On the 11th of May, 2023, TryHackMe launched the Red Team Capstone Challenge, a milestone challenge with 20 flags to collect, spread across 10 different phases, with 6912 possible path combinations!
Throughout the challenge event, we received an overwhelming number of fantastic challenge report write-ups from our users, with awesome prizes awarded to users with winning submissions and swag vouchers gifted to all runners-up.
Today, we’d like to share the first winning write-up submission from Azkrath, a dedicated TryHackMe user who has worked in cyber security for the past four years and IT for over 18 years. As an Application Security Engineer and Penetration Tester, Azkrath loves hacking, computers, and everything technology-related!
As the second user to complete the Red Team Capstone Challenge Network, Azkrath compromised the entire domain and achieved goal execution in the first four days of the challenge.
In the write-up submission, Azkrath said: “This is, hands down, one of the best labs and challenges I’ve made in TryHackMe since I registered in August 2020. I’ve learned a lot since there were a couple of attack venues I never had the chance to try.
“In the end, I’ve had a blast doing this engagement, and I hope that TryHackMe continues to release this type of content due to the learning and practicality that it provides.”
Congratulations, Azkrath! Check out the winning write-up submission, or scroll down to discover the attack paths Azkrath took.
Azkrath’s Attack Paths
After performing OSINT and discovering the three main web applications exposed on the perimeter, Azkrath leveraged the discovered information to gain access through the corporate VPN! Since the VPN service was linked to Active Directory, this also provided the initial compromise of the corporate workstations.

Azkrath performed privilege escalation on the workstation by leveraging a misconfigured scheduled task before performing a Kerberoasting attack to compromise the corporate server range!

Azkrath leveraged a delegation misconfiguration to perform an unconstrained delegation attack, enticing a domain controller to authenticate to an attacker-controlled server and thereby gaining administrative access to the entire corporate domain.

Leveraging a golden ticket attack, Azkrath took full control of the parent domain, thus fully compromising the entire TheReserve AD forest!

To show impact, Azkrath had to facilitate a SWIFT payment. To compromise a payment capturer, Azkrath cracked the AD password of a SWIFT capturer. To compromise a payment approver, Azkrath recovered an approver’s credentials from their browser. With both capturer and approver compromised, Azkrath could make the payment transfer!
