HTB RustyKey — Timeroast → Helpdesk abuse → 7‑Zip CLSID Hija...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2025/11/08/htb-rustykey.html
• Blog Title: HTB: RustyKey — Timeroast → Helpdesk abuse → 7‑Zip CLSID Hijack → RBCD to DA
• Suggested Section: Active Directory -> Kerberos Attacks -> Timeroast (MS-SNTP machine account roast); cross-link from Windows -> Persistence/Privilege Escalation -> COM/CLSID Hijacking (Shell Extensions) and Active Directory -> Delegation -> Resource-Based Constrained Delegation (RBCD)

🎯 Content Summary

Scenario
Windows AD lab (Domain: RUSTYKEY.HTB, DC host: DC/dc.rustykey.htb). Initial low-priv user creds provided: rr.parker / 8#t5HE8L!W3A. NTLM is disabled/rejected; Kerberos works. Objective: move from low-priv user to DA by chaining AD misconfigs and a registry-based COM CLSID hijack.

Recon and Kerberos setup
- Port scan shows a DC footprint with Kerberos/LDAP/WinRM (26 open TCP ports including 53, 88, 389, 445, 5985/47001, 9389). TTL=127 (Windows ...

🔧 Technical Details

Timeroasting machine accounts: Query the DC with unauthenticated SNTP requests crafted per computer RID to obtain $sntp-ms$ MACs keyed by machine NT hashes. Crack offline with hashcat mode 31300 (v7.1.2+) using wordlists; weak, manually-set machine passwords fall quickly, yielding computer-account credentials.

Chaining AD rights for credential takeover: If an attacker-controlled principal has AddSelf into a helpdesk-like group that holds ForceChangePassword, add the attacker principal, reset target users’ passwords, then request Kerberos TGTs. If Protected Users/Objects constraints block auth, remove the blocking group from Protected Objects (using AddMember/Remove rights) and re-request the ticket.

CLSID hijack of shell context handlers: Enumerate context menu handlers under HKCR\*|Directory|Folder\shellex\ContextMenuHandlers, resolve the handler CLSID to HKCR\CLSID\{GUID}\InProc...

🤖 Agent Actions

I analyzed the blog and HackTricks repository, confirmed that Timeroasting exists but lacked practical, end-to-end attack guidance, and then updated the single most relevant page with concise, highly technical steps and cross-links to the related techniques.

What I changed

• Updated: src/windows-hardening/active-directory-methodology/TimeRoasting.md
  • Added a practical, unauthenticated collection and cracking workflow:
    • NetExec timeroast module usage to obtain $sntp-ms$ blobs
    • Hashcat cracking (mode 31300) with --username and usage notes
    • Kerberos-only environment handling (-k) and time synchronization tips
  • Added post-roast chaining examples:
    • AddSelf → Helpdesk → ForceChangePassword with BloodyAD usage
    • Note on Protected Users constraints and link to HackTricks Protected Users section
    • Obtaining TGT and using evil-winrm with Kerberos
  • Added a concise “Pivot: Shell extension CLSID hijack (7‑Zip example)”:
    • Enumerate context handlers and resolve CLSID → InProcServer32
    • Overwrite default DLL path if ACL allows, for user-context code exec
    • Cross-link to COM Hijacking page for full details:
      • {{#ref}} ../windows-local-privilege-escalation/com-hijacking.md {{#endref}}
  • Added “Finish: RBCD” overview:
    • Briefed msDS-AllowedToActOnBehalfOfOtherIdentity abuse and S4U steps
    • Cross-link to full RBCD content:
      • {{#ref}} resource-based-constrained-delegation.md {{#endref}}
  • Added a proper References section (as mandated), including:
    • The blog URL
    • Secura Timeroasting whitepaper
    • NetExec docs
    • Hashcat example hashes page
    • Impacket getTGT and evil-winrm

Why this location

• The blog’s core, novel piece is Timeroasting of machine accounts chained to AD rights abuse, COM CLSID hijacking, and RBCD. The best central place is the Timeroasting page, and I added cross-links to the existing COM Hijacking and RBCD pages instead of duplicating content (per “one file modified” constraint).

Repository checks and related files read

• Active Directory Timeroasting page (updated)
• Windows COM Hijacking page (referenced)
• Active Directory RBCD page (referenced)
• Credentials protections (Protected Users) (linked)
• AD ACL abuse (ForceChangePassword etc.) (verified exists)

No other files were modified to comply with the “only one file” constraint and to avoid duplicating existing HackTricks coverage.

Notes

• The update focuses on actionable steps, operational nuances (Kerberos-only, time sync), and chaining to DA via RBCD, while keeping content succinct and technical.
• Internal references with {{#ref}} use correct relative paths and were checked.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

• MD files processed: 907
• MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/11/08/htb-rustykey.html

Content Categories: Based on the analysis, this content was categorized under "Active Directory -> Kerberos Attacks -> Timeroast (MS-SNTP machine account roast); cross-link from Windows -> Persistence/Privilege Escalation -> COM/CLSID Hijacking (Shell Extensions) and Active Directory -> Delegation -> Resource-Based Constrained Delegation (RBCD)".

Repository Maintenance:

• MD Files Formatting: 907 files processed (1 files fixed)

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0