# HTB LDAP SKILLS ASSESSMENT

Find the one user who has a useraccountcontrol attribute equivalent to 262656.

```powershell
Get-ADUser -Filter {UserAccountControl -eq 262656} -Properties UserAccountControl
```

Using built-in tools, enumerate a user that has the PASSWD_NOTREQD UAC value set.

```powershell
# PASSWD_NOTREQD is bit 0x20 (32) of userAccountControl; the bitwise-AND matching rule (1.2.840.113556.1.4.803) matches any account with that bit set, whatever other flags it carries
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=32)' -Properties userAccountControl | Select-Object SamAccountName, userAccountControl
```

What group is the IT Support group nested into?

```powershell
Get-ADGroup -filter * -Properties MemberOf | Where-Object {$_.MemberOf -ne $null} | Select-Object Name,MemberOf
```

Who is a part of this group through nested group membership?

```powershell
function Get-NestedGroupMembers {
    param(
        [string]$GroupName,
        # DNs already expanded on this path. AD allows circular nesting, so without this
        # guard the recursion below never terminates.
        [System.Collections.Generic.HashSet[string]]$Visited = [System.Collections.Generic.HashSet[string]]::new()
    )

    $group = Get-ADGroup -Filter { Name -eq $GroupName } -Properties MemberOf

    if ($null -eq $group) {
        Write-Host "Group '$GroupName' not found."
        return
    }
    if (-not $Visited.Add($group.DistinguishedName)) {
        Write-Host "Already expanded: $($group.Name) (circular nesting)"
        return
    }

    $members = Get-ADGroupMember -Identity $group.DistinguishedName

    foreach ($member in $members) {
        if ($member.objectClass -eq "group") {
            Write-Host "Nested Group: $($member.Name)"
            Get-NestedGroupMembers -GroupName $member.Name -Visited $Visited
        } else {
            Write-Host "User: $($member.Name)"
        }
    }
}

# Specify the group name you're interested in
$groupName = "Server Technicians"

# Walk the Server Technicians group and every group nested inside it
Write-Host "Checking Nested Group Memberships for: $groupName"
Get-NestedGroupMembers -GroupName $groupName
```

List every group that is nested into another group, and expand each one:

```powershell
# Reuses the Get-NestedGroupMembers function defined in the previous block

# Groups whose MemberOf attribute is populated are themselves members of another group
$groups = Get-ADGroup -Filter * -Properties MemberOf | Where-Object { $null -ne $_.MemberOf } | Select-Object Name, MemberOf

foreach ($group in $groups) {
    Write-Host "Group: $($group.Name) (nested into: $($group.MemberOf -join '; '))"
    Get-NestedGroupMembers -GroupName $group.Name
    Write-Host ""
}
```
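The three nesting questions above (which group IT Support is nested into, who reaches Server Technicians through nesting, and listing nested groups in general) can each be answered with a single LDAP query by letting the domain controller walk the chain. This is an added example, not code from the original write-up; the OID is the documented LDAP_MATCHING_RULE_IN_CHAIN, and the function names and the escape helper are my own.

```powershell
$InChain = '1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN: transitive membership

function ConvertTo-LdapFilterValue {
    # Escape characters that are special inside an LDAP filter value (RFC 4515),
    # so a DN containing parentheses or asterisks cannot break the filter
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-GroupDn {
    # Resolve a group by name (as the write-up does) and return its filter-safe DN
    param([string]$GroupName)
    $g = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if ($null -eq $g) { throw "Group '$GroupName' not found." }
    ConvertTo-LdapFilterValue $g.DistinguishedName
}

function Get-GroupParentsTransitive {
    # Every group that $GroupName is nested into, directly or through intermediate groups
    param([Parameter(Mandatory)][string]$GroupName)
    $dn = Get-GroupDn $GroupName
    Get-ADGroup -LDAPFilter "(member:${InChain}:=$dn)" | Select-Object Name, DistinguishedName
}

function Get-GroupUsersTransitive {
    # Every user that ends up in $GroupName through any depth of nesting;
    # circular nesting is handled by the DC, so no visited-set is needed here
    param([Parameter(Mandatory)][string]$GroupName)
    $dn = Get-GroupDn $GroupName
    Get-ADUser -LDAPFilter "(&(objectCategory=person)(memberOf:${InChain}:=$dn))" |
        Select-Object SamAccountName, Name
}

Get-GroupParentsTransitive -GroupName 'IT Support'
Get-GroupUsersTransitive   -GroupName 'Server Technicians'
```

The in-chain rule is evaluated server-side and can be slow on very large group trees, so for one-off lab questions it is ideal, while the recursive function above remains useful when you also want to see the intermediate groups printed.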

How many users are in the Former Employees OU?

```powershell
# Search for the "Former Employees" OU
$ou = Get-ADOrganizationalUnit -Filter { Name -eq "Former Employees" }

if ($null -eq $ou) {
    Write-Host "OU 'Former Employees' not found."
} else {
    $ouDistinguishedName = $ou.DistinguishedName
    Write-Host "DistinguishedName of 'Former Employees' OU: $ouDistinguishedName"

    # The default search scope is Subtree, so users in child OUs are counted too;
    # add -SearchScope OneLevel to count only direct children of this OU
    $users = Get-ADUser -Filter * -SearchBase $ouDistinguishedName

    # @() forces an array so .Count is correct even when zero or one user is returned
    Write-Host "Number of Users in 'Former Employees' OU: $(@($users).Count)"
}
```

What is the name of the computer that starts with RD? (Submit the FQDN in all capital letters)

```powershell
# DNSHostName already holds the FQDN, so the domain suffix (INLANEFREIGHTENUM1.LOCAL in this lab) need not be hard-coded
Get-ADComputer -Filter {Name -like 'RD*'} -Properties DNSHostName |
    ForEach-Object { "Computer Name: $($_.Name)`nFQDN: $($_.DNSHostName.ToUpper())`n" }
```

How many groups exist where the admincount attribute is set to 1?

```powershell
# Get groups where the adminCount attribute is set to 1 (objects protected by AdminSDHolder)
$groups = Get-ADGroup -Filter { adminCount -eq 1 }

# @() forces an array so .Count is correct even for a single result
Write-Host "Number of groups with adminCount set to 1: $(@($groups).Count)"
```

What is the samaccountname of the one SPN set in the domain?

First, find out the SPNs registered on a given account:

```powershell
# Specify the username or computer name
$accountName = "mssqlprod"  # Replace with the actual username or computer name

# Get the user or computer account
$account = Get-ADObject -Filter { sAMAccountName -eq $accountName } -Properties servicePrincipalName

if ($null -eq $account) {
    Write-Host "Account '$accountName' not found."
} else {
    # Display the SPNs associated with the account
    $spns = $account.servicePrincipalName
    if (-not $spns) {
        Write-Host "No SPNs found for the account '$accountName'."
    } else {
        Write-Host "SPNs for the account '$accountName':"
        foreach ($spn in $spns) {
            Write-Host "  $spn"
        }
    }
}
```

Then enumerate the domain the other way round, looking up the account that owns a specific SPN:

```powershell
# Specify the Service Principal Name (SPN)
$spn = "HTTP/server.example.com"  # Replace with the SPN you're interested in

# Get the user associated with the SPN
$user = Get-ADUser -Filter { servicePrincipalName -eq $spn } -Properties sAMAccountName

if ($null -eq $user) {
    Write-Host "No user found for the SPN '$spn'."
} else {
    Write-Host "samAccountName for SPN '$spn': $($user.sAMAccountName)"
}
```

The answer is found with this command, which lists every user account that has at least one SPN together with its SamAccountName:

```powershell
Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties servicePrincipalName |
    Select-Object SamAccountName, servicePrincipalName
```

Users without any SPN are filtered out by the `-like "*"` clause; drop the filter to see every account with an empty `servicePrincipalName` column instead. Run this in a PowerShell session with the Active Directory module loaded and with permission to query user objects.

What user could be subjected to an ASREPRoasting attack and is NOT a protected user? (first.last)

```powershell
# PowerView must be loaded in the session before running this command
Get-DomainUser -PreauthNotRequired -Verbose   # List accounts with Kerberos pre-authentication disabled, using PowerView
```
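The SPN and pre-authentication questions above both identify accounts whose Kerberos configuration deserves a defender's attention. The following audit helpers are an added example (not from the original write-up) that answer both with the built-in ActiveDirectory module alone: the function names are my own, `Protected Users` and `msDS-SupportedEncryptionTypes` are standard AD names, and the encryption-type bit values are the documented ones.

```powershell
$Rc4 = 0x4   # msDS-SupportedEncryptionTypes bit for RC4-HMAC (AES128 = 0x8, AES256 = 0x10)

function Get-SpnAccountAudit {
    # User accounts carrying an SPN: report password age and whether RC4 service tickets are still allowed
    Get-ADUser -Filter 'servicePrincipalName -like "*"' `
        -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            $enc = [int]$_.'msDS-SupportedEncryptionTypes'   # unset (0) means RC4 is accepted by default
            $age = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                SPNs            = $_.servicePrincipalName -join '; '
                PasswordAgeDays = $age
                Rc4Allowed      = ($enc -eq 0) -or (($enc -band $Rc4) -ne 0)
            }
        }
}

function Get-PreauthNotRequiredAudit {
    # Accounts with DONT_REQ_PREAUTH set, and whether direct Protected Users membership shields them
    $protectedDn = (Get-ADGroup -Filter "Name -eq 'Protected Users'").DistinguishedName
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties MemberOf |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                ProtectedUser  = [bool]($_.MemberOf -contains $protectedDn)
            }
        }
}

Get-SpnAccountAudit         | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
Get-PreauthNotRequiredAudit | Format-Table -AutoSize

# Remediation for a pre-auth finding: re-enable Kerberos pre-authentication on the account
# Set-ADAccountControl -Identity <SamAccountName> -DoesNotRequirePreAuth $false
```

Accounts that show `Rc4Allowed = True` with an old password, or `ProtectedUser = False` in the second table, are the ones to prioritise for a password rotation, an AES-only encryption setting, or Protected Users membership.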

What non-default privilege does the htb-student user have?

From an elevated (Administrator) prompt, run:

```powershell
whoami /priv
```

