https://tryhackme.com/room/enumerationpe
Task 1 Introduction
Frage 1:
What command would you use to start the PowerShell interactive command line?
Antwort 1:
powershell.exe
Task 2 Purpose
Frage 1:
In SSH key-based authentication, which key does the client need?
Antwort 1:
private key
Task 3 Linux Enumeration
Frage 1:
What is the Linux distribution used in the VM?
Nachdem wir uns per SSH mit der Machine verbunden haben setzen wir unser neues Wissen gleich um:
user@red-linux-enumeration:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
Antwort 1:
Ubuntu
Frage 2:
What is its version number?
Die Antwort finden wir in der Ausgabe von Frage 1.
Antwort 2:
20.04.4
Frage 3:
What is the name of the user who last logged in to the system?
user@red-linux-enumeration:~$ last
user pts/0 10.8.1.75 Fri Sep 9 15:07 still logged in
reboot system boot 5.4.0-120-generi Fri Sep 9 14:56 still running
reboot system boot 5.4.0-120-generi Mon Jun 20 13:10 - 13:13 (00:02)
randa pts/0 10.20.30.1 Mon Jun 20 11:00 - 11:01 (00:00)
reboot system boot 5.4.0-120-generi Mon Jun 20 09:58 - 11:01 (01:03)
wtmp begins Mon Jun 20 09:58:27 2022
Antwort 3:
randa
Frage 4:
What is the highest listening TCP port number?
Hier müssen wir sudo nutzen, da wir sonst nicht alle Ergebnisse angezeigt bekommen:
user@red-linux-enumeration:~$ sudo netstat -antup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 737/slapd
tcp 0 0 127.0.0.1:6667 0.0.0.0:* LISTEN 718/inspircd
tcp 0 0 10.10.50.96:53 0.0.0.0:* LISTEN 610/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 610/named
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 582/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 686/sshd: /usr/sbin
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 610/named
tcp 0 340 10.10.50.96:22 10.8.1.75:42006 ESTABLISHED 1017/sshd: user [pr
tcp6 0 0 :::389 :::* LISTEN 737/slapd
tcp6 0 0 fe80::1e:c8ff:fef5:9:53 :::* LISTEN 610/named
tcp6 0 0 ::1:53 :::* LISTEN 610/named
tcp6 0 0 :::21 :::* LISTEN 633/vsftpd
tcp6 0 0 :::22 :::* LISTEN 686/sshd: /usr/sbin
tcp6 0 0 ::1:953 :::* LISTEN 610/named
udp 0 0 10.10.50.96:68 0.0.0.0:* 579/systemd-network
udp 0 0 0.0.0.0:161 0.0.0.0:* 640/snmpd
udp 0 0 0.0.0.0:53532 0.0.0.0:* 718/inspircd
udp 0 0 10.10.50.96:53 0.0.0.0:* 610/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 610/named
udp 0 0 127.0.0.53:53 0.0.0.0:* 582/systemd-resolve
udp6 0 0 ::1:161 :::* 640/snmpd
udp6 0 0 ::1:53 :::* 610/named
udp6 0 0 fe80::1e:c8ff:fef5:9:53 :::* 610/named
Antwort 4:
6667
Frage 5:
What is the program name of the service listening on it?
Die Antwort erhalten wir aus Frage 4.
Antwort 5:
inspircd
Frage 6:
There is a script running in the background. Its name starts with THM. What is the name of the script?
Den Prozess finden wir mit „ps -e“ und etwas suchen, da die Liste etwas länger ist.
Antwort 6:
THM-24765.sh
Task 4 Windows Enumeration
Frage 1:
What is the full OS Name?
Wir loggen uns ein und legen direkt los:
PS C:\Users\user> systeminfo
Host Name: RED-WIN-ENUM
OS Name: Microsoft Windows Server 2019 Datacenter
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: EC2
Registered Organization: Amazon.com
Product ID: 00430-00000-00000-AA155
Original Install Date: 3/17/2021, 2:59:06 PM
System Boot Time: 9/9/2022, 3:28:26 PM
System Manufacturer: Amazon EC2
System Model: t3a.small
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2200 Mhz
BIOS Version: Amazon EC2 1.0, 10/16/2017
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC) Coordinated Universal Time
Total Physical Memory: 2,016 MB
Available Physical Memory: 1,068 MB
Virtual Memory: Max Size: 2,400 MB
Virtual Memory: Available: 1,470 MB
Virtual Memory: In Use: 930 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 30 Hotfix(s) Installed.
