Learn how to exploit Windows Active Directory vulnerabilities in this comprehensive Vulnnet-Roasted TryHackMe walkthrough covering SMB enumeration, Kerberos attacks, and privilege escalation techniques.

Initial Reconnaissance with Nmap

The first step in any penetration test is thorough reconnaissance. We start with a comprehensive Nmap scan to identify open ports and services:

nmap -A -T4 -Pn -p- 10.10.242.93 -oA vulnnet-roasted
Starting Nmap 7.93 ( https://nmap.org ) at 2023–02–14 08:44 EST
Nmap scan report for 10.10.242.93
Host is up (0.19s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023–02–14 13:55:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI…