husk/build/exploit/windows/print_nightmare/CVE-2021-1675/README.html

<!doctype html>
<html lang="en">
    <center>
    <head>
        
    
        <script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
        <script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
        <script type="text/javascript" src="/static/js/auto-complete.js"></script>
        <script type="text/javascript" src="/static/js/lunr.min.js"></script>
        <script type="text/javascript" src="/static/js/search.js"></script>
        <link rel="stylesheet" href="/static/stylesheet.css">
        <link rel="stylesheet" href="/static/auto-complete.css">
        <br>
        <title>The Real Hugo</title>
        <meta name="viewport" content="width=device-width, initial-scale=1">
        

    </head>
    <body>
        <!-- topmenu -->
    <div class="menu">
    <a href="/" style="text-decoration:none">Husk</a>
    </div>
    <div class="search-container">    
        <label for="search-by"><i class="fas fa-search"></i></label>
        <input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
        <!--button type="submit"><i class="search"></i>&#128269;</button>-->
        <span data-search-clear=""><i class="fas fa-times"></i></span>
    </div>

</div>
    <div class="menu">
    </div>
    <!--br><br-->
    </center>
<p></p>
        <div class="columns">
        <!-- Sidebar -->
<div class="column column-1">
  <ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="l
</ul>
</div>
<div class="column column-2"> 
       <span class="body">
           <style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#cve-2021-1675-printnightmare-lpe-powershell">CVE-2021-1675 - PrintNightmare LPE (PowerShell)</a><ul>
<li><a href="#usage">Usage</a></li>
<li><a href="#details">Details</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="cve-2021-1675-printnightmare-lpe-powershell">CVE-2021-1675 - PrintNightmare LPE (PowerShell)</h1>
<blockquote>
<p>Caleb Stewart | John Hammond | July 1, 2021</p>
</blockquote>
<hr />
<p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675">CVE-2021-1675</a> is a critical remote code execution and local privilege escalation vulnerability dubbed "PrintNightmare."</p>
<p>Proof-of-concept exploits have been released (<a href="https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py">Python</a>, <a href="https://github.com/afwu/PrintNightmare/blob/main/EXP/POC/POC.cpp">C++</a>) for the remote code execution capability, and a <a href="https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare">C# rendition</a> for local privilege escalation. We had not seen a native implementation in pure PowerShell, and we wanted to try our hand at refining and recrafting the exploit.</p>
<p>This PowerShell script performs local privilege escalation (LPE) with the PrintNightmare attack technique.</p>
<p><img alt="image" src="https://user-images.githubusercontent.com/6288722/124203761-70b36580-daab-11eb-8520-7d93743062af.png" /></p>
<p>This has been tested on Windows Server 2016 and Windows Server 2019.</p>
<h2 id="usage">Usage</h2>
<p>Add a new user to the local administrators group by default:</p>
<div class="codehilite"><pre><span></span><code>Import-Module .<span class="se">\c</span>ve-2021-1675.ps1
Invoke-Nightmare <span class="c1"># add user `adm1n`/`P@ssw0rd` in the local admin group by default</span>

Invoke-Nightmare -DriverName <span class="s2">&quot;Xerox&quot;</span> -NewUser <span class="s2">&quot;john&quot;</span> -NewPassword <span class="s2">&quot;SuperSecure&quot;</span> 
</code></pre></div>

<p>Supply a custom DLL payload, to do anything else you might like.</p>
<div class="codehilite"><pre><span></span><code>Import-Module .<span class="se">\c</span>ve-2021-1675.ps1
Invoke-Nightmare -DLL <span class="s2">&quot;C:\absolute\path\to\your\bindshell.dll&quot;</span>
</code></pre></div>

<h2 id="details">Details</h2>
<ul>
<li>The LPE technique does not need to work with remote RPC or SMB, as it is only working with the functions of Print Spooler.</li>
<li>This script embeds a Base64-encoded GZIPped payload for a custom DLL, that is patched according to your arguments, to easily add a new user to the local administrators group.</li>
<li>This script embeds methods from PowerSploit/<a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1">PowerUp</a> to reflectively access the Win32 APIs.</li>
<li>This method does not loop through all printer drivers to find the appropriate DLL path -- it simply grabs the first driver and determines the appropriate path.</li>
</ul>
        </span>
</div>
</div>
<div id="footer">
         
