0xma Cyber Security Articles




April 23, 2022

Privilege Escalation via Server Operators Group

In this tutorial, we will see how to escalate our privileges from an account that is a member of the "Server Operators Group" and gain "nt authority\system" level privileges. Members of this group can start and stop system services.

The net user svc-printer command shows some information regarding the "svc-printer" account. We can see that it is part of the "Server Operators" group.

View group memberships of an account.

We need to upload nc.exe (netcat) to the target box.

Upload netcat to the target.

Let's modify the binary path of "vss" and point it to a netcat reverse shell.

Modify the vss service.

It restarts the "vss" service.

Restarting the vss service.

Once the "vss" service is started, we can catch the reverse shell in a netcat listener on our own box.

Administrator privileges on the box.

If you liked reading this article, you can follow me on Twitter: 0xmaCyberSec.