I’ve made a version of this that drops a shell as SYSTEM by automating the remaining steps, but opting not to publish for now as it’s too EZ mode github.com/GossiTheDog/Hi…
By the way, I haven’t coded anything in C++ since 1999 so this was fun. I’m terrible at it.

I’ve also never used Visual Studio before, and never committed code in GitHub before (previously I was pasting stuff in from browser).
Anyhoo if you’re having imposter syndrome know that any old idiot can own Windows nowadays.
Updated the #HiveNightmare/#SeriousSAM PoC to include changes by @0xblacklight for dumping SECURITY and SYSTEM registry hives as non-admin, pulling credentials out automatically with secretsdump, and bugfix for @DrN1ght around DLL in compiled version. github.com/GossiTheDog/Hi…
Btw when you have the dumps, you can mount the system registry from regedt32.exe - open it, then click File -> Load Hive (and already selecting a hive), click SYSTEM-haxx, then pick a name (e.g. test).

Then you can rummage through registry.

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Kevin Beaumont

Kevin Beaumont Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @GossiTheDog

20 Jul
I wrote about #HiveNightmare aka #SeriousSAM (blame @cyb3rops for that one), an unpatched Windows 10 vulnerability that allows any non-admin user to access the full system registry, including sensitive areas.

Terribly badly coded PoC included.

Btw there's a pretty big logic gap in one of the fixes I've seen floated online - it doesn't impact the snapshots.
Added US-CERT vulnerability note for this, written by @wdormann. It’s excellent and clearly lays out the problem. #HiveNightmare #SeriousSAM kb.cert.org/vuls/id/506989
Read 6 tweets
19 Jul
Oh dear. I need to validate this myself, but it seems like MS may have goofed up and made the SAM database (user passwords) accessible to non-admin users in Win 10.
Confirmed; works on a Win10 Professional endpoint. It looks like the ACLs have been set wrong in Win10 on SAM database. 🤦‍♀️

It’s obvs not the only priv esc as the print spooler stuff also works out the box.
I think I’m going to be doing a blog asking what the fuck is happening with Windows OS security, as something is badly wrong.
Read 11 tweets
19 Jul
It's the sound of the police (me).

Gonna fly this helicopter around the UK and shout "Stop right there, Criminal Scum!" at people in Oblivion voice.
Trying to figure out if I should yolo try to take off with all these warning lights.
Things I learn, you can open the bum on this and put luggage in it.
Read 16 tweets
19 Jul
The EU attributes Hafnium activity to China (others will go shortly, too). consilium.europa.eu/en/press/press…
I realise as I’m tweeting this how disinterested I am in nation state cyber stuff.
Read 4 tweets
18 Jul
All legal restrictions for Coronavirus are over in England since 19 minutes ago, so clubs are open now.

I’m not a scientist and not in my lane here, but I guess the danger worldwide is going to be variants emerging from England. We’ll see what happens.
Somebody in the replies took offence to the idea England could be a variant issue, but.. eh, all the prior spikes have been stopped via lockdowns. We’re removing all lockdown now.

Serious illness is low due to vaccination here, scientists agree a risk is variant mutation.
Read 4 tweets
18 Jul
I'm going to try flying an Airbus H135 from Caernarfon airport in Wales to Liverpool John Lennon airport.

I've never flown a helicopter before and literally have no idea what I'm doing. Image
Right. Uhm. Hi. How to helicopter? Image
I have no idea how I'm going to land tbh. Image
Read 9 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!