THM Enumerating Active Directory done
Enumerating_Active_Directory
OS:
Windows Active Directory
Technology:
Active Directory
Users and pass:
First creds from: http://distributor.za.tryhackme.com/creds
Username: phillip.reid
Password: Scooter1987
Lab schema
Set up the attack VM: point DNS at the DC so the domain resolves
root@ip-10-10-70-177:~# systemd-resolve --interface enumad --set-dns 10.200.18.101 --set-domain za.tryhackme.com
root@ip-10-10-70-177:~# nslookup thmdc.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: thmdc.za.tryhackme.com
Address: 10.200.18.101
Get first credentials
Open the website: http://distributor.za.tryhackme.com/creds
Your credentials have been generated: Username: phillip.reid Password: Scooter1987
Login to thmjmp1.za.tryhackme.com
root@ip-10-10-70-177:~# ssh za.tryhackme.com\\phillip.reid@thmjmp1.za.tryhackme.com
The authenticity of host 'thmjmp1.za.tryhackme.com (10.200.18.248)' can't be established.
ECDSA key fingerprint is SHA256:HTvSA1Qt987SOP3SRopzSQ22Q8lPttrUzTwuTyGDLck.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'thmjmp1.za.tryhackme.com,10.200.18.248' (ECDSA) to the list of known hosts.
za.tryhackme.com\phillip.reid@thmjmp1.za.tryhackme.com's password:
Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.
za\phillip.reid@THMJMP1 C:\Users\phillip.reid>
Force a network-based listing of SYSVOL (confirms DNS, SMB and the domain credentials all work before going further)
root@ip-10-10-70-177:~# ssh za.tryhackme.com\\phillip.reid@thmjmp1.za.tryhackme.com
za.tryhackme.com\phillip.reid@thmjmp1.za.tryhackme.com's password:
Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.
za\phillip.reid@THMJMP1 C:\Users\phillip.reid>dir \\za.tryhackme.com\SYSVOL\
Volume in drive \\za.tryhackme.com\SYSVOL is Windows
Volume Serial Number is 1634-22A9
Directory of \\za.tryhackme.com\SYSVOL
02/24/2022 09:57 PM <DIR> .
02/24/2022 09:57 PM <DIR> ..
02/24/2022 09:57 PM <JUNCTION> za.tryhackme.com [C:\Windows\SYSVOL\domain]
0 File(s) 0 bytes
3 Dir(s) 51,587,862,528 bytes free
Connect via RDP to thmjmp1.za.tryhackme.com
root@ip-10-10-70-177:~# xfreerdp /u:phillip.reid /p:Scooter1987 /v:thmjmp1.za.tryhackme.com /cert-ignore
connected to thmjmp1.za.tryhackme.com:3389
Open MMC
Add the three Active Directory snap-ins in MMC (Users and Computers, Sites and Services, Domains and Trusts)
Read the description attribute of the t0_tinus.green user (the description field is a common place to find leftover notes or passwords)
Check the "Member Of" tab of the aaron.harris account
net user aaron.harris /domain
Check how many accounts are in "Tier 1 Admins"
net group "Tier 1 Admins" /domain
Check password policy
net accounts /domain
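Added example (my own, not part of the room): the same three checks done with the ActiveDirectory PowerShell module from the jump host. It goes further than the net commands in two ways that matter during enumeration: nested group membership is resolved by the DC (net user /domain lists only direct memberships), and the password policy that actually applies to the account is queried, because net accounts /domain shows only the default domain policy and not fine-grained password policies (PSOs). It assumes the RSAT ActiveDirectory module is available on THMJMP1 and that za.tryhackme.com resolves to a DC; $User is a placeholder for whichever account you are looking at.

```powershell
# Added example, not from the original room. Assumes the RSAT ActiveDirectory
# module is installed and za.tryhackme.com resolves to a domain controller.
Import-Module ActiveDirectory

$Server = 'za.tryhackme.com'
$User   = 'aaron.harris'   # placeholder: any sAMAccountName in the domain

# 1. Effective (nested) group membership.
# "net user <name> /domain" only shows direct memberships. The LDAP matching
# rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC
# walk group nesting for us, so inherited "Tier N Admins" membership shows up.
$dn = (Get-ADUser -Identity $User -Server $Server).DistinguishedName
# Escape RFC 4515 special characters in the DN before embedding it in a filter.
$escapedDn = $dn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
$effectiveGroups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escapedDn)" -Server $Server)

"[*] Effective group membership for $User ($($effectiveGroups.Count) groups):"
$effectiveGroups | Select-Object Name, GroupScope, DistinguishedName | Format-Table -AutoSize

$tierGroups = $effectiveGroups | Where-Object Name -match '^Tier \d+ Admins$'
if ($tierGroups) {
    "[!] $User is a tiered admin (directly or via nesting): $($tierGroups.Name -join ', ')"
}

# 2. Member count of a group, counting leaf principals behind nested groups.
$group = 'Tier 1 Admins'
$direct = @(Get-ADGroupMember -Identity $group -Server $Server)
$flat   = @(Get-ADGroupMember -Identity $group -Server $Server -Recursive)
"[*] $group : $($direct.Count) direct members, $($flat.Count) principals after flattening nesting"

# 3. Password policy. The default domain policy is what "net accounts /domain"
# reports; PSOs override it per user/group and decide the real lockout threshold,
# which is what you need to know before any password spraying.
"[*] Default domain password policy:"
Get-ADDefaultDomainPasswordPolicy -Server $Server |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutObservationWindow, MaxPasswordAge

"[*] Fine-grained password policies defined in the domain:"
Get-ADFineGrainedPasswordPolicy -Filter * -Server $Server |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo | Format-Table -Wrap

$resultant = Get-ADUserResultantPasswordPolicy -Identity $User -Server $Server
if ($resultant) {
    "[*] $User is covered by PSO '$($resultant.Name)': lockout after $($resultant.LockoutThreshold) bad attempts"
} else {
    "[*] $User falls under the default domain policy"
}
```

Run it in a PowerShell session on THMJMP1 with the same domain credentials used for SSH. Reading group membership and password policies needs no special rights; any authenticated domain user can query them, which is exactly why this data is the first thing to collect.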
What is the value of the Title attribute of Beth Nolan (beth.nolan)?
Get-ADUser -Identity beth.nolan -Server za.tryhackme.com -Properties *
What is the value of the DistinguishedName attribute of Annette Manning (annette.manning)?
Get-ADUser -Identity annette.manning -Server za.tryhackme.com -Properties DistinguishedName
When was the Tier 2 Admins group created?
PS C:\Users\jasmine.stanley> Get-ADGroup -Identity "Tier 2 Admins" -Server za.tryhackme.com -Properties *
CanonicalName : za.tryhackme.com/Groups/Tier 2 Admins
CN : Tier 2 Admins
Created : 2/24/2022 10:04:41 PM
createTimeStamp : 2/24/2022 10:04:41 PM
What is the value of the SID attribute of the Enterprise Admins group?
PS C:\Users\jasmine.stanley> Get-ADGroup -Identity "Enterprise Admins" -Server za.tryhackme.com -Properties SID
DistinguishedName : CN=Enterprise Admins,CN=Users,DC=za,DC=tryhackme,DC=com
GroupCategory : Security
GroupScope : Universal
Name : Enterprise Admins
ObjectClass : group
ObjectGUID : 93846b04-25b9-4915-baca-e98cce4541c6
SamAccountName : Enterprise Admins
SID : S-1-5-21-3330634377-1326264276-632209373-519
Which container is used to store deleted AD objects?
PS C:\Users\jasmine.stanley> Get-ADDomain -Server za.tryhackme.com
AllowedDNSSuffixes : {}
ChildDomains : {}
ComputersContainer : CN=Computers,DC=za,DC=tryhackme,DC=com
DeletedObjectsContainer : CN=Deleted Objects,DC=za,DC=tryhackme,DC=com
DistinguishedName : DC=za,DC=tryhackme,DC=com
DNSRoot : za.tryhackme.com
DomainControllersContainer : OU=Domain Controllers,DC=za,DC=tryhackme,DC=com
DomainMode : Windows2012R2Domain
What command can be used to execute Sharphound.exe and request that it recovers Session information only from the za.tryhackme.com domain without touching domain controllers?
Sharphound.exe --CollectionMethods Session --Domain za.tryhackme.com --ExcludeDCs
Apart from the krbtgt account, how many other accounts are potentially kerberoastable?
4
How many machines do members of the Tier 1 Admins group have administrative access to?
2
How many users are members of the Tier 2 Admins group?
15
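Added example (my own, not part of the room): the last three BloodHound questions can be cross-checked directly against LDAP, which is quieter than a SharpHound run and a good way to validate what the graph claims. Kerberoastable accounts are user objects with a servicePrincipalName; krbtgt always has one, and disabled accounts are filtered out because no TGS is issued for them. It assumes the RSAT ActiveDirectory module on THMJMP1 and that za.tryhackme.com resolves to a DC.

```powershell
# Added example, not from the original room. Assumes the RSAT ActiveDirectory
# module is installed and za.tryhackme.com resolves to a domain controller.
Import-Module ActiveDirectory
$Server = 'za.tryhackme.com'

# Kerberoastable accounts: enabled user objects carrying an SPN, krbtgt excluded.
# userAccountControl bit 2 = ACCOUNTDISABLE; the :1.2.840.113556.1.4.803: rule
# is a bitwise AND so the filter can test a single flag.
$kerberoastFilter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
                    '(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$roastable = @(Get-ADUser -LDAPFilter $kerberoastFilter -Server $Server `
                  -Properties ServicePrincipalName, PasswordLastSet, MemberOf)

"[*] $($roastable.Count) kerberoastable accounts (krbtgt and disabled accounts excluded):"
$roastable | Select-Object SamAccountName, PasswordLastSet,
    @{ n = 'SPNs';             e = { $_.ServicePrincipalName -join ', ' } },
    @{ n = 'PrivilegedGroups'; e = { @($_.MemberOf | Where-Object { $_ -match 'Admins' }) -join ', ' } } |
    Format-Table -Wrap

# Old PasswordLastSet on a service account is the real finding: a ticket for it
# is cheap to request and its password is the one most likely to crack offline.
$stale = $roastable | Where-Object { $_.PasswordLastSet -lt (Get-Date).AddYears(-1) }
if ($stale) { "[!] SPN accounts with passwords older than a year: $($stale.SamAccountName -join ', ')" }

# Group member counts. -Recursive flattens nested groups and returns only leaf
# principals, which is what "how many users are members" asks; without it a
# nested group counts as a single member.
foreach ($g in 'Tier 1 Admins', 'Tier 2 Admins') {
    $direct = @(Get-ADGroupMember -Identity $g -Server $Server)
    $users  = @(Get-ADGroupMember -Identity $g -Server $Server -Recursive |
                Where-Object objectClass -eq 'user')
    "[*] $g : $($direct.Count) direct members, $($users.Count) users after flattening nested groups"
}
```

Note on the SharpHound command above: --ExcludeDCs keeps the Session and LocalAdmin collectors from connecting to domain controllers, but the LDAP part of any collection (and every query in this block) still goes to a DC, so "without touching domain controllers" only holds for the host-to-host enumeration.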