<p></p>
    <center>
            &copy; Stefan Friese
    </center>
            
        </div>

        <script>
    function linkClick(obj) {
       if (obj.open) {
           //console.log('open');
                       if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
                           sessionStorage.removeItem(obj.id);
                       }
           sessionStorage.setItem(obj.id,"open");
           console.log(obj.id);
       } else {
           //console.log('closed');
            sessionStorage.removeItem(obj.id);
      }
    }

    let _keys = Object.keys(sessionStorage);
    if (_keys) {
       for ( let i = 0; i < _keys.length; i++ ) {
            document.getElementById(_keys[i])['open'] = 'open';
       }
    }
</script>            
    <script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
    <script type="text/x-mathjax-config">
    MathJax.Hub.Config({
      config: ["MMLorHTML.js"],
      jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
      extensions: ["MathMenu.js", "MathZoom.js"]
    });
    </script>
    </body>
</html>
init 2022-09-02 09:05:59 +02:00			`<!doctype html>`
			`<html lang="en">`
			`<center>`
			`<head>`


			`<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>`
Added settings.toml 2022-09-09 15:41:05 +02:00			`<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>`
			`<script type="text/javascript" src="/static/js/auto-complete.js"></script>`
			`<script type="text/javascript" src="/static/js/lunr.min.js"></script>`
			`<script type="text/javascript" src="/static/js/search.js"></script>`
init 2022-09-02 09:05:59 +02:00			`<link rel="stylesheet" href="/static/stylesheet.css">`
			`<link rel="stylesheet" href="/static/auto-complete.css">`
			`<br>`
Added settings.toml 2022-09-09 15:41:05 +02:00			`<title>The Real Hugo</title>`
init 2022-09-02 09:05:59 +02:00			`<meta name="viewport" content="width=device-width, initial-scale=1">`


			`</head>`
			`<body>`
			`<!-- topmenu -->`
			`<div class="menu">`
Added settings.toml 2022-09-09 15:41:05 +02:00			`<a href="/" style="text-decoration:none">Husk</a>`
init 2022-09-02 09:05:59 +02:00			`</div>`
			`<div class="search-container">`
			`<label for="search-by"><i class="fas fa-search"></i></label>`
			`<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">`
			`<!--button type="submit"><i class="search"></i>🔍</button>-->`
			`<span data-search-clear=""><i class="fas fa-times"></i></span>`
			`</div>`

