Login
Hack The Box: DarkCorp Machine Walkthrough – Insane Difficulity
Introduction to DarkCorp:
In this writeup, we will explore the “DarkCorp” machine from Hack The Box, categorized as an Insane difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “DarkCorp” machine from Hack The Box by achieving the following objectives:
User Flag:
Gained initial foothold via the webmail/contact vector, registered an account, abused the contact form, and executed a payload to spawn a reverse shell. From the shell, read user.txt to capture the user flag.
Root Flag:
Performed post-exploitation and credential harvesting (SQLi → hashes → cracked password thePlague61780, DPAPI master key recovery and Pack_beneath_Solid9! recovered), used recovered credentials and privilege escalation techniques to obtain root, then read root.txt to capture the root flag.
Enumerating the DarkCorp Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oN nmap_initial.txt 10.10.11.54Nmap Output:
┌─[dark@parrot]─[~/Documents/htb/darkcorp]
└──╼ $nmap -sC -sV -oA initial 10.10.11.54
# Nmap 7.94SVN scan initiated Sun Aug 17 03:07:38 2025 as: nmap -sC -sV -oA initial 10.10.11.54
Nmap scan report for 10.10.11.54
Host is up (0.18s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 33:41:ed:0a:a5:1a:86:d0:cc:2a:a6:2b:8d:8d:b2:ad (ECDSA)
|_ 256 04:ad:7e:ba:11:0e:e0:fb:d0:80:d3:24:c2:3e:2c:c5 (ED25519)
80/tcp open http nginx 1.22.1
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 17 03:08:04 2025 -- 1 IP address (1 host up) scanned in 25.73 seconds
┌─[dark@parrot]─[~/Documents/htb/darkcorp]
└──╼ $
Analysis:
- Port 22 (SSH): OpenSSH 9.2p1 on Debian — secure remote access; check for password authentication or weak credentials.
- Port 80 (HTTP): nginx 1.22.1 — web server serving GET/HEAD only; perform directory and file enumeration for further insights.
Web Enumeration:
Nothing noteworthy was found on the website itself.
A subdomain was discovered that leads to the DripMail Webmail interface.
Register a new account and enter the email
As a next step, proceed to register a new account.
Enter the required information to create the new account.
We successfully created the account, confirming that the DripMail Webmail portal’s registration process works correctly. This indicates that user registration is open; therefore, we can interact with the mail system. Consequently, this may enable further exploration, including login, email sending, and service enumeration.
Check your email inbox
A new email appeared in the inbox from no-reply@drip.htb, indicating that the system had sent an automated message; moreover, it may contain a verification notice, onboarding information, or credential-related details, all of which are worth reviewing for further clues.
However, it turned out to be just a welcome email from no-reply@drip.htb, providing no useful information.
Contact Form Exploitation
The site includes a contact form that attackers could potentially exploit.
We entered a non-deterministic key value into the input.
We sent the message successfully, confirming that the contact form works and accepts submissions.
CVE‑2024‑42009 — Web Enumeration with Burp Suite
Burp shows the contact form submission (POST) carrying the random key and payload, followed by a successful response.
We modified the contact-form recipient field and replayed the POST via Burp Repeater; the server returned 200 OK, and it delivered the message to admin@drip.htb.
We received a request for customer information.
Let’s start our listener
Contact Form Payload
Insert the base64-encoded string into the message.
The Burp Suite trace looks like the following.
A staff member sent an email.
Resetting the password
We need to change the password.
After setting the payload, we received a password reset link.
Let’s change the password as needed
We are provide with a dashboard
SQL injection discovered on dev-a3f1-01.drip.htb.
We accessed the user overview and discovered useful information.
The application is vulnerable to SQL injection.
SQLi Payload for Table Enumeration
The input is an SQL injection payload that closes the current query and injects a new one: it terminates the original statement, runs
SELECT table_name FROM information_schema.tables WHERE table_schema=’public’;
and uses — to comment out the remainder. This enumerates all table names in the public schema; the response (Users, Admins) shows the database exposed those table names, confirming successful SQLi and information disclosure.
The payload closes the current query and injects a new one:
SELECT column_name FROM information_schema.columns WHERE table_name=’Users’;–
which lists all column names for the Users table. The response (id, username, password, email, host_header, ip_address) confirms successful SQLi-driven schema enumeration and reveals sensitive columns (notably password and email) that could enable credential or user-data disclosure.
Obtained password hashes from the Users table (Users.password). These values are opaque; we should determine their type, attempt to crack only with authorisation, and protect them securely.
PostgreSQL File Enumeration
The SQL command SELECT pg_ls_dir('./'); invokes PostgreSQL’s pg_ls_dir() function to list all files and directories in the server process’s current directory (typically the database data or working directory). Because pg_ls_dir() exposes the filesystem view, it can reveal configuration files or other server-side files accessible to the database process — which is why it’s often used during post‑exploitation or SQLi-driven reconnaissance. Importantly, this function requires superuser privileges; therefore, a non‑superuser connection will be denied. Consequently, successful execution implies that the user has elevated database permissions.
The SQL command SELECT pg_read_file('PG_VERSION', 0, 200); calls PostgreSQL’s pg_read_file() to read up to 200 bytes starting at offset 0 from the file PG_VERSION on the database server. PG_VERSION normally contains the PostgreSQL version string, so a successful call discloses the DB version to the attacker — useful for fingerprinting — and typically requires superuser privileges, making its successful execution an indicator of elevated database access and a potential information‑disclosure risk.
