
The Lay of the Land

Learn about and get hands-on with common technologies and security products used in corporate environments; both host and network-based security solutions are covered.

THM Room https://tryhackme.com/room/thelayoftheland

TASK 1 : Introduction

Let’s start learning!

No Answer

TASK 2 : Deploy the VM

Let’s discuss the common network infrastructure in the next task!

No Answer

TASK 3 : Network Infrastructure

Read the above!

Open ports (not full image):

[Screenshot: Open ports]

And the ARP table:

[Screenshot: ARP table]

No Answer.

TASK 4 : Active Directory (AD) environment

Before going any further, ensure the attached machine is deployed and try what we discussed. Is the attached machine part of the AD environment? (Y|N)

The systeminfo command gives us a lot of information:

[Screenshot: Systeminfo]

[Screenshot: Systeminfo]

The information we are looking for can be filtered by piping the output to the “findstr” command:

[Screenshot: Domain]

Answer : Y

If it is part of an AD environment, what is the domain name of the AD?

Answer : thmredteam.com

TASK 5 : Users and Groups Management

Use the Get-ADUser -Filter * -SearchBase command to list the available user accounts within THM OU in the thmredteam.com domain. How many users are available?

We can use the following query in PowerShell:

Get-ADUser -Filter * -SearchBase "OU=THM,DC=THMREDTEAM,DC=COM"

[Screenshot: Get-ADUser]

Answer : 6

Once you run the previous command, what is the UserPrincipalName (email) of the admin account?

Answer : thmadmin@thmredteam.com

TASK 6 : Host Security Solution #1

Enumerate the attached Windows machine and check whether the host-based firewall is enabled or not! (Y|N)

We can verify whether the host-based firewall is enabled with the command:

Get-NetFirewallProfile | Format-Table Name, Enabled

[Screenshot: Get-NetFirewallProfile]

Answer : N

Using PowerShell cmdlets such as Get-MpThreat can provide us with threats details that have been detected using MS Defender. Run it and answer the following: What is the file name that causes this alert to record?

Running Get-MpThreat gives, in this case:

[Screenshot: Get-MpThreat]

Answer : powerview.ps1

Enumerate the firewall rules of the attached Windows machine. What is the port that is allowed under the THM-Connection rule?

We can check the firewall rules with this command:

Get-NetFirewallRule | select DisplayName, Enabled, Description

Unfortunately, this returns a lot of results:

[Screenshot: Get-NetFirewallRule]

To get a quick answer, we can pipe the output to findstr and search for the name we were given, THM-Connection:

Get-NetFirewallRule | select DisplayName, Enabled, Description | findstr "THM-Connection"

[Screenshot: THM-Connection]

Answer : lsaiso

In the next task, we will keep discussing the host security solution. I’m ready!

No Answer.

TASK 7 : Host Security Solution #2

We covered some of the common security endpoints we may encounter during the red team engagement. Let’s discuss the network-based security solutions in the next task!

Verify whether Sysmon is installed and which events are logged on the compromised endpoint:

[Screenshot: Host Security Solution]

No Answer

TASK 8 : Network Security Solutions

Read the above!

No Answer.

TASK 9 : Applications and Services

Finally, we can see it is listening on port 8080. Now try to apply what we discussed and find the port number for THM Service. What is the port number?

I started with the command wmic to search in the installed applications with the keyword “THM”, but it failed, so I just searched for a service with a “THM” filter in findstr. Then I looked for the ID of the process and finally the port on which it’s listening:

[Screenshot: THM Service port number]

Answer : 13337
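
The service to process ID to listening port chain described above, as an added PowerShell example (it is not the set of commands from the original screenshot). The function name Get-ServiceListeningPort is hypothetical, and the '*THM*' pattern assumes the service name or display name contains "THM" as in this room:

```powershell
# Added example: map services to the TCP ports their processes listen on.
# Get-ServiceListeningPort is a hypothetical name; '*THM*' assumes the
# service name or display name contains "THM", as in this room.
function Get-ServiceListeningPort {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$NamePattern    # wildcard, matched against Name and DisplayName
    )

    # Win32_Service carries the PID of the hosting process (0 if not running).
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $NamePattern -or $_.DisplayName -like $NamePattern }

    foreach ($svc in $services) {
        $listeners = @()
        if ($svc.ProcessId -ne 0) {
            # Listening TCP sockets owned by that PID. Services sharing one
            # svchost.exe share a PID, so ports may belong to a sibling service.
            $listeners = @(Get-NetTCPConnection -State Listen `
                -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue)
        }
        # Emit one row even when nothing is listening, so stopped or
        # non-networked services still show up in the result.
        if ($listeners.Count -eq 0) { $listeners = @($null) }

        foreach ($l in $listeners) {
            [pscustomobject]@{
                Service      = $svc.Name
                State        = $svc.State
                ProcessId    = $svc.ProcessId
                LocalAddress = $l.LocalAddress
                LocalPort    = $l.LocalPort
                BinaryPath   = $svc.PathName
            }
        }
    }
}

Get-ServiceListeningPort -NamePattern '*THM*' |
    Sort-Object Service, LocalPort |
    Format-Table -AutoSize
```

The same output works as a host inventory check: any row with a LocalAddress of 0.0.0.0 or :: is reachable from the network rather than only from localhost.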

Visit the localhost on the port you found in Question #1. What is the flag?

Just curl localhost on that port:

curl 127.0.0.1:13337

[Screenshot: Flag 1]

Answer : THM{S3rv1cs_1s_3numerat37ed}

Now enumerate the domain name of the domain controller, thmredteam.com, using the nslookup.exe, and perform a DNS zone transfer. What is the flag for one of the records?

Let’s look at the DNS records with nslookup:

[Screenshot: Flag 2]

Answer : THM{DNS-15-Enumerated!}

TASK 10 : Conclusion

Hope you enjoyed the room and keep learning!

No Answer.

This post is licensed under CC BY 4.0 by the author.