THM | Enumeration

Red Teaming | Enumeration | Summary:

This room is designed to introduce learners to post-exploitation enumeration techniques within unknown corporate environments.

It covers both Linux and Windows systems, detailing various methods for gathering system information, identifying users, understanding networking configurations, and listing running services.

The room also explores DNS, SMB, and SNMP protocols, along with additional tools like Sysinternals Suite, Process Hacker, and GhostPack Seatbelt, specifically for Windows enumeration.


Disclaimer

Please note that this write-up is NOT intended to replace the original room or its content, but rather to serve as supplementary material for those who are stuck and need additional guidance. This walkthrough provides one (of the many) possible solutions to the challenges, without revealing any flags or passwords directly.

Task | 1 | Introduction

This session focuses on post-exploitation enumeration, aimed at expanding access and information gathering after initial system entry. The goal is to use various tools and techniques to escalate privileges and gather data from compromised systems.

Key Points

  • Assumptions | Access to a system is already gained, potentially with escalated privileges (e.g., admin or root access) | shell to the target
  • PrivEsc Tools | scripts like WinPEAS for Windows and LinPEAS for Linux to facilitate privilege escalation
  • Enumeration Techniques | Focuses on collecting information such as user credentials, system configurations, and network details using common tools that appear benign

Question 1: What command would you use to start the PowerShell interactive command line?

powershell.exe

Task | 2 | Purpose

The session focuses on gathering extensive information from a compromised system using enumeration techniques. After gaining access to a shell, the goal is to expand knowledge beyond the initial entry point.

Key Points

  • Initial Access and Shell | Gaining access typically provides limited knowledge of the system, akin to navigating in a "dark room."
  • Purpose of Enumeration | To gather information crucial for further actions, such as accessing other network systems or exfiltrating data.
  • Data Collection | Targets include
    • user identities | users, groups
    • network configurations | hostnames, routing tables, network shares, firewall configurations, SNMP and DNS details
    • services | network services, service settings and audit configurations
    • applications | applications and banners
    • potential credentials | SSH keys, plain text passwords, credentials saved on web browsers or client applications

This process is integral to post-exploitation activities, enabling attackers to maximize access and loot from a compromised system.

Question 1: In SSH key-based authentication, which key does the client need?

private key

Task | 3 | Linux Enumeration

System

Information about the distribution and release version

ls /etc/*-release
cat /etc/os-release

System's name/hostname

hostname

Interesting files/directories

cat /etc/passwd
cat /etc/group
# contains the hashed passwords | requires root privileges
sudo cat /etc/shadow

# mail directory
ls -lh /var/mail/

Applications

# to find the installed applications
ls -lh /usr/bin/
# or
ls -lh /sbin/

Packages

# rpm-based linux systems
# -qa: query all packages
rpm -qa

# debian-based linux systems
dpkg -l

Users

# revealing usernames > /etc/passwd

# who is logged in
# pts/<id> usually means a remote logon (e.g. over SSH)
# tty<id> usually means a direct (console) logon
who

# print your effective user id
whoami

# check who is logged in and what they are doing
w

# get the real and effective user and group IDs
id

# check the last logons, who | when | how long
last

# check the allowed commands for the invoking user on the current system
sudo -l

Networking

# check the ip address
ip address show
# or
ip a s
# or simply
ip a

# dns servers
cat /etc/resolv.conf

Quote | Port Scan vs Netstat

"One might think that using nmap before gaining access to the target machine would have provided a comparable result. However, this is not entirely true. Nmap needs to generate a relatively large number of packets to check for open ports, which can trigger intrusion detection and prevention systems. Furthermore, firewalls across the route can drop certain packets and hinder the scan, resulting in incomplete Nmap results."

netstat | to learn about network connections, routing tables, and interface statistics

  • Note | to get all the information > run it as root
  • -a | show both listening and non-listening sockets
  • -l | show only listening sockets
  • -n | show numeric output instead of resolving the IP address and port number
  • -t | TCP
  • -u | UDP
  • -x | UNIX
  • -p | Show the PID and name of the program to which the socket belongs
    # show programs listening on tcp sockets
    netstat -plt
    # to display all the PIDs and program names (requires root)
    sudo netstat -plt

    # show all tcp and udp listening and established connections and the program names with addresses and ports in numeric format
    sudo netstat -atupn
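The listening-socket questions later in this task come down to reading the netstat table. As an added example (not part of the room), this Python parser pulls (port, PID, program) for every listening TCP socket; it goes slightly beyond the room by handling both the Linux `netstat -ltnp` layout above and the Windows `netstat -ano` layout used in Task 4, including IPv6 sockets and the `-` shown when you lack the privilege to see the owner. The sample output below is constructed.

```python
import re

def parse_listening_tcp(output: str):
    """Return [(port, pid, program)] for listening TCP sockets, sorted by port.
    Accepts Linux `netstat -ltnp` and Windows `netstat -ano` output.
    pid/program are None when netstat could not show them (unprivileged: '-')."""
    rows = []
    for line in output.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("tcp"):
            continue                                   # headers, udp, blank lines
        state_idx = next((i for i, t in enumerate(tokens)
                          if t in ("LISTEN", "LISTENING")), None)
        if state_idx is None:
            continue                                   # ESTABLISHED, TIME_WAIT, ...
        local = tokens[state_idx - 2]                  # field before the foreign address
        port = int(local.rsplit(":", 1)[1])            # 0.0.0.0:22, :::22 and [::]:22 all work
        pid = prog = None
        owner = " ".join(tokens[state_idx + 1:])       # Linux "700/sshd", Windows "1208", or "-"
        m = re.fullmatch(r"(\d+)(?:/(.+))?", owner)
        if m:
            pid, prog = int(m.group(1)), m.group(2)
        rows.append((port, pid, prog))
    return sorted(rows)

def highest_listening_port(output: str):
    """The (port, pid, program) tuple with the highest port, or None if nothing listens."""
    rows = parse_listening_tcp(output)
    return rows[-1] if rows else None

# constructed sample output, in the shape of `sudo netstat -ltnp` on Linux
SAMPLE_LINUX = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      700/sshd
tcp6       0      0 :::6667                 :::*                    LISTEN      812/inspircd
"""

# constructed sample output, in the shape of `netstat -ano` on Windows
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       1208
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.0.2.10:3389        192.0.2.77:51234       ESTABLISHED     512
"""
```

Running it as root (or with the Windows `-b` flag output fed in) fills the program column; unprivileged Linux output still yields ports but leaves owners as None.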

Listing Open Files | lsof

  • Note | run with sudo for more detailed info about the processes
# display only internet and network connections
sudo lsof -i
# filter for a specific port | here: smtp 25
sudo lsof -i :25

Running Services

ps | report a snapshot of the current processes

  • -e | select all processes
  • -f | full-format
  • -l | long-format
  • -j | jobs format
  • -u | user-oriented format
  • -a | select all processes (except session leaders and processes not associated with a terminal)
  • -x | lift the BSD style "must have a tty" restriction
    # list every process on the system | various formats
    ps -e
    ps -ef
    ps -el

    # print a process tree | more visual
    ps axjf
    # print all the running processes
    ps aux

    # filter output for a specific user
    ps -ef | grep peter

Q & A

SSH Credentials

  • username | user
  • password | THM6877

Connect to the target box with ssh: ssh user@<targetbox-ip> and input the provided password ("THM6877") when prompted.

Question 1: What is the name of the Linux distribution used in the VM?

Ubuntu

Check for "NAME" in the output.

cat /etc/*-release

Question 2: What is its version number?

20.04.4

Check for "DISTRIB_DESCRIPTION" in the output.

cat /etc/*-release

Question 3: What is the name of the user who last logged in to the system?

randa

Use the only one besides you and the user "reboot".

last

Question 4: What is the highest listening TCP port number?

6667

Make sure to use -n to display the ports in numerical values.

netstat -ltn

Question 5: What is the program name of the service listening on it?

inspircd

You need elevated privileges (i.e. "root") for this. Use the same password as the one that was provided ("THM6877").

sudo netstat -ltnp

Question 6: There is a script running in the background. Its name starts with THM. What is the name of the script?

THM-24765.sh

List all the current processes and filter for the string "THM".

ps aux | grep "THM"

Task | 4 | Windows Enumeration

System

: get detailed information about the system
: build number | installed patches
systeminfo

: check installed updates | can give you an idea how quickly systems are being patched and updated
wmic qfe get Caption,Description

: check installed and started windows services
net start

: check only on installed apps
wmic product get name,version,vendor

Users

: check who you are logged in as
whoami
: check your privileges
whoami /priv

: check which groups you belong to
whoami /groups

: check users on the system
net user

: check groups on the system
: if the system is a Windows Domain Controller > net group
net group
: if only a local machine > net localgroup
net localgroup

: list users belonging to the local administrator's group
net localgroup administrators

: check local setting on the machine
: min/max pwd age/length | lockout policy | computer role | etc...
net accounts
: if the machine belongs to a domain
net accounts /domain

Networking

: check the systems network configuration
ipconfig
: check all network-related settings
ipconfig /all

Quote | Port Scan vs Netstat

"You might think that you can get an identical result by port scanning the target system; however, this is inaccurate for two reasons. A firewall might be blocking the scanning host from reaching specific network ports. Moreover, port scanning a system generates a considerable amount of traffic, unlike netstat, which makes zero noise."

netstat | network connections, routing tables, interface statistics, etc...

  • -a | all listening ports
  • -b | display binary involved in the connection
  • -n | avoid resolving ip addresses
  • -o | display process IDs (PID)
    : all listening with involved binary and pid | do not resolve ips
    netstat -abno

arp | discover other systems on the local network

  • -a | show current ARP entries
    # check for systems on the same LAN
    arp -a

Q & A

SSH Credentials

  • username | user
  • password | THM33$$88

Connect to the target box with ssh: ssh user@<targetbox-ip> and input the provided password ("THM33$$88") when prompted.

Question 1: What is the full OS Name?

Microsoft Windows Server 2019 Datacenter

Use systeminfo and look for "OS Name".

Question 2: What is the OS Version?

10.0.17763

Use systeminfo and look for "OS Version".

Question 3: How many hotfixes are installed on this MS Windows Server?

30

Use systeminfo and look for "Hotfix(s)".

Question 4: What is the lowest TCP port number listening on the system?

22

Use netstat and filter for TCP connections.

netstat -an -p tcp

Question 5: What is the name of the program listening on that port?

sshd.exe

Simply add the -b flag to the previous query.

netstat -anb -p tcp

Task | 5 | DNS, SMB, and SNMP

DNS Zone Transfer

"A DNS zone transfer is a mechanism that allows a secondary DNS server to replicate the DNS database from a primary DNS server. This process ensures that the secondary server has an identical copy of the DNS database, enabling it to take over DNS resolution if the primary server fails. Zone transfers are typically performed using the DNS protocol (UDP or TCP on port 53) and involve the transfer of DNS zone files, which contain mappings between domain names and IP addresses, as well as other DNS record types. It's important to note that zone transfers should be restricted to authorized secondary servers to prevent unauthorized access and potential DNS spoofing attacks."

DNS

DNS zone transfer | get a 'copy' of all the records a DNS server is responsible for answering

  • Note | depending on the DNS server configuration, DNS zone transfer might be restricted
    # dns zone transfer attempt

    # -t AXFR: requesting a zone transfer
    # @DNS_SERVER: the server we want to query regarding the records related to the specified DOMAIN_NAME
    dig -t AXFR DOMAIN_NAME @DNS_SERVER
    # example
    dig -t AXFR redteam.thm @<targetbox-ip>
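The quote above says transfers should be restricted to authorised secondaries; from a host that should not be allowed to transfer, the expected answer is a refusal. The following stdlib-only Python check is an added example, not part of the room: it sends the same AXFR request that `dig -t AXFR` does over TCP/53 and classifies the server's first reply from its header (RCODE and answer count). The server and zone are arguments you supply; the byte strings in the comments are constructed.

```python
import socket
import struct

QTYPE_AXFR = 252       # zone transfer request, the same query type `dig -t AXFR` sends
RCODE_REFUSED = 5      # REFUSED: the server declines to serve the transfer to this client

def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Wire-format DNS message asking for an AXFR of `zone` (no TCP length prefix yet)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)          # flags 0, one question
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_AXFR, 1)      # QTYPE AXFR, QCLASS IN

def classify_response(msg: bytes) -> str:
    """Inspect only the header of the first response message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    if rcode == RCODE_REFUSED:
        return "refused"           # the expected result for an unauthorised client
    if rcode == 0 and ancount > 0:
        return "transferred"       # zone data came back: the transfer ACL is too permissive
    return f"other(rcode={rcode}, answers={ancount})"   # e.g. NXDOMAIN (3), NOTAUTH (9)

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def check_axfr(server: str, zone: str, timeout: float = 5.0) -> str:
    """AXFR runs over TCP/53; every message carries a 2-byte big-endian length prefix."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return classify_response(_recv_exact(sock, length))

if __name__ == "__main__":
    import sys
    print(check_axfr(sys.argv[1], sys.argv[2]))   # e.g. check_axfr("<dns-server-ip>", "redteam.thm")
```

A server that simply closes the connection without answering raises ConnectionError, which for audit purposes is also a non-transfer.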

SMB

: check for shared folders
net share

SNMP

  • General | Simple Network Management Protocol (SNMP)
    • designed to help collect information about different devices on the network
    • holds information about various network events
  • snmpcheck | simple tool to query servers related to SNMP
    • Note | on kali > snmpcheck (GUI) | snmp-check (CLI)
    # example usage on the attackbox | located at /opt/snmpcheck/
    /opt/snmpcheck/snmpcheck.rb 10.10.121.106 -c COMMUNITY_STRING

    # install instructions
    git clone https://gitlab.com/kalilinux/packages/snmpcheck.git
    cd snmpcheck/
    gem install snmp
    chmod +x snmpcheck-1.9.rb

Q & A

SSH Credentials

  • username | user
  • password | THM33$$88

Connect to the target box with ssh: ssh user@<targetbox-ip> and input the provided password ("THM33$$88") when prompted.

Question 1: Knowing that the domain name on the MS Windows Server of IP <targetbox-ip> is redteam.thm, use dig to carry out a domain transfer. What is the flag that you get in the records?

<flag>

Try carrying out a domain transfer (on your attackbox). The flag can be found in the "TXT" records related to "flag.redteam.thm.".

dig -t AXFR redteam.thm @<targetbox-ip>

Question 2: What is the name of the share available over SMB protocol and starts with THM?

<flag>

Use net share on the targetbox you are connected to via SSH. The share we are interested in here maps to "c:\users\user\private" and its "Remark" reads "Enjoy SMB shares".

Question 3: Knowing that the community string used by the SNMP service is public, use snmpcheck to collect information about the MS Windows Server of IP <targetbox-ip>. What is the location specified?

<flag>

Let's first verify it by scanning both the TCP and UDP ports related to SNMP. The TCP port seems to be filtered, while the UDP port is wide open.

┌──(kali㉿kali)-[~]
└─$ nmap -sS -sU -p 161 10.10.121.106
...<OMITTED-FOR-BREVITY>...
PORT STATE SERVICE
161/tcp filtered snmp
161/udp open snmp
...<OMITTED-FOR-BREVITY>...

Since TCP seems to be filtered, let's try disabling TCP enumeration (-d flag) in our first try.

snmp-check -c public -d <targetbox-ip>

The flag appears right at the beginning in the "System information" Section mapped to the "Location" record.

[+] Try to connect to 10.10.121.106:161 using SNMPv1 and community 'public'
[+] TCP connections enumeration disabled

[*] System information:
...<OMITTED-FOR-BREVITY>...
Description : Hardware: AMD64 Family 23 Model 1 Stepping 2 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)
Contact : TryHackMe
Location : THM{<flag>}
...<OMITTED-FOR-BREVITY>...

Task | 6 | More Tools for Windows

Sysinternals Suite

  • complete list of utilities
  • a group of command-line and GUI utilities and tools
  • freely available
  • Process Explorer | shows the processes along with the open files and registry keys
  • Process Monitor | monitor the file system, processes, and registry
  • PsList | information about processes
  • PsLoggedOn | logged-in users

Process Hacker

  • efficient and reliable MS Windows GUI tool
  • information about running processes and related active network connections
  • info about system resource utilization (cpu, memory, disk, network)
  • freely available

GhostPack Seatbelt

  • part of the GhostPack collection
  • written in C#
  • not officially released in binary > compile it yourself using MS Visual Studio

Question 1: What utility from Sysinternals Suite shows the logged-in users?

PsLoggedOn

Task | 7 | Conclusion

Question 1: Congratulations on finishing this room. It is time to continue your journey with the next room in this module.

No answer needed