printnightmare

misc::printnightmare can be used to exploit the PrintNightmare vulnerability through both [MS-RPRN RpcAddPrinterDriverEx] and [MS-PAR AddPrinterDriverEx]. The bug was discovered by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370); the MS-PAR variant was discovered by cube0x0. The module takes the following command-line arguments:

  • /server: the target server or workstation to exploit

  • /x64 or /win64: the target server or workstation is 64 bit

  • /x86 or /win32: the target server or workstation is 32 bit

  • /library: the DLL to use during exploitation

  • /authuser: the username to use during exploitation

  • /authdomain: the active directory domain

  • /authpassword: the password of the user

  • /clean: clean up after the operation

The following example demonstrates local privilege escalation through misc::printnightmare. As can be seen, the test user is not part of the local administrators group on the Win10.hacklab.local machine:

PS C:\Users\m3g9tr0n> net user

User accounts for \\WIN10

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
test                     vs2022                   WDAGUtilityAccount
The command completed successfully.

PS C:\Users\m3g9tr0n> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
hacklab\Domain Admins
hacklab\m3g9tr0n
vs2022
The command completed successfully.

After successful exploitation of printnightmare:

The test user is now part of the local administrators group:

For remote exploitation, the following can be used:

With the UNC path bypass:
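From the defensive side, the settings that decide whether a host can be abused through the driver-installation paths listed above (Spooler service state and the Point and Print policy values from Microsoft's KB5005010 guidance) can be read with the following PowerShell. This is an added example and is not part of the mimikatz documentation or code; it is read-only, it assumes the Point and Print key lives at HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint, it treats an absent RestrictDriverInstallationToAdministrators value as the hardened default (true only on systems carrying the August 2021 or later cumulative update, which the script does not verify), and the function names Test-PrintNightmareExposure and Get-PrinterDriverAddEvents are this example's own.

```powershell
# Added example (not mimikatz code): read-only check of the settings that govern
# non-administrator printer driver installation on this host. Run in an elevated
# PowerShell session. Assumption: a missing RestrictDriverInstallationToAdministrators
# value is the secure default, which holds only on hosts with the August 2021 or
# later cumulative update; patch level itself is not checked here.

function Test-PrintNightmareExposure {
    [CmdletBinding()]
    param()

    $key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Read one DWORD from the Point and Print policy key; $null when not defined.
    function Get-PnPValue([string]$Name) {
        try {
            (Get-ItemProperty -Path $key -Name $Name -ErrorAction Stop).$Name
        } catch {
            $null
        }
    }

    $restrict = Get-PnPValue 'RestrictDriverInstallationToAdministrators'
    $noWarn   = Get-PnPValue 'NoWarningNoElevationOnInstall'
    $prompt   = Get-PnPValue 'UpdatePromptSettings'

    $findings = New-Object System.Collections.Generic.List[string]
    $spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')

    if (-not $spoolerRunning) {
        # No Spooler means no RpcAddPrinterDriverEx / AddPrinterDriverEx endpoint to reach.
        $findings.Add('Print Spooler is not running: the driver installation paths are closed.')
    } else {
        $findings.Add('Print Spooler is running; Point and Print policy decides exposure.')
    }

    # 0 explicitly allows non-admin driver installs; 1 (or absent on patched hosts) restricts them.
    $weakRestrict = ($restrict -eq 0)
    # A non-zero value in either of these removes the warning/elevation prompt on driver install.
    $weakNoWarn   = ($null -ne $noWarn) -and ($noWarn -ne 0)
    $weakPrompt   = ($null -ne $prompt) -and ($prompt -ne 0)

    if ($weakRestrict) { $findings.Add('RestrictDriverInstallationToAdministrators = 0: non-admins may install printer drivers.') }
    if ($weakNoWarn)   { $findings.Add("NoWarningNoElevationOnInstall = $noWarn: driver installs skip warning and elevation.") }
    if ($weakPrompt)   { $findings.Add("UpdatePromptSettings = $prompt: driver update prompts are suppressed.") }

    [PSCustomObject]@{
        ComputerName                               = $env:COMPUTERNAME
        SpoolerStatus                              = if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' }
        RestrictDriverInstallationToAdministrators = $restrict
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $prompt
        LikelyExposed                              = $spoolerRunning -and ($weakRestrict -or $weakNoWarn -or $weakPrompt)
        Findings                                   = $findings
    }
}

# Driver-add events worth reviewing after an assessment or a suspected exploitation attempt.
# The PrintService Operational log is disabled by default and must be enabled first, e.g.
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
function Get-PrinterDriverAddEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316, 808   # 316: printer driver added or updated; 808: spooler failed to load a plug-in module
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

Test-PrintNightmareExposure | Format-List
Get-PrinterDriverAddEvents -Hours 24 | Format-Table -AutoSize
```

Hosts reporting LikelyExposed = True and a running Spooler are the ones where the local and remote paths shown on this page still apply; stopping and disabling the Spooler where printing is not needed, or keeping RestrictDriverInstallationToAdministrators at 1 with the two prompt values at 0 or undefined, closes them.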
