HTB LDAP SKILLS ASSESMENT

A few commands that could com in handy in the near future. This might just be a skills assessment however they are useful once we filter out the Good and bad and categorize into a better payload

Find the one user who has a useraccountcontrol attribute equivalent to 262656.

Get-ADUser -Filter {UserAccountControl -eq 262656} -Properties UserAccountControl

Using built-in tools enumerate a user that has the PASSWD_NOTREQD UAC value set.

Get-ADuser -filter 'protected -eq "False"'

What group is the IT Support group nested into?

Get-ADGroup -filter * -Properties MemberOf | Where-Object {$_.MemberOf -ne $null} | Select-Object Name,MemberOf

Who is a part of this group through nested group membership?

function Get-NestedGroupMembers {
    param(
        [string]$GroupName
    )

    $group = Get-ADGroup -Filter { Name -eq $GroupName } -Properties MemberOf

    if ($group -eq $null) {
        Write-Host "Group '$GroupName' not found."
        return
    }

    $members = Get-ADGroupMember -Identity $group.DistinguishedName

    foreach ($member in $members) {
        if ($member.objectClass -eq "group") {
            Write-Host "Nested Group: $($member.Name)"
            Get-NestedGroupMembers -GroupName $member.Name
        } else {
            Write-Host "User: $($member.Name)"
        }
    }
}

# Specify the group name you're interested in
$groupName = "Server Technicians"

# Get the Server Technicians group and its nested members
Write-Host "Checking Nested Group Memberships for: $groupName"
Get-NestedGroupMembers -GroupName $groupName

Find out nested groups

function Get-NestedGroupMembers {
    param(
        [string]$GroupName
    )

    $group = Get-ADGroup -Filter { Name -eq $GroupName } -Properties MemberOf

    if ($group -eq $null) {
        Write-Host "Group '$GroupName' not found."
        return
    }

    $members = Get-ADGroupMember -Identity $group.DistinguishedName

    foreach ($member in $members) {
        if ($member.objectClass -eq "group") {
            Write-Host "Nested Group: $($member.Name)"
            Get-NestedGroupMembers -GroupName $member.Name
        } else {
            Write-Host "User: $($member.Name)"
        }
    }
}

# Get all groups with their direct members
$groups = Get-ADGroup -Filter * -Properties MemberOf | Where-Object { $_.MemberOf -ne $null } | Select-Object Name, MemberOf

foreach ($group in $groups) {
    Write-Host "Group: $($group.Name)"
    Get-NestedGroupMembers -GroupName $group.Name
    Write-Host ""
}

How many users are in the Former Employees OU?

#Find Former Employees
# Search for the "Former Employees" OU
$ou = Get-ADOrganizationalUnit -Filter { Name -eq "Former Employees" }

# Check if the OU is found
if ($ou -eq $null) {
    Write-Host "OU 'Former Employees' not found."
} else {
    # Display the DistinguishedName of the "Former Employees" OU
    Write-Host "DistinguishedName of 'Former Employees' OU: $($ou.DistinguishedName)"
}


#SPECIFIC SEARCH FOR Former Employees
# Search for the "Former Employees" OU
$ou = Get-ADOrganizationalUnit -Filter { Name -eq "Former Employees" }

# Check if the OU is found
if ($ou -eq $null) {
    Write-Host "OU 'Former Employees' not found."
} else {
    # Display the DistinguishedName of 'Former Employees' OU
    $ouDistinguishedName = $ou.DistinguishedName
    Write-Host "DistinguishedName of 'Former Employees' OU: $ouDistinguishedName"

    # Get the users in the 'Former Employees' OU
    $users = Get-ADUser -Filter * -SearchBase $ouDistinguishedName

    # Display the count of users
    Write-Host "Number of Users in 'Former Employees' OU: $($users.Count)"
}

What is the name of the computer that starts with RD? (Submit the FQDN in all capital letters)

Get-ADComputer -Filter {Name -like 'RD*'} -Properties Name | ForEach-Object { "Computer Name: $($_.Name)`nFQDN: $($_.Name).INLANEFREIGHTENUM1.LOCAL`n" }

How many groups exist where the admincount attribute is set to 1?

# Get groups where the adminCount attribute is set to 1
$groups = Get-ADGroup -Filter { adminCount -eq 1 }

# Display the count of groups
Write-Host "Number of groups with adminCount set to 1: $($groups.Count)"

What is the samaccountname of the one SPN set in the domain?

FIRST FIND OUT THE SPN

# Specify the username or computer name
$accountName = "mssqlprod"  # Replace with the actual username or computer name

# Get the user or computer account
$account = Get-ADObject -Filter { sAMAccountName -eq $accountName } -Properties servicePrincipalName

# Check if the account is found
if ($account -eq $null) {
    Write-Host "Account '$accountName' not found."
} else {
    # Display the SPNs associated with the account
    $spns = $account.servicePrincipalName
    if ($spns -eq $null) {
        Write-Host "No SPNs found for the account '$accountName'."
    } else {
        Write-Host "SPNs for the account '$accountName':"
        foreach ($spn in $spns) {
            Write-Host "  $spn"
        }
    }
}



We Enumerate the domain

# Specify the Service Principal Name (SPN)
$spn = "HTTP/server.example.com"  # Replace with the SPN you're interested in

# Get the user associated with the SPN
$user = Get-ADUser -Filter { servicePrincipalName -eq $spn } -Properties sAMAccountName

# Check if the user is found
if ($user -eq $null) {
    Write-Host "No user found for the SPN '$spn'."
} else {
    # Display the samAccountName of the user
    Write-Host "samAccountName for SPN '$spn': $($user.sAMAccountName)"
}

#Answer is found here
# Get all user accounts and display associated SPNs
Get-ADUser -Filter * -Properties servicePrincipalName | Select-Object SamAccountName, servicePrincipalName

#This command fetches all user accounts in Active Directory and displays their SamAccountName along with the associated SPNs. If a user doesn't have any SPNs, the `servicePrincipalName` property will be empty for that user.

#Ensure that you run this command in a PowerShell environment with the Active Directory module loaded and with the necessary permissions to query user information.

What user could be subjected to an ASREPRoasting attack and is NOT a protected user? (first.last)

#Prior to this happening you need to run POWERVIEW then execute this command
Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView

What non-default privilege does the htb-student user have?

Be Admin
run 

whoami /priv