https://tryhackme.com/room/adenumeration
Configure DNS by adding THMDC's IP to the DNS settings:
Network Manager > Advanced Network Configuration > Your Connection > IPv4 Settings
Then restart the NetworkManager service so the resolver picks up the change:
sudo systemctl restart NetworkManager
For SSH access, get credentials from http://distributor.za.tryhackme.com/creds, then connect (the doubled backslash yields a single literal backslash in the domain\user form):
ssh za.tryhackme.com\\<AD_Username>@thmjmp1.za.tryhackme.com
This room introduces the built-in Microsoft command-line tool runas.exe.
If we have AD credentials in the format <username>:<password>, we can inject them with runas.exe:
runas.exe /netonly /user:<domain>\<username> cmd.exe
/netonly
- Since we are not domain-joined, we want to load the credentials for network authentication but not authenticate against a domain controller. Commands executed locally on the computer will run in the context of your standard Windows account, but any network connections will occur using the account specified here.
/user
- Here, we provide the domain and the username. It is always a safe bet to use the Fully Qualified Domain Name (FQDN) instead of just the NetBIOS name of the domain, since this helps with resolution.
cmd.exe
- This is the program we want to execute once the credentials are injected. It can be changed to anything, but the safest bet is cmd.exe, since you can then use that to launch whatever you want with the credentials injected.
Once you run this command, you will be prompted to supply a password. Note that since we added the /netonly parameter, the credentials will not be verified directly by a domain controller, so it will accept any password. We still need to confirm that the network credentials are loaded successfully and correctly.
# PowerShell: point the DNS client at the domain controller
$dnsip = "<DC IP>"
# Interface index of the adapter named 'Ethernet'
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
Then view the SYSVOL directory to confirm the injected credentials work.
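As an added example (not part of the room's own material), the DNS configuration above wrapped in a PowerShell function that also verifies, from the shell spawned by runas.exe /netonly, that the domain FQDN resolves through the DC and that the injected credentials can authenticate to the SYSVOL share. The function name, the adapter name 'Ethernet' and the <DC IP> placeholder are assumptions.

```powershell
# Added example: configure the DC as DNS server, then confirm the /netonly
# credentials by an authenticated SMB access to SYSVOL. Run this from
# PowerShell started inside the cmd.exe that runas.exe /netonly spawned.
function Set-LabDnsAndVerify {
    param(
        [Parameter(Mandatory)][string]$DcIp,          # <DC IP> placeholder from the notes
        [string]$Domain      = 'za.tryhackme.com',    # use the FQDN, not the NetBIOS name
        [string]$AdapterName = 'Ethernet'             # assumption: adapter name as in the notes
    )

    # Locate the adapter and point its resolver at the domain controller.
    $index = Get-NetAdapter -Name $AdapterName | Select-Object -ExpandProperty 'ifIndex'
    Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $DcIp

    # 1. Resolution check: the FQDN must resolve via the DC we just configured.
    try {
        $record = Resolve-DnsName -Name $Domain -Server $DcIp -Type A -ErrorAction Stop
        Write-Host "[+] $Domain resolves to $($record.IPAddress -join ', ')"
    } catch {
        Write-Warning "[-] DNS resolution of $Domain failed: $($_.Exception.Message)"
        return $false
    }

    # 2. Credential check: /netonly accepts any password locally, so the only
    #    proof that the credentials are valid is a successful authenticated
    #    network access. Test-Path on the UNC path triggers SMB authentication.
    $sysvol = "\\$Domain\SYSVOL"
    if (Test-Path -Path $sysvol) {
        Write-Host "[+] Authenticated to $sysvol; injected credentials are valid"
        Get-ChildItem -Path $sysvol | Select-Object Name, LastWriteTime
        return $true
    }
    Write-Warning "[-] Cannot access $sysvol; check the username, domain FQDN or password"
    return $false
}

# Usage: Set-LabDnsAndVerify -DcIp '<DC IP>'
```

A $false return after a successful resolution step means the password typed at the runas prompt was wrong, since /netonly never checked it locally.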