tryhackme - Jason’s Feed

TryHackMe | Active Directory Basics

This post is a write-up of the TryHackMe room “Active Directory Basics”. It is rated as an easy room and should take around 30 minutes.

Task 1: Introduction
Task 2: Windows Domains
Task 3: Active Directory
Task 4: Managing Users in AD
Task 5: Managing Computers in AD
Task 6: Group Policies
Task 7: Authentication Methods
Task 8: Trees, Forests and Trusts
Task 9: Conclusion

Task 1: Introduction

Q1: Click and continue learning!

A1: No answer needed.

Task 2: Windows Domains

Q1: In a Windows domain, credentials are stored in a centralised repository called…

Come on man, its the name of the room. We can handle harder questions. This answer is in the 3rd paragraph of the task text.

A1: active directory

Q2: The server in charge of running the Active Directory services is called…

The answer is in the same paragraph as the last answer.

A2: domain controller

TryHackMe – Upload Vulnerabilities

The following write up is posted here to show how I worked through this on the TryHackMe platform to learn how to gain access to a webserver.

Task 1 – Getting Started
Task 2 Introduction
Task 3: General Methodology
Task 4: Overwriting Existing Files
Task 5: Remote Code Execution
Task 6: Filtering
Task 7: Bypassing Client-Side Filtering
Task 8: Bypassing Server-Side Filtering: File Extensions
Task 9: Bypassing Server-Side Filtering: Magic Numbers
Task 10: Example Methodology
Task 11: Challenge
Task 12: Conclusion

Task 1 – Getting Started

Start the VM and make the changes to your hosts file outlined in task 1.

cd ..
cd etc
sudo nano hosts

Copy and paste the information from task 1.

Ctrl-X to exit nano, when prompted hit Y to save then Return to save the file has hosts.

Q1: No Answer Needed.

A1: No Answer Needed.

TryHackMe – Hashing – Crypto 101

This is just Task 5 & 6, because those ones were fun for me. I did this on my own VM of Kali and therefore may be different if you use the TryHackMe attackbox.

Task 5: Password Cracking

First step for me was to look up the wordlist and I’m glad I did, because rockyou was zipped.

I used the following to unzip the file in: /usr/share/wordlists/

sudo gzip -d rockyou.txt.gz

Now that is done we will proceed with the question at hand:

Q1: Crack this hash: $2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG

Let’s put this in a file:

echo '$2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG'> hash.txt

Look at the prefix. This means the hash type is bcrypt. Notice we added the ‘ to the front of the string and we added ‘> to the end of the string. Next, run this command:

john hash.txt --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt

A1: 85208520

This is fun let’s do another…

Q2: Crack this hash: 9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1

Again we put it in a file:

echo '9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1'> hash256.txt

This is sha256 so we need to change the format on our command when we run JohntheRipper on it.

john hash256.txt --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt

Our results look like this:

A2: halloween

Q3: Crack this hash: $6$GQXVvW4EuM$ehD6jWiMsfNorxy5SINsgdlxmAEl3.yif0/c3NqzGLa0P.S7KRDYjycw5bnYkF5ZtB8wQy8KnskuWQS3Yr1wQ0

This one is sha512crypt so we will change our format in the following command, but first we create our file:

echo '$6$GQXVvW4EuM$ehD6jWiMsfNorxy5SINsgdlxmAEl3.yif0/c3NqzGLa0P.S7KRDYjycw5bnYkF5ZtB8wQy8KnskuWQS3Yr1wQ0'> hash512crypt.txt

john hash512crypt.txt --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt

A3: spaceman

Q4: Bored of this yet? Crack this hash: b6b0d451bbf6fed658659a9e7e5598fe

This is Md5, but using rockyou won’t work. The hint says use the internet. So, using https://hashes.com/en/decrypt/hash, we find:

A4: funforyou