{"id":13843813,"url":"https://github.com/HuskyHacks/ShadowSteal","last_synced_at":"2025-07-11T20:30:38.860Z","repository":{"id":48506203,"uuid":"387926337","full_name":"HuskyHacks/ShadowSteal","owner":"HuskyHacks","description":"Pure Nim implementation for exploiting CVE-2021-36934, the SeriousSAM local privilege escalation","archived":false,"fork":false,"pushed_at":"2022-01-16T02:09:46.000Z","size":307,"stargazers_count":211,"open_issues_count":0,"forks_count":37,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-07-02T19:13:28.569Z","etag":null,"topics":["exploit","exploit-development","nim","windows"],"latest_commit_sha":null,"homepage":"","language":"Nim","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HuskyHacks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-07-20T22:16:49.000Z","updated_at":"2025-06-04T13:05:10.000Z","dependencies_parsed_at":"2022-08-27T23:10:40.895Z","dependency_job_id":null,"html_url":"https://github.com/HuskyHacks/ShadowSteal","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/HuskyHacks/ShadowSteal","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HuskyHacks%2FShadowSteal","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HuskyHacks%2FShadowSteal/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HuskyHacks%2FShadowSteal/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HuskyHacks%2FShadowSteal/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HuskyHacks","dow
nload_url":"https://codeload.github.com/HuskyHacks/ShadowSteal/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HuskyHacks%2FShadowSteal/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264891999,"owners_count":23679202,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploit","exploit-development","nim","windows"],"created_at":"2024-08-04T17:02:27.809Z","updated_at":"2025-07-11T20:30:38.606Z","avatar_url":"https://github.com/HuskyHacks.png","language":"Nim","funding_links":[],"categories":["Nim"],"sub_categories":[],"readme":"# ShadowSteal | CVE-2021-36934\nPure Nim implementation for exploiting CVE-2021-36934, the SeriousSAM Local Privilege Escalation (LPE). Not OPSEC safe.... yet ;). I do not claim credit for the discovery of this exploit.\n\n## Quick Start\n\n### Build with Docker\nGetting started with ShadowSteal is now easier than ever thanks to Docker! Don't wanna mess with installing Nim dependencies? I got you, fam! 
Run the Python script to create the Docker build environment, compile the binary, transfer it back to your host, and then kill the container.\n\nInstall Docker on your host (look up the documentation for how to install for different OS), then run the ShadowSteal Python script in the main dir:\n```\n$ git clone https://github.com/HuskyHacks/ShadowSteal.git \u0026\u0026 cd ShadowSteal\n```\n```\n$ sudo python3 ShadowSteal.py \u0026\u0026 cd bin/ \u0026\u0026 ls -l\n```\n\n### Build from Source\nOr, build from source by installing Nim and its dependencies:\n\n```\n$ sudo apt-get install nim\n```\n```\n$ nimble install zippy argparse winim\n```\n\nInstall the MinGW tool chain if it's not already installed.\n```\n$ sudo apt-get install mingw-w64\n```\n```\n$ git clone https://github.com/HuskyHacks/ShadowSteal.git \u0026\u0026 cd ShadowSteal\n```\n```\n$ make \u0026\u0026 cd bin/ \u0026\u0026 ls -l\n```\nTransfer to target...\n```\nPS C:\\Users\\husky\\Desktop\u003e .\\ShadowSteal.exe -h\n```\n\n## Summary\nDue to some oversight by Microsoft, regular users have read permissions over the contents of the ...\\System32\\config\\ folder in recent Windows builds. Among other things, this means that a low level user has read access to the SAM, System, and Security files in ...\\System32\\config.\n\n![1.png](img/1.png)\n\nOoof. So what can we do with this?\n\nSome very observant researchers (shout out [@jonasLyk](https://twitter.com/jonasLyk)!) noticed that if a Windows host has been using a specific system restore configuration, \"Volume Shadow Copies\", then the host stores backup copies of these files that are accessible via the Win32 device namespace for these copies.\n\n![2.png](img/2.png)\n\n![3.png](img/3.png)\n\nThe SAM is normally locked during the host's operation, so accessing the SAM in ...\\System32\\config\\ is out of the question. But these shadow volume copies are fair game for any user on the host due to this misconfiguration. 
