DarkZero
HackTheBox DarkZero machine writeup — reconnaissance and enumeration walkthrough.
🎯 Overview
DarkZero presents a sophisticated Active Directory environment with two separate domains connected via trust relationships. The attack chain involves exploiting MSSQL linked server misconfigurations, pivoting into an internal network using Ligolo-ng, escalating privileges through a kernel exploit, and finally capturing Kerberos tickets to compromise the domain controller.
What makes this machine unique?
- Multihomed architecture with split-horizon DNS
- Cross-domain trust exploitation
- Modern pivoting techniques with Ligolo-ng
- Real-world Kerberos ticket theft scenario
📡 Phase 1: Reconnaissance - Mapping the Attack Surface
Initial Port Scan
Let’s start by discovering what services are running:
```bash
nmap -p 1-65535 -T4 -A -v 10.10.11.89
```
🔍 What are we looking for?
- Active Directory services (LDAP, Kerberos, DNS)
- Database services (potential entry points)
- Remote access services (WinRM, RDP)
Key Discoveries:
| Port | Service | Why It Matters |
|---|---|---|
| 1433 | MS-SQL Server | Entry point for command execution |
| 88 | Kerberos | Domain authentication - ticket capture opportunity |
| 389/636 | LDAP/LDAPS | Active Directory queries |
| 5985 | WinRM | Remote shell access (if we get creds) |
| 445 | SMB | File sharing, potential relay attacks |
💡 Learning Moment: Notice port 1433 (MSSQL)? It is often overlooked, but it can be a goldmine: the SQL Server service account frequently runs with elevated privileges, and configurations such as linked servers can extend a foothold from one database host to another.
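To turn a full-range scan into the Key Discoveries table without reading the output by hand, the following added example (not part of the original writeup) parses nmap's XML report (`-oX`) and tags each open port with the category from the table above. The XML in `SAMPLE_XML` is constructed to mimic the services listed for 10.10.11.89; the `PORT_NOTES` table and the `looks_like_dc` heuristic (88 + 389 + 445 open on one host) are my own additions, not something the page states, and the 53 and 3389 entries extend the page's table to two more ports in the same categories.

```python
"""Classify open ports from an nmap XML report into the categories the
reconnaissance phase cares about: AD services, databases, remote access.
Added example; the port table and the DC heuristic are assumptions."""
import xml.etree.ElementTree as ET

# port -> (service, category, why it matters), following the Key Discoveries
# table; 53 and 3389 are hypothetical extensions in the same categories.
PORT_NOTES = {
    53:   ("DNS",      "ad",       "Active Directory DNS; zone data and split-horizon hints"),
    88:   ("Kerberos", "ad",       "Domain authentication; ticket capture opportunity"),
    389:  ("LDAP",     "ad",       "Active Directory queries"),
    636:  ("LDAPS",    "ad",       "Active Directory queries over TLS"),
    445:  ("SMB",      "ad",       "File sharing, potential relay attacks"),
    1433: ("MS-SQL",   "database", "Entry point for command execution"),
    3389: ("RDP",      "remote",   "Remote desktop (if we get creds)"),
    5985: ("WinRM",    "remote",   "Remote shell access (if we get creds)"),
}

# Constructed nmap -oX fragment, not real scan output from the box.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.10.11.89" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
<port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="636"><state state="open"/><service name="ssl/ldap"/></port>
<port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
<port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/></port>
<port protocol="tcp" portid="5985"><state state="open"/><service name="http"/></port>
</ports></host>
</nmaprun>"""


def open_ports(xml_text):
    """Return [(host_addr, port, nmap_service_name)] for every open TCP/UDP port."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for p in host.iter("port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not attack surface yet
            svc = p.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            found.append((addr, int(p.get("portid")), name))
    return found


def classify(ports):
    """Attach the 'why it matters' note to each open port we have a note for."""
    findings = []
    for addr, port, name in ports:
        if port in PORT_NOTES:
            service, category, why = PORT_NOTES[port]
            findings.append({"host": addr, "port": port, "nmap_name": name,
                             "service": service, "category": category, "why": why})
    return findings


def looks_like_dc(ports):
    """Heuristic: Kerberos + LDAP + SMB open on the same host is the usual DC fingerprint."""
    by_host = {}
    for addr, port, _ in ports:
        by_host.setdefault(addr, set()).add(port)
    return any({88, 389, 445} <= have for have in by_host.values())


if __name__ == "__main__":
    # Real usage: nmap -p- -A -oX darkzero.xml 10.10.11.89, then load that file here.
    ports = open_ports(SAMPLE_XML)
    print("Domain controller fingerprint:", looks_like_dc(ports))
    for f in classify(ports):
        print(f"{f['port']:>5} {f['service']:<9} [{f['category']}] {f['why']}")
```

The filtered 3389 entry in the sample is deliberately skipped: only open ports go into the table, which is the same filter you apply when reading the raw output.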
Premium Content
The full exploitation walkthrough, privilege escalation, and flags are available exclusively for members.