Ideas for privilege escalation via a custom [printer] driver

jonathan123
Hello there. First-time poster. I've stumbled on this forum from some Google searches on SANS certifications I've been interested in. I'm currently doing the OS PWK course, but this question isn't about that certification as much as it is about ideas/guidance for a penetration test I'm participating in for work.

I'm somewhat new to penetration testing, and have been drinking from the firehose between the SANS courses I've taken and PWK course I'm currently taking.

Anyways, I'm hoping to get some direction on a test I'm currently participating in. I have local privileges on a Windows 10 (x64) box, and I am trying to escalate privileges. The box is fully patched, but the computer is set up so that certain functions/processes are allowed to run with elevated privileges. One such function is adding a printer to the machine.

I noticed that when I go to add a network printer I get a warning asking me if I trust the printer, because Windows will install a software driver from it (if I say yes, it goes forth with the installation). From some reading, Windows runs this driver installation as SYSTEM.

So my idea to get admin is to install a local printer, with a malicious printer driver (or a valid printer driver I've injected with badness). I've never done this before, so I did some research. I found this article, which somewhat describes what I'd like to do, but:
  • This would be a local priv. escalation attack, so no need to attack a network printer
  • I don't want to have to reverse engineer a printer driver (at least, not with IDA and assembly, as I have little experience there)
  • I'd rather avoid reverse/bind shells... I just need it to execute a Windows command, to add my local user to the admin group ("net localgroup administrators myuser /add")

I thought it would be as simple as downloading a printer DLL and using the "backdoor.py" script to inject it with badness, then installing the DLL (like a mouse driver), but everywhere I look printer drivers are just executables. I've tried unpacking (with 7-zip) one of these exes but I don't see any DLLs in the extracted output.

I've started down the path of writing my own printer driver and then seeing if I can get it installed as a printer driver on my machine, and then from there determining how to inject system commands into my driver code, but I'm starting to feel in over my head.

Could somebody provide some direction that would simplify what I'm trying to do, or at least confirm that writing my own driver is the way to go?

Thanks

Comments

  • GirlyGirl
    Hello there. First-time poster. I've stumbled on this forum from some Google searches on SANS certifications I've been interested in. I'm currently doing the OS PWK course, but this question isn't about that certification as much as it is about ideas/guidance for a penetration test I'm participating in for work.

    I'm somewhat new to penetration testing, and have been drinking from the firehose between the SANS courses I've taken [in red: curious to know the courses] and PWK course I'm currently taking.

    Anyways, I'm hoping to get some direction on a test I'm currently participating in. I have local privileges on a Windows 10 (x64) box, and I am trying to escalate privileges. The box is fully patched [in red: hard to believe], but the computer is set up so that certain functions/processes are allowed to run with elevated privileges. One such function is adding a printer to the machine.

    I noticed that when I go to add a network printer I get a warning asking me if I trust the printer, because Windows will install a software driver from it (if I say yes, it goes forth with the installation). From some reading, Windows runs this driver installation as SYSTEM. [in red: ........]

    So my idea to get admin is to install a local printer, with a malicious printer driver. [in red: So you are telling me you can't install a printer driver with admin rights if you get them, huh? You are trying to break the window of a car when you can grab the keys off the counter in the kitchen.] (or a valid printer driver I've injected with badness). I've never done this before, so I did some research. I found [in red: No, I am not clicking this link] this article, which somewhat describes what I'd like to do, but:
    • This would be a local priv. escalation attack, so no need to attack a network printer
    • I don't want to have to...... reverse engineer a printer driver..... (at least, not with IDA and assembly, as I have little experience there)
    • I'd rather avoid reverse/bind shells... I just need it to execute a Windows command, to add my local user to the admin group. [in red: If you get admin, what's the point of this? -)] ("net localgroup administrators myuser /add")
    I thought it would be as simple as downloading a printer DLL and using the "backdoor.py" script to inject it with badness, then installing the driver (like a mouse driver), but everywhere I look printer drivers are just executables [in red: do you expect them not to be?]. I've tried unpacking (with 7-zip) one of these exes but I don't see any DLLs in the extracted output.

    I've started down the path of writing my own printer driver and then seeing if I can get it installed as a printer driver on my machine, and then from there determining how to inject system commands into my driver code, but I'm starting to feel in over my head.

    Could somebody provide some direction that would simplify what I'm trying to do, or at least confirm that writing my own driver is the way to go?

    Thanks

    So, this is your first post and you want someone to tell you how to escalate privs? That is assuming everything you said is true. Why are you trying to get on a machine just to get access to a printer again? Are you the employee who prints and increases the priority so that the stuff they print gets printed first?
  • jonathan123
    GirlyGirl wrote: »
    So, this is your first post and you want someone to tell you how to escalate privs? That is assuming everything you said is true. Why are you trying to get on a machine just to get access to a printer again? Are you the employee who prints and increases the priority so that the stuff they print gets printed first?

    Hey there, thanks for the reply. It's actually my own host (or rather, a virtual machine, imaged with an image file the corporation uses, which resembles my host), and the goal is to find configurations/weaknesses/exploits that allow priv. escalation so that ultimately those configurations can be locked down/patched (or at least monitored). We have software on the machine that allows processes to run with elevated rights, one of which happens to be manage/add printers. There are many other features (such as disk management, monitor calibration, virus scan console) that run with elevated rights, which are also potential vectors. I already have an account on my host which has admin rights (and I own the virtual machine, and the hypervisor, or rather have access to them as admin; somebody else set it up). I understand the skepticism with all the script kiddies out there, which is why I didn't just post 'give me the codez' but rather asked for some guidance, to help me along (or at least a nudge in the right direction).

    I'm happy to provide you with some personal information via private message, so you can 'vet me' if you will. If nothing else, I can give you my SANS certificate information and real name, though I prefer to not give out PII on a public forum. I understand if you'd rather not help anyway. Thanks for considering.
  • jonathan123
    Oops, just realized you replied in red... let me respond to those:

    Re courses and certs, they were SEC504, SEC401 & SEC542. I got the certs for each (although I'm guessing you'll doubt that, because I'm asking what you may consider stupid/basic questions? Not sure).

    It's possible the boxes are missing the latest patches (i.e. from the last few months); honestly I didn't check, I just know my company is good about staying on top of patching. My goal is to try to escalate privileges through other means, because proving that I can run an exploit/PoC that recently came out doesn't add a ton of value... it's a threat vector everybody already knows about.

    Re my printer driver idea, sorry if I was unclear. I am a low-level user. When I click 'add printer', software on the endpoint says the application is 'starting with admin rights'. If the application is running with admin (SYSTEM rights?), my goal is to then get the application to execute something of my design (although there is no 'execute my code' button, so I have to use the built-in features to accomplish this). I can add a local printer (one option of the add printer dialog), and specify a driver. Thus my idea to create a custom driver, which has the code I want to accomplish built in. I can't just point it to an 'exe'; it wants a configuration file ('inf'). Which I guess makes sense for a printer, but it's been so long since I added any device to my machine that wasn't plug and play that I remember little about this process.

    Hope that helps clear some things up.
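The mechanism the thread circles around is Windows letting a printer driver install run elevated on behalf of a standard user. A defender auditing a Windows 10 host for exactly that would look at the Point and Print policy values and at which non-inbox printer drivers are already present; the read-only script below does that. It is an added example, not part of any post in the thread; the registry key and the PrintManagement cmdlets are standard Windows interfaces, while the PrintService event ID is a value to confirm against your own build before relying on it.

```powershell
# Added example (not from the thread): read-only audit of how this Windows 10
# host handles printer driver installation. Run from an elevated PowerShell 5.1
# or later session; it changes nothing on the machine.

$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$policy = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue

function Test-PointAndPrintHardening {
    # One row per policy value: what is configured versus the hardened value.
    $rows = @(
        # 1 = only administrators may install printer drivers; 0, or absent on
        # builds before the 2021 Point and Print hardening, lets any user do it.
        @{ Name = 'RestrictDriverInstallationToAdministrators'; Hardened = 1 },
        # 0 = keep the warning and UAC elevation prompt when a network printer
        # pushes a driver (the prompt the poster saw); 1 = install silently.
        @{ Name = 'NoWarningNoElevationOnInstall';              Hardened = 0 },
        # 0 = prompt before an existing driver is updated; 2 = silent update.
        @{ Name = 'UpdatePromptSettings';                       Hardened = 0 }
    )
    foreach ($r in $rows) {
        $current = if ($null -ne $policy) { $policy.($r.Name) } else { $null }
        [pscustomobject]@{
            Setting    = $r.Name
            Configured = if ($null -eq $current) { 'not set' } else { $current }
            Hardened   = $r.Hardened
            Explicit   = ($current -eq $r.Hardened)   # explicitly set to the hardened value
        }
    }
}

Test-PointAndPrintHardening | Format-Table -AutoSize

# Installed drivers that did not ship with Windows: each one is code that ran
# elevated at install time and that the spooler will load again later.
Get-PrinterDriver |
    Where-Object { $_.Manufacturer -ne 'Microsoft' } |
    Select-Object Name, Manufacturer, PrinterEnvironment, InfPath |
    Format-Table -AutoSize

# Recent driver additions, if the PrintService operational log is enabled
# (it is off by default). Event 316 is "printer driver ... was added or
# updated"; confirm the ID against your build before building alerts on it.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap
```

A host where the first table shows RestrictDriverInstallationToAdministrators as "not set" or 0 on an older build is one where the add-printer path really does hand a standard user an elevated driver install, which is the condition to monitor or lock down.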