--snip--
Antwort 1:
Microsoft Windows Server 2019 Datacenter
Frage 2:
What is the OS Version?
Die Antwort erhalten wir aus Frage 1.
Antwort 2:
10.0.17763
Frage 3:
How many hotfixes are installed on this MS Windows Server?
Die Antwort erhalten wir aus Frage 1.
Antwort 3:
30
Frage 4:
What is the lowest TCP port number listening on the system?
PS C:\Users\user> netstat -abno
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:22 0.0.0.0:0 LISTENING 1652
[sshd.exe]
--snip--
Antwort 4:
22
Frage 5:
What is the name of the program listening on that port?
Die Antwort erhalten wir aus Frage 4.
Antwort 5:
sshd.exe
Task 5 DNS, SMB, and SNMP
Frage 1:
Knowing that the domain name on the MS Windows Server of IP MACHINE_IP is redteam.thm, use dig to carry out a domain transfer. What is the flag that you get in the records?
└─$ dig -t AXFR redteam.thm @MACHINE_IP
; <<>> DiG 9.18.6-2-Debian <<>> -t AXFR redteam.thm @10.10.28.86
;; global options: +cmd
redteam.thm. 3600 IN SOA red-win-enum. hostmaster. 5 900 600 86400 3600
redteam.thm. 3600 IN NS red-win-enum.
first.redteam.thm. 3600 IN A 10.10.254.1
flag.redteam.thm. 3600 IN TXT "THM{DNS_ZONE}"
second.redteam.thm. 3600 IN A 10.10.254.2
tryhackme.redteam.thm. 3600 IN CNAME tryhackme.com.
redteam.thm. 3600 IN SOA red-win-enum. hostmaster. 5 900 600 86400 3600
;; Query time: 48 msec
;; SERVER: 10.10.28.86#53(10.10.28.86) (TCP)
;; WHEN: Fri Sep 09 17:46:42 CEST 2022
;; XFR size: 7 records (messages 1, bytes 295)
Antwort 1:
THM{DNS_ZONE}
Frage 2:
What is the name of the share available over SMB protocol and starts with THM?
Wir verbinden uns wieder per SSH mit der Machine.
PS C:\Users\user> net share
Share name Resource Remark
-------------------------------------------------------------------------------
C$ C:\ Default share
IPC$ Remote IPC
ADMIN$ C:\Windows Remote Admin
Internal C:\Internal Files Internal Documents
THM{829738} C:\Users\user\Private Enjoy SMB shares
Users C:\Users
The command completed successfully.
Antwort 2:
THM{829738}
Frage 3:
Knowing that the community string used by the SNMP service is public, use snmpcheck to collect information about the MS Windows Server of IP 10.10.28.86. What is the location specified?
Wir sind wieder auf unserem Kali Rechner und starten snmpcheck. Sollte es bei euch nicht funktionieren (wie zuerst bei mir), stellt sicher, dass ihr perl-tk installiert habt: sudo apt install perl-tk
snmpcheck MACHINE_IP -c public
Jetzt öffnet sich ein kleines GUI und snmpcheck legt los. Also in der Theorie. Die GUI Version funktioniert bei mir absolut nicht. Zum Glück gibt es auch eine Command-Line Version:
snmp-check MACHINE_IP -c public
Warnung, es dauer SEHR lange!
└─$ snmp-check 10.10.28.86 -c public
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 10.10.28.86:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 10.10.28.86
Hostname : RED-WIN-ENUM
Description : Hardware: AMD64 Family 23 Model 1 Stepping 2 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)
Contact : TryHackMe
Location : THM{SNMP_SERVICE}
Uptime snmp : 00:21:50.68
Uptime system : 00:21:30.21
System date : 2022-9-9 16:03:56.1
Domain : WORKGROUP
--snip--
Antwort 3:
THM{SNMP_SERVICE}
Task 6 More Tools for Windows
Frage 1:
What utility from Sysinternals Suite shows the logged-in users?
Antwort 1:
PsLoggedOn
Task 7 Conclusion
Keine Fragen in diesem Task.
