Windows Server Operators

• The Server Operators group allows members to administer Windows servers without needing assignment of Domain Admin privileges

• It is a very highly privileged group that can log in locally to servers, including Domain Controllers.

• Membership of this group confers the powerful SeBackupPrivilege and SeRestorePrivilege privileges and the ability to control local services.

Querying the AppReadiness Service

• Let's examine the AppReadiness service. We can confirm that this service starts as SYSTEM using the sc.exe utility

sc qc AppReadiness

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AppReadiness
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k AppReadiness -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : App Readiness
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Checking Service Permissions with PsService

• We can use the service viewer/controller PsService, which is part of the Sysinternals suite, to check permissions on the service.

• PsService works much like the sc utility and can display service status and configurations and also allow you to start, stop, pause, resume, and restart services both locally and on remote hosts.

• This confirms that the Server Operators group has SERVICE_ALL_ACCESS access right, which gives us full control over this service.

Checking Local Admin Group Membership

Modifying the Service Binary Path

Starting the Service

• Starting the service fails, which is expected.

Confirming Local Admin Group Membership

Confirming Local Admin Access on Domain Controller

• From here, we have full control over the Domain Controller and could retrieve all credentials from the NTDS database and access other systems, and perform post-exploitation tasks.

Retrieving NTLM Password Hashes from the Domain Controller