HTB Academy: Windows Privilege Escalation DnsAdmins

I am having trouble with this section. I am OK until “clean-up”. I am trying to delete the registry key so that I can successfully restart the DNS service. However, when I try to either query or delete the key I get “ERROR: Access is denied.” The commands that I am using are reg query \\[machineIP]\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters and reg delete \\[machineIP]\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll

Same problem. jad2121 do you have any progress?

So you can finish the questions on the page without “clean up” by just following the rest of the directions on the page. That being said, I still can’t get this part to work.

The main problem that I have is: even though I managed to add my user to the Domain Admins group, I still have no access to the flag file. Nor do I have access to the registry key. Do you have access to the flag file while permission is denied for the registry key?

1 Like

Resolved

How did you finish it? I also get access denied both for the registry keys and for flag.txt.

I have the same issue. But with a .dll reverse shell it works properly.
Does anybody know why the Domain Admins group doesn’t work here?

For anyone stuck and looking for help on the conundrum of why you’re still not able to read the file despite the account being part of the Domain Admins group, consider whether there’s anything that often needs to be done before updated permissions take effect on Windows systems. The permissions WILL work, there is a (very small) step missing from the walkthrough.

2 Likes

Can anyone help me? If they can, send me a private message.

If anyone is stuck with this… log out and log back into the server. I think a gpupdate /force should work too… (as an alternative to login/logout)

6 Likes

There is no need for a login/logout or gpupdate /force. I needed to reset the machine, because I made some mistakes and had some issues cleaning up the registry in order to retry. For me, this module was not 100% clearly explained, nor was mimilib.dll and how to compile/use it. I was really stuck for a while in this module, but what I can say is to focus on the DLL, how to inject it, which rights the DLL is executed with and how to get it tailored to read the flag in the admin folder. Also consider when the DLL will be executed…

Logging out and logging back in works for me thanks all!

6 Likes

The module is not clear… also the clean-up is problematic… it took a lot of time… thanks for the posts in the forums… that saved me from a cyclic loop.

Hint for everyone who can’t access the flag - even with gpupdate /force or logging in again: use a reverse shell :wink: Maybe even experiment with the DLL executing nc.exe (it’s pretty simple, you just have to copy the nc64.exe onto the target in advance of course)

Have fun everyone!

Sometimes you need to sign out and sign in
to update your rule

1 Like

Thank you

Yeah I had to log out and back in again, and it worked :slight_smile:

Please could you write this small step here?

It’s already been mentioned a number of times in previous replies.

1 Like

Things I noticed in this room:
Check if sc really stops / starts DNS. Else use net stop/start - should work.

1 Like