TryHackMe · Red Team

TryHackMe Red Team Capstone

A practical capstone exercise simulating an objective-based red team engagement against a multi-host Active Directory lab. The writeup focuses on planning discipline, low-noise execution, and the operational lessons that translate directly into real engagements.

TryHackMe Red Team Pivoting Active Directory Published 14 Jun 2025

Planning & Objectives

Defined a clear mission statement, prioritized objectives, and rules of engagement before any packet hit the wire. Success criteria were documented up front so the engagement could be called complete (or pivoted) on data, not on vibe.

  • Mission: validate ability to reach Tier-0 from external foothold within scope.
  • Constraints: minimal noisy recon; no destructive actions; preserve forensic evidence.
  • Deliverables: timeline, attack-path map, sanitized PoC, debrief-ready findings.

Execution Highlights

  1. External recon → discovery of an exposed web service with a path to authenticated access.
  2. Web foothold → privileged-account credential harvest via misconfigured admin endpoint.
  3. Pivot into the internal network using a tunnel through the foothold host.
  4. Internal AD enumeration with low-noise BloodHound collection.
  5. Kerberoasting + ACL abuse path identified and exploited to reach Tier-0.

Lessons Learned

  • Communicate detection expectations with the blue team prior to exercise — surprises are noise, not value.
  • Document pivot paths and timestamps as they happen — reconstruction after the fact is always less accurate.
  • Stop the moment objectives are achieved. "One more pivot" is how engagements get burned.
  • Capture cleanup notes alongside attack notes — leaving artifacts is unprofessional and risky.
Operator takeaway: A red team engagement is a writing exercise that occasionally involves a shell. Document everything.
← Back to Writeups Read: AD Enumeration Workflow