TryHackMe — Attacktive Directory Walkthrough

This is a practical walkthrough of “Attacktive Directory” on TryHackMe. The room was created by Sq00ky and is free to try your skills on; 7800+ users have already joined and attempted it. The highest score so far is 740 points, achieved by s3ns3. The room has three flags to retrieve from the target.

Epitome

AD DS (Active Directory Domain Services) is widely used in corporate network environments to manage users and services, and it allows system administrators to organize the data into logical hierarchies. Pentesters must understand the ways to compromise AD DS, as it can be found in 99% of client IT environments.

There are eight tasks to complete: the first two are about setting up the environment for the attack, and the remaining six cover the actual work, from enumeration to exploitation to privilege escalation to flag retrieval. We will jump directly to task three.
Note: If you are using Kali Linux 2020.4, you can skip task two.

Task 3: Enumerate the DC

This task consists of gathering information about the domain controller on the target machine. We start with an initial nmap scan to find out which ports are open and which services are running on the target.

Nmap Scan

I ran nmap with the no-ping, service-version and TCP scan flags against the target IP address. As you can see in the result, there are a couple of ports that interest us: 88 (Kerberos), 139 (NetBIOS), 445 (SMB) and 3389 (RDP). It is not a bad idea to look into the other ports as well, if necessary. There is a local domain running on the target machine, probably named spookysec.local, and the task three section also mentions it. Let’s enumerate 88, 135, 139, 3389 and 445 further to get more information by running NSE scripts.

Nmap Script Scan

The above nmap command will perform a default script scan (-sC) on the specified ports.

Nmap Script Scan Result

As you can see, we got some interesting information: first the domain name (as we suspected earlier), second the NetBIOS domain name. (I have redacted it as it is the answer to one of the questions.)

We can also try enumerating Windows and Samba systems using another application. Although this application didn’t give any fruitful information other than the NetBIOS domain name, it is a really amazing tool to have in your arsenal.

Enumeration

At this point we have all the answers for this third task. However, it’s wise to try other enumeration methods on the remaining open ports.

Task 4: Enumerate the DC Part 2

From the previous task we gathered the hostname, domain name, ports and their services. As this room is about Active Directory challenges, we concentrate on related ports and services, like Kerberos.

The Kerberos port (88) is open on the target machine, so we can try further enumeration with another well-known application called Kerbrute.

Kali Linux doesn't come with this application, so we need to download it. THM has already given the link in this room, but I will leave it here too: https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64

Download Kerbrute

The above command downloads the kerbrute_linux_amd64 binary and renames it to Kerbrute in your present working directory.

Now, we need to give this new application execution rights.

Execution Rights
Kerbrute Help

You can check Kerbrute’s help section to find out the flags/switches for enumeration.

Now we need to use one of the flags to enumerate valid domain usernames.

A couple of things before we move to Kerbrute. First, add spookysec.local to our hosts file; use your favorite text editor to modify the hosts file.

Modify Hosts
spookysec IP and domain

Second, download the user list and password list specified by THM for this room.
Link: username and password

download password list
download username list
Kerbrute user enumeration

To enumerate users, run the above command with the appropriate flags. (I have redacted one sub-command, because it is the answer to one of the questions.)

Enumeration result

As you can see, 5+ valid usernames exist on the target domain. Out of all of them, 3 domain usernames interest us, and we will surely use them in further tasks.

Now we need to copy these domain usernames into a new text file for further use. I call it collected_users.txt.

At this point we have all the answers for this fourth task. Let’s move to the next task.

Task 5: Exploiting Kerberos

With all the information we have collected so far, we can exploit Kerberos through a technique called ‘ASREPRoasting’.

For this attack we have to use one of the tools from the Impacket library.

Note: If you want more details about all the Impacket tools, visit the following link: https://www.secureauth.com/labs/impacket/

We are going to use Impacket’s ‘GetNPUsers.py’ tool, which lets us query AS-REP roastable accounts from the Key Distribution Center.

GetNPUsers.py Location

Above is the location of Impacket and all its tools. We need python3 to run them. Make sure to look into the help menu of GetNPUsers.

Getnpusers Command

We have to provide the domain name, the username file and the output format (hashcat or john). Make sure to use the username file we created after enumerating domain usernames.

getNPuser result

As you can see in the result, we got a hash from one domain account which does not require Kerberos pre-authentication. We need to save this hash in a text file for cracking.
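For the defensive side of the two Kerberos steps above (Kerbrute user enumeration and the AS-REP request for an account without pre-authentication), here is an added detection example that is not part of the original walkthrough. It runs over constructed Windows Security event 4768 records; the field names follow the 4768 schema, while every account, IP and value is made up.

```python
# Added example (not from the original walkthrough): detection logic for the
# Kerberos techniques above, run over constructed Windows Security event 4768
# (Kerberos TGT requested) records. Field names follow the 4768 event schema;
# the usernames, IPs and values are constructed for this example.
from collections import defaultdict

SAMPLE_4768 = [
    # normal logon: pre-auth type 2 (encrypted timestamp), AES-256 ticket
    {"TargetUserName": "alice", "IpAddress": "10.0.0.5", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    # AS-REP roast: TGT issued with no pre-authentication and an RC4 (0x17) ticket
    {"TargetUserName": "svc-backup", "IpAddress": "10.0.0.99", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    # user enumeration: burst of "client principal unknown" (0x6) failures,
    # each for a different name, all from the same source host
    {"TargetUserName": "bob", "IpAddress": "10.0.0.99", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "Status": "0x6"},
    {"TargetUserName": "carol", "IpAddress": "10.0.0.99", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "Status": "0x6"},
    {"TargetUserName": "dave", "IpAddress": "10.0.0.99", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "Status": "0x6"},
]


def find_asrep_roast(events):
    """Accounts that were issued a TGT without pre-authentication (PreAuthType 0).
    The ticket encryption type is reported too: RC4 (0x17) is the cheap-to-crack
    case, and the fix is to re-enable pre-auth on the account."""
    hits = []
    for e in events:
        if e["Status"] == "0x0" and e["PreAuthType"] == "0":
            hits.append((e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"]))
    return hits


def find_user_enumeration(events, threshold=3):
    """Source IPs that produced at least `threshold` KDC_ERR_C_PRINCIPAL_UNKNOWN
    (0x6) failures for distinct usernames: the footprint of wordlist-driven
    username enumeration against the KDC. Returns {ip: distinct_unknown_users}."""
    unknown = defaultdict(set)
    for e in events:
        if e["Status"] == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: len(users) for ip, users in unknown.items() if len(users) >= threshold}


if __name__ == "__main__":
    print("TGTs issued without pre-auth:", find_asrep_roast(SAMPLE_4768))
    print("possible user enumeration:", find_user_enumeration(SAMPLE_4768))
```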

Let’s crack this hash using the Hashcat application.

Hashcat ships with Kali Linux; you can run the below command to get the help menu.

hashcat help

Before we blindly start cracking the collected hash, we need to find out which hash mode to use. For this you can use the below command.

hashcat modes

Once you have figured out which mode to use for cracking, run the below command.

hashcat command to crack

We have to provide the hash mode, the actual hash and the password list to crack the hash. (I have redacted the mode, because it is the answer to one of the questions.)

Hashcat result

Once it has finished cracking, you should see a result like mine.

At this point we have all the answers for this task. Let’s move to the next task.

Task 6: Enumerate the DC Part 3

In the previous task we cracked the password of a specific domain user; now we use this user’s credentials to enumerate further.

Enumeration with domain user credentials

As you can see, I have redacted the application name, its flag and the username, because they are answers to some of the questions. But I can explain what we are trying to do here. We are querying the target IP address with the recently collected username to find SMB shares. If any share is accessible, we look into it for any information, probably flags or passwords or something like that.

SMB Share information

Now we manually try to access any of the shared folders/drives using the same application.

Access Shared Folders

As you can see, we have access to one of the shared folders/drives, so now we list its contents.

Content of shared folder/drive

Now read the txt file using the ‘more’ command.

Encoded Creds

So, there’s a file and it has encoded credentials for one of the accounts. Now we need to decode it. It looks like it is base64 encoded. Let’s decode it by running the below command.

Decoding

We now have another account’s credentials. We will use them for further exploitation.

At this point, we have all the answers for this task. Let’s move to the next task.

Task 7: Elevating Privileges

This task is about elevating privileges by taking advantage of previously collected information, specifically the credentials we have collected for two different domain accounts.

For this task, we are going to use another tool from the Impacket library, called ‘SecretsDump.py’.

Secretdump help

From the above location you can get the secretsdump tool; make sure to check the help menu for the flags.

This application works locally if we have the required files (see the section below), and it also works remotely if we have the required user credentials.

SecretDump
SecretDump Command

As you can see in the above command, we have to run it using sudo and a flag, as well as the domain account name we previously collected from the SMB share. Upon execution, it will first ask for your Kali Linux password (sudo) and then ask you to enter the target domain account’s password.

SecretDump result

As you can see, we dumped the hashes for all the available accounts on the target machine. This was possible because the account we used for the dump has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes.
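The permission just described is what lets a non-DC account pull the password hashes through directory replication. As an added example that is not part of the original walkthrough, the following detection logic spots that replication request in constructed Windows Security event 4662 records; the extended-right GUIDs are the published Active Directory schema values, while the DC account list, usernames and records are assumptions made up for the example.

```python
# Added example (not from the walkthrough): flag a replication ("sync all AD
# changes") request made by an account that is not a domain controller, using
# constructed Windows Security event 4662 records. The two extended-right GUIDs
# are the published AD schema values; everything else is constructed sample data.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
CONTROL_ACCESS = "0x100"  # 4662 access mask meaning "exercise an extended right"

# Constructed 4662 records; "Properties" holds the GUIDs the event lists.
SAMPLE_4662 = [
    # legitimate: a domain controller's machine account replicating the domain
    {"SubjectUserName": "DC01$", "AccessMask": CONTROL_ACCESS,
     "ObjectName": "DC=spookysec,DC=local",
     "Properties": [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]},
    # an ordinary property read on a user object; not a replication right
    {"SubjectUserName": "alice", "AccessMask": "0x10",
     "ObjectName": "CN=alice,CN=Users,DC=spookysec,DC=local",
     "Properties": ["00000000-0000-0000-0000-000000000000"]},  # placeholder GUID
    # a regular user account exercising both replication rights: the DCSync signal
    {"SubjectUserName": "svc-sync", "AccessMask": CONTROL_ACCESS,
     "ObjectName": "DC=spookysec,DC=local",
     "Properties": [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]},
]


def find_dcsync(events, dc_accounts):
    """Return (account, object) pairs where a principal outside `dc_accounts`
    (the caller's allow-list of DC machine accounts, an assumption here)
    exercised a replication extended right. DCs do this legitimately all day;
    any other account doing it is the finding to investigate."""
    hits = []
    for e in events:
        if e["AccessMask"] != CONTROL_ACCESS:
            continue  # not an extended-right operation at all
        if not REPLICATION_RIGHTS.intersection(e["Properties"]):
            continue  # some other extended right
        if e["SubjectUserName"] in dc_accounts:
            continue  # expected replication traffic
        hits.append((e["SubjectUserName"], e["ObjectName"]))
    return hits


if __name__ == "__main__":
    print(find_dcsync(SAMPLE_4662, dc_accounts={"DC01$"}))
```

Event 4662 is only written when the Directory Service Access audit subcategory is enabled and the domain object's SACL audits Control Access, so check both before relying on this. The remediation for a hit is to remove the replication rights from that account's ACE on the domain object.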

So, now we have the hash of the admin account of the domain controller. We can either crack the hash to get the password or use the pass-the-hash technique to access the machine with the Evil-WinRM application.

At this point we have all the answers for the questions of this task. Let’s move to the final task of this room.

Task 8: Flags

This is the final task; we need to collect the flags from the target machine using the previously collected information.

At this stage we can use the Evil-WinRM or PsExec tool to get a shell/cmd on the target machine by passing the hash.

I am going to use Evil-WinRM for this task; I use PsExec all the time and want to try this application. First we need to install Evil-WinRM using the below command.

Install Evil-WinRM

You must use sudo to install this Ruby gem. Once installed, you can use the below command to get the shell.

Evil-WinRM Command

I have redacted the username as well as the hash of the user. All the flags are lying around on the Desktops of the relevant user accounts. Submit all the flags and verify.

Root flag
User flag
PrivEsc Flag
