A step-by-step walkthrough of a TryHackMe Active Directory challenge, demonstrating how to compromise a Windows Domain Controller starting from zero credentials. The attack chain covers port scanning with RustScan/Nmap, SMB guest enumeration and RID brute-forcing to build a user list, Kerberoasting to crack a service account password, BloodHound graph analysis to map privilege escalation paths, password spraying, targeted Kerberoasting via GenericWrite abuse, RDP access to find hardcoded credentials in a PowerShell script, and finally gaining Domain Admin via smbexec. Each phase includes commands with detailed explanations and concludes with defensive takeaways.
Table of contents
Phase 2 — SMB Enumeration: Knocking on the Door as a Guest
    What is SMB and why try guest?
    RID Brute-Force: Building a User List