A few commands that could come in handy in the near future. This might just be a skills assessment, but they are useful once we filter out the good and the bad and organize them into a better payload.
Find the one user who has a useraccountcontrol attribute equivalent to 262656.
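The value 262656 is a bit mask, not an opaque number: 262656 = 0x40200 = NORMAL_ACCOUNT (0x200) + SMARTCARD_REQUIRED (0x40000). The following is an added example (not part of the original notes) that decodes any userAccountControl value into its flag names using the values from the Microsoft documentation, then shows both an exact-value query and a bitwise query that catches the flag regardless of what else is set. It assumes the ActiveDirectory module is loaded and the caller can read user objects.

```powershell
# Added example (not from the original notes): decode userAccountControl flags and query by them.
# Flag values are the documented userAccountControl bits; assumes the ActiveDirectory module is loaded.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000
}

function ConvertFrom-UserAccountControl {
    # Returns the names of every flag whose bit is set in $Value
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# 262656 = 0x40200 -> NORMAL_ACCOUNT, SMARTCARD_REQUIRED
ConvertFrom-UserAccountControl -Value 262656

# Exact-value match, which is what the question asks for
Get-ADUser -Filter 'userAccountControl -eq 262656' -Properties userAccountControl |
    Select-Object SamAccountName, userAccountControl

# Bitwise match: every user with SMARTCARD_REQUIRED set, whatever the other bits are.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; the same query with
# 4194304 (DONT_REQ_PREAUTH) lists accounts that skip Kerberos pre-authentication.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=262144)' -Properties userAccountControl |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Flags          = (ConvertFrom-UserAccountControl -Value $_.userAccountControl) -join ','
        }
    }
```

The bitwise form is the one to keep for routine auditing: an account that is disabled or has a non-expiring password in addition to the flag of interest would be missed by the exact-value query.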
Who is a part of this group through nested group membership?
function Get-NestedGroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        # Groups already expanded; stops circular nesting (A in B, B in A) from recursing forever
        [System.Collections.Generic.HashSet[string]]$Visited = [System.Collections.Generic.HashSet[string]]::new()
    )
    $group = Get-ADGroup -Filter { Name -eq $GroupName }
    if ($null -eq $group) {
        Write-Host "Group '$GroupName' not found."
        return
    }
    # HashSet.Add returns $false when the DN is already present
    if (-not $Visited.Add($group.DistinguishedName)) {
        Write-Host "Already expanded: $($group.Name) (circular nesting)"
        return
    }
    $members = Get-ADGroupMember -Identity $group.DistinguishedName
    foreach ($member in $members) {
        if ($member.objectClass -eq "group") {
            Write-Host "Nested Group: $($member.Name)"
            Get-NestedGroupMembers -GroupName $member.Name -Visited $Visited
        } else {
            # Members can be users or computers, so label them by objectClass
            Write-Host "$($member.objectClass): $($member.SamAccountName)"
        }
    }
}
# Specify the group name you're interested in
$groupName = "Server Technicians"
# Get the Server Technicians group and its nested members
Write-Host "Checking Nested Group Memberships for: $groupName"
Get-NestedGroupMembers -GroupName $groupName
Find out nested groups
# Uses the Get-NestedGroupMembers function defined above.
# Get every group that is itself a member of another group (MemberOf populated) and expand its membership
$groups = Get-ADGroup -Filter * -Properties MemberOf | Where-Object { $_.MemberOf.Count -gt 0 } | Select-Object Name, MemberOf
foreach ($group in $groups) {
    Write-Host "Group: $($group.Name)"
    Get-NestedGroupMembers -GroupName $group.Name
    Write-Host ""
}
How many users are in the Former Employees OU?
#Find Former Employees
# Search for the "Former Employees" OU
$ou = Get-ADOrganizationalUnit -Filter { Name -eq "Former Employees" }
# $null on the left so the comparison is not turned into a filter if several OUs come back
if ($null -eq $ou) {
    Write-Host "OU 'Former Employees' not found."
} else {
    # Display the DistinguishedName of the "Former Employees" OU
    Write-Host "DistinguishedName of 'Former Employees' OU: $($ou.DistinguishedName)"
}
#SPECIFIC SEARCH FOR Former Employees
# Search for the "Former Employees" OU
$ou = Get-ADOrganizationalUnit -Filter { Name -eq "Former Employees" }
if ($null -eq $ou) {
    Write-Host "OU 'Former Employees' not found."
} else {
    $ouDistinguishedName = $ou.DistinguishedName
    Write-Host "DistinguishedName of 'Former Employees' OU: $ouDistinguishedName"
    # Get the users in the OU. The default -SearchScope is Subtree, so users in child OUs
    # are counted as well; add -SearchScope OneLevel to count only direct children.
    # @() forces an array so .Count is right even when zero or one user is returned.
    $users = @(Get-ADUser -Filter * -SearchBase $ouDistinguishedName)
    Write-Host "Number of Users in 'Former Employees' OU: $($users.Count)"
}
What is the name of the computer that starts with RD? (Submit the FQDN in all capital letters)
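The notes give no command for this one. As an added example (not from the original notes), the following looks up computer accounts by name prefix with the ActiveDirectory module and prints the FQDN in capitals, as the question wants; the operating system is included because a prefix search like this is also how you spot unsupported builds during an audit.

```powershell
# Added example (not from the original notes): computers whose name starts with "RD".
# Assumes the ActiveDirectory module is loaded and the caller can read computer objects.
Get-ADComputer -Filter 'Name -like "RD*"' -Properties DNSHostName, OperatingSystem |
    ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            # "$()" guards against a missing DNSHostName, which would otherwise break .ToUpper()
            FQDN            = "$($_.DNSHostName)".ToUpper()
            OperatingSystem = $_.OperatingSystem
        }
    } | Format-Table -AutoSize
```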
How many groups exist where the admincount attribute is set to 1?
# Get groups where the adminCount attribute is set to 1 (objects protected by AdminSDHolder)
# @() forces an array so .Count is right even when zero or one group is returned
$groups = @(Get-ADGroup -Filter { adminCount -eq 1 })
# Display the count of groups
Write-Host "Number of groups with adminCount set to 1: $($groups.Count)"
What is the samaccountname of the one SPN set in the domain?
First find out the SPN
# Specify the username or computer name
$accountName = "mssqlprod" # Replace with the actual username or computer name
# Get the user or computer account
$account = Get-ADObject -Filter { sAMAccountName -eq $accountName } -Properties servicePrincipalName
if ($null -eq $account) {
    Write-Host "Account '$accountName' not found."
} else {
    # servicePrincipalName is multi-valued; an account without SPNs has an empty collection, not $null
    $spns = $account.servicePrincipalName
    if ($spns.Count -eq 0) {
        Write-Host "No SPNs found for the account '$accountName'."
    } else {
        Write-Host "SPNs for the account '$accountName':"
        foreach ($spn in $spns) {
            Write-Host "  $spn"
        }
    }
}
Then enumerate the domain
# Specify the Service Principal Name (SPN)
$spn = "HTTP/server.example.com" # Replace with the SPN you're interested in
# Get the user associated with the SPN (-eq on a multi-valued attribute matches any of its values)
$user = Get-ADUser -Filter { servicePrincipalName -eq $spn } -Properties sAMAccountName
if ($null -eq $user) {
    Write-Host "No user found for the SPN '$spn'."
} else {
    # Display the samAccountName of the user
    Write-Host "samAccountName for SPN '$spn': $($user.sAMAccountName)"
}
# The answer is found here
# Get all user accounts and display their associated SPNs
Get-ADUser -Filter * -Properties servicePrincipalName | Select-Object SamAccountName, servicePrincipalName
# This fetches every user account in Active Directory and shows its SamAccountName with its SPNs.
# A user without SPNs has an empty servicePrincipalName, so the account with a value set stands out.
# Run it with the Active Directory module loaded and with permission to query user objects.
What user could be subjected to an ASREPRoasting attack and is NOT a protected user? (first.last)
# Import PowerView first, then run this command
Get-DomainUser -PreauthNotRequired -Verbose # List accounts that do not require Kerberos pre-authentication, using PowerView
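The same check without PowerView, as an added example that is not part of the original notes: the ActiveDirectory module exposes the DONT_REQ_PREAUTH bit as the DoesNotRequirePreAuth property, and the "NOT a protected user" half of the question is answered by resolving Protected Users membership recursively and marking each hit. It assumes the module is loaded, the caller can read the domain, and the Protected Users group exists (it is absent on domains below the 2012 R2 functional level, hence the -ErrorAction).

```powershell
# Added example (not from the original notes): audit accounts with Kerberos pre-authentication
# disabled and show whether each one is covered by the Protected Users group.
# Assumes the ActiveDirectory module is loaded and read access to the domain.
Import-Module ActiveDirectory

# Distinguished names of everyone in Protected Users, nested membership included
$protectedUsers = Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty DistinguishedName

# DoesNotRequirePreAuth is the module's view of the DONT_REQ_PREAUTH (0x400000) bit
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth, Enabled, userAccountControl |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            Enabled            = $_.Enabled
            UserAccountControl = $_.userAccountControl
            ProtectedUser      = $protectedUsers -contains $_.DistinguishedName
        }
    } | Format-Table -AutoSize
```

Every row of this output is a finding for the defender: pre-authentication should be re-enabled unless a documented application dependency forces the exception, and the Enabled column tells you which ones matter today.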
What non-default privilege does the htb-student user have?
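The notes stop at the question. As an added example (not from the original notes), the block below exports the effective local security policy with secedit and resolves every SID in the [Privilege Rights] section, so each user right can be read next to the accounts and groups that hold it; rights assigned through Group Policy show up here because the export reflects the merged policy on the host. It must run in an elevated PowerShell on the machine whose rights you are checking, and the account name filtered for at the end is the one from the question.

```powershell
# Added example (not from the original notes): list user rights assignment from a secedit export.
# Requires an elevated PowerShell; secedit writes the policy to a temporary .inf file.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null

$inPrivileges = $false
$rights = foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]') {
        # Section header: only the [Privilege Rights] section is of interest
        $inPrivileges = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if ($inPrivileges -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        $right   = $Matches[1]
        $holders = foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                # "*S-1-5-..." entries are SIDs; resolve them to DOMAIN\name where possible
                $sid = $entry.TrimStart('*')
                try {
                    ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch {
                    $sid   # keep the raw SID if it no longer resolves (orphaned account)
                }
            } else {
                $entry     # already a name
            }
        }
        [pscustomobject]@{ Right = $right; AssignedTo = ($holders -join ', ') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Full table first, then just the rights held by the account from the question
$rights | Format-Table -AutoSize
$rights | Where-Object { $_.AssignedTo -match 'htb-student' } | Format-Table -AutoSize
```

The filter at the end only catches rights granted to the account directly; a right granted to a group the account belongs to appears under the group's name, so compare the full table against the account's group memberships (the Get-NestedGroupMembers function earlier in these notes does that on the domain side). For the account you are currently logged on as, `whoami /priv` gives the same answer with less effort.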