DEV Community

TryHackMe: Active Directory Basics Writeup

Difficulty: Easy | Path: Jr. Penetration Tester


What is Active Directory?

If you are going into pentesting or working in any corporate IT environment, Active Directory is something you absolutely need to understand. Almost every medium to large company runs it. It is basically the backbone of Windows-based networks.

Active Directory (AD) is a service that lets organisations manage all their users, computers, and resources from one central place. Instead of setting up each computer individually, the IT team can control everything from one server called the Domain Controller.

Think of it like this. Imagine a university with thousands of students and staff. Instead of giving each student a separate login for every computer on campus, AD lets them log in with one account from any machine on the network. The Domain Controller handles all of that.


Windows Domains

A Windows domain is a group of users and computers under the administration of a business. The main idea is to centralise management.

Without a domain, if you have 100 computers and you want to change a password policy, you have to go to each machine individually. With a domain, you do it once from the Domain Controller and it applies everywhere.

Where a Windows domain stores its credentials: Active Directory

The server running Active Directory services is called: Domain Controller (DC)


What is Inside Active Directory?

AD stores objects. An object can be anything on the network:

Users are the most common objects. They represent people in the organisation like employees or contractors. Each user gets a single account they use to log into any machine on the domain.

Machines are also objects in AD. Every computer that joins the domain gets its own machine account. You can spot these because the account name ends with a dollar sign, so a computer called TOM-PC would have the machine account TOM-PC$.

Security Groups let you assign permissions to a whole group of users at once instead of one by one. For example if you want 50 people to access a shared folder, you put them all in a group and give the group access rather than setting permissions for each person individually.

The most important default group to know is Domain Admins. Members of this group have admin rights over the entire domain including the Domain Controller itself.


Organisational Units (OUs)

OUs are containers inside AD that you use to organise users, computers, and other objects. They also let you apply Group Policies to specific groups of people.

For example a company might have OUs for each department:

thm.local
├── IT
├── Management
├── Marketing
├── Sales
└── Students

If you want all IT staff to have a different password policy to everyone else, you put them in the IT OU and apply the policy there.

One thing to note: if you try to delete an OU and it fails, go to View > Advanced Features in Active Directory Users and Computers, find the OU, go to its properties, and uncheck "Protect object from accidental deletion". That is on by default.
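As an added example (not part of the original post or the room), this script builds the thm.local OU tree above with the ActiveDirectory PowerShell module and shows the "Protect object from accidental deletion" setting being read and cleared. It assumes the domain is thm.local and that it runs on a Domain Controller or a host with RSAT installed.

```powershell
# Added example, not the room's own code. Assumes domain thm.local and RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

$domainDn = 'DC=thm,DC=local'
$ous      = 'IT', 'Management', 'Marketing', 'Sales', 'Students'

foreach ($name in $ous) {
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $domainDn -SearchScope OneLevel
    if (-not $existing) {
        # New OUs are protected from accidental deletion by default; stated explicitly here.
        New-ADOrganizationalUnit -Name $name -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }
}

# Show the flag on each top-level OU; this is why a plain Remove-ADOrganizationalUnit fails.
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn -SearchScope OneLevel `
    -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion

# The GUI checkbox mentioned in the post is the same setting. Clear it on Students only,
# which is the prerequisite for deleting that OU (the delete itself is left commented out).
Set-ADOrganizationalUnit -Identity "OU=Students,$domainDn" -ProtectedFromAccidentalDeletion $false
# Remove-ADOrganizationalUnit -Identity "OU=Students,$domainDn" -Recursive -Confirm:$false
```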


Delegation

Delegation is where it gets interesting from a security perspective. Instead of giving someone full Domain Admin access just because they need to do one specific task, you can delegate that specific permission to them.

For example, you can give the IT support team the ability to reset passwords for users in the Sales OU without giving them any other admin rights. This is the principle of least privilege in action.

In the room you use Phillip's account to reset Sophie's password via PowerShell:

Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose

And to force Sophie to change her password on next login:

Set-ADUser -ChangePasswordAtLogon $true -Identity sophie -Verbose
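The delegation above only stays "least privilege" if the Sales OU's ACL grants Reset Password to the intended group and nobody else. As an added example (not from the room or the post), this script reads the OU's ACL and lists every principal holding that extended right; it assumes the domain thm.local and the ActiveDirectory module's AD: drive.

```powershell
# Added example, not the room's own code. Assumes domain thm.local and the ActiveDirectory module.
Import-Module ActiveDirectory

$ouDn = 'OU=Sales,DC=thm,DC=local'

# Well-known GUID of the "Reset Password" (User-Force-Change-Password) extended right.
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# An all-zero ObjectType means the ACE covers every extended right (also matched by GenericAll).
$allObjects        = [guid]'00000000-0000-0000-0000-000000000000'
$extendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl = Get-Acl -Path "AD:\$ouDn"

$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        ($_.ObjectType -eq $resetPasswordGuid -or $_.ObjectType -eq $allObjects)
    } |
    Select-Object IdentityReference,
        @{ n = 'Right'; e = { if ($_.ObjectType -eq $allObjects) { 'All extended rights' } else { 'Reset Password' } } },
        IsInherited,
        InheritanceType

# Anything listed beyond the intended IT support group (and the built-in admin groups)
# is excess privilege on this OU and a candidate for removal.
```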

Group Policy Objects (GPOs)

This is what you can see in my screenshots at the top. GPOs are sets of rules that get applied to users or computers in the domain. They are managed through the Group Policy Management tool.

GPOs can do things like:

  • Block access to Control Panel (which is exactly what the BLOCK CP GPO in my screenshot does)
  • Enforce a minimum password length
  • Disable USB ports on all machines
  • Set a desktop wallpaper across the whole company
  • Map network drives automatically on login

GPOs are linked to OUs. So if you link a GPO to the IT OU, it only applies to users and computers in that OU. You can also link a GPO to the whole domain so it applies to everyone.

In the second screenshot you can see how to link an existing GPO to a container: right-click the OU and choose "Link an Existing GPO". The list shows the GPOs already applied to the IT OU along with their precedence order. A higher precedence number means the GPO is processed first, but lower numbers win conflicts, so a GPO with precedence 1 overrides a GPO with precedence 2.


Authentication in Active Directory

There are two main protocols AD uses for authentication and both are worth understanding.

Kerberos

Kerberos is the default and more modern protocol. The process works like this:

  1. You log in and your credentials go to the Domain Controller (specifically the Key Distribution Center, KDC)
  2. The KDC gives you a Ticket Granting Ticket (TGT) which proves who you are
  3. When you want to access a service like a file share, you give the KDC your TGT and ask for a Ticket Granting Service (TGS) for that specific service
  4. The KDC gives you the TGS and you use it to access the service

The important thing here is your password never gets sent across the network after that first login. Everything works through encrypted tickets.

NetNTLM

NetNTLM is the older protocol and still used in some situations. It works as a challenge-response mechanism:

  1. Client sends an authentication request to a server
  2. Server sends back a random number as a challenge
  3. Client combines their NTLM password hash with the challenge and sends it back
  4. Server forwards both to the Domain Controller to verify

NetNTLM is considered weaker than Kerberos and is a common target in attacks like Pass the Hash.
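From the defender's side, the practical question is how much of a domain's traffic still falls back to NetNTLM. As an added example (not from the room or the post), this script groups the last day's successful network logons (Security event 4624) on the local machine by authentication package and lists the NTLM ones, including whether they were NTLMv1 or NTLMv2. It assumes it is run elevated on a Domain Controller or file server with logon auditing enabled, which is the default on DCs.

```powershell
# Added example, not the room's own code. Run elevated on a DC or server with logon auditing on.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
          -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a name -> value table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Network logons (type 3) are where Kerberos vs NTLM matters; skip interactive/service noise.
    if ($data['LogonType'] -ne '3') { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        SourceIp    = $data['IpAddress']
        AuthPackage = $data['AuthenticationPackageName']   # Kerberos, NTLM or Negotiate
        NtlmVersion = $data['LmPackageName']               # 'NTLM V1' / 'NTLM V2' for NTLM, '-' otherwise
    }
}

# Summary: share of network logons per protocol.
$rows | Group-Object AuthPackage | Select-Object Name, Count | Sort-Object Count -Descending

# Detail: the NTLM logons, which are the ones a Pass the Hash attempt would blend into,
# so unexpected source IPs or NTLM V1 entries here are worth following up.
$rows | Where-Object AuthPackage -eq 'NTLM' |
    Select-Object Time, User, SourceIp, NtlmVersion |
    Sort-Object Time -Descending
```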


Trees, Forests and Trusts

As companies grow, they sometimes need multiple domains. AD handles this with trees and forests.

A tree is when you have a root domain with child domains branching off it. For example thm.local could have uk.thm.local and us.thm.local as child domains.

A forest is a collection of multiple trees. If two companies merge they might keep their separate AD trees but join them into a forest.

Trusts are what allow users in one domain to access resources in another. A two-way trust means users from both domains can access each other's resources. A one-way trust only goes in one direction.

From an attacker's perspective, trusts are interesting because if you compromise one domain in a forest, you might be able to pivot to other domains depending on how the trusts are configured.


Final Thoughts

Active Directory is everywhere in the real world. Understanding how it works is not just useful for the blue team, it is essential knowledge for pentesting too. Most AD attacks like Pass the Hash, Kerberoasting, and Golden Ticket attacks only make sense once you understand the fundamentals this room covers.

If you are going for OSCP or any corporate pen-testing work, this is required knowledge.

Furthermore, if you are planning on taking the SEC01, this knowledge is essential in my opinion.


Room link: https://tryhackme.com/room/winadbasics
