
Enumeration

This room is an introduction to enumeration when approaching an unknown corporate environment.

THM Room https://tryhackme.com/room/enumerationpe

TASK 1 : Introduction

What command would you use to start the PowerShell interactive command line?

If you don’t know this, you can find the answer in the room text : “We just issued the command powershell.exe to start the PowerShell interactive command line in the terminal below.”

Answer : powershell.exe

TASK 2 : Purpose

In SSH key-based authentication, which key does the client need?

Again, this question is trivial if you know SSH, but it is also in the text : “the public key is installed on a server. Consequently, the server would trust any system that can prove knowledge of the related private key.”

Answer : private key

TASK 3 : Linux Enumeration

What is the Linux distribution used in the VM?

Connect to the target machine via SSH and print the /etc/os-release file :

root@ip-10-10-120-247:~# ssh user@10.10.204.207
The authenticity of host '10.10.204.207 (10.10.204.207)' can't be established.
ECDSA key fingerprint is SHA256:IFP+sTfHTDm72Ta2zfK9XjKASr30+ya4ic/ApEIziio.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.204.207' (ECDSA) to the list of known hosts.
user@10.10.204.207's password: 
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-120-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 21 Aug 07:36:37 UTC 2022

  System load:  0.08              Processes:             121
  Usage of /:   62.2% of 6.53GB   Users logged in:       0
  Memory usage: 26%               IPv4 address for eth0: 10.10.204.207
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

user@red-linux-enumeration:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

We can now see the Linux distribution and its version number.

Answer : Ubuntu

What is its version number?

Answer : 20.04.4

What is the name of the user who last logged in to the system?

We can view the last logged-in users with the “last” command on Linux :

user@red-linux-enumeration:~$ last
user     pts/0        10.10.120.247    Sun Aug 21 07:36   still logged in
reboot   system boot  5.4.0-120-generi Sun Aug 21 07:23   still running
reboot   system boot  5.4.0-120-generi Mon Jun 20 13:10 - 13:13  (00:02)
randa    pts/0        10.20.30.1       Mon Jun 20 11:00 - 11:01  (00:00)
reboot   system boot  5.4.0-120-generi Mon Jun 20 09:58 - 11:01  (01:03)

Answer : randa

What is the highest listening TCP port number?

We can list the listening sockets with the netstat command. First, let’s look at the help :

user@red-linux-enumeration:~$ netstat --help
usage: netstat [-vWeenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vWnNcaeol] [<Socket> ...]
       netstat { [-vWeenNac] -i | [-cnNe] -M | -s [-6tuw] }

        -r, --route              display routing table
        -i, --interfaces         display interface table
        -g, --groups             display multicast group memberships
        -s, --statistics         display networking statistics (like SNMP)
        -M, --masquerade         display masqueraded connections

        -v, --verbose            be verbose
        -W, --wide               don't truncate IP addresses
        -n, --numeric            don't resolve names
        --numeric-hosts          don't resolve host names
        --numeric-ports          don't resolve port names
        --numeric-users          don't resolve user names
        -N, --symbolic           resolve hardware names
        -e, --extend             display other/more information
        -p, --programs           display PID/Program name for sockets
        -o, --timers             display timers
        -c, --continuous         continuous listing

        -l, --listening          display listening server sockets
        -a, --all                display all sockets (default: connected)
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              display routing cache instead of FIB
        -Z, --context            display SELinux security context for sockets

  <Socket>={-t|--tcp} {-u|--udp} {-U|--udplite} {-S|--sctp} {-w|--raw}
           {-x|--unix} --ax25 --ipx --netrom
  <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25) 
    netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP) 
    x25 (CCITT X.25) 
user@red-linux-enumeration:~$

There are several interesting switches to use :

-l to display only listening sockets

-v for verbose output

-a to display all sockets

-t to print only TCP sockets
user@red-linux-enumeration:~$ netstat -lva -t
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 ip-10-10-204-207:domain 0.0.0.0:*               LISTEN     
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN     
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 localhost:953           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ldap            0.0.0.0:*               LISTEN     
tcp        0      0 localhost:ircd          0.0.0.0:*               LISTEN     
tcp        0    280 ip-10-10-204-207.eu:ssh ip-10-10-120-247.:53368 ESTABLISHED
tcp        0      1 ip-10-10-204-207.:59010 api.snapcraft.io:https  SYN_SENT   
tcp        0      1 ip-10-10-204-207.:37082 api.snapcraft.io:https  SYN_SENT   
tcp        0      1 ip-10-10-204-207.:42706 api.snapcraft.io:https  SYN_SENT   
tcp        0      1 ip-10-10-204-207.:42708 api.snapcraft.io:https  SYN_SENT   
tcp6       0      0 red-linux-enumer:domain [::]:*                  LISTEN     
tcp6       0      0 ip6-localhost:domain    [::]:*                  LISTEN     
tcp6       0      0 [::]:ftp                [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 ip6-localhost:953       [::]:*                  LISTEN     
tcp6       0      0 [::]:ldap               [::]:*                  LISTEN 

Some ports are shown as service names rather than numbers, so we add the -n switch to our command :

user@red-linux-enumeration:~$ netstat -lvan -t | grep "LISTEN"
tcp        0      0 10.10.204.207:53        0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:6667          0.0.0.0:*               LISTEN     
tcp6       0      0 fe80::e5:24ff:fe6d:7:53 :::*                    LISTEN     
tcp6       0      0 ::1:53                  :::*                    LISTEN     
tcp6       0      0 :::21                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:953                 :::*                    LISTEN     
tcp6       0      0 :::389                  :::*                    LISTEN 

We now see the highest listening TCP port. Note that 6667 is bound to 127.0.0.1 only, so it is reachable from the host itself and not from the network.

Answer : 6667

What is the program name of the service listening on it?

We can add -p to print the PID and program name for each socket (sudo is needed to see processes owned by other users) :

user@red-linux-enumeration:~$ sudo netstat -lvanp -t
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 10.10.204.207:53        0.0.0.0:*               LISTEN      611/named           
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      611/named           
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      580/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      683/sshd: /usr/sbin 
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      611/named           
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      722/slapd           
tcp        0      0 127.0.0.1:6667          0.0.0.0:*               LISTEN      712/inspircd        
tcp        0    304 10.10.204.207:22        10.10.120.247:53368     ESTABLISHED 1000/sshd: user [pr 
tcp6       0      0 fe80::e5:24ff:fe6d:7:53 :::*                    LISTEN      611/named           
tcp6       0      0 ::1:53                  :::*                    LISTEN      611/named           
tcp6       0      0 :::21                   :::*                    LISTEN      635/vsftpd          
tcp6       0      0 :::22                   :::*                    LISTEN      683/sshd: /usr/sbin 
tcp6       0      0 ::1:953                 :::*                    LISTEN      611/named           
tcp6       0      0 :::389                  :::*                    LISTEN      722/slapd 

Answer : inspircd

There is a script running in the background. Its name starts with THM. What is the name of the script?

To check the processes running in the background, we can use the “ps” command :

user@red-linux-enumeration:~$ ps -aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.9  1.1 102716 11484 ?        Rs   07:23   0:08 /sbin/init auto automatic-ubiquity noprompt
root           2  0.0  0.0      0     0 ?        S    07:23   0:00 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<   07:23   0:00 [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<   07:23   0:00 [rcu_par_gp]
root           5  0.0  0.0      0     0 ?        I    07:23   0:00 [kworker/0:0-memcg_kmem_cache]
root           6  0.0  0.0      0     0 ?        I<   07:23   0:00 [kworker/0:0H-kblockd]
root           8  0.0  0.0      0     0 ?        I    07:23   0:00 [kworker/u30:0-events_unbound]
root           9  0.0  0.0      0     0 ?        I<   07:23   0:00 [mm_percpu_wq]
root          10  0.0  0.0      0     0 ?        S    07:23   0:00 [ksoftirqd/0]
root          11  0.0  0.0      0     0 ?        I    07:23   0:00 [rcu_sched]
root          12  0.0  0.0      0     0 ?        S    07:23   0:00 [migration/0]
root          13  0.0  0.0      0     0 ?        S    07:23   0:00 [idle_inject/0]
root          14  0.0  0.0      0     0 ?        S    07:23   0:00 [cpuhp/0]
root          15  0.0  0.0      0     0 ?        S    07:23   0:00 [kdevtmpfs]
root          16  0.0  0.0      0     0 ?        I<   07:23   0:00 [netns]
root          17  0.0  0.0      0     0 ?        S    07:23   0:00 [rcu_tasks_kthre]
root          18  0.0  0.0      0     0 ?        S    07:23   0:00 [kauditd]
root          19  0.0  0.0      0     0 ?        S    07:23   0:00 [khungtaskd]
root          20  0.0  0.0      0     0 ?        S    07:23   0:00 [oom_reaper]
root          21  0.0  0.0      0     0 ?        I<   07:23   0:00 [writeback]
root          22  0.0  0.0      0     0 ?        S    07:23   0:00 [kcompactd0]
root          23  0.0  0.0      0     0 ?        SN   07:23   0:00 [ksmd]
root          24  0.0  0.0      0     0 ?        SN   07:23   0:00 [khugepaged]
root          70  0.0  0.0      0     0 ?        I<   07:23   0:00 [kintegrityd]
root          71  0.0  0.0      0     0 ?        I<   07:23   0:00 [kblockd]
root          72  0.0  0.0      0     0 ?        I<   07:23   0:00 [blkcg_punt_bio]
root          73  0.0  0.0      0     0 ?        S    07:23   0:00 [xen-balloon]
root          74  0.0  0.0      0     0 ?        I<   07:23   0:00 [tpm_dev_wq]
root          75  0.0  0.0      0     0 ?        I<   07:23   0:00 [ata_sff]
root          76  0.0  0.0      0     0 ?        I<   07:23   0:00 [md]
root          77  0.0  0.0      0     0 ?        I<   07:23   0:00 [edac-poller]
root          78  0.0  0.0      0     0 ?        I<   07:23   0:00 [devfreq_wq]
root          79  0.0  0.0      0     0 ?        S    07:23   0:00 [watchdogd]
root          80  0.0  0.0      0     0 ?        I    07:23   0:00 [kworker/u30:1-events_power_efficient]
root          84  0.0  0.0      0     0 ?        S    07:23   0:00 [kswapd0]
root          85  0.0  0.0      0     0 ?        S    07:23   0:00 [ecryptfs-kthrea]
root          87  0.0  0.0      0     0 ?        I<   07:23   0:00 [kthrotld]
root          88  0.0  0.0      0     0 ?        I<   07:23   0:00 [acpi_thermal_pm]
root          89  0.0  0.0      0     0 ?        S    07:23   0:00 [xenbus]
root          90  0.0  0.0      0     0 ?        S    07:23   0:00 [xenwatch]
root          91  0.0  0.0      0     0 ?        S    07:23   0:00 [scsi_eh_0]
root          92  0.0  0.0      0     0 ?        I<   07:23   0:00 [scsi_tmf_0]
root          93  0.0  0.0      0     0 ?        S    07:23   0:00 [scsi_eh_1]
root          94  0.0  0.0      0     0 ?        I<   07:23   0:00 [scsi_tmf_1]
root          96  0.0  0.0      0     0 ?        I<   07:23   0:00 [vfio-irqfd-clea]
root          97  0.0  0.0      0     0 ?        I<   07:23   0:00 [ipv6_addrconf]
root         106  0.0  0.0      0     0 ?        I<   07:23   0:00 [kworker/0:1H-kblockd]
root         107  0.0  0.0      0     0 ?        I<   07:23   0:00 [kstrp]
root         110  0.0  0.0      0     0 ?        I<   07:23   0:00 [kworker/u31:0]
root         123  0.0  0.0      0     0 ?        I<   07:23   0:00 [charger_manager]
root         157  0.0  0.0      0     0 ?        I<   07:23   0:00 [cryptd]
root         197  0.0  0.0      0     0 ?        I<   07:23   0:00 [kdmflush]
root         226  0.0  0.0      0     0 ?        I<   07:23   0:00 [raid5wq]
root         273  0.0  0.0      0     0 ?        S    07:23   0:00 [jbd2/dm-0-8]
root         274  0.0  0.0      0     0 ?        I<   07:23   0:00 [ext4-rsv-conver]
root         344  0.1  1.3  60316 13404 ?        S<s  07:23   0:01 /lib/systemd/systemd-journald
root         363  0.0  0.0      0     0 ?        I<   07:23   0:00 [ipmi-msghandler]
root         374  0.4  0.6  22728  6160 ?        Ss   07:23   0:03 /lib/systemd/systemd-udevd
root         482  0.0  0.0      0     0 ?        I<   07:24   0:00 [kaluad]
root         483  0.0  0.0      0     0 ?        I<   07:24   0:00 [kmpath_rdacd]
root         484  0.0  0.0      0     0 ?        I<   07:24   0:00 [kmpathd]
root         485  0.0  0.0      0     0 ?        I<   07:24   0:00 [kmpath_handlerd]
root         486  0.0  1.8 280196 17996 ?        SLsl 07:24   0:00 /sbin/multipathd -d -s
root         495  0.0  0.0      0     0 ?        S<   07:24   0:00 [loop0]
root         498  0.0  0.0      0     0 ?        S<   07:24   0:00 [loop1]
root         499  0.0  0.0      0     0 ?        S<   07:24   0:00 [loop2]
root         502  0.0  0.0      0     0 ?        S<   07:24   0:00 [loop3]
root         503  0.0  0.0      0     0 ?        S<   07:24   0:00 [loop4]
root         506  0.0  0.0      0     0 ?        S<   07:24   0:00 [loop5]
root         507  0.0  0.0      0     0 ?        S<   07:24   0:00 [loop6]
root         511  0.0  0.0      0     0 ?        S<   07:24   0:00 [loop7]
root         515  0.0  0.0      0     0 ?        S    07:24   0:00 [jbd2/xvda2-8]
root         516  0.0  0.0      0     0 ?        I<   07:24   0:00 [ext4-rsv-conver]
systemd+     531  0.0  0.6  90872  6108 ?        Ssl  07:24   0:00 /lib/systemd/systemd-timesyncd
systemd+     578  0.0  0.7  27256  7468 ?        Ss   07:24   0:00 /lib/systemd/systemd-networkd
systemd+     580  0.0  1.2  24532 12044 ?        Ss   07:24   0:00 /lib/systemd/systemd-resolved
root         593  0.0  0.9 239276  9176 ?        Ssl  07:24   0:00 /usr/lib/accountsservice/accounts-daemon
root         594  0.0  1.5 1232040 15784 ?       Ssl  07:24   0:00 /usr/bin/amazon-ssm-agent
root         598  0.0  0.2   6812  2840 ?        Ss   07:24   0:00 /usr/sbin/cron -f
message+     599  0.0  0.4   7568  4656 ?        Ss   07:24   0:00 /usr/bin/dbus-daemon --system --address=systemd: -
root         604  0.0  0.3   8480  3384 ?        S    07:24   0:00 /usr/sbin/CRON -f
bind         611  0.0  2.2 216200 22068 ?        Ssl  07:24   0:00 /usr/sbin/named -f -u bind
root         613  0.1  1.8  29656 18444 ?        Ss   07:24   0:01 /usr/bin/python3 /usr/bin/networkd-dispatcher --ru
root         614  0.0  1.0 238028 10564 ?        Ssl  07:24   0:00 /usr/lib/policykit-1/polkitd --no-debug
syslog       616  0.0  0.4 224492  4920 ?        Ssl  07:24   0:00 /usr/sbin/rsyslogd -n -iNONE
root         619  0.4  4.0 726824 40484 ?        Ssl  07:24   0:03 /usr/lib/snapd/snapd
root         622  0.0  0.7  17296  7836 ?        Ss   07:24   0:00 /lib/systemd/systemd-logind
root         624  0.0  1.3 395440 13560 ?        Ssl  07:24   0:00 /usr/lib/udisks2/udisksd
daemon       629  0.0  0.2   3792  2400 ?        Ss   07:24   0:00 /usr/sbin/atd -f
root         635  0.0  0.3   6808  3016 ?        Ss   07:24   0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
Debian-+     646  0.0  1.0  20580 10708 ?        Ss   07:24   0:00 /usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp
randa        655  0.0  0.0   2608   532 ?        Ss   07:24   0:00 /bin/sh -c /home/randa/THM-24765.sh
randa        657  0.0  0.3   6892  3208 ?        S    07:24   0:00 /bin/bash /home/randa/THM-24765.sh
randa        658  0.0  0.0   5476   516 ?        S    07:24   0:00 sleep 10000
root         683  0.0  0.7  12172  6992 ?        Ss   07:24   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 sta
root         684  0.0  0.2   5600  2268 ttyS0    Ss+  07:24   0:00 /sbin/agetty -o -p -- \u --keep-baud 115200,38400,
root         697  0.0  1.1 314452 11040 ?        Ssl  07:24   0:00 /usr/sbin/ModemManager
root         698  0.0  0.1   5828  1764 tty1     Ss+  07:24   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
irc          712  0.0  0.5   9012  5780 ?        Ss   07:24   0:00 /usr/sbin/inspircd --config=/etc/inspircd/inspircd
openldap     722  0.0  0.5 1159116 5440 ?        Ssl  07:24   0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap 
root         732  0.0  2.6 1318008 25948 ?       Sl   07:24   0:00 /usr/bin/ssm-agent-worker
root         770  0.1  2.0 107912 20820 ?        Ssl  07:24   0:01 /usr/bin/python3 /usr/share/unattended-upgrades/un
root         990  0.0  0.0      0     0 ?        I    07:31   0:00 [kworker/0:1-events]
root        1000  0.0  0.9  13924  9080 ?        Ss   07:36   0:00 sshd: user [priv]
user        1020  0.0  0.9  19048  9524 ?        Ss   07:36   0:00 /lib/systemd/systemd --user
root        1021  0.0  0.0      0     0 ?        I    07:36   0:00 [kworker/0:2]
user        1022  0.0  0.3 104072  3416 ?        S    07:36   0:00 (sd-pam)
user        1147  0.0  0.5  14056  5440 ?        S    07:36   0:00 sshd: user@pts/0
user        1148  0.0  0.5   8276  5108 pts/0    Ss   07:36   0:00 -bash
user        1174  0.0  0.3   9080  3572 pts/0    R+   07:38   0:00 ps -aux
root        1175  0.0  0.7  17080  7000 ?        Rs   07:38   0:00 /usr/bin/systemd-tmpfiles --clean

Answer : THM-24765.sh

TASK 4 : Windows Enumeration

What is the full OS Name?

On Windows we can view the system information with the “systeminfo” command :

PS C:\Users\user> systeminfo

Host Name:                 RED-WIN-ENUM
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          EC2
Registered Organization:   Amazon.com
Product ID:                00430-00000-00000-AA155
Original Install Date:     3/17/2021, 2:59:06 PM
System Boot Time:          8/21/2022, 7:55:30 AM
System Manufacturer:       Amazon EC2
System Model:              t3a.small
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2200 Mhz 
BIOS Version:              Amazon EC2 1.0, 10/16/2017
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Coordinated Universal Time
Total Physical Memory:     2,016 MB
Available Physical Memory: 290 MB
Virtual Memory: Max Size:  2,400 MB
Virtual Memory: Available: 692 MB
Virtual Memory: In Use:    1,708 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 30 Hotfix(s) Installed.
                           [01]: KB5015731
                           [02]: KB4470502
                           [03]: KB4470788
                           [04]: KB4480056
                           [05]: KB4486153
                           [06]: KB4493510
                           [07]: KB4499728
                           [08]: KB4504369
                           [09]: KB4512577
                           [10]: KB4512937
                           [11]: KB4521862
                           [12]: KB4523204
                           [13]: KB4535680
                           [14]: KB4539571
                           [15]: KB4549947
                           [16]: KB4558997
                           [17]: KB4562562
                           [18]: KB4566424
                           [19]: KB4570332
                           [20]: KB4577586
                           [21]: KB4577667
                           [22]: KB4587735
                           [23]: KB4589208
                           [24]: KB4598480
                           [25]: KB4601393
                           [26]: KB5000859
                           [27]: KB5015811
                           [28]: KB5012675
                           [29]: KB5014031
                           [30]: KB5014797
Network Card(s):           1 NIC(s) Installed.
                           [01]: Amazon Elastic Network Adapter
                                 Connection Name: Ethernet 3
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.1
                                 IP address(es)
                                 [01]: 10.10.30.90
                                 [02]: fe80::f8e1:5707:ebfb:4783
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed. 

Answer : Microsoft Windows Server 2019 Datacenter

What is the OS Version?

From the systeminfo command above.

Answer : 10.0.17763

How many hotfixes are installed on this MS Windows Server?

From the systeminfo output too.

Answer : 30

What is the lowest TCP port number listening on the system?

We can use the same command as on Linux to list the listening sockets (on Windows, -a shows all connections, -n keeps addresses numeric, -o adds the owning PID and -p TCP selects the protocol) :

PS C:\Users\user> netstat -ano -p TCP

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2148
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       972
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       496
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       340
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1932
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       2104
  TCP    0.0.0.0:49670          0.0.0.0:0              LISTENING       608
  TCP    0.0.0.0:49675          0.0.0.0:0              LISTENING       628
  TCP    10.10.30.90:22         10.10.120.247:57640    ESTABLISHED     2148
  TCP    10.10.30.90:53         0.0.0.0:0              LISTENING       2104
  TCP    10.10.30.90:139        0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       2104

Answer : 22

What is the name of the program listening on that port?

From the netstat output we got the PID that owns this socket, so we can look up PID 2148 :

PS C:\Users\user> ps | findstr "2148"
    121      12     1636       7628       0.03   2148   0 sshd

This can also be found with the tasklist command :

PS C:\Users\user> tasklist | findstr "2148"
sshd.exe                      2148 Services                   0      7,628 K

Answer : sshd.exe
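As an added example (not part of the original walkthrough), the Python below parses the Linux `netstat -lvanp -t` and Windows `netstat -ano -p TCP` listings from Tasks 3 and 4 offline, answers the lowest/highest-port and owning-program questions, and adds the check a defender wants: which listeners are bound beyond loopback. The sample inputs are lines copied from the outputs above; the function and class names are my own.

```python
"""Parse the netstat listings from this walkthrough (Linux `netstat -lvanp -t`
and Windows `netstat -ano -p TCP`) and report listening TCP ports, their
owner, and which ones are reachable from other hosts."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# Constructed sample: LISTEN lines taken from the walkthrough's Linux output.
LINUX_SAMPLE = """\
tcp        0      0 10.10.204.207:53        0.0.0.0:*               LISTEN      611/named
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      580/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      683/sshd: /usr/sbin
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      611/named
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      722/slapd
tcp        0      0 127.0.0.1:6667          0.0.0.0:*               LISTEN      712/inspircd
tcp        0    304 10.10.204.207:22        10.10.120.247:53368     ESTABLISHED 1000/sshd: user [pr
tcp6       0      0 fe80::e5:24ff:fe6d:7:53 :::*                    LISTEN      611/named
tcp6       0      0 :::21                   :::*                    LISTEN      635/vsftpd
"""
# Constructed sample: lines taken from the walkthrough's Windows output.
WINDOWS_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2148
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       972
  TCP    0.0.0.0:49675          0.0.0.0:0              LISTENING       628
  TCP    10.10.30.90:22         10.10.120.247:57640    ESTABLISHED     2148
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       2104
"""

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]       # None when netstat ran without -p
    program: Optional[str]   # None on Windows; resolve the PID with tasklist

def _split_hostport(endpoint: str):
    """Split on the LAST colon so IPv6 forms such as ':::21' and '::1:953'
    work. A non-numeric port means netstat ran without -n."""
    host, _, port = endpoint.rpartition(":")
    if not port.isdigit():
        raise ValueError(f"port {port!r} is a service name; rerun netstat with -n")
    return host, int(port)

def parse_netstat(text: str) -> List[Listener]:
    """Return the listening TCP sockets from Linux or Windows netstat output."""
    found: List[Listener] = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] in ("tcp", "tcp6") and len(f) >= 6 and f[5] == "LISTEN":
            host, port = _split_hostport(f[3])
            pid = prog = None
            if len(f) > 6:   # PID/Program column, present only with -p
                p, _, prog = " ".join(f[6:]).partition("/")
                pid = int(p) if p.isdigit() else None
            found.append(Listener(f[0], host, port, pid, prog or None))
        elif f[0] == "TCP" and len(f) >= 5 and f[3] == "LISTENING":
            host, port = _split_hostport(f[1])
            found.append(Listener("tcp", host, port, int(f[4]), None))
    return found

def is_exposed(addr: str) -> bool:
    """True when other hosts can reach the socket: a wildcard bind or any
    non-loopback address (link-local counts; use -W to avoid truncation)."""
    if addr in ("0.0.0.0", "::", "*", ""):
        return True
    try:
        return not ip_address(addr).is_loopback
    except ValueError:
        return True   # unparsable or truncated address: assume reachable

def summarize(listeners: List[Listener]) -> dict:
    """Lowest/highest listening port plus the exposed vs loopback-only split."""
    ports = sorted({l.port for l in listeners})
    exposed = sorted({l.port for l in listeners if is_exposed(l.addr)})
    return {"lowest": ports[0], "highest": ports[-1], "exposed": exposed,
            "local_only": [p for p in ports if p not in exposed]}

def owner_of(listeners: List[Listener], port: int):
    """(pid, program) of the first listener on `port`."""
    for l in listeners:
        if l.port == port:
            return l.pid, l.program
    return None, None
```

Running `summarize(parse_netstat(LINUX_SAMPLE))` reports 6667 as the highest port but places it, with 953, in the loopback-only group, while 21, 22, 53 and 389 are reachable from the network.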

TASK 5 : DNS, SMB, and SNMP

Knowing that the domain name on the MS Windows Server of IP 10.10.30.90 is redteam.thm, use dig to carry out a domain transfer. What is the flag that you get in the records?

To answer this question, we request a zone transfer (AXFR) with the “dig” command :

root@ip-10-10-120-247:~# dig -t AXFR redteam.thm @10.10.30.90

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> -t AXFR redteam.thm @10.10.30.90
;; global options: +cmd
redteam.thm.		3600	IN	SOA	red-win-enum. hostmaster. 5 900 600 86400 3600
redteam.thm.		3600	IN	NS	red-win-enum.
first.redteam.thm.	3600	IN	A	10.10.254.1
flag.redteam.thm.	3600	IN	TXT	"THM{DNS_ZONE}"
second.redteam.thm.	3600	IN	A	10.10.254.2
tryhackme.redteam.thm.	3600	IN	CNAME	tryhackme.com.
redteam.thm.		3600	IN	SOA	red-win-enum. hostmaster. 5 900 600 86400 3600
;; Query time: 9 msec
;; SERVER: 10.10.30.90#53(10.10.30.90)
;; WHEN: Sun Aug 21 09:31:17 BST 2022
;; XFR size: 7 records (messages 1, bytes 295)

Answer : THM{DNS_ZONE}

What is the name of the share available over SMB protocol and starts with THM?

We can list the shares with the “net share” command on the server :

PS C:\Users\user> net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
Internal     C:\Internal Files               Internal Documents
THM{829738}  C:\Users\user\Private           Enjoy SMB shares
Users        C:\Users
The command completed successfully.

Answer : THM{829738}

Knowing that the community string used by the SNMP service is public, use snmpcheck to collect information about the MS Windows Server of IP 10.10.30.90. What is the location specified?

We can query the SNMP service with the snmpcheck.rb script, redirecting the output to a file, and then open that file :

root@ip-10-10-120-247:/opt/snmpcheck# ./snmpcheck.rb 10.10.30.90 -c public > res.txt
root@ip-10-10-120-247:/opt/snmpcheck# nano res.txt 

snmpcheck.rb v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.30.90:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 10.10.30.90
  Hostname                      : RED-WIN-ENUM
  Description                   : Hardware: AMD64 Family 23 Model 1 Stepping 2 AT/AT COMPATIBLE - Software: Windows $
  Contact                       : TryHackMe
  Location                      : THM{SNMP_SERVICE}
  Uptime snmp                   : 00:44:53.68
  Uptime system                 : 00:44:39.20
  System date                   : 2022-8-21 08:40:23.8
  Domain                        : WORKGROUP

[*] User accounts:
[...]

Answer : THM{SNMP_SERVICE}

TASK 6 : More Tools for Windows

What utility from Sysinternals Suite shows the logged-in users?

Answer : PsLoggedOn

TASK 7 : Conclusion

Congratulations on finishing this room. It is time to continue your journey with the next room in this module.

No Answer.

This post is licensed under CC BY 4.0 by the author.