Posts

Showing posts with the label TryHackMe

Enterprise Writeup (TryHackMe Hard Machine)

You just landed in an internal network. You scan the network and there’s only the Domain Controller…

Overview

Enterprise is a hard Windows / Active Directory machine from TryHackMe. This room showcases a couple of common misconfigurations and bad practices. We start with deep enumeration. We discover credentials on an SMB share and in a GitHub repo. Then we crack a password obtained through a Kerberoasting attack and get RDP access. Next, we perform post-exploitation enumeration and find an unquoted service path. We deliver our malicious program and get a privileged shell, which we stabilize afterwards by migrating to a stable process.

Nmap scan

Starting with the Nmap scan.

┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -A -p- enterprise.thm -T5
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-29 07:20 -0400
Warning: 10.112.140.190 giving up on port because retransmission cap hit (2).
Nmap scan report for enterprise.thm (10.112.140.190)
Host is up (0.023s latency).
Not shown: 65504 ...

Ra Writeup (TryHackMe Hard Machine)

You have found WindCorp’s internal network and their Domain Controller. Can you pwn their network?

Overview

Ra is a hard Windows/Active Directory machine from TryHackMe. It has three stages/flags, each with an interesting vulnerability, and a lot of users. So buckle up! We start by enumerating the domain and the associated web server. We abuse weak password reset functionality to compromise our first user. Then, we identify a vulnerable version of the Spark client. We exploit it and capture an NTLMv2 hash with Responder. Next, after gaining initial access, we find a PowerShell script vulnerable to command injection. We hijack an important file and add our user to the Admin group, and thus compromise the domain.

Nmap scan

Starting with the Nmap scan.

┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -A -p- 10.112.147.122 -T5
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-06 13:27 -0500
Warning: 10.112.147.122 giving up on port because retransmission cap hit (2).
Nmap scan report ...