Difficulty: Hard
Target IP: 10.10.11.89
Attack Vector: MSSQL Linked Server Exploitation → Internal Network Pivoting → Kerberos Credential Theft
🎯 Overview
DarkZero presents a sophisticated Active Directory environment with two separate domains connected via trust relationships. The attack chain involves exploiting MSSQL linked server misconfigurations, pivoting into an internal network using Ligolo-ng, escalating privileges through a kernel exploit, and finally capturing Kerberos tickets to compromise the domain controller.
What makes this machine unique?
Multihomed architecture with split-horizon DNS
Cross-domain trust exploitation
Modern pivoting techniques with Ligolo-ng
Real-world Kerberos ticket theft scenario
📡 Phase 1: Reconnaissance - Mapping the Attack Surface
Initial Port Scan
Let's start by discovering what services are running:
nmap -p 1-65535 -T4 -A -v 10.10.11.89
🔍 What are we looking for?
Active Directory services (LDAP, Kerberos, DNS)
Database services (potential entry points)
Remote access services (WinRM, RDP)
Key Discoveries:
| Port | Service | Why It Matters |
|---|---|---|
| 1433 | MS-SQL Server | Entry point for command execution |
| 88 | Kerberos | Domain authentication - ticket capture opportunity |
| 389/636 | LDAP/LDAPS | Active Directory queries |
| 5985 | WinRM | Remote shell access (if we get creds) |
| 445 | SMB | File sharing, potential relay attacks |
💡 Learning Moment: Notice port 1433 (MSSQL)? This is often overlooked but can be a goldmine. SQL servers frequently have elevated privileges and interesting configurations like linked servers.
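From the defender's side, the linked-server configuration mentioned above can be reviewed directly from the SQL Server catalog views. The query below is an added example, not part of the original write-up: it lists each linked server with its login mappings and marks the settings that deserve review. The `finding` labels and their thresholds are assumptions chosen for illustration, not findings from this machine.

```sql
-- Added audit example (not from the original write-up).
-- Run on each SQL Server instance with a login that can read server-level metadata.
-- Lists every linked server, how local logins map to remote logins,
-- and flags mappings that widen privileges across the link.
SELECT
    s.name                    AS linked_server,
    s.data_source,
    s.provider,
    s.is_rpc_out_enabled,     -- 1 = remote procedure calls can be sent over the link
    s.is_data_access_enabled, -- 1 = distributed queries (OPENQUERY, four-part names) allowed
    CASE
        WHEN ll.local_principal_id = 0 THEN '(default mapping: all logins)'
        ELSE sp.name
    END                       AS local_login,
    ll.uses_self_credential,  -- 1 = caller's own credentials are passed through
    ll.remote_name            AS remote_login,
    CASE
        WHEN ll.uses_self_credential = 0 AND ll.remote_name = 'sa'
            THEN 'REVIEW: mapped to remote sa'
        WHEN ll.uses_self_credential = 0 AND ll.local_principal_id = 0
            THEN 'REVIEW: every local login runs as one fixed remote login'
        WHEN s.is_rpc_out_enabled = 1
            THEN 'REVIEW: RPC out enabled, confirm it is required'
        ELSE 'ok'
    END                       AS finding  -- labels are illustrative assumptions
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
       ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;
```

Rows marked `REVIEW` are candidates for tightening: replace fixed remote logins with least-privilege accounts, and disable RPC out where no stored procedure calls cross the link.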

