thm-postexploitation-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play TryHackMe’s post-exploitation room at

https://tryhackme.com/room/postexploit

This room will cover all of the basics of post-exploitation; we’ll cover everything from post-exploitation enumeration with PowerView and BloodHound, dumping hashes and golden ticket attacks with Mimikatz, and basic information gathering using Windows Server tools and logs, and then we will wrap up this room talking about the basics of maintaining access with the Metasploit persistence module and creating a backdoor into the machine to get an instant meterpreter shell if the system is ever shut down or reset.

This room is related to very real-world applications and will most likely not help with any CTFs; however, it will give you great starting knowledge of how to approach a network after you have gained a shell on a machine.

To start this room deploy the machine and start the next section on enumerating with powerview.

This machine can take up to 10 minutes to boot and up to 10 minutes before you can SSH or RDP into it.


#1 Deploy the Machine

To start this room you will need to RDP or SSH into the machine. Your credentials are – user:Administrator pass:P@$$W0rd domain:controller.local

Your machine IP is MACHINE_IP

PowerView is a powerful PowerShell script from PowerShell Empire that can be used for enumerating a domain after you have already gained a shell on the system.

We’ll be focusing on how to start up and get users and groups from PowerView.

I have already taken the time to put PowerView on the machine.

1.) Start PowerShell – powershell -ep bypass (the -ep bypass switch bypasses the execution policy of PowerShell for that process, allowing you to easily run scripts)

2.) Start PowerView – . .\Downloads\PowerView.ps1

3.) Enumerate the domain users – Get-NetUser | select cn

4.) Enumerate the domain groups – Get-NetGroup -GroupName *admin*

Now enumerate the domain further on your own.

Here’s a cheatsheet to help you with commands: https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

Cheatsheet Credit: HarmJ0y
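The four steps above combined into one script, as an added example that is not part of the room or this post: it loads PowerView, lists users and admin groups, and goes one step further by expanding admin-group membership and listing computer objects with their operating system. It assumes the classic PowerView build the room uses (Get-Net* cmdlets) at .\Downloads\PowerView.ps1; Get-NetGroupMember and Get-NetComputer -FullData are assumed from that build and the linked cheatsheet, not from the steps on this page.

```powershell
# Added example (not from the TryHackMe room or the blog author).
# Assumes the classic PowerView build (Get-Net* cmdlets) sits at
# .\Downloads\PowerView.ps1, as on the room machine.

# Step 1 equivalent: relax the execution policy for this process only,
# instead of launching a second powershell.exe with -ep bypass.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# Step 2: dot-source PowerView so its functions load into this session.
. .\Downloads\PowerView.ps1

# Step 3: domain users. "cn" is the only property the room selects.
$users = Get-NetUser
Write-Host "Domain users: $(@($users).Count)"
$users | Select-Object cn

# Step 4: groups whose name contains "admin" (returned as names), then
# expand their membership. Unexpected members of high-privilege groups
# are the first thing an auditor looks for in this output.
$adminGroups = Get-NetGroup -GroupName *admin*
foreach ($g in $adminGroups) {
    # Get-NetGroupMember is assumed from the classic PowerView build.
    $members = Get-NetGroupMember -GroupName $g
    Write-Host ("Group {0}: {1} member(s)" -f $g, @($members).Count)
    $members | Select-Object MemberName, IsGroup
}

# Going further, as the room suggests: every computer object with its OS,
# which shows what else lives in the domain besides the server you are on.
# -FullData (assumed from the classic build) returns the raw AD properties.
Get-NetComputer -FullData |
    Select-Object dnshostname, operatingsystem, operatingsystemversion |
    Sort-Object operatingsystem
```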


#1 What is the shared folder that is not set by default?
#2 What operating system is running inside of the network besides Windows Server 2019?
#3 I’ve hidden a flag inside of the users, find it
Author : Puckiestyle
