Task 1 : Introduction

Let's start learning!

Task 2 : Deploy the VM

Let's discuss the common network infrastructure in the next Task!

Task 3 : Network Infrastructure

Use the netstat command to check open ports:

PS C:\Users\Administrator> netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2179           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING

Check the ARP table:

PS C:\Users\Administrator> arp -a

Interface: 10.10.185.128 --- 0x9
  Internet Address      Physical Address      Type
  10.10.0.1             02-c8-85-b5-5a-aa     dynamic
  10.10.255.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Task 4 : Active Directory (AD) environment

Question: If it is part of an AD environment, what is the domain name of the AD?

Way 1:

PS C:\Users\Administrator> net time /domain
Current time at \\ad.thmredteam.com is 9/20/2023 10:31:44 AM

The command completed successfully.

Way 2:

PS C:\Users\Administrator> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ad
   Primary Dns Suffix  . . . . . . . : thmredteam.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : eu-west-1.ec2-utilities.amazonaws.com
                                       eu-west-1.compute.internal

Ethernet adapter Ethernet 3:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : Amazon Elastic Network Adapter
   Physical Address. . . . . . . . . : 02-D0-03-96-E1-B1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3468:9753:5f6:bee2%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.185.128(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Wednesday, September 20, 2023 10:15:13 AM
   Lease Expires . . . . . . . . . . : Wednesday, September 20, 2023 11:15:13 AM
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.1
   DHCPv6 IAID . . . . . . . . . . . : 134353458
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-76-DA-21-02-6E-E9-AB-64-C7
   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Way 3:

PS C:\Users\Administrator> systeminfo | findstr Domain
OS Configuration:          Primary Domain Controller
Domain:                    thmredteam.com

Task 5 : Users and Groups Management

The following PowerShell command lists all Active Directory user accounts.

PS C:\Users\Administrator> Get-ADUser -Filter *

DistinguishedName : CN=Administrator,CN=Users,DC=thmredteam,DC=com
Enabled           : True
GivenName         :
Name              : Administrator
ObjectClass       : user
ObjectGUID        : 4094d220-fb71-4de1-b5b2-ba18f6583c65
SamAccountName    : Administrator
SID               : S-1-5-21-1966530601-3185510712-10604624-500
Surname           :
UserPrincipalName :

DistinguishedName : CN=krbtgt,CN=Users,DC=thmredteam,DC=com
Enabled           : False
GivenName         :
Name              : krbtgt
ObjectClass       : user
ObjectGUID        : 001ec69b-76a0-456a-b8bb-a5648f624a23
SamAccountName    : krbtgt
SID               : S-1-5-21-1966530601-3185510712-10604624-502
Surname           :
UserPrincipalName :

DistinguishedName : CN=Pierre Pittman,OU=THM,DC=thmredteam,DC=com
GivenName         : Pierre
Name              : Pierre Pittman
ObjectClass       : user
ObjectGUID        : 34febcdd-49dc-4160-b88e-7e6323f40dba
SamAccountName    : ppittman
SID               : S-1-5-21-1966530601-3185510712-10604624-1113
Surname           : Pittman
UserPrincipalName : [email protected]

Question: Use the Get-ADUser -Filter * -SearchBase command to list the available user accounts within THM OU in the thmredteam.com domain. How many users are available?

Answer: 6

We can use the following query in PowerShell:

PS C:\Users\Administrator> Get-ADUser -Filter * -SearchBase "OU=THM,DC=THMREDTEAM,DC=COM"

DistinguishedName : CN=Pierre Pittman,OU=THM,DC=thmredteam,DC=com
GivenName         : Pierre
Name              : Pierre Pittman
ObjectClass       : user
ObjectGUID        : 34febcdd-49dc-4160-b88e-7e6323f40dba
SamAccountName    : ppittman
SID               : S-1-5-21-1966530601-3185510712-10604624-1113
Surname           : Pittman
UserPrincipalName : [email protected]

DistinguishedName : CN=Dario Philips,OU=THM,DC=thmredteam,DC=com
GivenName         : Dario
Name              : Dario Philips
ObjectClass       : user
ObjectGUID        : 3cc9cfc7-3c62-4d46-8a83-b8c02f45efbb
SamAccountName    : dphilips
SID               : S-1-5-21-1966530601-3185510712-10604624-1114
Surname           : Philips
UserPrincipalName : [email protected]

......

Question: Once you run the previous command, what is the UserPrincipalName (email) of the admin account?

Answer: [email protected]

Task 6 : Host Security Solution #1

Antivirus Software (AV)

We can enumerate AV software using Windows built-in tools, such as wmic.

PS C:\Users\Administrator> wmic /namespace:\\root\securitycenter2 path antivirusproduct
displayName       instanceGuid                            pathToSignedProductExe  pathToSignedReportingExe                     productState  timestamp
Windows Defender  {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}  windowsdefender://      %ProgramFiles%\Windows Defender\MsMpeng.exe  397568        Tue, 19 Sep 2023 14:49:19 GMT

This also can be done using PowerShell, which gives the same result.

PS C:\Users\Administrator> Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

displayName              : Windows Defender
instanceGuid             : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe   : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState             : 397568
timestamp                : Tue, 19 Sep 2023 14:49:19 GMT
PSComputerName           :

Microsoft Windows Defender

The output shows that Windows Defender is installed on the computer. Note that Windows servers may not have the SecurityCenter2 namespace, so this query may not work on the attached VM; it does work on Windows workstations.

We can use the following PowerShell command to check the service state of Windows Defender:

PS C:\Users\Administrator> Get-Service WinDefend

Status   Name               DisplayName
------   ----               -----------
Running  WinDefend          Windows Defender Antivirus Service

Next, we can use the Get-MpComputerStatus cmdlet to get the current Windows Defender status. It reports the current status of every security solution element, including Anti-Spyware, Antivirus, IoavProtection, Real-time protection, etc., so we can use select to pick out only what we need, as follows:

PS C:\Users\Administrator> Get-MpComputerStatus | select RealTimeProtectionEnabled

RealTimeProtectionEnabled
-------------------------
                     True

As a result, MpComputerStatus highlights whether Windows Defender is enabled or not.

Host-based Firewall

Check the firewall profile:

PS C:\Users\Administrator> Get-NetFirewallProfile | Format-Table Name, Enabled

Name    Enabled
----    -------
Domain     True
Private    True
Public     True

If the user we are logged in as has admin privileges, we can try to disable one or more firewall profiles using the Set-NetFirewallProfile cmdlet.

PS C:\Users\Administrator> Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
PS C:\Users\Administrator> Get-NetFirewallProfile | Format-Table Name, Enabled

Name    Enabled
----    -------
Domain    False
Private   False
Public    False

We can also list the current firewall rules to see what the firewall allows or denies.

PS C:\Users\Administrator> Get-NetFirewallRule | select DisplayName, Enabled, Description

DisplayName                                                                Enabled Description
-----------                                                                ------- -----------
Virtual Machine Monitoring (DCOM-In)                                         False Allow DCOM traffic for remote Windows Management Instrumentation.
Virtual Machine Monitoring (Echo Request - ICMPv4-In)                        False Echo Request messages are sent as ping requests to other nodes.
Virtual Machine Monitoring (Echo Request - ICMPv6-In)                        False Echo Request messages are sent as ping requests to other nodes.
Virtual Machine Monitoring (NB-Session-In)                                   False Allow NetBIOS Session Service connections.
Virtual Machine Monitoring (RPC)                                             False Allow Task Scheduler service to be remotely managed via RPC/TCP.
SNMP Trap Service (UDP In)                                                   False Inbound rule for the SNMP Trap Service to allow SNMP traps. [UDP 162]
SNMP Trap Service (UDP In)                                                   False Inbound rule for the SNMP Trap Service to allow SNMP traps. [UDP 162]
WFD Driver-only (TCP-In)                                                      True Inbound rule for drivers to communicate over WFD (TCP-In)
WFD Driver-only (TCP-Out)                                                     True Inbound rule for drivers to communicate over WFD (TCP-Out)
WFD Driver-only (UDP-In)                                                      True Inbound rule for drivers to communicate over WFD (UDP-In)
WFD Driver-only (UDP-Out)                                                     True Inbound rule for drivers to communicate over WFD (UDP-Out)

During the red team engagement, we have no clue what the firewall blocks. However, we can take advantage of some PowerShell cmdlets such as Test-NetConnection and TcpClient. Assume we know that a firewall is in place, and we need to test inbound connection without extra tools, then we can do the following:

PS C:\Users\Administrator> Test-NetConnection -ComputerName 127.0.0.1 -Port 80


ComputerName     : 127.0.0.1
RemoteAddress    : 127.0.0.1
RemotePort       : 80
InterfaceAlias   : Loopback Pseudo-Interface 1
SourceAddress    : 127.0.0.1
TcpTestSucceeded : True

As a result, we can confirm the inbound connection on port 80 is open and allowed in the firewall. Note that we can also test remote targets in the same network, or domain names, by specifying them in the -ComputerName argument of Test-NetConnection.

Question: Using PowerShell cmdlets such as Get-MpThreat can provide us with details of threats that have been detected by MS Defender. Run it and answer the following: What is the file name that causes this alert to record?

Running Get-MpThreat gives the answer:

Answer: powerview.ps1

Question: Enumerate the firewall rules of the attached Windows machine. What is the port that is allowed under the THM-Connection rule?

PS C:\Users\kkidd> Get-NetFirewallRule | select DisplayName, Enabled, Description | findstr "THM-Connection"
THM-Connection                                                                  True THM-Connection inbound to 17337 Port!

Answer: 17337
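
The rule listing above shows only names and descriptions, and the THM-Connection port was read from free text. The following added example (not part of the original room or write-up) reports which firewall profiles are off, resolves each enabled inbound allow rule to the port filter it actually carries, and pulls the firewall log events written when a profile setting is changed. The helper names Get-InboundAllowRule and Get-FirewallProfileChange are made up for illustration.

```powershell
# Added example (not from the original write-up). Run in an elevated PowerShell session.
# Get-InboundAllowRule and Get-FirewallProfileChange are hypothetical helper names.

function Get-InboundAllowRule {
    param(
        # Wildcard on the rule's display name, e.g. 'THM-*'
        [string]$DisplayName = '*'
    )
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { $_.DisplayName -like $DisplayName } |
        ForEach-Object {
            $rule = $_
            # Port and program are stored in separate filter objects tied to the rule,
            # so the description text is not the source of truth for what is open.
            $port = $rule | Get-NetFirewallPortFilter
            $app  = $rule | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                DisplayName = $rule.DisplayName
                Profile     = $rule.Profile
                Protocol    = $port.Protocol
                LocalPort   = $port.LocalPort -join ','
                Program     = $app.Program
            }
        }
}

function Get-FirewallProfileChange {
    param([int]$MaxEvents = 20)
    # Event ID 2003 in this log records a changed Windows Firewall profile setting,
    # which includes a profile being switched off with Set-NetFirewallProfile.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id      = 2003
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# 1. Profiles that are currently switched off
Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' } |
    Format-Table Name, Enabled

# 2. Ports that enabled inbound allow rules really open
Get-InboundAllowRule | Sort-Object DisplayName | Format-Table -AutoSize

# 3. Most recent profile setting changes
Get-FirewallProfileChange | Format-List
```

Calling Get-InboundAllowRule -DisplayName 'THM-*' narrows the listing to the rule from the question.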

Task 7 : Host Security Solution #2

Security Event Logging and Monitoring

Use the Get-EventLog cmdlet to get a list of available event logs on the local machine:

PS C:\Users\kkidd> Get-EventLog -List

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
     512      7 OverwriteOlder             95 Active Directory Web Services
  20,480      0 OverwriteAsNeeded         650 Application
  15,168      0 OverwriteAsNeeded          97 DFS Replication
     512      0 OverwriteAsNeeded         224 Directory Service
 102,400      0 OverwriteAsNeeded          98 DNS Server
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
                                              Security
  20,480      0 OverwriteAsNeeded       5,357 System
  15,360      0 OverwriteAsNeeded       2,093 Windows PowerShell

System Monitor (Sysmon)

Look for a process or service named "Sysmon" among the current processes or services, as follows:

PS C:\Users\kkidd> Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    372      15    17440      28948              2664   0 Sysmon

Or look for services as follows:

PS C:\Users\kkidd> Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"

ProcessId Name   StartMode State   Status ExitCode
--------- ----   --------- -----   ------ --------
2664      Sysmon Auto      Running OK     0


PS C:\Users\kkidd> Get-Service | where-object {$_.DisplayName -like "*sysm*"}

Status   Name               DisplayName
------   ----               -----------
Running  SysMain            SysMain
Running  Sysmon             Sysmon

It can also be done by checking the Windows registry:

PS C:\Users\kkidd> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
    OwningPublisher    REG_SZ    {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
    Enabled    REG_DWORD    0x1
    Isolation    REG_DWORD    0x2
    ChannelAccess    REG_SZ    O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)
    MaxSize    REG_DWORD    0x4000000
    MaxSizeUpper    REG_DWORD    0x0
    Type    REG_DWORD    0x1

Find the Sysmon configuration file:

PS C:\Users\kkidd> findstr /si '<ProcessCreate onmatch="exclude">' C:\tools\*
C:\tools\Sysmon\sysmonconfig.xml:      <ProcessCreate onmatch="include">
C:\tools\Sysmon\sysmonconfig.xml:      <ProcessCreate onmatch="exclude">

Host-based Intrusion Detection/Prevention System (HIDS/HIPS)

HIDS stands for Host-based Intrusion Detection System. It is software that has the ability to monitor and detect abnormal and malicious activities in a host. The primary purpose of HIDS is to detect suspicious activities and not to prevent them. There are two methods by which a host-based or network intrusion detection system works:

Signature-based IDS looks at checksums and message authentication.

Anomaly-based IDS looks for unexpected activities, including abnormal bandwidth usage, protocols, and ports.

Host-based Intrusion Prevention Systems (HIPS) work by securing the operating system activities of the device on which they are installed. A HIPS is a detection and prevention solution against well-known attacks and abnormal behaviors. It is capable of auditing the host's log files, monitoring processes, and protecting system resources. HIPS is a mixture of best product features such as antivirus, behavior analysis, network, application firewall, etc.

Endpoint Detection and Response (EDR)

It is also known as Endpoint Detection and Threat Response (EDTR). The EDR is a cybersecurity solution that defends against malware and other threats. EDRs can look for malicious files, monitor endpoint, system, and network events, and record them in a database for further analysis, detection, and investigation. EDRs are the next generation of antivirus and detect malicious activities on the host in real-time.

Task 8 : Network Security Solutions

Network Security Solutions

Network security solutions can be software or hardware appliances used to monitor, detect and prevent malicious activities within the network. They focus on protecting clients and devices connected to the corporate network. Network security solutions include but are not limited to:

  • Network Firewall
  • SIEM
  • IDS/IPS

Network Firewall

A firewall is the first checkpoint for untrusted traffic that arrives at a network. The firewall filters the untrusted traffic before passing it into the network based on rules and policies. In addition, firewalls can be used to separate networks from external traffic sources, internal traffic sources, or even specific applications. Nowadays, firewall products are built into network routers or other security products that provide various security features. The following are some firewall types that enterprises may use.

  • Packet-filtering firewalls
  • Proxy firewalls
  • NAT firewalls
  • Web application firewalls

Security Information and Event Management (SIEM)

SIEM combines Security Information Management (SIM) and Security Event Management (SEM) to monitor and analyze events and track and log data in real-time. SIEM helps system administrators and blue teamers to monitor and track potential security threats and vulnerabilities before causing damage to an organization.

SIEM solutions work as a log data aggregation center: they collect log files from sensors and perform functions on the gathered data to identify and detect security threats or attacks. The following are some of the functions that a SIEM may offer:

  • Log management: It captures and gathers data for the entire enterprise network in real-time.
  • Event analytics: It applies advanced analytics to detect abnormal patterns or behaviors, available in the dashboard with charts and statistics.
  • Incident monitoring and security alerts: It monitors the entire network, including connected users, devices, applications, etcetera, and as soon as attacks are detected, it alerts administrators immediately to take appropriate action to mitigate.
  • Compliance management and reporting: It generates real-time reports at any time.

The following are some of the SIEM products that are commonly seen in many enterprises:

  • Splunk
  • LogRhythm NextGen SIEM Platform
  • SolarWinds Security Event Manager
  • SolarWinds
  • Datadog Security Monitoring
  • many others

Intrusion Detection System and Intrusion Prevention System (NIDS/NIPS)

Network-based IDS/IPS have a similar concept to the host-based IDS/IPS. The main difference is that the network-based products focus on the security of a network instead of a host. The network-based solution will be based on sensors and agents distributed in the network devices and hosts to collect data. IDS and IPS are both detection and monitoring cybersecurity solutions that an enterprise uses to secure its internal systems. They both read network packets looking for abnormal behaviors and known threats pre-loaded into a previous database. The significant difference between both solutions is that the IDS requires human interaction or 3rd party software to analyze the data to take action. The IPS is a control system that accepts or rejects packets based on policies and rules.

The following are common enterprise IDS/IPS products:

  • Palo Alto Networks
  • Cisco's Next-Generation
  • McAfee Network Security Platform (NSP)
  • Trend Micro TippingPoint
  • Suricata

Task 9 : Applications and Services

Installed Applications

Use the wmic Windows command to list all installed applications and their versions.

PS C:\Users\kkidd> wmic product get name,version
Name                                                            Version
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29910     14.28.29910
AWS Tools for Windows                                           3.15.1248
Amazon SSM Agent                                                3.0.529.0
aws-cfn-bootstrap                                               2.0.5
AWS PV Drivers                                                  8.3.4
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.28.29910  14.28.29910

Another interesting thing is to look for particular text strings, hidden directories, and backup files. For that we can use the PowerShell cmdlet Get-ChildItem, as follows:

PS C:\Users\kkidd> Get-ChildItem -Hidden -Path C:\Users\kkidd\Desktop\

    Directory: C:\Users\kkidd\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-hs-        12/1/2021   4:53 PM            282 desktop.ini

Services and Process

List the running services with the Windows command net start to check whether there are any interesting running services.

PS C:\Users\kkidd> net start
These Windows services are started:

   Active Directory Web Services
   Amazon SSM Agent
   Application Host Helper Service
   Background Tasks Infrastructure Service
   Base Filtering Engine
   Certificate Propagation
   Client License Service (ClipSVC)
   CNG Key Isolation
   COM+ Event System
   Connected Devices Platform Service
   ......

Look up the exact service name, which we need in order to find more information:

PS C:\Users\kkidd> wmic service get Name,PathName |findstr "THM"
THM Service                               c:\Windows\thm-service.exe

We find the file name and its path; now let's find more details using the Get-Process cmdlet:

PS C:\Users\kkidd> Get-Process -Name thm-service

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     78       9    12668       5728              2552   0 thm-service

Once we find its process ID, let's check whether it provides a network service by listing the listening ports on the system.

PS C:\Users\kkidd> netstat -ano |findstr "LISTENING" |findstr "2552"
  TCP    0.0.0.0:13337          0.0.0.0:0              LISTENING       2552
  TCP    [::]:13337             [::]:0                 LISTENING       2552

Question: Finally, we can see it is listening on port 8080. Now try to apply what we discussed and find the port number for THM Service. What is the port number?
Answer: 13337
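
The three manual steps above (service name and path, then PID, then listening port) can be joined in one pass for every running service, which is also how a defender would inventory what each service exposes. This is an added example, not part of the original room or write-up; Get-ServiceListener is a made-up helper name.

```powershell
# Added example (not from the original write-up).
# Get-ServiceListener is a hypothetical helper name, not a built-in cmdlet.

function Get-ServiceListener {
    param(
        # Wildcard on the service name or display name, e.g. '*THM*'
        [string]$Name = '*'
    )

    # Index listening TCP sockets by owning PID
    # (the same data as `netstat -ano | findstr LISTENING`).
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Group-Object -Property OwningProcess -AsHashTable -AsString
    if (-not $listeners) { $listeners = @{} }

    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.State -eq 'Running' -and $_.ProcessId -ne 0 -and
            ($_.Name -like $Name -or $_.DisplayName -like $Name)
        } |
        ForEach-Object {
            $svc = $_
            $key = [string]$svc.ProcessId
            # Skip services whose process has no listening socket
            if (-not $listeners.ContainsKey($key)) { return }

            $sockets = $listeners[$key]
            [pscustomobject]@{
                Service     = $svc.Name
                DisplayName = $svc.DisplayName
                ProcessId   = $svc.ProcessId
                # Services hosted in a shared svchost.exe share one PID, so these
                # ports belong to the process, not necessarily to this one service.
                Ports       = ($sockets | Select-Object -ExpandProperty LocalPort -Unique |
                                   Sort-Object) -join ','
                # True when at least one socket is bound to all interfaces
                AllInterfaces = [bool]($sockets |
                                   Where-Object { $_.LocalAddress -in '0.0.0.0', '::' })
                PathName    = $svc.PathName
            }
        }
}

# Whole-host inventory, then the single service looked up in the steps above
Get-ServiceListener | Sort-Object Service | Format-Table -AutoSize
Get-ServiceListener -Name '*THM*' | Format-List
```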

Question: Visit the localhost on the port you found in Question #1. What is the flag?

Just curl the localhost:

PS C:\Users\kkidd> curl 127.0.0.1:13337


StatusCode        : 200
StatusDescription : OK
Content           : Hi the flag is: THM{S3rv1cs_1s_3numerat37ed}
RawContent        : HTTP/1.1 200 OK
                    Content-Length: 44
                    Content-Type: text/plain; charset=utf-8
                    Date: Wed, 20 Sep 2023 13:55:26 GMT

                    Hi the flag is: THM{S3rv1cs_1s_3numerat37ed}
Forms             : {}
Headers           : {[Content-Length, 44], [Content-Type, text/plain; charset=utf-8], [Date, Wed, 20 Sep 2023 13:55:26 GMT]}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : System.__ComObject
RawContentLength  : 44

Answer: THM{S3rv1cs_1s_3numerat37ed}

Question: Now enumerate the domain name of the domain controller, thmredteam.com, using the nslookup.exe, and perform a DNS zone transfer. What is the flag for one of the records?

Let's look at the DNS records with nslookup:

PS C:\Users\kkidd> nslookup.exe
Default Server:  ip-10-0-0-2.eu-west-1.compute.internal
Address:  10.0.0.2

> server 10.10.234.189
Default Server:  ip-10-10-234-189.eu-west-1.compute.internal
Address:  10.10.234.189

> ls -d thmredteam.com
[ip-10-10-234-189.eu-west-1.compute.internal]
 thmredteam.com.                SOA    ad.thmredteam.com hostmaster.thmredteam.com. (749 900 600 86400 3600)
 thmredteam.com.                A      10.10.129.59
 thmredteam.com.                NS     ad.thmredteam.com
 _msdcs                         NS     ad.thmredteam.com
 _gc._tcp.Default-First-Site-Name._sites SRV    priority=0, weight=100, port=3268, ad.thmredteam.com
 _kerberos._tcp.Default-First-Site-Name._sites SRV    priority=0, weight=100, port=88, ad.thmredteam.com
 _ldap._tcp.Default-First-Site-Name._sites SRV    priority=0, weight=100, port=389, ad.thmredteam.com
 _gc._tcp                       SRV    priority=0, weight=100, port=3268, ad.thmredteam.com
 _kerberos._tcp                 SRV    priority=0, weight=100, port=88, ad.thmredteam.com
 _kpasswd._tcp                  SRV    priority=0, weight=100, port=464, ad.thmredteam.com
 _ldap._tcp                     SRV    priority=0, weight=100, port=389, ad.thmredteam.com
 _kerberos._udp                 SRV    priority=0, weight=100, port=88, ad.thmredteam.com
 _kpasswd._udp                  SRV    priority=0, weight=100, port=464, ad.thmredteam.com
 ad                             A      10.10.234.189
 DomainDnsZones                 A      10.10.129.59
 _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones SRV    priority=0, weight=100, port=389, ad.thmredteam.com
 _ldap._tcp.DomainDnsZones      SRV    priority=0, weight=100, port=389, ad.thmredteam.com
 flag                           TXT             "THM{DNS-15-Enumerated!}"

 ForestDnsZones                 A      10.10.129.59
 _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones SRV    priority=0, weight=100, port=389, ad.thmredteam.com
 _ldap._tcp.ForestDnsZones      SRV    priority=0, weight=100, port=389, ad.thmredteam.com
 www                            A      10.10.141.51
 thmredteam.com.                SOA    ad.thmredteam.com hostmaster.thmredteam.com. (749 900 600 86400 3600)

Answer: THM{DNS-15-Enumerated!}
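
The `ls -d` request above succeeds only because the zone is configured to hand a full copy to any client that asks. The following added example (not part of the original room or write-up) audits that setting on the DNS server and previews the corrected value; Get-OpenZoneTransfer is a made-up helper name, and the DnsServer PowerShell module is assumed to be installed.

```powershell
# Added example (not from the original write-up). Run on the DNS server itself;
# requires the DnsServer module. Get-OpenZoneTransfer is a hypothetical helper name.

function Get-OpenZoneTransfer {
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                ZoneName           = $_.ZoneName
                IsDsIntegrated     = $_.IsDsIntegrated
                SecureSecondaries  = $_.SecureSecondaries
                SecondaryServers   = $_.SecondaryServers -join ','
                # TransferAnyServer means any host may request the whole zone
                AnyHostCanTransfer = ($_.SecureSecondaries -eq 'TransferAnyServer')
            }
        }
}

# Weak setting: zones that any host can transfer
$open = Get-OpenZoneTransfer | Where-Object { $_.AnyHostCanTransfer }
$open | Format-Table -AutoSize

# Corrected setting: refuse transfers. AD-integrated zones replicate between
# domain controllers through AD replication, so they do not rely on zone transfers.
# -WhatIf only previews the change; remove it to apply.
$open | ForEach-Object {
    Set-DnsServerPrimaryZone -Name $_.ZoneName -SecureSecondaries NoTransfer -WhatIf
}
```

Where secondary servers do need a copy, TransferToZoneNameServer or TransferToSecureServers limits transfers to named hosts instead of disabling them.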

Author: z0sen
Copyright notice: Unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. Please credit z0sen's Blog when reposting.
TryHackMe RedTeam