			`</div>`
			`<div class="menu">`
			`</div>`
			`<!--br><br-->`
			`</center>`
			`<p></p>`
			`<div class="columns">`
			`<!-- Sidebar -->`
			`<div class="column column-1">`
Added settings.toml 2022-09-09 15:41:05 +02:00			<ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="l
init 2022-09-02 09:05:59 +02:00			`</ul>`
			`</div>`
			`<div class="column column-2">`
			`<span class="body">`
			`<style>pre { line-height: 125%; }`
			`td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }`
			`span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }`
			`td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }`
			`span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }`
			`.codehilite .hll { background-color: #2C3B41 }`
			`.codehilite .c { color: #546E7A; font-style: italic } /* Comment */`
			`.codehilite .err { color: #FF5370 } /* Error */`
			`.codehilite .esc { color: #89DDFF } /* Escape */`
			`.codehilite .g { color: #EEFFFF } /* Generic */`
			`.codehilite .k { color: #BB80B3 } /* Keyword */`
			`.codehilite .l { color: #C3E88D } /* Literal */`
			`.codehilite .n { color: #EEFFFF } /* Name */`
			`.codehilite .o { color: #89DDFF } /* Operator */`
			`.codehilite .p { color: #89DDFF } /* Punctuation */`
			`.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */`
			`.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */`
			`.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */`
			`.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */`
			`.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */`
			`.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */`
			`.codehilite .gd { color: #FF5370 } /* Generic.Deleted */`
			`.codehilite .ge { color: #89DDFF } /* Generic.Emph */`
			`.codehilite .gr { color: #FF5370 } /* Generic.Error */`
			`.codehilite .gh { color: #C3E88D } /* Generic.Heading */`
			`.codehilite .gi { color: #C3E88D } /* Generic.Inserted */`
			`.codehilite .go { color: #546E7A } /* Generic.Output */`
			`.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */`
			`.codehilite .gs { color: #FF5370 } /* Generic.Strong */`
			`.codehilite .gu { color: #89DDFF } /* Generic.Subheading */`
			`.codehilite .gt { color: #FF5370 } /* Generic.Traceback */`
			`.codehilite .kc { color: #89DDFF } /* Keyword.Constant */`
			`.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */`
			`.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */`
			`.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */`
			`.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */`
			`.codehilite .kt { color: #BB80B3 } /* Keyword.Type */`
			`.codehilite .ld { color: #C3E88D } /* Literal.Date */`
			`.codehilite .m { color: #F78C6C } /* Literal.Number */`
			`.codehilite .s { color: #C3E88D } /* Literal.String */`
			`.codehilite .na { color: #BB80B3 } /* Name.Attribute */`
			`.codehilite .nb { color: #82AAFF } /* Name.Builtin */`
			`.codehilite .nc { color: #FFCB6B } /* Name.Class */`
			`.codehilite .no { color: #EEFFFF } /* Name.Constant */`
			`.codehilite .nd { color: #82AAFF } /* Name.Decorator */`
			`.codehilite .ni { color: #89DDFF } /* Name.Entity */`
			`.codehilite .ne { color: #FFCB6B } /* Name.Exception */`
			`.codehilite .nf { color: #82AAFF } /* Name.Function */`
			`.codehilite .nl { color: #82AAFF } /* Name.Label */`
			`.codehilite .nn { color: #FFCB6B } /* Name.Namespace */`
			`.codehilite .nx { color: #EEFFFF } /* Name.Other */`
			`.codehilite .py { color: #FFCB6B } /* Name.Property */`
			`.codehilite .nt { color: #FF5370 } /* Name.Tag */`
			`.codehilite .nv { color: #89DDFF } /* Name.Variable */`
			`.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */`
			`.codehilite .w { color: #EEFFFF } /* Text.Whitespace */`
			`.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */`
			`.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */`
			`.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */`
			`.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */`
			`.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */`
			`.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */`
			`.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */`
			`.codehilite .sc { color: #C3E88D } /* Literal.String.Char */`
			`.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */`
			`.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */`
			`.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */`
			`.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */`
			`.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */`
			`.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */`
			`.codehilite .sx { color: #C3E88D } /* Literal.String.Other */`
			`.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */`
			`.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */`
			`.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */`
			`.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */`
			`.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */`
			`.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */`
			`.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */`
			`.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */`
			`.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */`
			`.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>`
			`<div class="column column-3">`
			`<ul>`
			`<li><a href="#cve-2021-1675-printnightmare-lpe-powershell">CVE-2021-1675 - PrintNightmare LPE (PowerShell)</a><ul>`
			`<li><a href="#usage">Usage</a></li>`
			`<li><a href="#details">Details</a></li>`
			`</ul>`
			`</li>`
			`</ul>`
			`</div>`
			`<h1 id="cve-2021-1675-printnightmare-lpe-powershell">CVE-2021-1675 - PrintNightmare LPE (PowerShell)</h1>`
			`<blockquote>`
			`<p>Caleb Stewart \| John Hammond \| July 1, 2021</p>`
			`</blockquote>`
			`<hr />`
			`<p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675">CVE-2021-1675</a> is a critical remote code execution and local privilege escalation vulnerability dubbed "PrintNightmare."</p>`
			<p>Proof-of-concept exploits have been released (<a href="https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py">Python</a>, <a href="https://github.com/afwu/PrintNightmare/blob/main/EXP/POC/POC.cpp">C++</a>) for the remote code execution capability, and a <a href="https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare">C# rendition</a> for local privilege escalation. We had not seen a native implementation in pure PowerShell, and we wanted to try our hand at refining and recrafting the exploit.</p>
			`<p>This PowerShell script performs local privilege escalation (LPE) with the PrintNightmare attack technique.</p>`
			`<p><img alt="image" src="https://user-images.githubusercontent.com/6288722/124203761-70b36580-daab-11eb-8520-7d93743062af.png" /></p>`
			`<p>This has been tested on Windows Server 2016 and Windows Server 2019.</p>`
			`<h2 id="usage">Usage</h2>`
			`<p>Add a new user to the local administrators group by default:</p>`
			`<div class="codehilite"><pre><span></span><code>Import-Module .<span class="se">\c</span>ve-2021-1675.ps1`
			Invoke-Nightmare <span class="c1"># add user `adm1n`/`P@ssw0rd` in the local admin group by default</span>

