April 23, 2022
Privilege Escalation via Server Operators Group
In this tutorial, we will see how to escalate our privileges from an account that is a member of the "Server Operators Group" and gain "nt authority\system" level privileges. Members of this group can start and stop system services.
The net user svc-printer command shows some information regarding the "svc-printer" account. We can see that it is part of the "Server Operators" group.
We need to upload nc.exe (netcat) to the target box.
Let's modify the binary path of "vss" and point it to a netcat reverse shell.
It restarts the "vss" service.
Once the "vss" service is started, we can catch the reverse shell in a netcat listener on our own box.
If you liked reading this article, you can follow me on Twitter: mujtabareads.
- Capture LDAP Credentials
- Bypass AppArmor with Perl Script
- Exploit PrintNightmare
- Extract Passwords with LaZagne
- Local Privilege Escalation on Linux Kernel < 4.4.0-116
- Bruteforce Windows Server SMB Credentials with Medusa
- Brute Force Windows Server SMB Credentials with Hydra
- Brute Force Windows Server SMB Credentials with NCrack
- Brute Force Windows Server SMB Credentials with CrackMapExec
- Brute Force Windows Server SMB Credentials with Metasploit