
Print Operators

The Print Operators group has administrative privileges over printers and can install drivers (SeLoadDriverPrivilege), including malicious ones. Members can escalate privileges by loading unsigned drivers, which execute with SYSTEM privileges. Attackers can also exploit this through DLL hijacking or by abusing the Print Spooler service. If misconfigured, membership can lead to full system compromise through privilege escalation techniques such as CVE-2020-1048 (PrintDemon).


Verify SeLoadDriverPrivilege

We can check whether we have this privilege with the whoami /priv command. If it is not listed, we can bypass UAC using UACME, or open an elevated cmd.exe shell, which will show SeLoadDriverPrivilege but in the Disabled state.

Abusing with Capcom.sys

Capcom.sys is a well-known driver that contains functionality allowing any user to execute shellcode with SYSTEM privileges. This makes it particularly useful for escalating privileges in a Windows environment.

  1. Download the Capcom.sys Driver:
  2. Create a Malicious Executable:
    • Using Metasploit, create a malicious executable (e.g., rev.exe) that will provide a reverse shell when executed. This executable will be run with elevated privileges after loading the Capcom.sys driver.
  3. Load the Capcom.sys Driver:
    • Use the LoadDriver.exe tool to load the Capcom.sys driver. The command syntax is as follows:

      .\LoadDriver.exe System\CurrentControlSet\MyService C:\Users\rezydev\Capcom.sys
    • Upon successful execution, this command should return NTSTATUS: 00000000, WinError: 0. If it does not, check the location of Capcom.sys or ensure that you are executing LoadDriver.exe from the correct directory.

  4. Execute the Malicious Executable:
    • After successfully loading the driver, use ExploitCapcom.exe to execute your malicious executable with elevated privileges:

      .\ExploitCapcom.exe C:\Windows\Path\to\rev.exe
    • This command runs the rev.exe file with system privileges, providing the attacker with a reverse shell.

Info: Use msf's multi/handler to catch the reverse shell if the malicious payload was created with msfvenom.
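From the defender's side, the driver load performed in step 3 shows up as a Sysmon Event ID 6 (DriverLoad) record. The following Python is an added example (not part of this page or of any tool it mentions) that parses such records and flags driver loads matching the pattern above: a driver image loaded from outside the system driver directories, as with C:\Users\rezydev\Capcom.sys, or one without a valid signature. The sample records are constructed, and the field names (ImageLoaded, Signed, SignatureStatus) are the ones Sysmon emits.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Directories from which legitimately installed drivers are normally loaded
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")

# Constructed sample Sysmon Event ID 6 (DriverLoad) records, not real telemetry:
# a normal Microsoft driver followed by a driver loaded from a user profile.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID></System>
 <EventData>
  <Data Name="ImageLoaded">C:\Windows\System32\drivers\tcpip.sys</Data>
  <Data Name="Signed">true</Data>
  <Data Name="SignatureStatus">Valid</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID></System>
 <EventData>
  <Data Name="ImageLoaded">C:\Users\rezydev\Capcom.sys</Data>
  <Data Name="Signed">true</Data>
  <Data Name="SignatureStatus">Valid</Data>
 </EventData>
</Event>
</Events>"""


def parse_driver_loads(xml_text):
    """Yield the EventData fields of every Sysmon Event ID 6 record as a dict."""
    root = ET.fromstring(xml_text)
    for event in root.findall("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "6":
            continue
        yield {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}


def suspicious_reasons(record):
    """Return the reasons a driver load looks like ad-hoc loading; empty if it looks normal."""
    reasons = []
    if not record.get("ImageLoaded", "").lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the system driver directories")
    if record.get("Signed", "").lower() != "true" or record.get("SignatureStatus") != "Valid":
        reasons.append("missing or invalid signature")
    return reasons


def find_suspicious_driver_loads(xml_text):
    """Return (image path, reasons) for each flagged Event ID 6 record, in log order."""
    return [(r["ImageLoaded"], suspicious_reasons(r))
            for r in parse_driver_loads(xml_text) if suspicious_reasons(r)]
```

The same check applies to exported EVTX XML; pair it with an alert on new kernel-mode service keys under System\CurrentControlSet\Services whose ImagePath points into a user profile.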