2025-07-20
# Directory Writeup — TryHackMe
This blog post is a writeup of the
[Directory](https://tryhackme.com/room/directorydfirroom) challenge on
[TryHackMe](https://tryhackme.com).
**What ports did the threat actor initially find open? Format: from lowest to
highest, separated by a comma.**
We can see that the attacker is scanning ports on the target system. For every
open port, the target answers with SYN/ACK, which corresponds to a TCP flags
value of `0x12`.
```sh
# List the ports that answered with SYN/ACK (tcp.flags == 0x12).
# The display filter must be passed to -Y as a single argument, hence the quotes.
tshark -r ./traffic-1725627206938.pcap \
  -T fields -Y 'tcp.flags == 0x12' \
  -e tcp.srcport -e ip.dst_host \
  | sort -n | uniq | sort -rn
```
**The threat actor found four valid usernames, but only one username allowed
the attacker to achieve a foothold on the server. What was the username?
Format: Domain.TLD\username**
After extracting all HTTP objects, we can see that potential usernames can be
crafted from the names of the people mentioned on the page, which the adversary
could then try to log in with.
Filtering for Kerberos packets, it is clearly visible that the attacker tried
to brute-force the usernames.

Only two requests did not result in an error response. These contain the
username we are looking for.
We need the `CNameString` as well as the `SNameString` in combination to get
the correct login name.
**The threat actor captured a hash from the user in question 2. What are the
last 30 characters of that hash?**
The same `AS-REP` response packet from the previous question contains an
encrypted part, which holds the hash as a cipher of type
`eTYPE-ARCFOUR-HMAC-MD5 (23)`. This is the hash we are looking for.
**What is the user's password?**
We can use
[Krb5RoastParser](https://github.com/jalvarezz13/Krb5RoastParser.git) to
extract the AS-REP hash and crack it.
```
$krb5asrep$23$larry.doe@DIRECTORY.THM:f8716efbaa984508ddde606756441480$805ab8be8cfb018a282718f7c040cd43924c6f9afeb6171230bbd3dccc79294dcf2f877a44c1a0981aadb7bb7a9510dd52d8dda4039ef4dcb444f18c9902be1623035e10aebf16ce4bdf5f7064f480e67e96ec2eb32bad95c5a1247bd7a241273fe80e281f4e6a99926f7969fcf803190c7096b947a33407f8578d4c0fb8b52d2aa8d0405a44b72bd21e014563cb71e82aee0e12538d0d440c930b98abf766e18ddc99a964e6e812ecf8dc8994a912a02074d40e5e6906915c1d216653d45df88636b51656f2c37de2020a2fd86ee7ecf6f0afe3f509fd31144e1573f9587155616532b664cd0b50cda8d4ba469f
```
Use john or hashcat to crack the hash and recover the password.
```sh
john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ../kerb.hash
```
**What were the second and third commands that the threat actor executed on the
system? Format: command1,command2**
There is a script to decrypt WinRM traffic on [jborean93's GitHub
page](https://gist.github.com/jborean93/d6ff5e87f8a9f5cb215cd49826523045/).
Using the password we acquired before, the traffic can be decoded.
```sh
python winrm_decrypt.py ./traffic-1725627206938.pcap --password '********' > winrm.output
```
The parts we are interested in are the PowerShell commands. We need to decode
them, since they are base64-encoded.
```sh
grep "AAAAAA" winrm.output | cut -d '>' -f2 | cut -d '<' -f1 | base64 -d >> decoded.out
```
Now we can take a look at the commands using less or some other tool.
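The grep for `AAAAAA` works because each PSRP fragment begins with an eight-byte big-endian object id, so for small ids the base64 text starts with `AAAAAA`. As an added example that is not part of the original writeup or of jborean93's script, the following parses the PSRP fragment and message headers out of the decrypted WinRM XML and pulls the pipeline command text from the CLIXML instead of relying on that prefix; the sample request it builds and the `rsp:Arguments` element name are constructed for illustration.

```python
import base64
import html
import re
import struct

PSRP_CREATE_PIPELINE = 0x00021006  # MS-PSRP message type that carries the pipeline to run

def build_fragment(object_id, fragment_id, message, start=True, end=True):
    """Fragment header: big-endian object and fragment ids, S/E flags byte, blob length."""
    flags = (1 if start else 0) | (2 if end else 0)
    return struct.pack(">QQBI", object_id, fragment_id, flags, len(message)) + message

def build_message(msg_type, data):
    """Message header: little-endian destination and type, then runspace and pipeline GUIDs."""
    return struct.pack("<II", 2, msg_type) + b"\x00" * 32 + data

def iter_fragments(blob):
    """Yield (object_id, fragment_id, flags, payload) for each fragment in a decoded blob."""
    offset = 0
    while offset + 21 <= len(blob):
        obj_id, frag_id, flags, length = struct.unpack_from(">QQBI", blob, offset)
        offset += 21
        yield obj_id, frag_id, flags, blob[offset:offset + length]
        offset += length

def extract_commands(winrm_output):
    """Return the command text of every CREATE_PIPELINE message in decrypted WinRM XML.
    Assumes each message fits one fragment; larger ones need reassembly by object id."""
    commands = []
    for b64 in re.findall(r">([A-Za-z0-9+/=]{20,})<", winrm_output):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error subclasses ValueError: not base64, skip it
            continue
        for _obj, _frag, _flags, payload in iter_fragments(blob):
            if len(payload) < 40:
                continue
            _dest, msg_type = struct.unpack_from("<II", payload, 0)
            if msg_type != PSRP_CREATE_PIPELINE:
                continue
            clixml = payload[40:].decode("utf-8", errors="replace")
            commands += [html.unescape(c) for c in re.findall(r'<S N="Cmd">([^<]*)</S>', clixml)]
    return commands

def sample_winrm_output():
    """Constructed stand-in for one decrypted request; the element name is illustrative only."""
    clixml = b'<Obj RefId="0"><Obj N="Cmds"><S N="Cmd">whoami /all</S></Obj></Obj>'
    frag = build_fragment(1, 0, build_message(PSRP_CREATE_PIPELINE, clixml))
    return "<rsp:Arguments>%s</rsp:Arguments>" % base64.b64encode(frag).decode()
```

Running `extract_commands` over the full `winrm.output` file yields the pipeline commands in the order the attacker sent them.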
**What is the flag?**
We already decoded the commands in the previous step, so we just search for the
flag structure in the decoded output.
```
THM{***************}
```