# TryHackMe-THROWBACK-WS01 (10.200.34.222)
## NMAP
```
No ports open on this machine
```
We can get the `user.txt` flag from here
And for `root.txt`
Since we have run `autoroute` on `THROWBACK-WS01`, we can access machines on the network, as we were not able to run an nmap scan on this machine
We can SSH into the machine with BlaireJ's plaintext password
Now that we have gained an initial foothold on WS-01 again, we need to do some enumeration with `BloodHound`.
After installing it on the Kali machine, we can access the GUI interface in the browser
Now we need to download a file called `SharpHound.ps1`, a PowerShell script to be transferred to the WS-01 machine
https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
To run the script, we need to disable antivirus or Windows Defender on the target machine
https://www.itechtics.com/enable-disable-windows-defender/
`Set-MpPreference -DisableRealtimeMonitoring $true`
Then run this command to get a map of the AD environment
`Invoke-Bloodhound -CollectionMethod All -Domain THROWBACK.local -ZipFileName loot.zip`
Now we need to get this `20210227114234_loot.zip` on our machine
I messed up with the credentials and didn't find a way to reset them, so I disabled the authentication
`subl /etc/neo4j/neo4j.conf`
Copy that zip file from the target to our local machine
Simply drag and drop it into the BloodHound GUI and run queries, for example to get all admins
Run the query `Map Domain Trusts`
Run the query `List all Kerberoastable Accounts`
Run the query `Find Shortest Paths to Domain Admins`
Now, in order to get the Kerberoast ticket, we need impacket version 0.9.19
https://github.com/SecureAuthCorp/impacket/releases/tag/impacket_0_9_19
The reason is that if we run with the latest version
We won't get the Kerberoast ticket of the SQLSERVICE account, so on running with the older version
On getting that Kerberoast hash, we need to crack it using `hashcat`
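
From the defender's side, a Kerberoast request like the one above is logged on the domain controller as Security event 4769, commonly with an RC4 ticket encryption type. The following is an added example, not part of the original write-up: it flags such requests in events exported as JSON lines. The export format, `ExampleUser` and the IP addresses are constructed assumptions.

```python
import json
from collections import defaultdict

RC4_TYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP

# Constructed sample: Security event 4769 (service ticket requested) as JSON lines.
# BlaireJ and SQLSERVICE come from the write-up; every other value is made up.
SAMPLE_EVENTS = """
{"EventID": 4769, "TargetUserName": "BlaireJ@THROWBACK.LOCAL", "ServiceName": "SQLSERVICE", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.10"}
{"EventID": 4769, "TargetUserName": "BlaireJ@THROWBACK.LOCAL", "ServiceName": "THROWBACK-WS01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.10"}
{"EventID": 4769, "TargetUserName": "ExampleUser@THROWBACK.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.20"}
{"EventID": 4624, "TargetUserName": "ExampleUser", "IpAddress": "192.0.2.20"}
{"EventID": 4769, "TargetUserName": "ExampleUser@THROWBACK.LOCAL", "ServiceName": "SQLSERVICE", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.20"}
"""

def is_user_service(name):
    """Machine accounts end in '$' and krbtgt is the ticket service itself."""
    return not name.endswith("$") and name.lower() != "krbtgt"

def find_rc4_service_tickets(raw):
    """Return {requester: sorted user-backed service accounts requested with RC4}."""
    hits = defaultdict(set)
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed records
        if ev.get("EventID") != 4769:
            continue
        etype = str(ev.get("TicketEncryptionType", "")).lower()
        service = ev.get("ServiceName", "")
        if etype in RC4_TYPES and is_user_service(service):
            requester = ev.get("TargetUserName", "?").split("@")[0].lower()
            hits[requester].add(service)
    return {user: sorted(svcs) for user, svcs in hits.items()}

if __name__ == "__main__":
    for user, services in find_rc4_service_tickets(SAMPLE_EVENTS).items():
        print(f"RC4 service ticket request by {user}: {', '.join(services)}")
```

The AES (`0x12`) request for SQLSERVICE is not flagged, so normal application traffic to the same account stays quiet once the service account is configured for AES only.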