			`Invoke-Nightmare -DriverName <span class="s2">"Xerox"</span> -NewUser <span class="s2">"john"</span> -NewPassword <span class="s2">"SuperSecure"</span>`
			`</code></pre></div>`

			`<p>Supply a custom DLL payload, to do anything else you might like.</p>`
			`<div class="codehilite"><pre><span></span><code>Import-Module .<span class="se">\c</span>ve-2021-1675.ps1`
			`Invoke-Nightmare -DLL <span class="s2">"C:\absolute\path\to\your\bindshell.dll"</span>`
			`</code></pre></div>`

			`<h2 id="details">Details</h2>`
			`<ul>`
			`<li>The LPE technique does not need to work with remote RPC or SMB, as it is only working with the functions of Print Spooler.</li>`
			`<li>This script embeds a Base64-encoded GZIPped payload for a custom DLL, that is patched according to your arguments, to easily add a new user to the local administrators group.</li>`
			`<li>This script embeds methods from PowerSploit/<a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1">PowerUp</a> to reflectively access the Win32 APIs.</li>`
			`<li>This method does not loop through all printer drivers to find the appropriate DLL path -- it simply grabs the first driver and determines the appropriate path.</li>`
			`</ul>`
			`</span>`
			`</div>`
			`</div>`
			`<div id="footer">`

			`<p></p>`
			`<center>`
			`© Stefan Friese`
			`</center>`

			`</div>`

			`<script>`
Added settings.toml 2022-09-09 15:41:05 +02:00			`function linkClick(obj) {`
init 2022-09-02 09:05:59 +02:00			`if (obj.open) {`
Added settings.toml 2022-09-09 15:41:05 +02:00			`//console.log('open');`
init 2022-09-02 09:05:59 +02:00			`if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {`
			`sessionStorage.removeItem(obj.id);`
			`}`
Added settings.toml 2022-09-09 15:41:05 +02:00			`sessionStorage.setItem(obj.id,"open");`
			`console.log(obj.id);`
init 2022-09-02 09:05:59 +02:00			`} else {`
Added settings.toml 2022-09-09 15:41:05 +02:00			`//console.log('closed');`
			`sessionStorage.removeItem(obj.id);`
			`}`
			`}`
init 2022-09-02 09:05:59 +02:00
Added settings.toml 2022-09-09 15:41:05 +02:00			`let _keys = Object.keys(sessionStorage);`
			`if (_keys) {`
			`for ( let i = 0; i < _keys.length; i++ ) {`
			`document.getElementById(_keys[i])['open'] = 'open';`
			`}`
			`}`
init 2022-09-02 09:05:59 +02:00			`</script>`
Added settings.toml 2022-09-09 15:41:05 +02:00			`<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>`
init 2022-09-02 09:05:59 +02:00			`<script type="text/x-mathjax-config">`
Added settings.toml 2022-09-09 15:41:05 +02:00			`MathJax.Hub.Config({`
			`config: ["MMLorHTML.js"],`
			`jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],`
			`extensions: ["MathMenu.js", "MathZoom.js"]`
			`});`
			`</script>`
init 2022-09-02 09:05:59 +02:00			`</body>`
			`</html>`