Ra Writeup (TryHackMe Hard Machine)
You have found WindCorp’s internal network and their Domain Controller. Can you pwn their network?

Overview

Ra is a hard Windows/Active Directory machine from TryHackMe. It has three stages/flags, each with an interesting vulnerability, and a lot of users. So buckle up!

We start by enumerating the domain and the associated web server. We abuse weak password reset functionality to compromise our first user. Then we identify a vulnerable version of the Spark client, exploit it, and capture an NTLMv2 hash with Responder. Next, after gaining initial access, we find a PowerShell script vulnerable to command injection. We hijack an important file and add our user to the Admin group, thereby compromising the domain.

Nmap scan

Starting with the Nmap scan.

    ┌──(root㉿kali)-[/home/kali]
    └─# nmap -Pn -A -p- 10.112.147.122 -T5
    Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-06 13:27 -0500
    Warning: 10.112.147.122 giving up on port because retransmission cap hit (2).
    Nmap scan report ...