TryHackMe | Active Directory Basics

This post is a write-up of the TryHackMe room “Active Directory Basics”. It is rated as an easy room and should take around 30 minutes.

Task 1: Introduction

Q1: Click and continue learning!

A1: No answer needed.

Task 2: Windows Domains

Q1: In a Windows domain, credentials are stored in a centralised repository called…

Come on man, its the name of the room. We can handle harder questions. This answer is in the 3rd paragraph of the task text.

A1: active directory

Q2: The server in charge of running the Active Directory services is called…

The answer is in the same paragraph as the last answer.

A2: domain controller

Task 3: Active Directory

Q1: Which group normally administrates all computers and resources in a domain?

This answer is in the first row of the table in the task text.

A1: domain admins

Q2: What would be the name of the machine account associated with a machine named TOM-PC?

The answer is in the 5th or 6th paragraph of the text.

For example, a machine named DC01 will have a machine account called DC01$.

TryHackMe | Active Directory Basics


Q3: Suppose our company creates a new department for Quality Assurance. What type of containers should we use to group all Quality Assurance users so that policies can be applied consistently to them?

Suppose we find the answer about midway through the text:

These objects are organised in Organizational Units (OUs) which are container objects that allow you to classify users and machines. OUs are mainly used to define sets of users with similar policing requirements. The people in the Sales department of your organisation are likely to have a different set of policies applied than the people in IT, for example. Keep in mind that a user can only be a part of a single OU at a time.

TryHackMe | Active Directory Basics

A3: organizational unit

Task 4: Managing Users in AD

Q1: What was the flag found on Sophie’s desktop?

Well, well, well. We made it all the way to task 4 without turning on the VM. Time to roll up your sleeves and do some hands on. For some reason this VM didn’t open in split view for me, so remember there is a button at the top of the page where you can “Show SplitView”.

We want to access Sophie’s desktop so we need to set up delegate control on the Sales group, and make phillip, whose password we are given, that control.

When the next window shows up hit next, then Add… and type in phillip, then hit Check Names.

Next window select the following:

Then hit Next and Finish.

Now we switch over to our attack box.

Open freerdp with the following command, use the IP of the target VM not the attackbox.

Command is:

xfreerdp [target machine ip]

Once in we will open powershell. And use the commands the task text gives you.

Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose

Set a new easy to remember password.

Sign Out and logback in via freerpd using user name sophie and the password you just set for her.

Now we have the flag:

A1: THM{thanks_for_contacting_support}

Q2: The process of granting privileges to a user over some OU or other AD Object is called…

Hopefully, you know this since we just did it. This is in the section headed “Delegation” in the task text.

A2: delegation

Task 5: Managing Computers in AD

Q1: After organising the available computers, how many ended up in the Workstations OU?

Go back to task 4 and count the users in the pretty diagram at the top to the task text.

A1: 7

Q2: Is it recommendable to create separate OUs for Servers and Workstations? (yay/nay)

They text says this is part of tidying up so, yes or…

A2: yay

Task 6: Group Policies

Q1: What is the name of the network share used to distribute GPOs to domain machines?

This is in the task text under GPO distribution.

GPOs are distributed to the network via a network share called SYSVOL,

TryHackMe | Active Directory Basics


Q2: Can a GPO be used to apply settings to users and computers? (yay/nay)

Answers in the second paragraph of the text.

A2: yay

Task 7: Authentication Methods

Q1: Will a current version of Windows use NetNTLM as the preferred authentication protocol by default? (yay/nay)

Nay, Kerberos is the default.

A1: nay

Q2: When referring to Kerberos, what type of ticket allows us to request further tickets known as TGS?

The KDC will create and send back a Ticket Granting Ticket (TGT), which will allow the user to request additional tickets to access specific services. The need for a ticket to get more tickets may sound a bit weird, but it allows users to request service tickets without passing their credentials every time they want to connect to a service. Along with the TGT, a Session Key is given to the user, which they will need to generate the following requests.

TryHackMe | Active Directory Basics

Bit of inception there.

A2: ticket granting ticket

Q3: When using NetNTLM, is a user’s password transmitted over the network at any point? (yay/nay)

This one is hidden away in the text as a note:

Note that the user’s password (or hash) is never transmitted through the network for security.

TryHackMe | Active Directory Basics

A3: nay

Task 8: Trees, Forests and Trusts

Q1: What is a group of Windows domains that share the same namespace called?

Answers in the 3rd paragraph.

A1: tree

Q2: What should be configured between two domains for a user in Domain A to access a resource in Domain B?

Answer is just above the question in the Trust Relationships section of the text.

A2: a trust relationship

Task 9: Conclusion

Q1: Click and continue learning!

A1: No answer needed.

One thought on “TryHackMe | Active Directory Basics”

Comments are closed.