Windows Privilege Escalation - AlwaysInstallElevated

Conda

There are many different ways that local privilege escalation can be done on a Windows system. This video goes over priv esc in the case where the AlwaysInstallElevated setting is enabled for the current user. This setting allows a user to run any .msi file as NT AUTHORITY\SYSTEM. An attacker can exploit this by crafting a malicious .msi installer file and running it with SYSTEM-level privileges. This technique can be very helpful to those studying for the OSCP exam.

Join my Discord server: discord.gg/9CvTtHqWCX
Follow me on Twitter:   / 0xconda  

If you found this video helpful and would like to support future creations, please consider visiting the following links:
Patreon:   / conda  
Buy Me a Coffee: https://www.buymeacoffee.com/conda
Amazon affiliate link (anything purchased through this link will provide me with a small commission): https://amzn.to/3hsHzD2

Commands to Set Up Lab:
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1
reg add HKEY_USERS\(USER_SID)\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 1

Query Commands:
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
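
An audit version of the two query commands above, as an added example that is not part of the original video description. Windows Installer honors the policy only when the value is 1 in both the machine key and the user's key, so the script checks HKLM against every loaded user hive under HKEY_USERS; the function name Get-AieValue and the output column names are made up for this example.

```powershell
# Added example: audit AlwaysInstallElevated in HKLM and in every loaded user hive.
$sub  = 'Software\Policies\Microsoft\Windows\Installer'
$name = 'AlwaysInstallElevated'

function Get-AieValue {
    param([string]$Path)
    # Returns the DWORD value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$name }
    return $null
}

$machine = Get-AieValue "Registry::HKEY_LOCAL_MACHINE\$sub"

# HKEY_USERS has one subkey per loaded profile, named by SID; skip the *_Classes hives.
# Hives the current account cannot read are silently skipped, so run elevated for full coverage.
$results = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $user = Get-AieValue "Registry::HKEY_USERS\$sid\$sub"
        [pscustomobject]@{
            Sid        = $sid
            Machine    = $machine
            User       = $user
            # The misconfiguration exists only when both values are 1.
            Vulnerable = ($machine -eq 1 -and $user -eq 1)
        }
    }

$results | Format-Table -AutoSize

$bad = @($results | Where-Object Vulnerable)
if ($bad.Count -gt 0) {
    Write-Warning "AlwaysInstallElevated is 1 in HKLM and in $($bad.Count) loaded user hive(s)."
    # Remediation (run elevated): set the value to 0 or delete it, for example:
    # Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\$sub" -Name $name -Value 0
} elseif ($machine -eq 1) {
    Write-Warning 'HKLM value is 1, but no loaded user hive has it set.'
} else {
    Write-Output 'AlwaysInstallElevated is not enabled machine-wide.'
}
```

Only profiles that are currently loaded appear under HKEY_USERS, so users who are not logged on are not covered by this check.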

00:00 Misconfiguration Explanation
01:36 Lab Setup
04:08 Exploiting the Misconfiguration

posted by Badewelt3p