HackTheBox - DarkZero
00:00 - Introduction
01:00 - Start of nmap, mention VMRDP (2179), not important but just interesting
04:00 - Running NetExec to test the Assume Breach credentials and seeing we can connect to MSSQL
05:30 - Using MSSQL.PY to login, then using XP_DIRTREE to see the box connects back to us with a machien account, can't crack this
06:55 - Running enum_links, seeing a second MSSQL Server (DC02.darkzero.ext), switching to it and then noticing we are DBO, enable + run XP_CMDSHELL
12:30 - Shell returned on HyperV Machine, showing how to identify patch level on Windows with HKLM:\SOFTWARE\Microsoft\Win…
Watch on YouTube ↗
(saves to browser)
Chapters (16)
Introduction
1:00
Start of nmap, mention VMRDP (2179), not important but just interesting
4:00
Running NetExec to test the Assume Breach credentials and seeing we can connec
5:30
Using MSSQL.PY to login, then using XP_DIRTREE to see the box connects back to
6:55
Running enum_links, seeing a second MSSQL Server (DC02.darkzero.ext), switchin
12:30
Shell returned on HyperV Machine, showing how to identify patch level on Windo
14:20
Loading up Meterpreter and Metasploit to use local_exploit_suggester and then
20:00
Enumerating Domains to show we can abuse TGT Delegation to pivot to the adjace
24:30
Looking at Rusthound/Bloodhound (another good way to enumerate the domains)
29:30
Explaining the TGT Delegation we will abuse and why we can't just golden ticke
34:50
Using Meterpreter to run Rubeus, which will get us that ticket
38:45
Grabbing the DC01 Ticket, then using it to connect to DARKZERO.HTB and getting
46:30
Showing PRIVESC Method #2, NTLMRelay with remove-mic-partial. Works on all dom
1:03:40
Showing the June 2025 patch does fix the weird bug where we can duplicate DNS
1:10:30
Showing Privesc Method #3 (recovering the original token of our session, so we
1:23:00
Privesc Method #4, the intended way. If we can get (or reset) the password to
DeepCamp AI