Summary
HiveNightmare AKA SeriousSAM AKA CVE-2021-36934 is a Microsoft Windows vulnerability which affects Windows 10 and 11 starting with Windows 10 version 1809. This vulnerability allows for an attacker that has local access to any low level (non-administrator) account to perform a privilege escalation attack in order to elevate their privileges or harvest credentials and pivot laterally within a corporate environment.
Exploitation is possible due to a misconfiguration of permissions as it relates to the Windows registry hives. While a system is in use, these hives may not be accessed directly even if the user has permissions to do so. Even so, if the Volume Copy Shadow Service (VSCS) is enabled and there are restore points created, an attacker may leverage these weak permissions within the shadow copy of the hives–gaining unauthorized access.
Walkthrough
Pre-requisites:
- System Protection must be turned on
- At least one restore point must be created
- “BUILTIN\Users” must have READ and EXECUTE permissions on the hives
N.B. The password hashes recovered are dependent on the age of the restore point.
For example, if an administrator changed their password in between the cadence of taking restore points, the recovered hash will not be updated or valid for subsequent attacks.
Before going through the exploitation phase, we must verify that all pre-requisites have been met. By running the “icacls” Windows-native tool, the permissions are displayed for groups on the current system. As seen below in Figure 1, “BUILTIN\Users” has the necessary READ and EXECUTE permissions on the SAM hive.
Next, we need to verify that System Protection is enabled and that there is at least one restore point created. With local access, this can be done easily via the Windows GUI.
Now that all pre-requisites have been satisfied, we are ready to move onto the exploitation phase for this vulnerability. This system is exploitable!
Exploitation:
For this exercise, we will be using a HiveNightmare proof-of-concept created by “GossiTheDog” which can be found via their GitHub page:
https://github.com/GossiTheDog/HiveNightmare
For those who do not wish to download and compile the binary themselves, there is a direct download link for the latest version of the executable which is located here:
https://github.com/GossiTheDog/HiveNightmare/raw/master/Release/HiveNightmare.exe
Using whatever method desired, download a copy of the HiveNightmare.exe binary to the victim system. Once downloaded, run the binary to obtain copies of the SAM, SYSTEM, and SECURITY hives from the restore point. If there are many restore points, an integer can be passed as an argument to increase the number searched.
After obtaining a copy of the hives from VSCS, we will exfiltrate these files back to our attacker system and proceed to extract the password hashes. While running “smbserver.py” on our attacker system, the “copy” command is used to move the files. This is seen below in Figures 4 and 5, respectively. This spins up an SMB share that is used to copy files back and forth.
Depending on the available or allowed versions of the protocol negotiated, the additional “-smb2support” flag may need to be used.
Finally, these three hive files can be used with the “secretsdump.py” tool to extract the password hashes and secrets as seen below in Figure 6.
At this point we have completed the exploitation for this vulnerability as the goal was to gain unauthorized access to the hives and then extract the password hashes. In the next section, we will go through the Post-Exploitation phase where we will use the password hashes to escalate our privileges and own the system.
Post-Exploitation:
Now that we have the password hashes, we can use them to login to the victim system as the corresponding user(s). We can use a password cracking utility such as “john” or “hashcat” to crack the hash to obtain the cleartext password and login. This is seen below in Figure 7.
We can now use the credential pairs and login as these users. It’s worth mentioning that this is a lab environment and the passwords were purposely selected from this wordlist for the demonstration. So what happens if the password policy is strong and the password doesn’t reside in any known wordlist?
We will need to leverage a different kind of attack: Pass-the-Hash (PtH).
It is still possible to authenticate as a user without knowing the password if the attacker possesses the correct NTLM hash. This can be passed to the victim system in place of plaintext credentials. Taking the LM:NTLM hash of the “Administrator” user, the attacker is able to use the pass-the-hash technique and achieve elevated access on the victim system.
We are now running within the context of “NT AUTHORITY\SYSTEM”!
Mitigations:
At the time of this post, there are currently no official patches released for this vulnerability. There is, however, a workaround currently being implemented until one is released.
In order to temporarily mitigate this vulnerability, two things must be done:
- All system restore points must be deleted
- The permissions to the “C:\Windows\System32\Config\” directory and files must be limited via the following command: icacls C:\Windows\System32\Config\*.* /inheritance:e
Once, these steps have been taken, a new system restore point may be created. It is also noteworthy that other applications which use VSCS may encounter issues depending on functionality and requirements.
Team-53 InfoSec Blog 