Returning down the path, I spotted one; it would impress those who have beaten Cerberus…/../../ssssss
SSSD maintains its own local ticket credential caching mechanism (KCM), managed by the SSSD process. It stores a copy of the valid credential cache, while the corresponding encryption key is stored separately in /var/lib/sss/secrets/secrets.ldb and /var/lib/sss/secrets/.secrets.mkey.
Shell as postgres
Finally, we successfully received a reverse shell connection back to our machine; therefore, this confirmed that the payload executed correctly and established remote access as intended.
Nothing of significance was detected.
Discovered the database username and password.
Restore the Old email
Elevate the current shell to an interactive TTY.
The encrypted PostgreSQL backup dev-dripmail.old.sql.gpg is decrypted using the provided passphrase, and the resulting SQL dump is saved as dev-dripmail.old.sql. Consequently, this allows further inspection or restoration of the database for deeper analysis or recovery.
The output resembles what is shown above.
Found three hashes that can be cracked with Hashcat.
Hash Cracking via hashcat
We successfully recovered the password thePlague61780.
Since Hashcat managed to crack only one hash, we’ll therefore use CrackStation to attempt cracking the remaining two.
Bloodhound enumeration
Update the configuration file.
SSH as ebelford user
Established an SSH session to the machine as ebelforrd.
No binary found
Found two IP addresses and several subdomains on the target machine.
Update the subdomain entries in our /etc/hosts file.
Network Tunnelling and DNS Spoofing with sshuttle and dnschef
Use sshuttle to connect to the server and route traffic (like a VPN / port forwarding).
Additionally, dnschef was used to intercept and spoof DNS traffic during testing.
Gathering Information via Internal Status Monitor
Log in using the victor.r account credentials.
Click the check button to get a response
Replace the saved victor.r login details in Burp Suite.
Testing the suspected host and port for reachability.
Begin the NTLM relay/replay attack.
Leverage socatx64 to perform this activity.
Abuse S4U2Self and Gain a Shell on WEB-01
An LDAP interactive shell session is now running.
Run get_user_groups on svc_acc to list their groups.
Retrieved the SID associated with this action.
Retrieved the administrator.ccache Kerberos ticket.
We can read the user flag by typing “type user.txt” command
Escalate to Root Privileges Access on Darkcorp machine
Privilege Escalation:
Transfer sharpdpapi.exe to the target host.
Attempting to evade Windows Defender in a sanctioned test environment
The output reveals a DPAPI-protected credential blob located atC:\Users\Administrator\AppData\Local\Microsoft\Credentials\32B2774DF751FF7E28E78AE75C237A1E. It references a master key with GUID {6037d071-...} and shows that the blob is protected using system-level DPAPI (CRYPTPROTECT_SYSTEM), with SHA-512 for hashing and AES-256 for encryption. Since the message indicates MasterKey GUID not in cache, the decryption cannot proceed until the corresponding master key is obtained — either from the user’s masterkey file or by accessing a process currently holding it in memory.
This output shows a DPAPI local credential file at C:\Users\Administrator\AppData\Local\Microsoft\Credentials\ with the filename 32B2774DF751FF7E28E78AE75C237A1E. The system protects it using a DPAPI master key (GUID {6037d071-cac5-481e-9e08-c4296c0a7ff7}), applies SHA-512 for hashing, and uses AES-256 for encryption. Because the master key isn’t currently in the cache, we can’t decrypt the credential blob until we obtain that master key (for example from the masterkey file) or access the process that holds it in memory.
Direct file transfer through evil-winrm was unsuccessful.
Transform the file into base64 format.
We successfully recovered the decrypted key; as noted above, this confirms the prior output and therefore enables further analysis.
Access darkcorp machine via angela.w
Successfully recovered the password Pack_beneath_Solid9!
Retrieval of angela.w’s NT hash failed.
Attempt to gain access to the angela.w account via a different method.
Acquired the hash dump for angela.w.
Save the ticket as angela.w.adm.ccache.
Successful privilege escalation to root.
Retrieved password hashes.
Password reset completed and new password obtained.
Exploiting GPOs with pyGPOAbuse
Enumerated several GPOs in the darkcorp.htb domain; additionally, each entry shows the GPO GUID, display name, SYSVOL path, applied extension GUIDs, version, and the policy areas it controls (registry, EFS policy/recovery, Windows Firewall, security/audit, restricted groups, scheduled tasks). Furthermore, the Default Domain Policy and Default Domain Controllers Policy enforce core domain and DC security — notably, the DC policy has many revisions. Meanwhile, the SecurityUpdates GPO appears to manage scheduled tasks and update enforcement. Therefore, map these SYSVOL files to find promising escalation vectors: for example, check for misconfigured scheduled tasks, review EFS recovery settings for exposed keys, and identify privileged group memberships. Also, correlate GPO versions and recent changes to prioritize likely targets.
BloodHound identifies taylor as GPO manager — pyGPOAbuse is applicable, pending discovery of the GPO ID.
Force a Group Policy update using gpupdate /force.
Display the root flag with type root.txt.
The post Hack The Box: DarkCorp Machine Walkthrough – Insane Difficulity appeared first on Threatninja.net.
