This is my attempt to create a walkthrough of TryHackMe's Active Directory room:

[Task 1] Introduction

Active Directory is the directory service for Windows Domain Networks. It is used by many of today’s top companies and is a vital skill to comprehend when attacking Windows.

#1 I understand what Active Directory is and why it is used.

ANSWER: No answer needed

99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?

Learning objectives:

  • Impacket
  • Kerbrute
  • AD Enumeration
  • Kerberos
  • Cracking Hashes
  • Hashcat
  • Privilege Escalation

[Task 2] Physical Active Directory

#1 What database does the AD DS contain?

AD DS contains the NTDS.dit, a database that holds all of the information of an Active Directory domain controller as well as the password hashes for domain users.

ANSWER: NTDS.dit

#2 Where is the NTDS.dit stored?

Stored by default in %SystemRoot%\NTDS.

ANSWER: %SystemRoot%\NTDS

#3 What type of machine can be a domain controller?

A domain controller is a Windows server that has Active Directory Domain Services (AD DS) installed and has been promoted to a domain controller in the forest.

ANSWER: Windows Server

[Task 3] The Forest

#1 What is the term for a hierarchy of domains in a network?

Trees: A hierarchy of domains in Active Directory Domain Services.

ANSWER: Tree

#2 What is the term for the rules for object creation?

Domain Schema: Rules for object creation.

ANSWER: Domain Schema

#3 What is the term for containers for groups, computers, users, printers, and other OUs?

Organizational Units: Containers for groups, computers, users, printers and other OUs.

ANSWER: Organizational Units

[Task 4] User + Groups

#1 Which type of groups specify user permissions?

SecurityGroups: These groups are used to specify permissions for a large number of users.

ANSWER: SecurityGroups

#2 Which group contains all workstations and servers joined to the domain?

DomainComputers: All workstations and servers joined to the domain.

ANSWER: DomainComputers

#3 Which group can publish certificates to the directory?

CertPublishers: Members of this group are permitted to publish certificates to the directory.

ANSWER: CertPublishers

#4 Which user can make changes to a local machine but not to a domain controller?

LocalAdministrators: These users can make changes to local machines as an administrator and may even be able to control other normal users, but they cannot access the domain controller.

ANSWER: LocalAdministrators

#5 Which group has their passwords replicated to read only domain controllers?

Allowed RODC Password Replication Group: Members of this group can have their passwords replicated to all read-only domain controllers in the domain.

ANSWER: Allowed RODC Password Replication Group

[Task 5] User + Groups

#1 What type of trust flows from a trusting domain to a trusted domain?

Directional: The direction of the trust flows from a trusting domain to a trusted domain.

ANSWER: Directional

#2 What type of trusts expands to include other trusted domains?

Transitive: The trust relationship expands beyond just two domains to include other trusted domains.

ANSWER: Transitive

[Task 6] Active Directory Domain Services + Authentication

#1 What type of authentication uses tickets?

Kerberos: The default authentication service for Active Directory uses ticket granting tickets and service tickets to authenticate users and give users access to other resources across the domain.

ANSWER: Kerberos

#2 What domain service can create, validate, and revoke public key certificates?

Certificate Services: Allows the domain controller to create, validate, and revoke public key certificates.

ANSWER: Certificate Services

[Task 7] AD in the Cloud

#1 What is the Azure AD equivalent of LDAP?

ANSWER: Rest APIs

#2 What is the Azure AD equivalent of Domains and Forests?

ANSWER: Tenants

#3 What is the Windows Server AD equivalent of Guests?

ANSWER: Trusts

[Task 8] Hands-On Lab

I connected to the machine over SSH after failing to connect with RDP.

#1: Deploy the Machine:

No Answer needed

#2: What is the name of the Windows 10 operating system?

I used this command:

Get-NetComputer -FullData | select operatingsystem

Answer: Windows 10 Enterprise Evaluation

#3: What is the second “Admin” name?

Get-NetUser | select cn

Answer: Admin2

#4: Which group has a capital “V” in the group name?

net localgroup

Answer: Hyper-V Administrators

#5: What was the password last set for the SQLService user?

Get-ADUser -identity SQLService -properties *

Answer: 5/13/2020 8:26:58 PM
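The four enumeration steps above, collected into one read-only audit script that a defender can run to review the same things (operating systems, look-alike admin accounts, privileged local groups, password age of service accounts). This is an added example, not code from the room or the walkthrough; it assumes the RSAT ActiveDirectory module instead of PowerView, a domain-joined session, and a constructed 90-day password-age threshold.

```powershell
# Added example (not part of the original walkthrough): one read-only audit that
# covers the four enumeration steps using the RSAT ActiveDirectory module.
# Assumptions: the module is installed and the session runs as a domain user;
# the 90-day threshold is a constructed policy value, not something from the room.
Import-Module ActiveDirectory

$StaleDays = 90

# Step 2 equivalent: operating systems of domain-joined machines, grouped
Write-Host "== Operating systems of domain computers =="
Get-ADComputer -Filter * -Properties OperatingSystem |
    Group-Object OperatingSystem |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Step 3 equivalent: accounts whose name contains "Admin" and their group membership
Write-Host "== Users with 'Admin' in the name =="
Get-ADUser -Filter 'Name -like "*Admin*"' -Properties MemberOf |
    Select-Object SamAccountName, Name,
        @{n='Groups'; e={ ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ' }} |
    Format-Table -AutoSize

# Step 4 equivalent: who sits in the privileged local groups on this host
Write-Host "== Local privileged group membership on $env:COMPUTERNAME =="
foreach ($g in 'Administrators', 'Hyper-V Administrators', 'Remote Desktop Users') {
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
    "{0}: {1}" -f $g, (($members.Name) -join ', ')
}

# Step 5 equivalent: password age of every enabled user; accounts with an SPN
# (service accounts such as SQLService in the room) and an old password are the
# ones worth flagging for rotation
Write-Host "== Enabled users whose password is older than $StaleDays days =="
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, ServicePrincipalName |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt (Get-Date).AddDays(-$StaleDays) } |
    Select-Object SamAccountName, PasswordLastSet,
        @{n='AgeDays'; e={ [int]((Get-Date) - $_.PasswordLastSet).TotalDays }},
        @{n='HasSPN';  e={ $_.ServicePrincipalName.Count -gt 0 }} |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize
```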

#9 Conclusion:

No Answer Required