
Enumeration
This guide contains the answers for the Enumeration room and the steps necessary to get to them.
Table of contents
- Introduction
- Purpose
- Linux Enumeration
- Windows Enumeration
- DNS, SMB, and SNMP
- More Tools for Windows
Introduction
- What command would you use to start the PowerShell interactive command line?
The answer can be found in the text.
Click for answer
powershell.exe
Purpose
- In SSH key-based authentication, which key does the client need?
The answer can be found in the text.
Click for answer
Linux Enumeration
- What is the name of the Linux distribution used in the VM?
Checking for release files gives us a file we should read.
```console
ls -lh /etc/*-release
cat /etc/os-release
```
Click for answer
Ubuntu
- What is its version number?
This can be found with the previous command.
Click for answer
20.04.4
- What is the name of the user who last logged in to the system?
To get the last user logged into the system we run `last`.
Click for answer
randa
- What is the highest listening TCP port number?
To get this we should use `netstat` together with `-lnt`. Without `-n` it will resolve the IPs and ports to names; with it we get the numerical values.
```console
netstat -lnt
```
Click for answer
6667
- What is the program name of the service listening on it?
To get the program associated with the port, we must add `-p` and run netstat with sudo.
```console
sudo netstat -lntp
```
Click for answer
inspircd
- There is a script running in the background. Its name starts with THM. What is the name of the script?
To list running programs and filter on the script we can use:
```console
ps -aux | grep THM
```
Click for answer
THM-24765.sh
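The two netstat questions above can be answered without reading the table by eye. The script below is an added example, not part of the original walkthrough: the sample output is constructed (not captured from the room VM), and the function names `sample_netstat` and `listen_port` are hypothetical. It goes slightly beyond the text by also handling IPv6 sockets, output produced without `-p` or sudo, and a `min` mode.

```shell
#!/bin/sh
# Constructed sample of `sudo netstat -lntp` output (not from the room VM).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      512/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd: /usr/sbin
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      688/inspircd
tcp6       0      0 :::22                   :::*                    LISTEN      701/sshd: /usr/sbin
tcp6       0      0 :::80                   :::*                    LISTEN      -
EOF
}

# Reads `netstat -lnt[p]` text on stdin and prints "port program" for the
# highest (mode "max") or lowest (mode "min") listening TCP port.
listen_port() {
    awk -v mode="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")          # port follows the LAST colon (IPv6-safe)
            port = a[n] + 0
            prog = "unknown"               # no -p column, or "-" when run without sudo
            if ($7 != "" && $7 != "-") {
                prog = $7
                sub(/^[0-9]+\//, "", prog) # drop the "PID/" prefix
                sub(/:$/, "", prog)        # "sshd:" -> "sshd"
            }
            if (!seen || (mode == "max" && port > best) ||
                         (mode == "min" && port < best)) {
                best = port; name = prog; seen = 1
            }
        }
        END { if (seen) print best, name; else exit 1 }
    '
}

# On a live host: sudo netstat -lntp | listen_port max
sample_netstat | listen_port max
```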
Windows Enumeration
- What is the full OS Name?
Use `systeminfo` to find this information.
Click for answer
Microsoft Windows Server 2019 Datacenter
- What is the OS Version?
This can be found with the previous command.
Click for answer
10.0.17763
- How many hotfixes are installed on this MS Windows Server?
We can use `wmic` for this.
```console
wmic qfe get Caption,Description
wmic qfe get Caption,Description | Measure-Object -Line
```
The second command should give us the number of updates applied. We must, however, subtract one from this number, as it will include the column header.

Click for answer
- What is the lowest TCP port number listening on the system?
For this we should use `netstat`. Use -n to list the numerical values.
Click for answer
22
- What is the name of the program listening on that port?
In the previous image we can see the binary that is associated with that port.
Click for answer
sshd.exe
DNS, SMB, and SNMP
- Knowing that the domain name on the MS Windows Server of IP 10.10.150.82 is redteam.thm, use dig to carry out a domain transfer. What is the flag that you get in the records?
The dig command must be executed on the attackbox itself.
```console
dig -t AXFR redteam.thm @10.10.223.16
```
Click for answer
THM{DNS_ZONE}
- What is the name of the share available over SMB protocol and starts with THM?
To see the available shares, we can use `net share`.
Click for answer
THM{829738}
- Knowing that the community string used by the SNMP service is public, use snmpcheck to collect information about the MS Windows Server of IP 10.10.150.82. What is the location specified?
Again, this command will be run on our attackbox.
```console
snmpcheck 10.10.223.16 -c public
```
Click for answer
THM{SNMP_SERVICE}
More Tools for Windows
- What utility from Sysinternals Suite shows the logged-in users?
The answers can be found in the text.
Click for answer
PsLoggedOn