HackTheBox - DarkZero

00:00 - Introduction 01:00 - Start of nmap, mention VMRDP (2179), not important but just interesting 04:00 - Running NetExec to test the Assume Breach credentials and seeing we can connect to MSSQL 05:30 - Using MSSQL.PY to login, then using XP_DIRTREE to see the box connects back to us with a machien account, can't crack this 06:55 - Running enum_links, seeing a second MSSQL Server (DC02.darkzero.ext), switching to it and then noticing we are DBO, enable + run XP_CMDSHELL 12:30 - Shell returned on HyperV Machine, showing how to identify patch level on Windows with HKLM:\SOFTWARE\Microsoft\Windows\ NT\CurrentVersion, discover it hasn't been patched since 2024 14:20 - Loading up Meterpreter and Metasploit to use local_exploit_suggester and then exploit CVE-2024-30088 to get admin on this VM (privesc method #1) 20:00 - Enumerating Domains to show we can abuse TGT Delegation to pivot to the adjacent domain 24:30 - Looking at Rusthound/Bloodhound (another good way to enumerate the domains) 29:30 - Explaining the TGT Delegation we will abuse and why we can't just golden ticket (sid filter), get DARKZERO.HTB to connect to DARKZERO.EXT, then replay KRB Ticket 34:50 - Using Meterpreter to run Rubeus, which will get us that ticket 38:45 - Grabbing the DC01 Ticket, then using it to connect to DARKZERO.HTB and getting admin 46:30 - Showing PRIVESC Method #2, NTLMRelay with remove-mic-partial. Works on all domains missing June 2025 patch to go from Domain User to Admin 1:03:40 - Showing the June 2025 patch does fix the weird bug where we can duplicate DNS Names with the 1UWhRC... thing appended 1:10:30 - Showing Privesc Method #3 (recovering the original token of our session, so we can get SeImpersonate after the MSSQL Shell 1:23:00 - Privesc Method #4, the intended way. If we can get (or reset) the password to MSSQL its allowed to login as a service, which gives us SeImpersonate