Active Directory Basics WriteUp – TryHackMe

In this article, I tried to prepare a write-up for the “Active Directory Basics” room on TryHackMe.

[Task 1] Introduction

Active Directory is the directory service for Windows Domain Networks. It is used by many of today’s top companies, and understanding it is a vital skill when attacking Windows.

#1 I understand what Active Directory is and why it is used.

ANSWER: No answer needed

[Task 2] Physical Active Directory

#1 What database does the AD DS contain?

AD DS contains NTDS.dit, a database that holds all of the information of an Active Directory domain controller as well as password hashes for domain users.


#2 Where is the NTDS.dit stored?

NTDS.dit is stored by default in %SystemRoot%\NTDS.

ANSWER: %SystemRoot%\NTDS

#3 What type of machine can be a domain controller?

A domain controller is a Windows server that has Active Directory Domain Services (AD DS) installed and has been promoted to a domain controller in the forest. 

ANSWER: Windows Server

[Task 3] The Forest

#1 What is the term for a hierarchy of domains in a network?

Trees: A hierarchy of domains in Active Directory Domain Services.


#2 What is the term for the rules for object creation?

Domain Schema: Rules for object creation.

ANSWER: Domain Schema

#3 What is the term for containers for groups, computers, users, printers, and other OUs?

Organizational Units: Containers for groups, computers, users, printers, and other OUs.

ANSWER: Organizational Units

[Task 4] Users + Groups

#1 Which type of groups specify user permissions?

Security Groups: These groups are used to specify permissions for a large number of users.

ANSWER: Security Groups

#2 Which group contains all workstations and servers joined to the domain?

Domain Computers: All workstations and servers joined to the domain.

ANSWER: Domain Computers

#3 Which group can publish certificates to the directory?

Cert Publishers: Members of this group are permitted to publish certificates to the directory.

ANSWER: Cert Publishers

#4 Which user can make changes to a local machine but not to a domain controller?

Local Administrators: These users can make changes to local machines as an administrator and may even be able to control other normal users, but they cannot access the domain controller.

ANSWER: Local Administrators

#5 Which group has their passwords replicated to read-only domain controllers?

Allowed RODC Password Replication Group: Members in this group can have their passwords replicated to all read-only domain controllers in the domain.

ANSWER: Allowed RODC Password Replication Group

[Task 5] Trusts + Policies

#1 What type of trust flows from a trusting domain to a trusted domain?

Directional: The direction of the trust flows from a trusting domain to a trusted domain.

ANSWER: Directional

#2 What type of trusts expands to include other trusted domains?

Transitive: The trust relationship expands beyond just two domains to include other trusted domains.

ANSWER: Transitive

[Task 6] Active Directory Domain Services + Authentication

#1 What type of authentication uses tickets? 

Kerberos: The default authentication service for Active Directory uses ticket-granting tickets and service tickets to authenticate users and give users access to other resources across the domain.

ANSWER: Kerberos

#2 What domain service can create, validate, and revoke public key certificates?

Certificate Services: Allows the domain controller to create, validate, and revoke public key certificates.

ANSWER: Certificate Services

[Task 7] AD in the Cloud

#1 What is the Azure AD equivalent of LDAP?


#2 What is the Azure AD equivalent of Domains and Forests?

ANSWER: Tenants

#3 What is the Windows Server AD equivalent of Guests?

ANSWER: Trusts

[Task 8] Hands-On Lab

I connected to the machine over SSH.

#1 Deploy the Machine

ANSWER: No answer needed

#2 What is the name of the Windows 10 operating system?

I used this command:

Get-NetComputer -fulldata | select operatingsystem

You can see the answer.

ANSWER: Windows 10 Enterprise Evaluation

#3 What is the second “Admin” name?

I used this command:

Get-NetUser | select cn

You can see the answer in this picture.

ANSWER: Admin2

#4 Which group has a capital “V” in the group name?

I used this command:

net localgroup

You can see the answer in the picture:

ANSWER: Hyper-V Administrators

#5 When was the password last set for the SQLService user?

You can use this command:

Get-ADUser -identity SQLService -properties *

You can see the answer in the second image.

ANSWER: 5/13/2020 8:26:58 PM
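
Question #5 reads PasswordLastSet for one account; the same property can be audited across many accounts to find long-lived service-account passwords. This is an added example, not part of the room or the original write-up: the function name Get-PasswordAgeReport, the 365-day threshold, and the sample objects (the SPN, Admin2's date and the "newuser" account) are assumptions constructed for illustration.

```powershell
function Get-PasswordAgeReport {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-ADUser output:
        # SamAccountName, PasswordLastSet, ServicePrincipalName.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        [int]$MaxAgeDays = 365,        # assumed policy threshold
        [datetime]$Now = (Get-Date)
    )
    process {
        # An account with at least one SPN is treated as a service account.
        $spns = @($User.ServicePrincipalName | Where-Object { $_ })
        $isService = $spns.Count -gt 0

        if ($null -eq $User.PasswordLastSet) {
            # Get-ADUser leaves PasswordLastSet empty when pwdLastSet is 0
            # (password never set, or must change at next logon).
            $age = $null
            $finding = 'No password-set time recorded'
        } else {
            $age = [int][math]::Floor(($Now - $User.PasswordLastSet).TotalDays)
            if ($age -le $MaxAgeDays) { $finding = 'OK' }
            elseif ($isService)       { $finding = 'Stale service-account password' }
            else                      { $finding = 'Stale password' }
        }

        [pscustomobject]@{
            Account          = $User.SamAccountName
            IsServiceAccount = $isService
            PasswordLastSet  = $User.PasswordLastSet
            AgeDays          = $age
            Finding          = $finding
        }
    }
}

# Constructed sample input; only SQLService's timestamp comes from the write-up.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'SQLService'; PasswordLastSet = [datetime]'2020-05-13T20:26:58'; ServicePrincipalName = @('MSSQLSvc/sql.example.test:1433') }
    [pscustomobject]@{ SamAccountName = 'Admin2'; PasswordLastSet = (Get-Date).AddDays(-30); ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'newuser'; PasswordLastSet = $null; ServicePrincipalName = @() }
)
$sample | Get-PasswordAgeReport | Format-Table -AutoSize

# On a domain-joined host with the ActiveDirectory module:
# Get-ADUser -Filter * -Properties PasswordLastSet, ServicePrincipalName | Get-PasswordAgeReport
```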

[Task 9] Conclusion

ANSWER: No answer needed

So far, I have tried to explain the solutions to the questions in as much detail as I can. I hope it helped you. See you in my next write-up.

