Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Kernel Exploitation

Hive Nightmare

This PoC can be used to perform the attack. This script can be used to detect the flaw.

CVE-2021-36934, also known as HiveNightmare or SeriousSAM, is caused by overly permissive ACLs on sensitive Windows registry hive files.

If vulnerable, low-privileged users may be able to read files such as:

  • SAM
  • SYSTEM
  • SECURITY

These hives can be copied and processed offline to recover local password hashes.

This is not a direct shell by itself. The value comes from extracting credential material and reusing it where possible.

Enumeration

Check permissions:

icacls C:\Windows\System32\config\SAM
icacls C:\Windows\System32\config\SYSTEM
icacls C:\Windows\System32\config\SECURITY

Check for shadow copies:

vssadmin list shadows

Interesting findings include:

  • BUILTIN\Users having read access to sensitive hives
  • Existing shadow copies
  • Readable registry hive backups
  • Local administrator hashes recoverable from copied hives

Exploit

  1. Confirm vulnerable hive permissions
  2. Copy the sensitive hives using an appropriate lab-controlled method
  3. Transfer the copied hives to the attacker machine
  4. Extract hashes offline
  5. Attempt local authentication or password reuse where in scope

Run the PoC on the target:

.\HiveNightmare.exe

Confirm that the hives were copied:

dir

Process the hives offline:

secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL

If local administrator hashes are recovered, test whether they can be reused against the same host or other systems.