*Exploiting CVE-2021-26415 on Windows 10 for Privilege Escalation* Working with an interesting vector today: a crafted malicious .msi package combined with a symlink attack redirects a privileged file write performed by the Windows Installer, and the end result is a new local user who is a member of the local Administrators group. The file that gets planted is "C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1", the AllUsersAllHosts profile, which PowerShell runs for every session on the host. The user creation itself is triggered the next time someone launches an administrative PowerShell session: the profile executes (net user FooBar P@ssw0rd /add ; net localgroup Administrators FooBar /add) with that session's elevated token. This vector has been patched by the Windows updates released on 2021-04-13. All pertinent info can be found below:
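As an added example (not the PoC author's code and not part of the original post), the following PowerShell audit checks the machine-wide profile locations that an arbitrary file write into $PSHOME would target, reports who owns each file and whether low-privileged principals can write to it, and flags lines that create or elevate a local account. The regular expressions, the list of SIDs and the output shape are my assumptions, not something the writeup prescribes.

```powershell
# Added example, not code from the original post or from the CVE-2021-26415 PoC.
# Audits the machine-wide PowerShell profile locations that an arbitrary file
# write into $PSHOME would target and flags content that creates or elevates a
# local account. Run from an elevated prompt started with -NoProfile so that a
# planted profile is not executed while you inspect it.

# $PSHOME is C:\Windows\System32\WindowsPowerShell\v1.0 on a stock Windows 10
# install; $PROFILE.AllUsersAllHosts resolves to the profile.ps1 named in the post.
$profilePaths = @(
    $PROFILE.AllUsersAllHosts,
    $PROFILE.AllUsersCurrentHost,
    (Join-Path $PSHOME 'Microsoft.PowerShellISE_profile.ps1')
)

# Patterns for the account-creation commands used by the PoC and their
# PowerShell equivalents. This list is an assumption; extend it for your estate.
$suspicious = @(
    'net1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add',
    'net1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add',
    'New-LocalUser',
    'Add-LocalGroupMember'
)

# Well-known SIDs that must not hold write access on files under System32:
# Everyone, Authenticated Users, BUILTIN\Users.
$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

function Test-PSProfileTampering {
    foreach ($path in $profilePaths) {
        $result = [ordered]@{
            Path            = $path
            Exists          = $false   # none of these files exist on a default install
            Owner           = $null
            LastWriteUtc    = $null
            LowPrivWritable = $false
            SuspiciousLines = @()
        }
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $acl  = Get-Acl  -LiteralPath $path
            $result.Exists       = $true
            $result.Owner        = $acl.Owner
            $result.LastWriteUtc = $item.LastWriteTimeUtc

            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try {
                    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }   # unresolvable account; skip it
                # Write covers WriteData/AppendData; Modify and FullControl include those bits.
                $canWrite = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0
                if ($canWrite -and ($lowPrivSids -contains $sid)) { $result.LowPrivWritable = $true }
            }

            # Content scan: any hit on a machine-wide profile deserves a closer look.
            foreach ($line in (Get-Content -LiteralPath $path)) {
                foreach ($re in $suspicious) {
                    if ($line -imatch $re) { $result.SuspiciousLines += $line; break }
                }
            }
        }
        [pscustomobject]$result
    }
}

Test-PSProfileTampering | Format-List
```

Because the planted file is the AllUsersAllHosts profile, it runs for the next elevated session of whoever opens PowerShell, including the responder; start the investigating shell with powershell.exe -NoProfile. The owner and timestamp are context rather than proof (a write performed through the Installer service will not necessarily be owned by the low-privileged user), so corroborate a hit with Security log events 4720 (user account created) and 4732 (member added to a security-enabled local group) around the profile's last-write time.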
PoC author writeup: https://www.cloaked.pl/2021/04/cve-2021-26415/
BaitAndSwitch tool (part of Project Zero's symboliclink-testing-tools): https://github.com/googleprojectzero/symboliclink-testing-tools
Privileged file operation abuses: An introduction to privileged file operation abuse on Windows - Almond Offensive Security Blog