search
DiscordHackTheBoxTryHackMeGitHub

Print Operators

hashtag
ABOUT

Print Operators is another highly privileged group, which grants its members the SeLoadDriverPrivilege, rights to manage, create, share, and delete printers connected to a Domain Controller, as well as the ability to log on locally to a Domain Controller and shut it down.

hashtag
Capcom Driver Abuse

The plan is to use EnableSeLoadDriverPrivilege script [LINK]arrow-up-right to enable SeLoadDriverPrivilege. Then we need to load the Capcom.sys [LINK]arrow-up-right driver, which was used originally as a anti-cheat for Capcom games, but it also have functionality to allow any user to execute shellcode with SYSTEM privileges. Then we make a Registry key and edit it for Capcom.sys to be seen. Then we check it with DriverView [LINK]arrow-up-right. After we verified that info, we are using ExploitCapcom script [LINK]arrow-up-right to get SYSTEM shell.

OR we can change code of ExploitCapcom to make a reverse shell for us (if we have no GUI access).

hashtag
Check privs

C:\> whoami /priv

hashtag
EnableSeLoadPrivilege

C:\> .\EnableSeLoadDriverPrivilege.exe

hashtag
Add Reference to Driver

You need to download Capcom.sys to C:\temp. Issue the commands below to add a reference to this driver under our HKEY_CURRENT_USER tree.

C:\> reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\temp\Capcom.sys"

C:\> reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1

hashtag
Verify Driver

hashtag
Exploiting

hashtag
Same stuff but automated

We can use EoPLoadDriver [LINK]arrow-up-right script to automate process of enabling the privilege, creating the registry key, and executing NTLoadDriver to load the driver by using this command.

hashtag
NO GUI

For that we need to find ExploitCapcom.cpp. change string below and recompile.

hashtag
Cleanup

For a little clean up we could just delete registry key we made before.

PreviousServer OperatorsNextDnsAdmins

Last updated