In this post, we will cover the answers of TryHackMe Breaching Active Directory room in addition to demonstrating the concepts of Active Directory Penetration Testing.

We also covered the answers for TryHackMe Enumerating Active Directory , TryHackMe Lateral Movement and Pivoting ,TryHackMe Exploiting Active Directory and TryHackMe Active Directory Credential Harvesting rooms.

OSCP Study Notes

Windows Active Directory Penetration Testing Study Notes

Active Directory Credential Harvesting Methods

Before we can exploit AD misconfigurations for privilege escalation, lateral movement, and goal execution, you need initial access first. You need to acquire an initial set of valid AD credentials. Due to the number of AD services and features, the attack surface for gaining an initial set of AD credentials is usually significant.

When looking for that first set of credentials, we don’t focus on the permissions associated with the account; thus, even a low-privileged account would be sufficient. We are just looking for a way to authenticate to AD, allowing us to do further enumeration on AD itself.

The following techniques to recover AD credentials in a network:

  • NTLM Authenticated Services
  • LDAP Bind Credentials
  • Authentication Relays
  • Microsoft Deployment Toolkit
  • Configuration Files

Understanding NTLM andNetNTLM

The set of security protocols called New Technology LAN Manager (NTLM) is what allows users to validate their identities in Active Directory. NetNTLM is a challenge-response-based method that leverages NTLM for authentication. The services on a network make extensive use of this authentication technique. NetNTLM-using services, however, may also be open to the internet. Listed below are a few well-known examples:

  • Exchange (Mail) servers hosted internally that provide an Outlook Web App (OWA) login page.
  • A server’s Remote Desktop Protocol (RDP) service that is available over the internet.
  • VPN endpoints that were connected to AD were made public.
  • Web apps that use NetNTLM and are accessible over the internet.

NetNTLM, also often referred to as Windows Authentication or just NTLM Authentication, allows the application to play the role of a middle man between the client and AD. When a challenge is successfully performed, all authentication material is sent to a Domain Controller, and the application will authenticate the user.

This means that the application is authenticating on behalf of the user and not authenticating the user directly on the application itself. This prevents the application from storing AD credentials, which should only be stored on a Domain Controller.

Credentials Brute Force Attacks on Active Directory

These exposed services offer a great place to test credentials that have been found in other ways. To retrieve a first set of legitimate AD credentials, these services can also be accessed directly. If during our first red team recon we were able to recover information like working email addresses, we might try using these for brute force attacks.

We won’t be able to conduct a full brute-force attack because account lockout is implemented in the majority of AD environments. Rather, we must execute a password-spraying attack. Rather than trying a number of different passwords, which could set off the account lockout mechanism, we select one password, utilize it, and try to authenticate with every username we have collected. It should be mentioned, though, that because of how many unsuccessful authentication attempts these attacks will produce, they can be identified and detected.

Task Description

You have been provided with a list of usernames discovered during a red team OSINT exercise. The OSINT exercise also indicated the organisation’s initial onboarding password, which seems to be “Changeme123”. Although users should always change their initial password, we know that users often forget. We will be using a custom-developed script to stage a password spraying against the web application hosted at this URL: http://ntlmauth.za.tryhackme.com.

If you are using the AttackBox, the password spraying script and usernames textfile is provided under the /root/Rooms/BreachingAD/task3/ directory. We can run the script using the following command:

python ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>

We provide the following values for each of the parameters:

  • <userfile> – Textfile containing our usernames – “usernames.txt”
  • <fqdn> – Fully qualified domain name associated with the organisation that we are attacking – “za.tryhackme.com”
  • <password> – The password we want to use for our spraying attack – “Changeme123”
  • <attackurl> – The URL of the application that supports Windows Authentication – “http://ntlmauth.za.tryhackme.com”

LDAP Pass-back Attack

NTLM authentication and LDAP authentication are comparable. On the other hand, the program authenticates the user’s credentials directly while using LDAP authentication. The program can query LDAP using its pair of AD credentials before confirming the credentials of the AD user.

Below services are example of services that use LDAP authentication

  • Gitlab
  • Jenkins
  • Custom-developed web applications
  • Printers
  • VPNs

If you could gain a foothold on the correct host, such as a Gitlab server, it might be as simple as reading the configuration files to recover these AD credentials. These credentials are often stored in plain text in configuration files since the security model relies on keeping the location and storage configuration file secure rather than its contents.

