Server Operators
The Server Operators group allows members to administer Windows servers without being assigned Domain Admin privileges. It is a very highly privileged group that can log in locally to servers, including Domain Controllers.
Membership of this group confers SeBackup and SeRestore privileges and the ability to control local services.
We focus on exploiting local services. Exploiting SeBackup/SeRestore is explained in the Backup Operators section.
Attack
We look for a service that runs as LocalSystem, for example AppReadiness:

sc qc AppReadiness
SERVICE_START_NAME : LocalSystem

The SERVICE_START_NAME : LocalSystem line in the output indicates the service runs as LocalSystem.
Then we use PsService, the service viewer/controller from the Sysinternals suite, to check the permissions (the DACL) on the service:
C:\hacker> psservice security AppReadiness

PsService v2.25 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: AppReadiness
DISPLAY_NAME: App Readiness
        ACCOUNT: LocalSystem
        SECURITY:
        [ALLOW] NT AUTHORITY\SYSTEM
                Query status
                Query Config
                Interrogate
                Enumerate Dependents
                Pause/Resume
                Start
                Stop
                User-Defined Control
                Read Permissions
        [ALLOW] BUILTIN\Administrators
                All
        [ALLOW] NT AUTHORITY\INTERACTIVE
                Query status
                Query Config
                Interrogate
                Enumerate Dependents
                User-Defined Control
                Read Permissions
        [ALLOW] NT AUTHORITY\SERVICE
                Query status
                Query Config
                Interrogate
                Enumerate Dependents
                User-Defined Control
                Read Permissions
        [ALLOW] BUILTIN\Server Operators
                All

We see that members of Server Operators have full access.
Then we change the service binary to a command of our choice, here adding ourselves to the Administrators group:
Then we start the service:
Log out and log back in, and finally we confirm we're now members of the Administrators group:
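The permission check that the whole chain hinges on, written as an audit script (an added example, not code from the original page): parse the SDDL that `sc sdshow <service>` prints and flag any trustee other than SYSTEM or Administrators that holds SERVICE_CHANGE_CONFIG (the right that lets the service binary be redefined), WRITE_DAC or WRITE_OWNER. The function names are mine, and the sample SDDL is constructed to match the PsService listing above; on a real host, feed it the `sc sdshow` output of each service to find DACLs that need tightening.

```python
import re

# SDDL right codes as printed by "sc sdshow <service>", with the service
# access-mask bit each stands for (DC = SERVICE_CHANGE_CONFIG, RP = start, ...).
RIGHTS = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
    "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100, "SD": 0x10000,
    "RC": 0x20000, "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "FA": 0x1F01FF,
}
# Rights that let the holder redefine the service binary (DC), rewrite its
# DACL or owner (WD, WO), or that imply everything (GA, FA).
TAKEOVER = {"DC", "WD", "WO", "GA", "FA"}
TRUSTED = {"SY", "BA"}   # SYSTEM and Administrators are expected to hold these
# Well-known SID abbreviations; SO is BUILTIN\Server Operators (S-1-5-32-549).
NAMES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
         "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
         "SO": "BUILTIN\\Server Operators", "AU": "Authenticated Users"}

def rights_to_codes(rights):
    """Expand an SDDL rights field (two-letter codes or a hex mask) to codes."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {c for c, m in RIGHTS.items() if mask & m == m}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def parse_dacl(sddl):
    """Return [(trustee, {codes})] for every access-allowed ACE in the D: part."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inh, trustee = body.split(";")
        if ace_type == "A":            # only ALLOW ACEs grant access
            aces.append((trustee, rights_to_codes(rights)))
    return aces

def find_weak_aces(sddl):
    """Non-admin trustees holding takeover rights on the service."""
    weak = []
    for trustee, codes in parse_dacl(sddl):
        held = codes & TAKEOVER
        if held and trustee not in TRUSTED:
            weak.append((NAMES.get(trustee, trustee), sorted(held)))
    return weak

# Constructed sample: the DACL behind the PsService listing above, in the form
# "sc sdshow AppReadiness" prints it (assumed, not captured from a real host).
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)")
```

Removing the Server Operators ACE (or reducing it to the query/start/stop rights the INTERACTIVE entry carries) makes `find_weak_aces` return an empty list, which is the state a Domain Controller's services should be in.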