Very nice!\n\n## ShadowSteal\n\nShadowSteal is a binary written in Nim to automate the enumeration and exfiltration of the SAM, System, and Security files from these shadow copies. It iterates through the possible locations of the shadow copies and, when it has found a target, it extracts the files to a zipped directory (think Bloodhound output).\n\n![4.png](img/4.png)\n\n## Features:\n- Triage and Bruteforce mode, for thorough or rapid enumeration.\n- Automated extraction and rollup of target credentials.\n- Jeff Beezy mode. (wait, what?)\n- Integrated Docker build environment for easy compilation!\n- Will enumerate all available HarddiskShadowCopy locations, pick the highest number dynamically, and target those for exploitation/extraction.\n\n![6.png](img/6.png)\n\nIt's nothing earth shattering and the code is hacky, but it works and it was a fun build!\n\n## Installing from Source\n\nInstall Nim:\n\n```\n$ sudo apt-get install nim\n```\nInstall dependencies:\n```\n$ nimble install zippy argparse winim\n```\nInstall the MinGW tool chain if it's not already installed:\n```\n$ sudo apt-get install mingw-w64\n```\n\nCompile for 64-bit Windows:\n```\n$ make\n```\n\nTransfer to target and run it!\n\n## Usage\n\n```\nPS C:\\Users\\husky\\Desktop\u003e .\\ShadowSteal.exe -h\n[*] ShadowSteal! Identifies and extracts credentials that can be stolen due to the SeriousSAM (CVE-2021-36934) exploit. Searches from high to low, defaults searching 100 to 1.\n\nUsage:\n   [options]\n\nOptions:\n  -h, --help\n  -t, --triage               [*] Triage mode. Quick enumeration, tries to find quick wins.\n  -bf, --bruteforce          [*] Bruteforce mode. Enumerates the entire range of possible locations (512 to 1). Takes a bit.\n  -b, --bezos                [?] Jeff Bezos Mode\n```\n\n## Triage mode\nLimits location bruteforce to 10 to 1, decrementing with each attempt. 
Speedy and effective in most environments.\n```\nPS C:\\Users\\husky\\Desktop\u003e .\\ShadowSteal.exe -t\n```\n\n## Bruteforce mode\nSearches all possible locations (512), decrementing down to 1. Try this to thoroughly enumerate the environment. Takes a few minutes.\n```\nPS C:\\Users\\husky\\Desktop\u003e .\\ShadowSteal.exe -bf\n```\n\n## Parsing Output\n\nTransfer the output directory back to your attacker host and carve the data with Pypykatz. To install:\n```\n$ pip3 install pypykatz\n```\nTo run Pypykatz:\n```\n$ pypykatz registry [yyyyMMddhhmm_SYSTEM] --sam [yyyyMMddhhmm_SAM] --security [yyyyMMddhhmm_SECURITY]\n```\n\n![5.png](img/5.png)\n\n## Release History\n\n### v.04.01 | the Docktastic update\nNow features an easy pre-packaged Docker build environment! Just run the ShadowSteal.py script to set up the Docker environment, compile the binary, transfer it back out to your host, and kill the build containers. It just works! (Some assembly required, i.e. you need Docker to run it).\n\n### v.03.69 | the N I C E update\nLean and mean. Optimized compile options added. HUGE performance increase due to compiler optimization, full bruteforce now takes place almost instantly. Huge thanks to @orbitalgun for the pseudo PR, glory be to your house and name!\n\n### v.02 THE JEFF BEEZY UPDATE\n- Bruteforce and Triage mode\n- A better search algo\n- Code cleanup\n- Jeff Beezy Mode\n- Lots of lessons learned from the first release!\n\n### v.01 THE LAUNCHPAD RELEASE\nStap in boiz, this trainwreck is a-rollin. This release was my rapid prototype and it was pretty terrible lol. Lots of fun to build though!\nFeatures:\n- \"Working\" code\n\n## References\n\n- Original disclosure of this CVE by [@jonasLyk](https://twitter.com/jonasLyk).\n- [CVE Reference page](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934)\n- Lyric credit: Bezos I by Bo Burnham. 
All Rights Reserved.\n\n## Disclaimer\n\n- For legal, ethical use only.\n\n\n![7.png](img/7.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHuskyHacks%2FShadowSteal","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FHuskyHacks%2FShadowSteal","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHuskyHacks%2FShadowSteal/lists"}