LDAP Pass-back attacks can be performed when we gain access to a device’s configuration where the LDAP parameters are specified. This can be, for example, the web interface of a network printer. Usually, the credentials for these interfaces are kept to the default ones, such as admin:admin or admin:password.

Here, we won’t be able to directly extract the LDAP credentials since the password is usually hidden. However, we can alter the LDAP configuration, such as the IP or hostname of the LDAP server.


In an LDAP Pass-back attack, we can modify this IP to our IP and then test the LDAP configuration, which will force the device to attempt LDAP authentication to our rogue device. We can intercept this authentication attempt to recover the LDAP credentials.

Task Description

There is a network printer in this network where the administration website does not even require credentials. Navigate to http://printer.za.tryhackme.com/settings.aspx to find the settings page of the printer.

You can follow through with the room to execute this task’s commands and get the answers shown below.

Understanding Server Message Block (SMB)

Clients (like workstations) and servers (like file shares) can communicate with each other over the Server Message Block (SMB) protocol. SMB controls everything in networks that make use of Microsoft AD, including remote administration and file sharing across networks. The SMB protocol is even responsible for the “out of paper” notification that appears on your computer when you attempt to print a document.

Nevertheless, it was determined that earlier iterations of the SMB protocol lacked adequate security. Numerous flaws and exploits that might be used to obtain code execution on devices or even retrieve credentials were found. Despite the fact that some of these vulnerabilities have been fixed in more recent protocol versions, organizations frequently do not mandate the use of these versions because outdated systems do not support them. We’ll examine two distinct attacks for SMB-based NetNTLM authentication:

  • Since the NTLM Challenges can be intercepted, we can use offline cracking techniques to recover the password associated with the NTLM Challenge. However, this cracking process is significantly slower than cracking NTLM hashes directly.
  • We can use our rogue device to stage a man in the middle attack, relaying the SMB authentication between the client and server, which will provide us with an active authenticated session and access to the target server.

Attacking Microsoft Deployment Toolkit

One Microsoft service that helps with automating the deployment of Microsoft Operating Systems (OS) is Microsoft Deployment Toolkit (MDT). Since base images can be updated and maintained centrally, large organizations employ services like MDT to help deploy new images in their estate more efficiently.

The System Center Configuration Manager (SCCM) from Microsoft, which controls all updates for all Microsoft services, operating systems, and apps, is typically connected with MDT. For fresh deployments, MDT is employed. In essence, it enables boot image preconfiguration and management for the IT staff. As a result, all users have to do to configure a new system is plug in a network wire; the rest happens on its own. They have the ability to modify the boot image in a number of ways, including pre-installing Office 365 and the preferred antivirus program for the company. Additionally, it may guarantee that the first installation to run uses the upgraded build.

One may consider SCCM to be MDT’s older brother and practically an extension of it. After the software is installed, what happens to it? In any case, SCCM handles this kind of patching. It enables all software installed throughout the estate to have its available upgrades reviewed by the IT team. Prior to centrally delivering these changes to every machine that has joined the domain, the team can additionally test them in a sandbox setting to make sure they are reliable. The IT team’s life is much made easier by it.

On the other hand, attackers may target anything that offers central management of infrastructure, such MDT and SCCM, in an effort to seize control of significant amounts of vital tasks within the estate. While there are other ways to setup MDT, for the sake of this job, we will only be focusing on a configuration known as Preboot Execution Environment (PXE) boot.

PXE boot is used by large organizations to enable new devices connected to the network to load and install the operating system directly over a network connection. PXE boot images can be created, managed, and hosted using MDT. Since PXE boot is typically integrated with DHCP, the host is permitted to request the PXE boot image and begin the network operating system installation procedure if DHCP grants an IP lease.

After the procedure is finished, the client will download the PXE boot image over a TFTP connection. The PXE boot image can be used for two distinct purposes:

After the PXE boot is finished, inject a privilege escalation vector, like a Local Administrator account, to obtain Administrative access to the OS.
Use password scraping techniques to obtain the AD credentials that were used for the installation.

Task Description

The first piece of information regarding the PXE Boot preconfigure you would have received via DHCP is the IP of the MDT server. In our case, you can recover that information from the TryHackMe network diagram.

