Task 1 Introduction

Question: What command would you use to start the PowerShell interactive command line?
Answer: powershell.exe

Task 2 Purpose

Question: In SSH key-based authentication, which key does the client need?
Answer: private key

Task 3 Linux Enumeration

user@red-linux-enumeration:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Question: What is the name of the Linux distribution used in the VM?
Answer: Ubuntu

Question: What is its version number?
Answer: 20.04.4

Question: What is the name of the user who last logged in to the system?
Answer: randa

user@red-linux-enumeration:~$ last
user     pts/0        10.11.52.229     Wed Sep 20 14:19   still logged in
reboot   system boot  5.4.0-120-generi Wed Sep 20 14:15   still running
reboot   system boot  5.4.0-120-generi Mon Jun 20 13:10 - 13:13  (00:02)
randa    pts/0        10.20.30.1       Mon Jun 20 11:00 - 11:01  (00:00)
reboot   system boot  5.4.0-120-generi Mon Jun 20 09:58 - 11:01  (01:03)

wtmp begins Mon Jun 20 09:58:27 2022

Question: What is the highest listening TCP port number?
Answer: 6667

user@red-linux-enumeration:~$ netstat -lvnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:6667          0.0.0.0:*               LISTEN
tcp        0      0 10.10.207.151:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp6       0      0 fe80::df:1eff:fed3:3:53 :::*                    LISTEN
tcp6       0      0 ::1:53                  :::*                    LISTEN
tcp6       0      0 :::21                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:953                 :::*                    LISTEN
tcp6       0      0 :::389                  :::*                    LISTEN

Question: What is the program name of the service listening on it?
Answer: inspircd

user@red-linux-enumeration:~$ sudo netstat -lvntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6667          0.0.0.0:*               LISTEN      737/inspircd
tcp        0      0 10.10.207.151:53        0.0.0.0:*               LISTEN      608/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      608/named
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      582/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      705/sshd: /usr/sbin
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      608/named
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      725/slapd
tcp6       0      0 fe80::df:1eff:fed3:3:53 :::*                    LISTEN      608/named
tcp6       0      0 ::1:53                  :::*                    LISTEN      608/named
tcp6       0      0 :::21                   :::*                    LISTEN      638/vsftpd
tcp6       0      0 :::22                   :::*                    LISTEN      705/sshd: /usr/sbin
tcp6       0      0 ::1:953                 :::*                    LISTEN      608/named
tcp6       0      0 :::389                  :::*                    LISTEN      725/slapd

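To show how the answers to the two netstat questions fall out of this listing, and what a defender would pull from the same data (which sockets are reachable from the network rather than bound to loopback or link-local only), here is an added Python example that parses the `sudo netstat -lvntp` output above. It is not part of the original writeup; the listing is embedded as a constructed sample.

```python
import re

# Constructed sample: the `sudo netstat -lvntp` listing from the Linux enumeration task.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6667          0.0.0.0:*               LISTEN      737/inspircd
tcp        0      0 10.10.207.151:53        0.0.0.0:*               LISTEN      608/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      608/named
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      582/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      705/sshd: /usr/sbin
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      608/named
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      725/slapd
tcp6       0      0 fe80::df:1eff:fed3:3:53 :::*                    LISTEN      608/named
tcp6       0      0 ::1:53                  :::*                    LISTEN      608/named
tcp6       0      0 :::21                   :::*                    LISTEN      638/vsftpd
tcp6       0      0 :::22                   :::*                    LISTEN      705/sshd: /usr/sbin
tcp6       0      0 ::1:953                 :::*                    LISTEN      608/named
tcp6       0      0 :::389                  :::*                    LISTEN      725/slapd
"""

# One LISTEN row: proto, recv-q, send-q, local addr:port, foreign addr, state, pid/program.
# The greedy \S+ backtracks to the last ':' so IPv6 addresses such as ::1:53 split correctly.
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+|-)/?(.*)$")


def is_local(addr):
    """True for addresses that only the host itself (or its link) can reach."""
    return addr.startswith("127.") or addr == "::1" or addr.startswith("fe80:")


def parse_listeners(text):
    """Return one dict per listening TCP socket; header and non-matching lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, pid, rest = m.groups()
        # "sshd: /usr/sbin" -> "sshd"; a bare "-" means netstat ran without privileges
        program = rest.split()[0].rstrip(":") if rest.strip() else "?"
        sockets.append({"proto": proto, "addr": addr, "port": int(port), "pid": pid, "program": program})
    return sockets


def highest_port(sockets):
    """The room's question: highest listening TCP port and the program behind it."""
    top = max(sockets, key=lambda s: s["port"])
    return top["port"], top["program"]


def exposed_services(sockets):
    """Defender view: deduplicated (port, program) pairs bound to a network-reachable address."""
    return sorted({(s["port"], s["program"]) for s in sockets if not is_local(s["addr"])})
```

Note that inspircd on 6667 is the highest port but is loopback-only, while named on 53 is reachable because it is also bound to the host's 10.10.207.151 address, not just 127.0.0.1.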
Question: There is a script running in the background. Its name starts with THM. What is the name of the script?
Answer: THM-24765.sh

user@red-linux-enumeration:~$ ps aux|grep THM
randa        642  0.0  0.0   2608   600 ?        Ss   14:16   0:00 /bin/sh -c /home/randa/THM-24765.sh
randa        644  0.0  0.3   6892  2992 ?        S    14:16   0:00 /bin/bash /home/randa/THM-24765.sh
user        2688  0.0  0.0   8160   724 pts/0    S+   14:30   0:00 grep --color=auto THM

Task 4 Windows Enumeration

On Windows we can look at the system information with the "systeminfo" command:

PS C:\Users\user> systeminfo

Host Name:                 RED-WIN-ENUM
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          EC2
Registered Organization:   Amazon.com
Product ID:                00430-00000-00000-AA155
Original Install Date:     3/17/2021, 2:59:06 PM
System Boot Time:          9/20/2023, 2:35:24 PM
System Manufacturer:       Amazon EC2
System Model:              t3a.small
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2200 Mhz
BIOS Version:              Amazon EC2 1.0, 10/16/2017
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Coordinated Universal Time
Total Physical Memory:     2,016 MB
Available Physical Memory: 649 MB
Virtual Memory: Max Size:  2,400 MB
Virtual Memory: Available: 1,021 MB
Virtual Memory: In Use:    1,379 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\RED-WIN-ENUM
Hotfix(s):                 30 Hotfix(s) Installed.
                           [01]: KB5015731
                           [02]: KB4470502
                           [03]: KB4470788
                           [04]: KB4480056
                           [05]: KB4486153
                           [06]: KB4493510
                           [07]: KB4499728
                           [08]: KB4504369
                           [09]: KB4512577
                           [10]: KB4512937
                           [11]: KB4521862
                           [12]: KB4523204
                           [13]: KB4535680
                           [14]: KB4539571
                           [15]: KB4549947
                           [16]: KB4558997
                           [17]: KB4562562
                           [18]: KB4566424
                           [19]: KB4570332
                           [20]: KB4577586
                           [21]: KB4577667
                           [22]: KB4587735
                           [23]: KB4589208
                           [24]: KB4598480
                           [25]: KB4601393
                           [26]: KB5000859
                           [27]: KB5015811
                           [28]: KB5012675
                           [29]: KB5014031
                           [30]: KB5014797
Network Card(s):           1 NIC(s) Installed.
                           [01]: Amazon Elastic Network Adapter
                                 Connection Name: Ethernet 3
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.1
                                 IP address(es)
                                 [01]: 10.10.194.132
                                 [02]: fe80::152e:6067:290:7344
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Question: What is the full OS Name?
Answer: Microsoft Windows Server 2019 Datacenter

Question: What is the OS Version?
Answer: 10.0.17763

Question: How many hotfixes are installed on this MS Windows Server?
Answer: 30

Question: What is the lowest TCP port number listening on the system?
Answer: 22

PS C:\Users\user> netstat -ano -p TCP

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2088
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       844
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       972
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       492
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1020
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1912
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       608
  TCP    0.0.0.0:49676          0.0.0.0:0              LISTENING       628
  TCP    10.10.194.132:53       0.0.0.0:0              LISTENING       924
  TCP    10.10.194.132:139      0.0.0.0:0              LISTENING       4
  TCP    10.10.194.132:3389     10.11.52.229:50076     ESTABLISHED     972
  TCP    10.10.194.132:49741    20.114.59.183:443      SYN_SENT        4592
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       924

Question: What is the name of the program listening on that port?
Answer: sshd.exe

PS C:\Users\user> tasklist|findstr "2088"
sshd.exe                      2088 Services                   0      6,932 K

Task 5 DNS, SMB, and SNMP

Question: Knowing that the domain name on the MS Windows Server of IP 10.10.194.132 is redteam.thm, use dig to carry out a domain transfer. What is the flag that you get in the records?

Answer: THM{DNS_ZONE}

❯ dig -t AXFR redteam.thm @10.10.194.132

; <<>> DiG 9.10.6 <<>> -t AXFR redteam.thm @10.10.194.132
;; global options: +cmd
redteam.thm.		3600	IN	SOA	red-win-enum. hostmaster. 5 900 600 86400 3600
redteam.thm.		3600	IN	NS	red-win-enum.
first.redteam.thm.	3600	IN	A	10.10.254.1
flag.redteam.thm.	3600	IN	TXT	"THM{DNS_ZONE}"
second.redteam.thm.	3600	IN	A	10.10.254.2
tryhackme.redteam.thm.	3600	IN	CNAME	tryhackme.com.
redteam.thm.		3600	IN	SOA	red-win-enum. hostmaster. 5 900 600 86400 3600
;; Query time: 259 msec
;; SERVER: 10.10.194.132#53(10.10.194.132)
;; WHEN: Thu Sep 21 00:01:44 CST 2023
;; XFR size: 7 records (messages 1, bytes 295)

Question: What is the name of the share available over the SMB protocol that starts with THM?
Answer: THM{829738}

PS C:\Users\user> net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
Internal     C:\Internal Files               Internal Documents
THM{829738}  C:\Users\user\Private           Enjoy SMB shares
Users        C:\Users
The command completed successfully.

Question: Knowing that the community string used by the SNMP service is public, use snmpcheck to collect information about the MS Windows Server of IP 10.10.194.132. What is the location specified?
Answer: THM{SNMP_SERVICE}

Install snmpcheck with the following commands:

git clone https://gitlab.com/kalilinux/packages/snmpcheck.git
cd snmpcheck/
gem install snmp
chmod +x snmpcheck-1.9.rb
❯ ./snmpcheck-1.9.rb 10.10.194.132 -c public
snmpcheck.rb v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.194.132:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 10.10.194.132
  Hostname                      : RED-WIN-ENUM
  Description                   : Hardware: AMD64 Family 23 Model 1 Stepping 2 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)
  Contact                       : TryHackMe
  Location                      : THM{SNMP_SERVICE}
  Uptime snmp                   : 01:34:58.79
  Uptime system                 : 01:34:42.52
  System date                   : 2023-9-20 16:10:22.3
  Domain                        : WORKGROUP

Task 6 More Tools for Windows

Question: What utility from Sysinternals Suite shows the logged-in users?
Answer: PsLoggedOn

Article author: z0sen
Copyright notice: Unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. When reposting, please credit z0sen's Blog.
TryHackMe RedTeam