We covered the Print Nightmare Exploit from a defensive perspective where we performed an incident response and extracted the related artifacts to the exploit using Wireshark, Brim and Windows event viewer. This was part of TryHackMe Printermare room.
To better understand the PrintNightmare vulnerability (or any vulnerability), you should get into the habit of researching the vulnerabilities by reading Microsoft articles on any Windows-specific CVE or browsing through the Internet for community and vendor blogposts.
There has been some confusion if the CVE-2021-1675 and CVE-2021-34527 are related to each other. They go under the same name: Windows Print Spooler Remote Code Execution Vulnerability and are both related to the Print Spooler.
As Microsoft states in the FAQ, the PrintNightmare (CVE-2021-34527) vulnerability “is similar but distinct from the vulnerability that is assigned CVE-2021-1675. The attack vector is different as well.”
What did Microsoft mean by the attack vector? To answer this question, let’s look into the differences between the two vulnerabilities and append the timeline of events.
Per Microsoft’s definition, PrintNightmare vulnerability is “a remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”.
Running arbitrary code involves executing any commands of the attacker’s choice and preference on a victim’s machine.
Suppose you had a chance to look at both CVE’s on Microsoft. You would notice that the attack vectors for both are different.
To exploit the CVE-2021-1675 vulnerability, the attacker would need to have direct or local access to the machine to use a malicious DLL file to escalate privileges. To exploit the CVE-2021-34527 vulnerability successfully, the attacker can remotely inject the malicious DLL file.
Provide the function that is used to install printer drivers.
What tool can the attacker use to scan for vulnerable print servers?
Find the source name and the event ID when the Print Spooler Service stopped unexpectedly and how many times was this event logged? (format: answer,answer,answer)
Oh no! You think you’ve found the attacker’s connection. You need to know the attacker’s IP address and the destination hostname in order to terminate the connection. Provide the attacker’s IP address and the hostname. (format: answer,answer)
What is the local domain?
What user account was utilized to exploit the vulnerability?
What was the malicious DLL used in the exploit?
What was the attacker’s IP address?
What was the UNC path where the malicious DLL was hosted?
There are encrypted packets in the results. What was the associated protocol?
Where can you disable the Print Spooler Service in Group Policy? (format: no spaces between the forward slashes)
Provide the command in PowerShell to detect if Print Spooler Service is enabled and running.