The second piece of information you would have received was the names of the BCD files. These files store the information relevant to PXE Boots for the different types of architecture. To retrieve this information, you will need to connect to this website: http://pxeboot.za.tryhackme.com. It will list various BCD files:

Usually, you would use TFTP to request each of these BCD files and enumerate the configuration for all of them. However, in the interest of time, we will focus on the BCD file of the x64 architecture. Copy and store the full name of this file. For the rest of this exercise, we will be using this name placeholder x64{7B...B3}.bcd since the files and their names are regenerated by MDT every day. Each time you see this placeholder, remember to replace it with your specific BCD filename. Note as well that if the network has just started, these file names will only update after 10 mintes of the network being active.

With this initial information now recovered from DHCP (wink wink), we can enumerate and retrieve the PXE Boot image. We will be using our SSH connection on THMJMP1 for the next couple of steps, so please authenticate to this SSH session using the following:

ssh thm@THMJMP1.za.tryhackme.com

and the password of Password1@.

Follow along with the room’s instructions so that you get the answers shown below

Harvesting Active Directory Credentials from Config Files

 Suppose you were lucky enough to cause a breach that gave you access to a host on the organisation’s network.
 In that case, configuration files are an excellent avenue to explore in an attempt to recover AD credentials.
 
Below configuration files usually contain many AD credentials.

  • Web application config files
  • Service configuration files
  • Registry keys
  • Centrally deployed applications

For example, McAfee embeds the credentials used during installation to connect back to the orchestrator in a file called ma.db. This database file can be retrieved and read with local access to the host to recover the associated AD service account and with below command we can open the database file

sqlitebrowser ma.db

Understanding Active Directory Lateral Movement

Simply put, lateral movement is the group of techniques used by attackers to move around a network. Once an attacker has gained access to the first machine of a network, moving is essential for many reasons, including the following: – Reaching our goals as attackers – Bypassing network restrictions in place – Establishing additional points of entry to the network – Creating confusion and avoid detection.

While many cyber kill chains reference lateral movement as an additional step on a linear process, it is actually part of a cycle. During this cycle, we use any available credentials to perform lateral movement, giving us access to new machines where we elevate privileges and extract credentials if possible. With the newfound credentials, the cycle starts again.

Room Answers | TryHackMe Breaching Active Directory

HWhat popular website can be used to verify if your email address or password has ever been exposed in a publicly disclosed data breach?

HaveIBeenPwned

What are the status of the agents mWhat is the name of the challenge-response authentication mechanism that uses NTLM?

NetNtlm

What is the username of the third valid credential pair found by the password spraying script?

Gordon.Stevens

How many valid credentials pairs were found by the password spraying script?

4

What is the message displayed by the web application when authenticating with a valid credential pair?

Hello World

What type of attack can be performed against LDAP Authentication systems not commonly found against Windows Authentication systems?

LDAP Pass-back attack

What application do we use on LinuWhat two authentication mechanisms do we allow on our rogue LDAP server to downgrade the authentication and make it clear text?

LOGIN,PLAIN

WWhat is the password associated with the svcLDAP account?

Tryhackmeldappass1@

WhaWhat is the name of the tool we can use to poison and capture authentication requests on the network?

Responder

What is the username associated with the challenge that was captured?

svcFileCopy

What is the value of the cracked password associated with the challenge that was captured?

FPassword1!

What Microsoft tool is used to create and host PXE Boot images in organisations?

Microsoft Deployment Toolkit

What network protocol is used for recovery of files from the MDT server?

TFTP

What is the username associated with the account that was stored in the PXE Boot image?

svcMDT

What is the password associated with the account that was stored in the PXE Boot image?

PXEBootSecure1@

What type of files often contain stored credentials on hosts?

configuration files

What is the name of the McAfee database that stores configuration including credentials used to connect to the orchestrator?

ma.db

What table in this database stores the credentials of the orchestrator?

AGENT_REPOSITORIES

What is the username of the AD account associated with the McAfee service?

What is the username of the AD account associated with the McAfee service?

svcAV

What is the password of the AD account associated with the McAfee service?

What is the password of the AD account associated with the McAfee service?

MyStrongPassword!

Room Answers | TryHackMe Enumerating Active Directory

What native Windows binary allows us to inject credentials legitimately into memory?

runas.exe

What parameter option of the runas binary will ensure that the injected credentials are used for all network connections?

/netonly

What network folder on a domain controller is accessible by any authenticated AD account and stores GPO information?

SYSVOL

When performing dir \\za.tryhackme.com\SYSVOL, what type of authentication is performed by default?

Kerberos Authentication

How many Computer objects are part of the Servers OU?

2

How many Computer objects are part of the Workstations OU?

