Post Compromise - 02 Enumeration | TryHackMe
Task 1 Introduction
Question: What command would you use to start the PowerShell interactive command line?
Answer: powershell.exe
Task 2 Purpose
Question: In SSH key-based authentication, which key does the client need?
Answer: private key
Task 3 Linux Enumeration
user@red-linux-enumeration:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
Question: What is the name of the Linux distribution used in the VM?
Answer: Ubuntu
Question: What is its version number?
Answer: 20.04.4
Question: What is the name of the user who last logged in to the system?
Answer: randa
user@red-linux-enumeration:~$ last
user pts/0 10.11.52.229 Wed Sep 20 14:19 still logged in
reboot system boot 5.4.0-120-generi Wed Sep 20 14:15 still running
reboot system boot 5.4.0-120-generi Mon Jun 20 13:10 - 13:13 (00:02)
randa pts/0 10.20.30.1 Mon Jun 20 11:00 - 11:01 (00:00)
reboot system boot 5.4.0-120-generi Mon Jun 20 09:58 - 11:01 (01:03)
wtmp begins Mon Jun 20 09:58:27 2022
Question: What is the highest listening TCP port number?
Answer: 6667
user@red-linux-enumeration:~$ netstat -lvnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:6667 0.0.0.0:* LISTEN
tcp 0 0 10.10.207.151:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp6 0 0 fe80::df:1eff:fed3:3:53 :::* LISTEN
tcp6 0 0 ::1:53 :::* LISTEN
tcp6 0 0 :::21 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
tcp6 0 0 :::389 :::* LISTEN
Question: What is the program name of the service listening on it?
Answer: inspircd
user@red-linux-enumeration:~$ sudo netstat -lvntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6667 0.0.0.0:* LISTEN 737/inspircd
tcp 0 0 10.10.207.151:53 0.0.0.0:* LISTEN 608/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 608/named
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 582/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 705/sshd: /usr/sbin
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 608/named
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 725/slapd
tcp6 0 0 fe80::df:1eff:fed3:3:53 :::* LISTEN 608/named
tcp6 0 0 ::1:53 :::* LISTEN 608/named
tcp6 0 0 :::21 :::* LISTEN 638/vsftpd
tcp6 0 0 :::22 :::* LISTEN 705/sshd: /usr/sbin
tcp6 0 0 ::1:953 :::* LISTEN 608/named
tcp6 0 0 :::389 :::* LISTEN 725/slapd
Question: There is a script running in the background. Its name starts with THM. What is the name of the script?
Answer: THM-24765.sh
user@red-linux-enumeration:~$ ps aux|grep THM
randa 642 0.0 0.0 2608 600 ? Ss 14:16 0:00 /bin/sh -c /home/randa/THM-24765.sh
randa 644 0.0 0.3 6892 2992 ? S 14:16 0:00 /bin/bash /home/randa/THM-24765.sh
user 2688 0.0 0.0 8160 724 pts/0 S+ 14:30 0:00 grep --color=auto THM
Task 4 Windows Enumeration
On Windows we can look at the system information with the "systeminfo" command:
PS C:\Users\user> systeminfo
Host Name: RED-WIN-ENUM
OS Name: Microsoft Windows Server 2019 Datacenter
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: EC2
Registered Organization: Amazon.com
Product ID: 00430-00000-00000-AA155
Original Install Date: 3/17/2021, 2:59:06 PM
System Boot Time: 9/20/2023, 2:35:24 PM
System Manufacturer: Amazon EC2
System Model: t3a.small
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2200 Mhz
BIOS Version: Amazon EC2 1.0, 10/16/2017
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Coordinated Universal Time
Total Physical Memory: 2,016 MB
Available Physical Memory: 649 MB
Virtual Memory: Max Size: 2,400 MB
Virtual Memory: Available: 1,021 MB
Virtual Memory: In Use: 1,379 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\RED-WIN-ENUM
Hotfix(s): 30 Hotfix(s) Installed.
[01]: KB5015731
[02]: KB4470502
[03]: KB4470788
[04]: KB4480056
[05]: KB4486153
[06]: KB4493510
[07]: KB4499728
[08]: KB4504369
[09]: KB4512577
[10]: KB4512937
[11]: KB4521862
[12]: KB4523204
[13]: KB4535680
[14]: KB4539571
[15]: KB4549947
[16]: KB4558997
[17]: KB4562562
[18]: KB4566424
[19]: KB4570332
[20]: KB4577586
[21]: KB4577667
[22]: KB4587735
[23]: KB4589208
[24]: KB4598480
[25]: KB4601393
[26]: KB5000859
[27]: KB5015811
[28]: KB5012675
[29]: KB5014031
[30]: KB5014797
Network Card(s): 1 NIC(s) Installed.
[01]: Amazon Elastic Network Adapter
Connection Name: Ethernet 3
DHCP Enabled: Yes
DHCP Server: 10.10.0.1
IP address(es)
[01]: 10.10.194.132
[02]: fe80::152e:6067:290:7344
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Question: What is the full OS Name?
Answer: Microsoft Windows Server 2019 Datacenter
Question: What is the OS Version?
Answer: 10.0.17763
Question: How many hotfixes are installed on this MS Windows Server?
Answer: 30
Question: What is the lowest TCP port number listening on the system?
Answer: 22
PS C:\Users\user> netstat -ano -p TCP
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:22 0.0.0.0:0 LISTENING 2088
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 844
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 972
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 492
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1020
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 964
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1912
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 924
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 608
TCP 0.0.0.0:49676 0.0.0.0:0 LISTENING 628
TCP 10.10.194.132:53 0.0.0.0:0 LISTENING 924
TCP 10.10.194.132:139 0.0.0.0:0 LISTENING 4
TCP 10.10.194.132:3389 10.11.52.229:50076 ESTABLISHED 972
TCP 10.10.194.132:49741 20.114.59.183:443 SYN_SENT 4592
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 924
Question: What is the name of the program listening on that port?
Answer: sshd.exe
PS C:\Users\user> tasklist|findstr "2088"
sshd.exe 2088 Services 0 6,932 K
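Both netstat listings above (Linux `netstat -lvntp` and Windows `netstat -ano -p TCP`) answer the same questions: which TCP ports listen, on which address, and which process owns them. The parser below is an added example, not part of the TryHackMe room; its sample input is constructed from the outputs shown above, and its "exposed" flag is a simple heuristic that treats anything not bound to 127.x or ::1 as reachable from off-host.

```python
from typing import List, NamedTuple

# Constructed samples trimmed from the two netstat listings above: Linux
# `netstat -lvntp` (7+ columns) and Windows `netstat -ano -p TCP` (5 columns).
LINUX_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6667 0.0.0.0:* LISTEN 737/inspircd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 705/sshd: /usr/sbin
tcp6 0 0 fe80::df:1eff:fed3:3:53 :::* LISTEN 608/named
tcp6 0 0 :::389 :::* LISTEN 725/slapd
"""
WINDOWS_NETSTAT = """\
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:22 0.0.0.0:0 LISTENING 2088
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 972
TCP 10.10.194.132:3389 10.11.52.229:50076 ESTABLISHED 972
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 924
"""

class Listener(NamedTuple):
    port: int
    address: str
    owner: str     # Linux: "PID/program"; Windows: PID only (resolve via tasklist)
    exposed: bool  # bound to something other than a loopback address

def _is_loopback(host: str) -> bool:
    return host == "::1" or host.startswith("127.")

def parse_listeners(text: str) -> List[Listener]:
    """Listening TCP sockets from either netstat layout, sorted by port."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].lower().startswith("tcp"):
            continue  # banner, column header or blank line
        if len(f) >= 7 and f[5] == "LISTEN":        # Linux columns
            local, owner = f[3], " ".join(f[6:])    # program name may contain spaces
        elif len(f) == 5 and f[3] == "LISTENING":   # Windows columns
            local, owner = f[1], f[4]
        else:
            continue  # ESTABLISHED, SYN_SENT, ... are not listeners
        # The port follows the LAST colon; IPv6 addresses contain more colons.
        host, _, port = local.rpartition(":")
        found.append(Listener(int(port), host, owner, not _is_loopback(host)))
    return sorted(found, key=lambda l: (l.port, l.address))

def exposed(listeners: List[Listener]) -> List[Listener]:
    return [l for l in listeners if l.exposed]  # reachable off-host: review these first
```

On the full outputs above the same code gives 6667/inspircd as the highest Linux listener and 22 (PID 2088, sshd.exe via tasklist) as the lowest Windows one.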
Task 5 DNS, SMB, and SNMP
Question: Knowing that the domain name on the MS Windows Server of IP 10.10.194.132 is redteam.thm, use dig to carry out a domain transfer. What is the flag that you get in the records?
Answer: THM{DNS_ZONE}
❯ dig -t AXFR redteam.thm @10.10.194.132
; <<>> DiG 9.10.6 <<>> -t AXFR redteam.thm @10.10.194.132
;; global options: +cmd
redteam.thm. 3600 IN SOA red-win-enum. hostmaster. 5 900 600 86400 3600
redteam.thm. 3600 IN NS red-win-enum.
first.redteam.thm. 3600 IN A 10.10.254.1
flag.redteam.thm. 3600 IN TXT "THM{DNS_ZONE}"
second.redteam.thm. 3600 IN A 10.10.254.2
tryhackme.redteam.thm. 3600 IN CNAME tryhackme.com.
redteam.thm. 3600 IN SOA red-win-enum. hostmaster. 5 900 600 86400 3600
;; Query time: 259 msec
;; SERVER: 10.10.194.132#53(10.10.194.132)
;; WHEN: Thu Sep 21 00:01:44 CST 2023
;; XFR size: 7 records (messages 1, bytes 295)
Question: What is the name of the share available over SMB protocol and starts with THM?
Answer: THM{829738}
PS C:\Users\user> net share
Share name Resource Remark
-------------------------------------------------------------------------------
C$ C:\ Default share
IPC$ Remote IPC
ADMIN$ C:\Windows Remote Admin
Internal C:\Internal Files Internal Documents
THM{829738} C:\Users\user\Private Enjoy SMB shares
Users C:\Users
The command completed successfully.
Question: Knowing that the community string used by the SNMP service is public, use snmpcheck to collect information about the MS Windows Server of IP 10.10.194.132. What is the location specified?
Answer: THM{SNMP_SERVICE}
Install snmpcheck with the following commands:
git clone https://gitlab.com/kalilinux/packages/snmpcheck.git
cd snmpcheck/
gem install snmp
chmod +x snmpcheck-1.9.rb
❯ ./snmpcheck-1.9.rb 10.10.194.132 -c public
snmpcheck.rb v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 10.10.194.132:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 10.10.194.132
Hostname : RED-WIN-ENUM
Description : Hardware: AMD64 Family 23 Model 1 Stepping 2 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)
Contact : TryHackMe
Location : THM{SNMP_SERVICE}
Uptime snmp : 01:34:58.79
Uptime system : 01:34:42.52
System date : 2023-9-20 16:10:22.3
Domain : WORKGROUP
Task 6 More Tools for Windows
Question: What utility from Sysinternals Suite shows the logged-in users?
Answer: PsLoggedOn