# Intro

- The [Hyper-V Administrators](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#hyper-v-administrators) group has full access to all [Hyper-V features](https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/use/manage-virtual-machines)
- In a situation where the DCs are virtualized, the virtualization admins should be considered Domain Admins
- They could easily create a clone of the live Domain Controller and mount the virtual disk offline to obtain the `NTDS.dit` file and extract NTLM password hashes for all users in the domain
- It is also well documented on this [blog](https://decoder.cloud/2020/01/20/from-hyper-v-admin-to-system/) that, upon deleting a VM, `vmms.exe` attempts to restore the original file permissions on the corresponding `.vhdx` file and does so as `NT AUTHORITY\SYSTEM`, without impersonating the user
- Knowing this, we can delete the `.vhdx` file and create a native NTFS hard link in its place pointing at a protected SYSTEM-owned file, which we will then have full permissions over
- If the operating system is vulnerable to [CVE-2018-0952](https://www.tenable.com/cve/CVE-2018-0952) or [CVE-2019-0841](https://www.tenable.com/cve/CVE-2019-0841), we can leverage the above to gain SYSTEM privileges
- Otherwise, we can try to take advantage of an app on the server that has installed a service running in the context of SYSTEM and which is startable by unprivileged users

# Hard-Link Exploit Example

- An example of this is Firefox, which installs the `Mozilla Maintenance Service`
- We can update [this exploit](https://raw.githubusercontent.com/decoder-it/Hyper-V-admin-EOP/master/hyperv-eop.ps1) (i.e., a proof-of-concept for NT hard links) to grant our current user full permissions on the file below

```txt
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
```

## Taking Ownership of File

- After running the exploit script, we should have full control of `maintenanceservice.exe` and can take ownership of it as shown below (the path contains spaces, so it must be quoted)

```cmd
takeown /F "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
```

# Exploit

- Next, we can replace this file with a malicious `maintenanceservice.exe` and start the maintenance service as below to get command execution as SYSTEM

```cmd
sc.exe start MozillaMaintenance
```
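The chain above depends on two host-side conditions a defender can audit: who sits in the Hyper-V Administrators group (effectively Domain Admins on a host that runs virtualized DCs), and whether any LocalSystem service binary is writable by low-privileged principals or is reachable through an extra NTFS hard link. The PowerShell below is an added audit script, not part of the original notes or the referenced proof-of-concept. It assumes it is run elevated on the Hyper-V host being reviewed; the function names and the `$lowPriv` principal list are my own choices and should be adjusted to the environment.

```powershell
# Added defensive audit for a Hyper-V host (not from the original notes or exploit).
# Assumes an elevated PowerShell session; principal patterns below are constructed.

# 1. Membership of Hyper-V Administrators: on hosts running virtualized DCs these
#    accounts should be reviewed with the same rigour as Domain Admins.
function Get-HyperVAdminMembers {
    try {
        Get-LocalGroupMember -Group 'Hyper-V Administrators' -ErrorAction Stop |
            Select-Object Name, ObjectClass, PrincipalSource
    } catch {
        Write-Warning "Could not read 'Hyper-V Administrators': $($_.Exception.Message)"
    }
}

# Rights that let a low-privileged principal replace or re-ACL a binary.
$weakRights = 'FullControl|Modify|Write|TakeOwnership|ChangePermissions|WriteDAC|WriteOwner'
# Principals that should never hold such rights on a LocalSystem service binary
# (constructed list; extend with local groups relevant to your host).
$lowPriv = '^(NT AUTHORITY\\Authenticated Users|BUILTIN\\Users|Everyone|.*\\Hyper-V Administrators)$'

function Get-ServiceBinaryPath([string]$PathName) {
    # Strip quotes and arguments from the service ImagePath.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+-|\s+/')[0].Trim()
}

# 2. LocalSystem services whose binary has weak ACEs or more than one hard link.
function Test-SystemServiceBinaries {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            $svc  = $_
            $path = Get-ServiceBinaryPath $svc.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }

            $acl = Get-Acl -LiteralPath $path
            $weakAces = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match $lowPriv -and
                $_.FileSystemRights.ToString() -match $weakRights
            }

            # fsutil prints one path per hard link; more than one entry means the
            # binary is reachable under a second name, which is the primitive the
            # notes above rely on.
            $links = & fsutil hardlink list $path 2>$null
            $linkCount = @($links).Count

            if ($weakAces -or $linkCount -gt 1) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    Binary    = $path
                    Owner     = $acl.Owner
                    WeakACEs  = ($weakAces | ForEach-Object {
                                    "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
                    HardLinks = $linkCount
                }
            }
        }
}

Get-HyperVAdminMembers     | Format-Table -AutoSize
Test-SystemServiceBinaries | Format-Table -AutoSize
```

Any row returned by `Test-SystemServiceBinaries` is a binary that a Hyper-V Administrator could swap or re-link and then have executed as SYSTEM; the fix is to restore the vendor ACL (or reinstall the product), remove the stray hard link, and apply the patches for the two CVEs referenced above. The script does not check whether non-admins may start the service (that is in the service's security descriptor, visible with `sc.exe sdshow <name>`), so treat its output as a list of candidates to review rather than confirmed findings.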