TryHackMe BLIND Walkthrough! -- SoupeDecode Part 2
We finally Pwn SoupeDecode! Enjoy the ups, downs, and everything in between as I tackle SoupeDecode with no preparation... again.

Resources:
TryHackMe Room: https://tryhackme.com/room/soupedecode01
My GitHub: https://github.com/NTHSec/
My Medium: https://medium.com/@NTHSec

--------------------------------------------------------------------------------------------------

Time Stamps:
0:00 - Intro
1:20 - Re-enumerating LDAP stuff, including asreproast and kerberoasting
2:55 - Cracking the file_svc hash and continuing enumeration.
4:40 - Enumerating the "Users" SMB share that ybob has access to. We can find the user.txt flag here
7:40 - Doing enumeration with the file_svc credentials we uncovered to discover the backup share. I also spend time trying to get BloodHound working.
14:15 - Finding backup machine hashes, attempting to crack but end up simply using pass-the-hash (pth) techniques to authenticate.
16:50 - Authenticating as FileServer$ and finding that we have "Pwn3d!" on SMB. This means we can dump secrets.
19:25 - Trying to use the domain administrator hash to obtain a shell on the machine. This takes a ton of time after attempting impacket tools, RDP, etc.
36:30 - Eventually manage to successfully pop a shell via pth-winexe.
38:00 - Outro