[Image: dreams3.png]

On first look this appears to be a follow-up to the Scorching challenge from Phase 2. At first I interpret the comment that "the vulnerability was also present in the Scorching challenge" to mean that the Kerberoasting attack has been patched. Silly me! It is actually referring to the PrintNightmare exploit, CVE-2021-1675.

This CVE is another Windows print spooler vulnerability: it lets an attacker who has regular account credentials gain SYSTEM privileges by getting the spooler service to load a malicious .dll file.

Before we can start working on this challenge, don't forget to connect to the VPN with your challenge user profile. In my case the command is:

$ openvpn ~/Downloads/nmcpher2-key.ovpn

First, let's confirm that the system is vulnerable. We can use the following script from the impacket collection, which you can find at https://github.com/SecureAuthCorp/impacket. The script confirms that the print spooler service is running (the MS-RPRN endpoint is only registered while the spooler is up).

$ rpcdump.py @10.6.0.2 | grep MS-RPRN
Protocol: [MS-RPRN]: Print System Remote Protocol
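
From the defender's side, the two facts above (the spooler advertises MS-RPRN, and the bug works by making the spooler load a DLL as a printer driver) translate directly into an inventory check and a detection rule. The script below is an added example, not part of the original write-up or of the impacket or cube0x0 projects. It parses rpcdump-style output per host to list machines still exposing the spooler, and it scans Microsoft-Windows-PrintService/Operational records for Event ID 316 (driver added or updated) whose driver files come from a UNC path or from outside the local driver store, plus Event ID 808 (spooler failed to load a plug-in module). The event records and rpcdump output are constructed samples; the dictionary layout and the message wording are approximations for this example, not a real export format.

```python
import re

# Local driver store; CVE-2021-1675 / CVE-2021-34527 abuse relies on the spooler
# accepting a driver whose files live somewhere else (typically a \\host\share path).
SPOOL_DRIVER_ROOT = r"c:\windows\system32\spool\drivers"

# --- constructed sample data (not captured from a real system) -----------------
SAMPLE_RPCDUMP = {
    "DC01": "Protocol: [MS-RPRN]: Print System Remote Protocol\nProtocol: [MS-SCMR]: Service Control Manager Remote Protocol",
    "FS02": "Protocol: [MS-SCMR]: Service Control Manager Remote Protocol",
}

SAMPLE_EVENTS = [
    {"event_id": 316, "host": "DC01", "message":
     "Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added or updated. "
     "Files:- C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\hpcu250u.dll, "
     "C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\hpcu250u.ini. No user action is required."},
    {"event_id": 316, "host": "DC01", "message":
     "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
     "Files:- UNIDRV.DLL, \\\\10.6.0.99\\share\\payload.dll, kernelbase.dll. No user action is required."},
    {"event_id": 808, "host": "DC01", "message":
     "The print spooler failed to load a plug-in module "
     "C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\New\\payload.dll, error code 0x45A. "
     "See the event user data for context information."},
]

FILES_RE = re.compile(r"Files:-\s*(.*?)\.\s*No user action", re.IGNORECASE | re.DOTALL)
MODULE_RE = re.compile(r"failed to load a plug-in module\s+(.+?),\s*error code", re.IGNORECASE)


def hosts_exposing_spooler(rpcdump_by_host):
    """Return hosts whose rpcdump output registers MS-RPRN, i.e. the spooler is running."""
    return sorted(host for host, out in rpcdump_by_host.items() if "MS-RPRN" in out)


def driver_files(message):
    """Extract the comma-separated file list from an Event ID 316 message."""
    m = FILES_RE.search(message)
    if not m:
        return []
    return [f.strip() for f in m.group(1).split(",") if f.strip()]


def is_suspicious_path(path):
    """A driver file is suspicious if it is fetched over UNC or sits outside the driver store.
    Bare filenames are treated as relative to the driver store and allowed."""
    p = path.strip().strip('"')
    if p.startswith("\\\\"):
        return True
    lowered = p.lower()
    if re.match(r"^[a-z]:\\", lowered):
        return not lowered.startswith(SPOOL_DRIVER_ROOT)
    return False


def analyse(events):
    """Return (host, event_id, detail) findings for suspicious spooler activity."""
    findings = []
    for ev in events:
        if ev["event_id"] == 316:
            bad = [f for f in driver_files(ev["message"]) if is_suspicious_path(f)]
            if bad:
                findings.append((ev["host"], 316,
                                 "driver files outside driver store: " + ", ".join(bad)))
        elif ev["event_id"] == 808:
            m = MODULE_RE.search(ev["message"])
            module = m.group(1) if m else "?"
            findings.append((ev["host"], 808, "spooler failed to load plug-in: " + module))
    return findings


if __name__ == "__main__":
    print("hosts exposing spooler:", hosts_exposing_spooler(SAMPLE_RPCDUMP))
    for host, eid, detail in analyse(SAMPLE_EVENTS):
        print(f"[{host}] event {eid}: {detail}")
```

The 316 rule is the high-confidence one: a legitimate driver install never pulls its files from a remote share. Event 808 fires for ordinary broken drivers too, so treat it as corroborating context rather than an alert on its own. Either way, the durable fix is Microsoft's guidance for these CVEs: patch, stop and disable the spooler on domain controllers and any host that does not print, and restrict driver installation to administrators.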

There are a few exploits available for this CVE, but after a bit of research I decide on this one, which is an impacket implementation:

GitHub - cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527

The first thing we need to do is set up an anonymous share. Check that Samba is not currently running on your system:

$ systemctl status smbd nmbd

Now we want to back up the existing Samba config file and create a new one for the exploit.

$ mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

Create a new smb.conf with the following contents: