DnsAdmins
Members of the DnsAdmins group possess access to DNS information on the network, which can be exploited for privilege escalation. By leveraging this group’s permissions, we can create a malicious DLL that adds a user to the Domain Admins group or provides a reverse shell.
Creating a DLL to Add a User to the Domain Admins Group
To create a DLL that executes a command to add a user to the Domain Admins group, use the following command:
This command creates a DLL named adduser.dll, which will execute the command to add the specified user (netadm) to the Domain Admins group.
Creating a DLL for a Reverse Shell
To generate a DLL that provides a reverse shell, use the following command:
This command creates a DLL named dbs.dll that will establish a reverse shell connection back to the attacker's machine.
After generating the desired DLL, transfer it to the target machine. Next, load the DLL into the DNS service by executing the following command:
This command configures the DNS server to load the adduser.dll the next time the service starts.
To execute the DLL, the DNS service needs to be restarted. Run the following commands:
If you lack the necessary permissions to start or stop the DNS service, you may need to wait until the service is restarted naturally, which could occur due to maintenance or other scheduled tasks.
To confirm that the user has been successfully added to the Domain Admins group, execute the following command:
This command will display the members of the Domain Admins group, allowing you to verify that the new user (netadm) has been added successfully.
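From the defender's side, the steps above leave three things to check on a DNS server: who is in DnsAdmins, whether a plug-in DLL is configured, and whether the DNS service logged a plug-in load. The PowerShell below is an added example, not part of the original page; it assumes the ActiveDirectory module, the ServerLevelPluginDll registry value under the DNS service's Parameters key, and DNS Server log event IDs 150 and 770 (plug-in load failure and success), which should be confirmed on your Windows Server build.

```powershell
# Added defensive example (not from the original page).
# Assumptions: run elevated on the DNS server / domain controller, with the
# ActiveDirectory RSAT module installed. The function name is hypothetical.
function Test-DnsPluginExposure {
    [CmdletBinding()]
    param([int]$LookbackDays = 30)

    # 1. Who can change DNS server configuration? Nested groups are expanded.
    Import-Module ActiveDirectory -ErrorAction Stop
    $members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    # 2. Is a server-level plug-in DLL configured? On most servers this value
    #    is absent, so any value here deserves an explanation.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $plugin = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ServerLevelPluginDll

    # 3. If a DLL is configured and reachable, record its Authenticode status.
    $signature = 'n/a'
    if ($plugin -and (Test-Path -LiteralPath $plugin)) {
        $signature = (Get-AuthenticodeSignature -FilePath $plugin).Status
    }

    # 4. Plug-in load attempts recorded by the DNS service
    #    (event IDs are an assumption: 150 = load failed, 770 = loaded).
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'DNS Server'
        Id        = 150, 770
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DnsAdminsMembers = $members -join ', '
        PluginConfigured = [bool]$plugin
        PluginPath       = $plugin
        PluginSignature  = $signature
        PluginLoadEvents = @($events).Count
        LastPluginEvent  = ($events | Select-Object -First 1).TimeCreated
    }
}

Test-DnsPluginExposure | Format-List
```

An empty DnsAdmins group and no configured plug-in is the expected baseline; a plug-in path pointing at a network share or an unsigned file should be treated as an incident lead.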