1

How many departments (Organisational Units) does this organisation consist of?

7

How many Admin tiers does this organisation have?

3

What is the value of the flag stored in the description attribute of the t0_tinus.green account?

THM{Enumerating.Via.MMC}

Apart from the Domain Users group, what other group is the aaron.harris account a member of?

Internet Access

Is the Guest account active? (Yay,Nay)

Nay

How many accounts are a member of the Tier 1 Admins group?

7

What is the account lockout duration of the current password policy in minutes?

30

What is the value of the Title attribute of Beth Nolan (beth.nolan)?

Senior

What is the value of the DistinguishedName attribute of Annette Manning (annette.manning)?

CN=annette.manning,OU=Marketing,OU=People,DC=za,DC=tryhackme,DC=com

When was the Tier 2 Admins group created?

2/24/2022 10:04:41 PM

What is the value of the SID attribute of the Enterprise Admins group?

S-1-5-21-3330634377-1326264276-632209373-519

Which container is used to store deleted AD objects?

CN=Deleted Objects,DC=za,DC=tryhackme,DC=com

What command can be used to execute Sharphound.exe and request that it recovers Session information only from the za.tryhackme.com domain without touching domain controllers?

Sharphound.exe –CollectionMethods Session –Domain za.tryhackme.com –ExcludeDCs

Apart from the krbtgt account, how many other accounts are potentially kerberoastable?

4

How many machines do members of the Tier 1 Admins group have administrative access to?

2

How many users are members of the Tier 2 Admins group?

Room Answers | TryHackMe Lateral Movement and Pivoting

After running the “flag.exe” file on t1_leonard.summers desktop on THMIIS, what is the flag?

THM{MOVING_WITH_SERVICES}

After running the “flag.exe” file on t1_corine.waters desktop on THMIIS, what is the flag?

THM{MOVING_WITH_WMI_4_FUN}

What is the flag obtained from executing “flag.exe” on t1_toby.beck’s desktop on THMIIS?

THM{NO_PASSWORD_NEEDED}

What flag did you get from hijacking t1_toby.beck’s session on THMJMP2?

THM{NICE_WALLPAPER}

What is the flag obtained from executing “flag.exe” on t1_thomas.moore’s desktop on THMIIS?

THM{SIGHT_BEYOND_SIGHT}

What is the flag obtained using the Rejetto HFS exploit on THMDC?

THM{FORWARDING_IT_ALL}

Room Answers | TryHackMe Exploiting Active Directory

Which ACE would allow you to update any non-protected parameter of a target object?

GenericWrite

What is the value of the flag stored on the Desktop of the Administrator user on THMWRK1 (flag1.txt)?

THM{Permission.Delegation.FTW!}

Which Kerberos Delegation type allows for delegation of all services?

Unconstrained Delegation

Which Kerberos Delegation type allows the service to specify who is allowed to delegate to it?

Resource-Based Constrained Delegation

Which Constrained Delegation service allows access to the file system of the system via delegation?

CIFS

What is the value of the flag stored in the Desktop directory of the Administrator user on THMSERVER1 (flag2.txt)?

THM{Constrained.Delegation.Can.Be.Very.Bad}

How often (in days) are the passwords of Windows machine accounts rotated by default?

30

What should not be enforced if we want to relay an SMB authentication attempt?

SMB Signing

What is the value of the flag stored in the Desktop directory of the Administrator.ZA user on THMSERVER1 (flag3.txt)?

THM{Printing.Some.Shellz}

What application is used to open the kdbx credential database?

Keepass

What meterpreter command do we use to move from SYSTEM to user context?

migrate

What is the password of the credential database?

Imreallysurenoonewillguessmypassword

What is the value of the flag stored in the credential database?

THM{AD.Users.Can.Give.Up.Good.Secrets}

What object allows users to configure Windows policies?

Group Policy Object

What AD feature allows us to configure GPOs for the entire AD structure?

Group Policy Management

What is the name of the GPO that our compromised AD account owns?

Management Server Pushes

What is the value of the flag stored on THMSERVER2 in the Administrator’s Desktop directory (flag4.txt)?

THM{Exploiting.GPOs.For.Fun.And.Profit}

What does the user create to ask the CA for a certificate?

Certificate Signing Request

What is the name of Microsoft’s PKI implementation?

Active Directory Certificate Services

What is the value of the flag stored on THMDC in the Administrator’s Desktop directory (flag5.txt)?

