet victory
@prashantpandey645 3 years ago
Really amazing @conda ❤️
@c0nd4 3 years ago
Thank you so much! The support means a lot :)
@deidara_8598 2 years ago
Really nice tutorial, you explain very well. Liked and subbed.
@c0nd4 2 years ago
Thank you! I really appreciate it
@joshuafranco7998 1 year ago
Great video!
@Umar0x01 3 years ago
Thank you! Little feedback: Please use extensions to change the color of pages with white background 😬
@thejulfikar 7 months ago
Thanks man
@abhishek_k7 2 years ago
This was great and I like it but would have also liked to see a complete CLI way since we won't always have RDP to do things with GUI. Great video nonetheless. Thank you!
@ITachi_11.11 2 years ago
Great, straightforward video! But I do have one question: how would you set AlwaysInstallElevated to 0x1 on a computer with normal user privs, e.g. a work-from-home laptop, for us to be able to run the payload correctly? I saw you changing that on your Windows (victim) machine as you already own it and have admin access, but what if you don't control that machine? Appreciate your response.
@smidi4711 3 years ago
lool what a timing, I'm sure I saw it somewhere to get privesc but I forgot where 🤣 anyway gg
@c0nd4 3 years ago
Haha I was a little too late!
@smidi4711 3 years ago
@c0nd4 nah it's good, no spoiler I hope 🤞
@koushiksuthar95 3 years ago
Please share your complete setup tour❤️❤️
@c0nd4 3 years ago
Great idea! 👍
@koushiksuthar95 3 years ago
@c0nd4 I guess the next video will be your complete setup tour 😜😜
@grandmakisses9973 3 years ago
@koushiksuthar95 next Sunday
@ca7986 3 years ago
❤️👌
@AllenGaming. 3 years ago
So you can't use this method if you don't have the admin credentials to add the registry key? But if you have admin creds, don't you already have NT AUTHORITY?
@c0nd4 3 years ago
This is to show exploiting a misconfiguration. As in, if you see that the registry key is set, then you can exploit it. I only showed how to add it so you can replicate the attack in a lab.
@AllenGaming. 3 years ago
@c0nd4 ahhhhh okay, nice vid. 👍🏽
@AllenGaming. 3 years ago
@c0nd4 is there a way we can verify, or see if it's misconfigured like that?
@c0nd4 3 years ago
@AllenGaming. yes, run the registry queries I showed
@Kingdd1os 1 year ago
@c0nd4 I have a question I have been searching about for a very long time, hope you can answer: is it possible to break out of the absolute lowest level, for example a public account or an Internet coffee shop user account, and go up to medium and higher? Could you please make an explanation in your series. Thank you very much.
@david808323 2 years ago
How is that privilege escalation when you logged in as Administrator before you set the registry keys? That's called a backdoor, not a genuine privilege escalation. Sorry.
@c0nd4 2 years ago
I logged in and set the registry keys so that people can follow along in a lab. The privilege escalation technique exploits a system that has those keys set already, which can happen during system provisioning. It certainly is a privilege escalation method based on a misconfiguration.
@VitoV77 2 years ago
Thanks for the video, nice work! You said the .msi execution could be done over a WinRM session. I tried that and it didn't work. "msiexec /quiet /qn /i C:\pathtomsi\shell.msi /L*V msi.log" The log says it returns with code 1601. Do you know what could be the problem?