# Operation Endgame | Pentest Report

{% embed url="https://tryhackme.com/room/operationendgame" %}

{% embed url="https://www.youtube.com/watch?v=0sI8ckfRvB8" %}

***

### Internal Active Directory Penetration Test

### THM Infrastructure

| Field           | Value                             |
| --------------- | --------------------------------- |
| Client          | TryHackMe Lab                     |
| Assessment Type | Internal Network Penetration Test |
| Testing Model   | Black Box                         |
| Environment     | Active Directory Lab              |
| Assessor        | Dragkob                           |
| Date            | February 2026                     |

***

## Table of Contents

1. Executive Summary
2. Scope of Engagement
3. Business Impact
4. Methodology
5. Risk Rating Methodology
6. Attack Path Overview
7. Summary of Findings
   * F-01 – Anonymous SMB Enumeration
   * F-02 – RID Brute Force User Enumeration
   * F-03 – AS-REP Roasting Attempt
   * F-04 – Kerberoastable Service Account
   * F-05 – Password Reuse (Password Spraying)
   * F-06 – Active Directory ACL Misconfiguration (GenericWrite)
   * F-07 – SPN Manipulation Leading to Kerberoasting
   * F-08 – Hardcoded Domain Administrator Credentials
8. Tools Used
9. Conclusion

***

## Executive Summary

An internal penetration test was conducted against the THM Active Directory environment to evaluate the security posture of the domain infrastructure.

During the assessment, the tester successfully compromised the Domain Administrator account through a chain of vulnerabilities and misconfigurations including:

* Anonymous SMB enumeration
* RID brute force user discovery
* Kerberoasting (offline cracking of Kerberos service tickets)
* Password reuse across accounts
* Active Directory ACL misconfigurations
* Service Principal Name manipulation
* Hardcoded credentials in administrative scripts

These weaknesses allowed a simulated attacker to escalate privileges from unauthenticated network access to full domain compromise.

If exploited by a real attacker, these issues could allow:

* Unauthorized access to internal systems
* Lateral movement across the domain
* Privilege escalation to Domain Administrator
* Deployment of ransomware or malware
* Persistent access within the environment

Immediate remediation is recommended.

***

## Scope of Engagement

| Asset        | Role              | IP            | Domain    |
| ------------ | ----------------- | ------------- | --------- |
| ad.thm.local | Domain Controller | 10.113.175.83 | thm.local |

***

## Business Impact

The vulnerabilities identified during this assessment allow an attacker to progress from unauthenticated network access to full domain compromise.

Successful exploitation could enable attackers to:

* Access sensitive internal data
* Compromise domain accounts
* Escalate privileges to domain administrator
* Move laterally between systems
* Deploy malicious payloads
* Maintain persistence within the domain

Because the Domain Controller manages authentication and authorization across the environment, compromise of this system results in complete control over the domain infrastructure.

Failure to remediate these issues may expose the organization to data breaches, operational disruption, and reputational damage.

***

## Methodology

Testing followed industry-standard penetration testing methodologies aligned with:

* PTES
* OWASP Testing Guide
* NIST SP 800-115

| Phase                | Description                                 |
| -------------------- | ------------------------------------------- |
| Reconnaissance       | Identification of live hosts and services   |
| Enumeration          | Discovery of domain users and services      |
| Exploitation         | Exploitation of misconfigurations           |
| Credential Access    | Password cracking and credential harvesting |
| Lateral Movement     | Moving between domain accounts              |
| Privilege Escalation | Obtaining administrative privileges         |
| Post-Exploitation    | Demonstrating full domain compromise        |

***

## Risk Rating Methodology

Vulnerabilities were scored with the **CVSS v3.1** base metrics; each finding's score is computed from the vector string listed with it and mapped to a severity band as follows.

| Severity | CVSS Score |
| -------- | ---------- |
| Critical | 9.0 – 10.0 |
| High     | 7.0 – 8.9  |
| Medium   | 4.0 – 6.9  |
| Low      | 0.1 – 3.9  |

Severity ratings consider:

* Attack Complexity
* Privilege Requirements
* User Interaction
* Confidentiality Impact
* Integrity Impact
* Availability Impact

***

## Attack Path Overview

The domain compromise occurred through the following chain:

```
Anonymous SMB Enumeration
        ↓
F-01  SMB Share Discovery
        ↓
F-02  RID Brute Force User Enumeration
        ↓
F-03  AS-REP Roasting Attempt (hashes retrieved, none cracked)
        ↓
Guest Account Authentication
        ↓
F-04  Kerberoasting Attack
        ↓
Compromise of Service Account
        ↓
Password Spraying
        ↓
F-05  Password Reuse
        ↓
Compromise of Additional User
        ↓
Active Directory Enumeration (BloodHound)
        ↓
F-06  ACL Misconfiguration (GenericWrite)
        ↓
SPN Manipulation
        ↓
F-07  Kerberoasting Secondary Account
        ↓
Credential Discovery in Script
        ↓
F-08  Hardcoded Domain Admin Credentials
        ↓
Domain Administrator Compromise
```

***

## Summary of Findings

| ID   | Vulnerability                              | Severity | CVSS |
| ---- | ------------------------------------------ | -------- | ---- |
| F-01 | Anonymous SMB Enumeration                  | Medium   | 5.3  |
| F-02 | RID Brute Force Enumeration                | Medium   | 5.3  |
| F-03 | AS-REP Roasting Attempt                    | Medium   | 5.9  |
| F-04 | Kerberoastable Service Account             | High     | 7.5  |
| F-05 | Password Reuse                             | High     | 7.5  |
| F-06 | Active Directory ACL Misconfiguration      | Critical | 9.6  |
| F-07 | SPN Manipulation Leading to Kerberoasting  | High     | 8.1  |
| F-08 | Hardcoded Domain Administrator Credentials | Critical | 9.9  |

***

## F-01 – Anonymous SMB Enumeration

**Severity:** Medium\
**CVSS:** 5.3\
**Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

### Description

The Domain Controller accepted an SMB session for an arbitrary username (`a`) with an empty password. Because the domain Guest account is enabled, Windows maps such logons to Guest (NetExec reports the session as `(Guest)`), so no valid domain credential was needed. Share access was limited to `IPC$`, but that share exposes the named pipes (SAMR, LSARPC) used for the user enumeration in F-02.

### Technical Evidence

Enumeration performed using SMBClient and NetExec:

```zsh
nxc smb 10.113.175.83 -u 'a' -p '' --shares
```

<figure><img src="/files/j9zE2pKqFPFL9pgOq3Sc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/t2x1qAgBE8g7Az2tX2wV" alt=""><figcaption></figcaption></figure>

### Impact

Anonymous SMB enumeration enables attackers to:

* Identify accessible services
* Discover domain structure
* Perform user enumeration
* Prepare credential attacks

### Remediation

* Disable the Guest account (it is disabled by default on domain controllers); the session above is a Guest logon, not an anonymous one, so `RestrictAnonymous` alone does not stop it
* Restrict true null sessions as well (`RestrictAnonymous` = 1, `RestrictAnonymousSAM` = 1, `RestrictNullSessAccess` = 1)
* Alert on network logons (event 4624, logon type 3) by Guest or ANONYMOUS LOGON to the Domain Controller

***

## F-02 – RID Brute Force User Enumeration

**Severity:** Medium\
**CVSS:** 5.3\
**Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

### Description

Using the Guest session from F-01, the attacker enumerated domain accounts without any valid credential.

RID cycling takes the domain SID, appends candidate Relative Identifiers (500, 501, 512, 1000, 1001, ...) and asks the Domain Controller to translate each SID back to a name over the LSARPC pipe (LsarLookupSids). Every SID that resolves corresponds to an existing user, group or computer, so the attacker obtains a complete account list, including built-in accounts such as the RID 500 Administrator, without generating a single failed logon.

### Technical Evidence

Enumeration performed using NetExec:

```zsh
nxc smb 10.113.175.83 -u 'a' -p '' --rid-brute
```

The attack revealed multiple valid domain users.

<figure><img src="/files/vZJgMTYmEGb9C0zyBBL6" alt=""><figcaption></figcaption></figure>
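The report does not show how the RID output was turned into the `usersfromRID.txt` list used in F-03 and F-05, so here is an added example (not the assessor's own code) of a Python parser for NetExec's `--rid-brute` output that keeps user objects, drops machine accounts and `krbtgt`, and calls out well-known RIDs. The sample output lines are constructed for the example: the account names are those discussed in this report, but the RIDs assigned to them and the group and machine entries are made up.

```python
"""Parse NetExec `--rid-brute` output into a user list for AS-REP roasting
and password spraying. Added example; not the assessor's tooling."""
import re

# One output line per resolved SID, e.g.
#   SMB  10.113.175.83  445  AD  1104: THM\CODY_ROY (SidTypeUser)
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<type>SidType\w+)\)\s*$"
)

# Well-known RIDs worth calling out when they resolve.
WELL_KNOWN = {
    500: "built-in Administrator",
    501: "Guest",
    502: "krbtgt (KDC service account)",
    512: "Domain Admins",
    519: "Enterprise Admins",
}


def parse_rid_brute(output: str) -> list:
    """Return one record per resolved RID, sorted by RID."""
    records = []
    for line in output.splitlines():
        m = RID_LINE.search(line)
        if not m:
            continue  # banner or status line, or a RID that did not resolve
        rid = int(m["rid"])
        records.append({
            "rid": rid,
            "domain": m["domain"],
            "name": m["name"],
            "sid_type": m["type"],
            "note": WELL_KNOWN.get(rid, ""),
        })
    return sorted(records, key=lambda r: r["rid"])


def spray_targets(records: list) -> list:
    """Names suitable for GetNPUsers -usersfile / nxc -u <file>: user
    objects only, no machine accounts ($) and no krbtgt (cannot log on)."""
    return [
        r["name"] for r in records
        if r["sid_type"] == "SidTypeUser"
        and not r["name"].endswith("$")
        and r["rid"] != 502
    ]


def interesting(records: list) -> dict:
    """Accounts and groups that resolved to a well-known RID."""
    return {r["name"]: r["note"] for r in records if r["note"]}


# Constructed sample in NetExec's rid-brute output format (RIDs, groups and
# the machine account are made up; the user names are from this report).
SAMPLE_OUTPUT = """\
SMB         10.113.175.83   445    AD               [+] thm.local\\a: (Guest)
SMB         10.113.175.83   445    AD               500: THM\\Administrator (SidTypeUser)
SMB         10.113.175.83   445    AD               501: THM\\Guest (SidTypeUser)
SMB         10.113.175.83   445    AD               502: THM\\krbtgt (SidTypeUser)
SMB         10.113.175.83   445    AD               512: THM\\Domain Admins (SidTypeGroup)
SMB         10.113.175.83   445    AD               513: THM\\Domain Users (SidTypeGroup)
SMB         10.113.175.83   445    AD               1000: THM\\AD$ (SidTypeUser)
SMB         10.113.175.83   445    AD               1106: THM\\ZACHARY_HUNT (SidTypeUser)
SMB         10.113.175.83   445    AD               1104: THM\\CODY_ROY (SidTypeUser)
SMB         10.113.175.83   445    AD               1109: THM\\JERRI_LANCASTER (SidTypeUser)
"""

if __name__ == "__main__":
    recs = parse_rid_brute(SAMPLE_OUTPUT)
    print("\n".join(spray_targets(recs)))  # what goes into usersfromRID.txt
    for name, note in interesting(recs).items():
        print(f"# {name}: {note}")
```

Group names with spaces (`Domain Admins`) and the trailing `$` of machine accounts are the two details that a naive split on whitespace gets wrong; the regex anchors on the `(SidType...)` suffix instead.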

### Impact

User enumeration enables attackers to:

* Launch password spraying attacks
* Perform Kerberos attacks
* Identify privileged accounts

### Remediation

* Disable the Guest account; SID-to-name translation over LSARPC is allowed for any authenticated session, and a Guest session counts as one
* Alert on a single source resolving long runs of consecutive RIDs (hundreds of LSARPC lookups within seconds, visible in RPC/SMB network telemetry) from a Guest or anonymous session
* Apply "Network access: Restrict clients allowed to make remote calls to SAM" so the SAMR enumeration path is closed to non-administrators as well

***

## F-03 – AS-REP Roasting Attempt

**Severity:** Medium\
**CVSS:** 5.9\
**Vector:** AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

### Description

Each username recovered in F-02 was submitted in an AS-REQ without pre-authentication. Accounts flagged "Do not require Kerberos preauthentication" (`DONT_REQ_PREAUTH`, `userAccountControl` bit 0x400000) answer with an AS-REP whose encrypted part is keyed from the user's password and can therefore be cracked offline. Hashes were returned for such accounts, but none cracked with the wordlist used, which is why Attack Complexity is rated High.

### Technical Evidence

```zsh
impacket-GetNPUsers thm.local/ -dc-ip 10.113.175.83 -usersfile usersfromRID.txt -no-pass
```

<figure><img src="/files/koMe7kWscv8NxldLTKwT" alt=""><figcaption></figcaption></figure>

### Impact

Had any hash cracked, the attacker would have obtained a valid domain password without ever authenticating; the affected accounts remain exposed to a better wordlist or rule set.

### Remediation

* Re-enable Kerberos pre-authentication on every account that has it disabled (filter on `userAccountControl` bit 0x400000) and document any exception
* Enforce long passwords on any account that must keep pre-authentication off, since the AS-REP is only as strong as that password
* Alert on event 4768 requests with pre-authentication type 0 for user accounts

***

## F-04 – Kerberoastable Service Account

**Severity:** High\
**CVSS:** 7.5\
**Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

### Description

The Guest account is enabled with an empty password, so the attacker could obtain a TGT as Guest and request service tickets (TGS) for every account that has a Service Principal Name set. Because the Guest logon needs no credential, Privileges Required is rated None here, consistent with F-01 and F-02.

The ticket for `CODY_ROY`, a user account with an SPN set, was cracked offline with rockyou.txt, revealing the account's password.

### Technical Evidence

```zsh
impacket-GetUserSPNs thm.local/Guest: -dc-ip 10.113.175.83 -request -no-pass -outputfile TGS
```

```zsh
john TGS --wordlist=/usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/Eekr7NxJ9L7321C9ub04" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/YLRLDD0bYKQPIDJ8cAPY" alt=""><figcaption></figcaption></figure>

### Impact

Kerberoasting allows attackers to:

* Recover service account credentials
* Authenticate to internal services
* Perform lateral movement

### Remediation

* Use long random passwords (25+ characters) for any user account that must carry an SPN, or move the service to a **group Managed Service Account (gMSA)** whose password is machine-generated and rotated automatically
* Remove SPNs from ordinary user accounts that do not actually run a service
* Restrict service accounts to AES (`msDS-SupportedEncryptionTypes` set to AES only) so tickets are not issued with RC4, and alert on event 4769 with ticket encryption type 0x17 (RC4)

***

## F-05 – Password Reuse

**Severity:** High\
**CVSS:** 7.5\
**Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

### Description

The password recovered for `CODY_ROY` was sprayed as a single candidate against every account from F-02 (one attempt per account, which stays below any sensible lockout threshold). It was also valid for `ZACHARY_HUNT`. The spray itself needs no prior privilege on the target, only network reach and a password guess, so Privileges Required is rated None.

### Technical Evidence

```zsh
nxc smb 10.113.175.83 -u usersfromRID.txt -p [REDACTED] --continue-on-success
```

<figure><img src="/files/nNZ0sawTI9x5VXdX584s" alt=""><figcaption></figcaption></figure>
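The remediation's "monitor authentication attempts" can be made concrete. As an added example (constructed data, not the assessor's tooling), the Python below looks for the signature of the spray shown above in Security logon events: one source address failing logons for many distinct accounts within a short window, followed by a success from the same source. The attacker address `10.50.0.7`, the typo-prone user at `10.50.0.22`, the filler accounts `user01` to `user08` and all timestamps are made up; the remaining account names are the ones from this report.

```python
"""Password-spray detection over Windows Security logon events.

Added example for this report with constructed data; not the assessor's
tooling. Looks for one source failing logons against many distinct
accounts in a short window, then succeeding for some of them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts the made-up spray hits: the report's names plus filler users.
SPRAYED = ["Administrator", "Guest", "JERRI_LANCASTER"] + [f"user{n:02d}" for n in range(1, 9)]

# Constructed events carrying the 4625/4624 fields the rule reads.
# 10.50.0.7 is the made-up attacker host; 10.50.0.22 is a user mistyping
# their own password (three failures, one account: not a spray).
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": f"2026-02-10T13:15:{s:02d}Z", "TargetUserName": u,
     "IpAddress": "10.50.0.7", "LogonType": 3, "Status": "0xC000006D"}
    for s, u in enumerate(SPRAYED, start=1)
] + [
    {"EventID": 4624, "TimeCreated": "2026-02-10T13:15:05Z", "TargetUserName": "CODY_ROY",
     "IpAddress": "10.50.0.7", "LogonType": 3, "Status": "0x0"},
    {"EventID": 4624, "TimeCreated": "2026-02-10T13:15:12Z", "TargetUserName": "ZACHARY_HUNT",
     "IpAddress": "10.50.0.7", "LogonType": 3, "Status": "0x0"},
] + [
    {"EventID": 4625, "TimeCreated": f"2026-02-10T13:20:{s:02d}Z", "TargetUserName": "user03",
     "IpAddress": "10.50.0.22", "LogonType": 3, "Status": "0xC000006A"}
    for s in (1, 9, 20)
]


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in exported events."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_spray(events, min_accounts=8, window=timedelta(minutes=10)):
    """Return one alert per source address that fails network logons for at
    least `min_accounts` distinct accounts within `window`. Each alert lists
    the accounts that then succeeded from the same source: those are the
    credentials the attacker now holds and the first thing to reset."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["LogonType"] != 3:
            continue  # sprays over SMB/LDAP/RDP-NLA show up as network logons
        record = (_ts(e["TimeCreated"]), e["TargetUserName"])
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(record)
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(record)

    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        j = 0
        for i, (start, _) in enumerate(fails):
            # Sliding window: j runs to the last failure within `window` of fails[i].
            while j < len(fails) and fails[j][0] - start <= window:
                j += 1
            accounts = {name for _, name in fails[i:j]}
            if len(accounts) < min_accounts:
                continue
            end = fails[j - 1][0]
            alerts.append({
                "source": ip,
                "first_failure": start.isoformat(),
                "last_failure": end.isoformat(),
                "distinct_accounts": len(accounts),
                "successes": sorted({n for t, n in successes.get(ip, []) if start <= t <= end + window}),
            })
            break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

The threshold is on distinct accounts, not on total failures, which is what separates a spray from one user locking themselves out. In a real deployment the same rule should also consume Kerberos pre-authentication failures (event 4771) and NTLM validation failures (event 4776), since a spray via Kerberos never produces 4625 on the DC.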

### Impact

Password reuse turned one cracked service-account password into a second foothold: `ZACHARY_HUNT` has interactive (RDP) access and the ACL rights abused in F-06, so the reuse directly enabled the rest of the chain.

### Remediation

* Enforce password uniqueness with a banned-password list (for example Microsoft Entra Password Protection for AD DS) and review service and user accounts for shared passwords
* Enforce an account lockout threshold and observation window so multi-password sprays become noisy rather than free
* Alert on one source producing failed logons (events 4625, 4771, 4776) for many distinct accounts within a short window, especially when a success from the same source follows

***

## F-06 – Active Directory ACL Misconfiguration (GenericWrite)

**Severity:** Critical\
**CVSS:** 9.6\
**Vector:** AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

### Description

BloodHound analysis revealed that `ZACHARY_HUNT` holds GenericWrite over the user object `JERRI_LANCASTER`. GenericWrite grants write access to the object's non-protected attributes, which on a user includes `servicePrincipalName` (targeted Kerberoasting, abused in F-07), `msDS-KeyCredentialLink` (shadow credentials) and `userAccountControl` (disabling pre-authentication for AS-REP roasting). Any of these lets the holder take over the target account without knowing its password.

### Technical Evidence

<figure><img src="/files/q7mqnSyarJjHmsy04rWx" alt=""><figcaption></figcaption></figure>

### Impact

ACL misconfigurations allow attackers to:

* Modify user objects
* Escalate privileges
* Compromise additional accounts

### Remediation

* Audit ACLs on user objects for non-administrative principals holding GenericWrite, GenericAll, WriteDacl or WriteOwner (BloodHound, or `Get-Acl` against the `AD:` drive) and remove the ACE granting `ZACHARY_HUNT` write access to `JERRI_LANCASTER`
* Enable Directory Service Changes auditing (event 5136) with a SACL on user objects so writes to `servicePrincipalName`, `msDS-KeyCredentialLink` and `userAccountControl` by non-administrators are logged

***

## F-07 – SPN Manipulation Leading to Kerberoasting

**Severity:** High\
**CVSS:** 8.1\
**Vector:** AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

### Description

The attacker used the GenericWrite right from F-06 to add an arbitrary Service Principal Name to `JERRI_LANCASTER`. Once a user object carries an SPN, any domain principal can request a service ticket for it, and that ticket is encrypted with a key derived from the user's password, so the account became Kerberoastable (targeted Kerberoasting). The ticket was cracked offline, yielding a second user credential. The write to the account is why Integrity is rated High.

### Technical Evidence

From the RDP session of `ZACHARY_HUNT`, in a PowerShell (or cmd) prompt:

```powershell
setspn -S fake/spn JERRI_LANCASTER
```

<figure><img src="/files/aUWycwlnBUxAojVge2Wt" alt=""><figcaption></figcaption></figure>

From the Kali Linux attacker machine:

```zsh
impacket-GetUserSPNs thm.local/ZACHARY_HUNT:[REDACTED] -dc-ip 10.113.175.83 -request -outputfile TGS2

john TGS2 --wordlist=/usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/0vAwghzrvPHReJeDBZz0" alt=""><figcaption></figcaption></figure>
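As an added example, not the assessor's tooling, the following Python code implements the "monitor SPN changes" recommendation over Windows Security event 5136 (Directory Service Changes). It goes slightly beyond this finding: it also flags the two other attributes a GenericWrite holder typically writes, `msDS-KeyCredentialLink` and `userAccountControl`. The events are constructed for the example; the first mirrors the SPN write shown above, the others use made-up principals (`user03`, `user07`) and a made-up container layout. Event 5136 is only written if the "Audit Directory Service Changes" subcategory is enabled and the user objects carry a SACL for write operations.

```python
"""Flag GenericWrite-style attribute abuse in Security event 5136
(Directory Service Changes). Added example with constructed events; not
the assessor's tooling."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
VALUE_ADDED = "%%14674"  # 5136 OperationType "Value Added" (%%14675 = Value Deleted)

# Attributes a holder of GenericWrite over a user object writes, and the
# follow-on technique each write enables.
WATCHED = {
    "servicePrincipalName": "targeted Kerberoasting (SPN added to a user account)",
    "msDS-KeyCredentialLink": "shadow credentials (key added for PKINIT logon as the user)",
    "userAccountControl": "UAC tampering (e.g. disabling pre-authentication for AS-REP roasting)",
}


def parse_events(xml_text: str):
    """Yield {field: value} for each <Event> under a wrapping <Events> root."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {"EventID": ev.findtext("e:System/e:EventID", default="", namespaces=NS)}
        created = ev.find("e:System/e:TimeCreated", NS)
        rec["TimeCreated"] = created.get("SystemTime", "") if created is not None else ""
        for data in ev.findall("e:EventData/e:Data", NS):
            rec[data.get("Name")] = (data.text or "").strip()
        yield rec


def cn_of(dn: str) -> str:
    """Leading RDN value of a DN: 'JERRI_LANCASTER' from 'CN=JERRI_LANCASTER,...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def detect_attribute_abuse(xml_text: str) -> list:
    """Alerts for watched attributes being added on user objects by a
    principal other than the object itself."""
    alerts = []
    for rec in parse_events(xml_text):
        if rec["EventID"] != "5136" or rec.get("OperationType") != VALUE_ADDED:
            continue
        attr = rec.get("AttributeLDAPDisplayName", "")
        if attr not in WATCHED or rec.get("ObjectClass") != "user":
            continue  # computers legitimately maintain their own SPNs and keys
        subject = rec.get("SubjectUserName", "")
        target = cn_of(rec.get("ObjectDN", ""))
        if subject.rstrip("$").lower() == target.lower():
            continue  # self-service writes belong to a separate, lower-priority rule
        alerts.append({
            "time": rec["TimeCreated"],
            "subject": subject,
            "target": target,
            "attribute": attr,
            "value": rec.get("AttributeValue", ""),
            "technique": WATCHED[attr],
        })
    return alerts


def _event(time, subject, dn, obj_class, attr, value, op=VALUE_ADDED):
    """Build one constructed 5136 event with the fields the rule reads."""
    return f"""
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>5136</EventID><TimeCreated SystemTime="{time}"/><Computer>ad.thm.local</Computer></System>
    <EventData>
      <Data Name="SubjectUserName">{subject}</Data>
      <Data Name="ObjectDN">{dn}</Data>
      <Data Name="ObjectClass">{obj_class}</Data>
      <Data Name="AttributeLDAPDisplayName">{attr}</Data>
      <Data Name="AttributeValue">{value}</Data>
      <Data Name="OperationType">{op}</Data>
    </EventData>
  </Event>"""


# Constructed sample: the SPN write from this finding, a computer renewing its
# own SPN (benign), a made-up shadow-credential write, and the later SPN removal.
SAMPLE_XML = "<Events>" + "".join([
    _event("2026-02-10T14:02:11Z", "ZACHARY_HUNT", "CN=JERRI_LANCASTER,CN=Users,DC=thm,DC=local",
           "user", "servicePrincipalName", "fake/spn"),
    _event("2026-02-10T14:03:40Z", "AD$", "CN=AD,OU=Domain Controllers,DC=thm,DC=local",
           "computer", "servicePrincipalName", "HOST/ad.thm.local"),
    _event("2026-02-10T14:05:02Z", "user03", "CN=user07,CN=Users,DC=thm,DC=local",
           "user", "msDS-KeyCredentialLink", "B:828:(key blob omitted):CN=user07,CN=Users,DC=thm,DC=local"),
    _event("2026-02-10T14:30:00Z", "ZACHARY_HUNT", "CN=JERRI_LANCASTER,CN=Users,DC=thm,DC=local",
           "user", "servicePrincipalName", "fake/spn", op="%%14675"),
]) + "</Events>"

if __name__ == "__main__":
    for alert in detect_attribute_abuse(SAMPLE_XML):
        print(alert)
```

Writes to `userAccountControl` by administrators are routine, so in production that branch needs an allow-list of administrative and provisioning principals; SPN and key-credential additions to user objects by ordinary users are rare enough to page on directly.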

### Impact

Compromise of a further user account. Combined with F-06, the technique works against any user the attacker can write to, regardless of that user's group membership or password age.

### Remediation

* Alert on additions to `servicePrincipalName` on user objects (event 5136, attribute `servicePrincipalName`, operation Value Added) where the subject is not a service or administrative account
* Restrict attribute write permissions on user objects to administrative roles; remove the ACE identified in F-06
* Remove the test SPN added during the engagement (setspn with the -D switch) and rotate the `JERRI_LANCASTER` password

***

## F-08 – Hardcoded Domain Administrator Credentials

**Severity:** Critical\
**CVSS:** 9.9\
**Vector:** AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

### Description

The PowerShell script `C:\Scripts\syncer.ps1` contained the plaintext credentials of a Domain Administrator account. The directory was readable by the compromised user, so the credentials were extracted directly from the file and used to open an administrative session on the Domain Controller.

### Technical Evidence

<figure><img src="/files/GNd2f8iF0ZQV3daFVqIG" alt=""><figcaption></figcaption></figure>

<div align="left"><figure><img src="/files/20HvN15krB3xpJkxtpNV" alt=""><figcaption></figcaption></figure></div>

Session Elevation:

<div align="left"><figure><img src="/files/5TpOkHRxjNz2SEihRkI0" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/fvGQbarspMD7DS87qdho" alt=""><figcaption></figcaption></figure></div>

### Impact

Exposure of Domain Administrator credentials results in complete domain compromise.

### Remediation

* Remove credentials from scripts; run scheduled scripts under a gMSA, or retrieve secrets at run time from a vault (for example the PowerShell SecretManagement module backed by a proper secret store)
* Restrict read access on script directories to the accounts that execute them, and scan SYSVOL, NETLOGON and script shares for `ConvertTo-SecureString ... -AsPlainText` and similar patterns
* Rotate the exposed Domain Administrator credential immediately, and reset the `krbtgt` password twice if a forged ticket cannot be ruled out
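As an added example, not the assessor's tooling, the Python below scans PowerShell scripts for the patterns behind this finding (plaintext `ConvertTo-SecureString -AsPlainText`, password-like variables assigned a string literal, inline `-Password` arguments, `net use` with an inline password) and reports masked matches with line numbers, so a sweep of a script share can go into a report without copying the secret. Both sample scripts are constructed: the vulnerable one only illustrates the pattern and is not the content of `C:\Scripts\syncer.ps1`, and the account `THM\svc_sync`, host `fs01`, server `sql01` and password are made up. The hardened variant pulls the secret from a SecretManagement vault at run time; a gMSA avoids the password altogether for scheduled tasks.

```python
"""Scan PowerShell scripts for hardcoded credentials and report masked
matches. Added example with constructed scripts; not the assessor's tooling."""
import re

# (rule name, regex). Every regex exposes a 'secret' group so the match can
# be masked in the report rather than copied into it.
RULES = [
    ("plaintext-securestring",
     re.compile(r"""ConvertTo-SecureString\s+(?:-String\s+)?(['"])(?P<secret>.+?)\1[^\n]*-AsPlainText""", re.I)),
    ("password-variable-literal",
     re.compile(r"""^[ \t]*\$\w*(?:pass|pwd|secret)\w*[ \t]*=[ \t]*(['"])(?P<secret>.+?)\1""", re.I | re.M)),
    ("password-parameter-literal",
     re.compile(r"""(?<!\w)-(?:Password|Pwd|Secret)\s+(['"])(?P<secret>.+?)\1""", re.I)),
    ("net-use-inline-password",
     re.compile(r"""\bnet\s+use\s+\S+\s+(?P<secret>[^\s/\\]\S*)\s+/user:""", re.I)),
]


def mask(secret: str) -> str:
    """Keep the first two characters so a match is recognisable, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_script(text: str) -> list:
    """Findings as {line, rule, secret (masked)} sorted by line number."""
    findings = []
    for rule, rx in RULES:
        for m in rx.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append({"line": line_no, "rule": rule, "secret": mask(m["secret"])})
    return sorted(findings, key=lambda f: f["line"])


# Constructed illustration of the pattern behind F-08. This is NOT the content
# of C:\Scripts\syncer.ps1; the account, hosts and password are made up.
VULNERABLE_SCRIPT = r"""# sync script (constructed example)
$user = 'THM\svc_sync'
$pass = ConvertTo-SecureString 'Sup3rS3cret!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $pass)
net use \\fs01\sync Sup3rS3cret! /user:THM\svc_sync
Invoke-Sqlcmd -ServerInstance sql01 -Username sa -Password 'Sup3rS3cret!' -Query 'SELECT 1'
$backupPwd = "Sup3rS3cret!"
"""

# Hardened variant: the secret lives in a SecretManagement vault and is fetched
# at run time as a SecureString; nothing in the file is worth stealing.
HARDENED_SCRIPT = r"""# sync script (constructed example, hardened)
Import-Module Microsoft.PowerShell.SecretManagement
$user = 'THM\svc_sync'
$cred = New-Object System.Management.Automation.PSCredential($user, (Get-Secret -Name 'syncer'))
"""

if __name__ == "__main__":
    for f in scan_script(VULNERABLE_SCRIPT):
        print(f"line {f['line']}: {f['rule']} -> {f['secret']}")
    print("hardened findings:", scan_script(HARDENED_SCRIPT))
```

The rules are deliberately pattern-based rather than entropy-based: an administrator's sync password is often a dictionary word with a suffix, exactly the kind of secret an entropy scanner misses, while the `-AsPlainText` and `/user:` idioms are unambiguous on their own.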

***

## Tools Used

| Tool            | Purpose                 |
| --------------- | ----------------------- |
| Nmap            | Network discovery       |
| NetExec         | SMB enumeration         |
| SMBClient       | Share interaction       |
| Impacket        | Kerberos attacks        |
| BloodHound      | AD attack path analysis |
| John the Ripper | Password cracking       |
| XFreeRDP        | Remote login            |

***

## Conclusion

The assessment demonstrated that **multiple weaknesses within the Active Directory environment enabled full domain compromise**.

The attack chain leveraged:

* Kerberoasting of service accounts
* Password reuse
* Active Directory permission misconfigurations
* Hardcoded credentials

Addressing these issues through strong authentication controls, proper Active Directory permission management, and secure credential handling will significantly improve the organization’s security posture.

***

<p align="center">Copyright © 2026 Dragkob. All Rights Reserved.</p>