THM{AD.Certs.Can.Get.You.DA}

What domain trust relationship is by default configured between a parent and a child domain?

Bidirectional Trust

What is the name of the AD account used by the KDC to encrypt and sign TGTs?

KRBTGT

What is the name of the TGT that grants access to resources outside of our current domain?

Inter-Realm TGT

What is the value of the flag stored on THMROOTDC in the Administrator’s Desktop folder (flag6.txt)?

THM{Full.EA.Compromise}

Room Answers | TryHackMe Persisting Active Directory

What is the Mimikatz command to perform a DCSync for the username of test on the za.tryhackme.loc domain?

lsadump::dcsync /domain:za.tryhackme.loc /user:test

What is the NTLM hash associated with the krbtgt user?

16f9af38fca3ada405386b3b57366082

Which AD account’s NTLM hash is used to sign Kerberos tickets?

krbtgt

What is the name of a ticket that impersonates a legitimate TGT?

Golden ticket

What is the name of a ticket that impersonates a legitimate TGS?

Silver ticket

What is the default lifetime (in years) of a golden ticket generated by Mimikatz?

10

What key is used to sign certificates to prove their authenticity?

private key

What application can we use to forge a certificate if we have the CA certificate and private key?

ForgeCert.exe

What is the Mimikatz command to pass a ticket from a file with the name of ticket.kirbi?

kerberos::ptt ticket.kirbi

What AD object attribute is normally used to specify SIDs from the object’s previous domain to allow seamless migration to a new domain?

SIDHistory

What is the database file on the domain controller that stores all AD information?

ntds.dit

What is the PowerShell command to restart the ntds service after we injected our SID history values?

Start-Service -Name ntds

What is the term used to describe AD groups that are members of other AD groups?

Group Nesting

What is the command to add a new member, thmtest, to the AD group, thmgroup?

Add-ADGroupMember -Identity “thmgroup” -Members “thmtest”

What AD group’s ACLs are used as a template for the ACLs of all Protected Groups?

AdminSDHolder

What AD service updates the ACLs of all Protected Groups to match that of the template?

SDProp

What ACL permission allows the user to perform any action on the AD object?

Full Control

What MMC snap-in can be used to manage GPOs?

Group Policy Management

What sub-GPO is used to grant users and groups access to local groups on the hosts that the GPO applies to?

Restricted Groups

What tab is used to modify the security permissions that users and groups have on the GPO?

Delegation

Room Answers | TryHackMe Credentials Harvesting

Using the “reg query” command, search for the value of the “flag” keyword in the Windows registry?

7tyh4ckm3

Enumerate the AD environment we provided. What is the password of the victim user found in the description section?

Passw0rd!@#

Follow the technique discussed in this task to dump the content of the SAM database file. What is the NTLM hash for the Administrator account?

98d3a787a80d08385cea7fb4aa2a4261

Is the LSA protection enabled? (Y|N)

Y

Apply the technique for extracting clear-text passwords from Windows Credential Manager. What is the password of the THMuser for internal-app.thm.red?

E4syPassw0rd

Use Mimikatz to memory dump the credentials for the 10.10.237.226 SMB share which is stored in the Windows Credential vault. What is the password?

jfxKruLkkxoPjwe3

Run cmd.exe under thm-local user via runas and read the flag in “c:\Users\thm-local\Saved Games\flag.txt”. What is the flag?

THM{RunA5S4veCr3ds}

Apply the technique discussed in this task to dump the NTDS file locally and extract hashes. What is the target system bootkey value? Note: Use thm.red/thm as an Active Directory user since it has administrator privileges!

0x36c8d26ec0df8b23ce63bcefa6e2d821

What is the clear-text password for the bk-admin username?

Passw0rd123

Which group has ExtendedRightHolder and is able to read the LAPS password?

LAPsReader

Follow the technique discussed in this task to get the LAPS password. What is the LAPs Password for Creds-Harvestin computer?

Follow the technique discussed in this task to get the LAPS password. What is the LAPs Password for Creds-Harvestin computer?

THMLAPSPassw0rd

Which user is able to read LAPS passwords?

bk-admin

Enumerate for SPN users using the Impacket GetUserSPNs script. What is the Service Principal Name for the Domain Controller?

svc-thm

After finding the SPN account from the previous question, perform the Kerberoasting attack to grab the TGS ticket and crack it. What is the password?

Passw0rd1

Free Active Directory Penetration Testing Training

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles