IP
10.10.11.75

Configure Domain/Hosts
dc.rustykey.htb rustykey.htb

And Kerberos Config

/etc/krb5.conf

[libdefaults]
 default_realm = RUSTYKEY.HTB
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
 RUSTYKEY.HTB = {
  kdc = 10.10.11.75
 }
[domain_realm]
 .rustykey.htb = RUSTYKEY.HTB
 rustykey.htb = RUSTYKEY.HTB
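As an added example (not part of the writeup), a small parser for the krb5.conf format above that checks the things that commonly go wrong in a hand-written file: the default realm has a [realms] entry with a KDC when DNS lookup is off, the [domain_realm] mappings point at a known realm, and none of the enctype lists re-admit RC4 or DES. The sample configuration is the one above with a weak enctype appended to permitted_enctypes so the check has something to report; the function names are my own.

```python
# Constructed sample: the /etc/krb5.conf above, with rc4-hmac appended to
# permitted_enctypes so the audit below has a finding to show.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = RUSTYKEY.HTB
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
[realms]
 RUSTYKEY.HTB = {
  kdc = 10.10.11.75
 }
[domain_realm]
 .rustykey.htb = RUSTYKEY.HTB
 rustykey.htb = RUSTYKEY.HTB
"""

# Enctype name prefixes that should not appear in any enctype list.
WEAK_ENCTYPES = ("rc4", "arcfour", "des")


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | {subkey: value}}}.

    Handles the one level of `name = { ... }` nesting used under [realms];
    '#' comments and blank lines are ignored.
    """
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            sub = None
        elif line == "}":
            sub = None
        elif line.endswith("{"):
            sub = line[:-1].split("=")[0].strip()
            conf[section][sub] = {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (conf[section][sub] if sub else conf[section])[key] = value
    return conf


def audit_krb5_conf(conf):
    """Return a list of human-readable problems; empty list means the file is consistent."""
    issues = []
    lib = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    realm = lib.get("default_realm")
    if not realm:
        issues.append("no default_realm in [libdefaults]")
    elif realm not in realms:
        issues.append(f"default_realm {realm} has no [realms] entry")
    elif "kdc" not in realms[realm] and lib.get("dns_lookup_kdc", "true").lower() == "false":
        issues.append(f"realm {realm} lists no kdc and dns_lookup_kdc is false")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for enc in lib.get(key, "").split():
            if enc.lower().startswith(WEAK_ENCTYPES):
                issues.append(f"{key} allows weak enctype {enc}")
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped not in realms:
            issues.append(f"domain_realm maps {domain} to unknown realm {mapped}")
    return issues


if __name__ == "__main__":
    for issue in audit_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print("krb5.conf:", issue)
```

Run against the file as shown in the writeup (without the appended rc4-hmac) the audit returns an empty list; the point of pinning the enctype lists to AES is precisely that a tool cannot fall back to RC4 against the KDC without the configuration saying so.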

Nmap Results

Host is up, received conn-refused (0.091s latency).
Scanned at 2025-06-29 00:28:38 IST for 77s

PORT      STATE    SERVICE       REASON      VERSION
53/tcp    open     domain        syn-ack     Simple DNS Plus
88/tcp    open     kerberos-sec  syn-ack     Microsoft Windows Kerberos (server time: 2025-06
135/tcp   open     msrpc         syn-ack     Microsoft Windows RPC
139/tcp   open     netbios-ssn   syn-ack     Microsoft Windows netbios-ssn
389/tcp   open     ldap          syn-ack     Microsoft Windows Active Directory LDAP (Domain:
445/tcp   open     microsoft-ds? syn-ack
464/tcp   open     kpasswd5?     syn-ack
593/tcp   open     ncacn_http    syn-ack     Microsoft Windows RPC over HTTP 1.0
636/tcp   filtered ldapssl       no-response
3268/tcp  open     ldap          syn-ack     Microsoft Windows Active Directory LDAP (Domain:
3269/tcp  open     tcpwrapped    syn-ack
5985/tcp  open     http          syn-ack     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     mc-nmf        syn-ack     .NET Message Framing
47001/tcp open     http          syn-ack     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49665/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49666/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49667/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49669/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49670/tcp open     ncacn_http    syn-ack     Microsoft Windows RPC over HTTP 1.0
49671/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49672/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49673/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49676/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49689/tcp open     msrpc         syn-ack     Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

User Enumeration

Unlike many Active Directory environments, which require Kerberos authentication, the LDAP server in this environment accepts a Simple Bind with a username and password.

With the following command we can query all user objects and return their userPrincipalName:

ldapsearch -x -H ldap://10.10.11.75 -D 'rr.parker@rustykey.htb' -w '8#t5HE8L!W3A' -b 'dc=rustykey,dc=htb' "(objectClass=user)" userPrincipalName

The Simple Bind with username and password succeeds, and the user objects are returned.
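The scan above and the Simple Bind that just succeeded describe the same exposure from two sides: LDAP on 389 is open while LDAPS on 636 is filtered, so every Simple Bind sends the password across the network unprotected unless the domain controller enforces LDAP signing. As an added example (not from the writeup), here is a parser for nmap's normal output that pairs each cleartext service with its TLS counterpart and reports the ones that have no reachable TLS port. The sample is the scan above trimmed to the relevant lines; TLS_PAIRS, MITIGATION and the function names are my own.

```python
import re

# Constructed sample input: the port lines of the nmap scan above, trimmed to the
# services this check looks at (version strings shortened as they are on the page).
SAMPLE_SCAN = """\
PORT      STATE    SERVICE       REASON      VERSION
53/tcp    open     domain        syn-ack     Simple DNS Plus
88/tcp    open     kerberos-sec  syn-ack     Microsoft Windows Kerberos
389/tcp   open     ldap          syn-ack     Microsoft Windows Active Directory LDAP
445/tcp   open     microsoft-ds? syn-ack
636/tcp   filtered ldapssl       no-response
3268/tcp  open     ldap          syn-ack     Microsoft Windows Active Directory LDAP
3269/tcp  open     tcpwrapped    syn-ack
5985/tcp  open     http          syn-ack     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
"""

# One nmap normal-output port line: PORT/PROTO STATE SERVICE REASON [VERSION]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Cleartext endpoint -> the TLS-wrapped port that should be carrying it instead.
TLS_PAIRS = {389: 636, 3268: 3269, 5985: 5986}

# Hardening note per cleartext endpoint (assumed wording, not from the page).
MITIGATION = {
    389: "simple binds carry the password in the clear: enforce LDAP signing, "
         "reject simple binds on non-TLS connections and repair LDAPS on 636",
    3268: "the global catalog accepts cleartext simple binds too: same fix as 389",
    5985: "WinRM is HTTP-only: Kerberos/NTLM message encryption still applies, "
          "but prefer an HTTPS listener on 5986",
}


def parse_nmap(text):
    """Return {port: {proto, state, service, version}} from nmap normal output."""
    ports = {}
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if not m:  # header, NSE script lines (|_...) and blanks are skipped
            continue
        port, proto, state, service, _reason, version = m.groups()
        ports[int(port)] = {"proto": proto, "state": state,
                            "service": service, "version": (version or "").strip()}
    return ports


def assess_exposure(ports):
    """Return (plain_port, tls_port, tls_state) for every open cleartext endpoint
    whose TLS counterpart is not open; tls_state is 'absent' if nmap listed no such port."""
    findings = []
    for plain, tls in sorted(TLS_PAIRS.items()):
        plain_open = ports.get(plain, {}).get("state") == "open"
        tls_open = ports.get(tls, {}).get("state") == "open"
        if plain_open and not tls_open:
            findings.append((plain, tls, ports[tls]["state"] if tls in ports else "absent"))
    return findings


def report(ports):
    """Human-readable finding lines, each with its hardening note."""
    return [f"{p}/tcp ({ports[p]['service']}) open, {t}/tcp is {state}: {MITIGATION[p]}"
            for p, t, state in assess_exposure(ports)]


if __name__ == "__main__":
    for line in report(parse_nmap(SAMPLE_SCAN)):
        print(line)
```

The check only reads port states, so it cannot tell whether the DC already rejects unsigned Simple Binds; that has to be confirmed from the "LDAP server signing requirements" policy on the DC itself. Here the successful bind from the writeup answers that question directly.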


Bloodhound Enumeration

We request a Ticket via Kerberos

 getTGT.py -dc-ip 10.10.11.75 rustykey.htb/rr.parker:'8#t5HE8L!W3A'

We set the Kerberos ticket as the active session

 export KRB5CCNAME=rr.parker.ccache

We are checking the active Kerberos ticket

klist


We run BloodHound with Kerberos authentication

bloodhound-python -u 'rr.parker' -p '8#t5HE8L!W3A' -c All -d rustykey.htb -ns 10.10.11.75 --zip -k


The computer account IT_COMPUTER3$ can add itself to the HELPDESK group.

The HELPDESK group can change the password of the following four users:

  • bb.morgan
  • gg.anderson
  • dd.ali
  • ee.reed
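The two BloodHound findings above only matter together: on its own, a computer account joining HELPDESK is odd, and on its own, a helpdesk group resetting passwords is normal, but chained they let a machine account take over four user accounts. As an added example (not from the writeup or from BloodHound), here is the graph walk a defender would run over such edges to list what each principal can reach and, more usefully, to rank which single ACE to remove first. The edge list transcribes the relationships stated above; the BloodHound edge names in CONTROL_EDGES are real, but the triple format and the function names are my own, and the code generalises to any number of hops rather than the two shown here.

```python
from collections import deque

# Constructed edge list transcribing the two findings above as
# (source, relationship, target) triples. A BloodHound export can be
# flattened into the same shape.
EDGES = [
    ("IT_COMPUTER3$", "AddSelf", "HELPDESK"),
    ("HELPDESK", "ForceChangePassword", "bb.morgan"),
    ("HELPDESK", "ForceChangePassword", "gg.anderson"),
    ("HELPDESK", "ForceChangePassword", "dd.ali"),
    ("HELPDESK", "ForceChangePassword", "ee.reed"),
]

# Relationships that let the source act as, or take over, the target.
CONTROL_EDGES = {"MemberOf", "AddSelf", "AddMember", "ForceChangePassword",
                 "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}


def reachable(edges, start):
    """Breadth-first walk over control edges; returns {principal: path_from_start}.

    A path is the flat list [node, rel, node, rel, node, ...].
    """
    adj = {}
    for src, rel, dst in edges:
        if rel in CONTROL_EDGES:
            adj.setdefault(src, []).append((rel, dst))
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [rel, nxt]
                queue.append(nxt)
    return paths


def remediation_priority(edges, start):
    """Rank edges by how many principals stop being reachable from `start`
    once that single edge is removed; the top entry is the ACE to fix first."""
    baseline = set(reachable(edges, start)) - {start}
    ranking = []
    for edge in edges:
        without = [e for e in edges if e != edge]
        lost = baseline - set(reachable(without, start))
        ranking.append((len(lost), edge))
    ranking.sort(key=lambda item: (-item[0], item[1]))
    return ranking


def format_path(path):
    """Render ['A', 'AddSelf', 'B'] as 'A -AddSelf-> B'."""
    out = path[0]
    for i in range(1, len(path) - 1, 2):
        out += f" -{path[i]}-> {path[i + 1]}"
    return out


if __name__ == "__main__":
    start = "IT_COMPUTER3$"
    for node, path in reachable(EDGES, start).items():
        if node != start:
            print(format_path(path))
    print("remediation order:")
    for lost, (src, rel, dst) in remediation_priority(EDGES, start):
        print(f"  removing {rel} on {dst} from {src} cuts off {lost} principal(s)")
```

For this graph the ranking puts the AddSelf right on HELPDESK first, since removing it cuts off all five downstream principals, while removing any one ForceChangePassword only protects a single user. That matches the usual remediation advice: fix the edge closest to the low-privileged starting point, and then review why a helpdesk group holds password-reset rights it may not need.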