Title | The Lay of the Land |
---|---|
Description | Learn about and get hands-on with common technologies and security products used in corporate environments; both host and network-based security solutions are covered. |
Difficulty | Easy |
Maker | tryhackme |
Task 1: Introduction
This room introduces commonly-used concepts, technologies, and security products that we need to be aware of.
In this room, the assumption is that we have already gained access to the machine, and we are ready to expand our knowledge of the environment by enumerating the following:
- Network infrastructure
- Active Directory Environment
- Users and Groups
- Host-based security solutions
- Network-based security solutions
- Applications and services
Task 2: Deploy the VM
Deploy the machine and access it over RDP with:
xfreerdp /v:10.10.184.154 /u:kkidd
Task 3: Network Infrastructure
Upon accessing an unknown network, the goal is to identify the network layout and potential targets. Enumeration of the compromised machine is key for understanding the system, services, and network.
Network Segmentation:
- Divides a network into multiple subnets for better security and management.
- Helps prevent unauthorized access to sensitive assets like customer data.
VLANs:
- Used in network segmentation to address issues like network broadcasting and enhance security.
- Devices within the same VLAN can only communicate with each other.
Internal Networks:
- Segmented based on the importance of devices and data accessibility.
- Used to control traffic, improve performance, and enhance security.
- Internal networks facilitate internal communication, collaboration, and operational tools.
DMZ (Demilitarized Zone):
- Adds a security layer by placing a subnetwork between the public internet and internal networks.
- Used to handle public services like web, DNS, FTP, and VPN while isolating untrusted traffic.
Network Enumeration:
- Involves discovering networking aspects such as TCP/UDP ports, routing tables, and ARP tables.
- Use commands like `netstat -na` to list active connections and listening ports, and `arp -a` to reveal the ARP table.
- Helps identify internal services like DNS, web servers, and custom apps for further exploitation.
Internal Network Services:
- These services, such as internal DNS or web servers, are only accessible within the network. After gaining access, these services become available for further actions, such as lateral movement or privilege escalation.
Answer
No Answer Needed!
Task 4: Active Directory (AD) Environment
Active Directory (AD) Environment Overview:
- AD is a Windows-based directory service for centralized management of authentication and authorization in internal networks. It stores essential data on users, computers, printers, etc.
- AD Data includes user details (job title, phone number, passwords, permissions) and network resources.
Key Components:
- Domain Controllers (DC):
- Windows servers that manage AD services, control domains, and handle user/group policies.
- DCs store valuable information, making them prime targets for attackers.
- Organizational Units (OUs):
- Containers in the AD domain with hierarchical structures for organizing objects.
- AD Objects:
- Users: Security principals allowed to authenticate.
- Computers: Treated as special user accounts.
- GPOs (Group Policy Objects): Policies applied to other AD objects.
- AD Domains:
- Collections of AD components within the network.
- AD Forest:
- A collection of AD domains that trust each other.
- AD Service Accounts:
- Built-in local users, domain users, and managed service accounts.
- Domain Administrators:
- Manage access, users, and resources across the domain.
AD Enumeration:
- After gaining initial access, discovering an AD environment is critical for red teamers.
- AD environments provide vast amounts of information useful for lateral movement.
Checking AD Environment:
- Use the `systeminfo` command in the Command Prompt to check if a machine is part of an AD environment:
systeminfo | findstr Domain
- If the output shows a domain name (e.g., Domain: thmdomain.com), the machine is part of AD.
- If "WORKGROUP" appears, it indicates a local workgroup, not AD.
Answers
- Before going any further, ensure the attached machine is deployed and try what we discussed. Is the attached machine part of the AD environment? (Y|N)
Y
- If it is part of an AD environment, what is the domain name of the AD?
thmredteam.com
Task 5: Users and Group Management
Active Directory Users and Groups Overview:
When gaining initial access to a compromised machine in an AD environment, understanding the user accounts and groups is crucial. These accounts have different roles, permissions, and access levels.
Common Active Directory Account Types:
- Built-in Local User Accounts:
- Manage systems locally, not part of the AD environment.
- Domain User Accounts:
- Have access to AD services and resources managed by AD.
- Managed Service Accounts:
- Limited domain user accounts with higher privileges to manage AD services.
- Domain Administrators:
- High-privilege user accounts with control over AD configurations, users, permissions, and more.
Important AD Administrator Accounts:
- BUILTIN\Administrator: Local admin access on a domain controller.
- Domain Admins: Admin access to all resources in the domain.
- Enterprise Admins: Only available in the AD forest root, powerful in multi-domain environments.
- Schema Admins: Can modify AD schema/domain/forest (useful for attackers).
- Server Operators: Can manage domain servers.
- Account Operators: Can manage non-privileged user accounts.
AD Enumeration:
Once inside the AD environment, use PowerShell to enumerate users and groups.
PowerShell Commands for AD Enumeration:
- List all AD users:
Get-ADUser -Filter *
- List users in a specific Organizational Unit (OU): use the `-SearchBase` option to search within a specific Common Name (CN) or OU:
Get-ADUser -Filter * -SearchBase "CN=Users,DC=THMREDTEAM,DC=COM"
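The OU enumeration above, extended into one added PowerShell function that is not part of the room: it lists every user in the OU and flags those that are members of the privileged groups named in this task, which is the report a defender wants when auditing an OU. It assumes the ActiveDirectory (RSAT) module is installed and reuses the room's OU and domain names as defaults.

```powershell
# Added example, not part of the room. Requires the ActiveDirectory module;
# the default SearchBase is the room's THM OU, adjust it for your own domain.
Import-Module ActiveDirectory

function Get-OuPrivilegedUserReport {
    param(
        [string]$SearchBase = 'OU=THM,DC=thmredteam,DC=com',
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                        'Administrators', 'Server Operators', 'Account Operators')
    )

    # Resolve membership of each privileged group once; -Recursive expands nested groups.
    # Enterprise/Schema Admins only exist in the forest root, so missing groups are skipped.
    $privileged = @{}
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $privileged[$_.distinguishedName] += @($group) }
    }

    # Same query as the task, with the attributes an auditor cares about added
    Get-ADUser -Filter * -SearchBase $SearchBase `
               -Properties UserPrincipalName, LastLogonDate, PasswordNeverExpires |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                UserPrincipalName    = $_.UserPrincipalName
                Enabled              = $_.Enabled
                PasswordNeverExpires = $_.PasswordNeverExpires
                LastLogonDate        = $_.LastLogonDate
                PrivilegedGroups     = ($privileged[$_.DistinguishedName] -join ', ')
            }
        }
}

$report = Get-OuPrivilegedUserReport
"Users in OU: $(@($report).Count)"
# Privileged accounts living in an ordinary OU are the rows to review first
$report | Where-Object { $_.PrivilegedGroups } | Format-Table -AutoSize
```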
Answers:
- Use the `Get-ADUser -Filter * -SearchBase` command to list the available user accounts within the THM OU in the thmredteam.com domain. How many users are available?
- Answer:
6
- Once you run the previous command, what is the UserPrincipalName (email) of the admin account?
DistinguishedName : CN=THM Admin,OU=THM,DC=thmredteam,DC=com
Enabled : True
GivenName : THM
Name : THM Admin
ObjectClass : user
ObjectGUID : 8974cd3d-9bf0-4c43-ac7d-068413fb462c
SamAccountName : thmadmin
SID : S-1-5-21-1966530601-3185510712-10604624-1124
Surname : Admin
UserPrincipalName : thmadmin@thmredteam.com
- Answer:
thmadmin@thmredteam.com
Task 6: Host Security Solution #1
Host Security Solutions in Corporate Networks:
When conducting red team engagements, it’s essential to enumerate and understand the security measures in place on the host, such as antivirus software, firewalls, and intrusion detection systems. Staying aware of these tools helps minimize detection during the engagement.
Key Host Security Solutions:
- Antivirus Software (AV):
- Antivirus is used to detect and prevent malicious software from executing on the host. Detection methods include:
- Signature-based detection: Matches files against a database of known malware signatures.
- Heuristic-based detection: Analyzes files for suspicious properties, often using machine learning.
- Behavior-based detection: Monitors real-time execution behavior, such as unusual registry changes or processes.
PowerShell command to enumerate antivirus software:
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
- Microsoft Windows Defender:
- A built-in security tool that leverages machine learning and big data analysis. It operates in three modes:
- Active mode: Primary antivirus.
- Passive mode: Secondary antivirus when a 3rd-party AV is present.
- Disable mode: Disabled or uninstalled.
Check Windows Defender status:
Get-Service WinDefend
Get-MpComputerStatus | select RealTimeProtectionEnabled
- Host-based Firewall:
- Firewalls control inbound and outbound traffic, protecting the host from unauthorized access. Modern firewalls use packet analysis and can block traffic based on application-layer data.
Check firewall status:
Get-NetFirewallProfile | Format-Table Name, Enabled
Disable firewall profiles (if admin privileges are available):
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
Test network connection through the firewall:
Test-NetConnection -ComputerName 127.0.0.1 -Port 80
- Host-based Intrusion Detection/Prevention Systems (HIDS/HIPS):
- These monitor and respond to suspicious activities on the host. HIDS detects and logs potential attacks, while HIPS attempts to block or prevent malicious behavior.
- Endpoint Detection and Response (EDR):
- EDR solutions continuously monitor and collect data from endpoints to detect and respond to advanced threats. They provide enhanced visibility and allow rapid detection and response to security incidents.
By understanding these host security solutions, red teamers can identify potential obstacles during their engagement. Each security feature can block or detect malicious activity, and knowledge of their presence allows attackers to better evade detection or disable defenses when needed.
Answers:
- Enumerate the attached Windows machine and check whether the host-based firewall is enabled or not! (Y|N)
N
- Using PowerShell cmdlets such as Get-MpThreat can provide us with details of threats that have been detected by MS Defender. Run it and answer the following: What is the file name that caused this alert to be recorded?
PowerView.ps1
- Enumerate the firewall rules of the attached Windows machine. What is the port that is allowed under the THM-Connection rule?
17337
- In the next task, we will keep discussing the host security solution. I’m ready!
no answer needed
Task 7: Host Security Solution #2
Host Security Solutions Overview
- Security Event Logging and Monitoring:
- Operating systems log events that can be monitored by administrators. Logs cover applications, system, security, and services.
- Use PowerShell to list available logs:
Get-EventLog -List
- In corporate environments, log agents gather data from sensors for security analysis.
- System Monitor (Sysmon):
- Sysmon logs events like process creation, network connections, and file modifications, useful for detecting malicious activity.
- Check for Sysmon:
Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }
Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"
Get-Service | Where-Object { $_.DisplayName -like "*sysm*" }
- Check registry for Sysmon:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
- Check Sysmon config:
findstr /si '<ProcessCreate onmatch="exclude">' C:\tools\*
- Host-based Intrusion Detection/Prevention Systems (HIDS/HIPS):
- HIDS detects suspicious activities but doesn’t prevent them. Uses signature-based or anomaly-based methods.
- HIPS prevents attacks by monitoring logs, processes, and system resources. It integrates antivirus, firewalls, and behavior analysis.
- Endpoint Detection and Response (EDR):
- EDR detects threats like malware, ransomware, and exploit chains in real-time, providing advanced protection.
- Common EDR software: Cylance, Crowdstrike, Symantec, SentinelOne.
- Check for security products:
- Tools like `Invoke-EDRChecker` or `SharpEDRChecker` can enumerate antivirus, EDR, and logging products by analyzing file metadata, services, and drivers.
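The checks from Tasks 6 and 7, as one added PowerShell function that is not part of the room: it collects registered AV products, Defender state, firewall profiles and Sysmon presence into a single object a defender can baseline and diff across hosts. It assumes the commonly documented Security Center productState layout (bit 0x1000 set means the product is enabled) and needs no admin rights for these read-only calls.

```powershell
# Added example, not part of the room: one inventory object instead of six ad-hoc commands.
# Assumption: productState bit 0x1000 = product enabled (commonly documented, verify per vendor).
function Get-HostDefenseInventory {
    # Antivirus products registered with Windows Security Center (not present on server SKUs)
    $av = @()
    $products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        $av += [pscustomobject]@{
            Name         = $p.displayName
            ProductState = '0x{0:X6}' -f $p.productState   # raw value kept for manual decoding
            Enabled      = ($p.productState -band 0x1000) -ne 0
        }
    }

    # Defender service state and real-time protection; the Mp cmdlets exist only where Defender is installed
    $defSvc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $rtp = $null
    if ($defSvc -and $defSvc.Status -eq 'Running' -and (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        $rtp = (Get-MpComputerStatus).RealTimeProtectionEnabled
    }

    # Firewall profiles: a disabled profile is the finding worth alerting on
    $fw = Get-NetFirewallProfile | Select-Object Name, Enabled
    $disabled = ($fw | Where-Object { $_.Enabled.ToString() -ne 'True' }).Name

    # Sysmon: the service-description check from the room, plus the event channel itself,
    # which is still present when the service binary has been renamed
    $sysmonSvc = Get-CimInstance Win32_Service -Filter "Description = 'System Monitor service'"
    $sysmonLog = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Antivirus                = $av
        DefenderService          = if ($defSvc) { $defSvc.Status.ToString() } else { 'NotInstalled' }
        RealTimeProtection       = $rtp
        FirewallProfiles         = $fw
        DisabledFirewallProfiles = $disabled
        SysmonPresent            = [bool]($sysmonSvc -or $sysmonLog)
    }
}

Get-HostDefenseInventory | Format-List
```

Run it on a known-good build once and keep the output; a later run with a new disabled profile or a missing Sysmon channel is the change worth investigating.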
Task 8: Network Security Solutions
Network security solutions protect clients and devices in a network from malicious activities using both software and hardware. Key components include:
- Network Firewall:
- Filters untrusted traffic based on rules and policies before allowing access to the network.
- Types of firewalls include packet-filtering, proxy, NAT, and web application firewalls.
- Security Information and Event Management (SIEM):
- SIEM aggregates log data, monitors events, and analyzes them in real-time to detect threats.
- Key SIEM functions: log management, event analytics, incident monitoring, security alerts, and compliance reporting.
- Common SIEM products: Splunk, LogRhythm, SolarWinds, Datadog.
- Intrusion Detection/Prevention Systems (IDS/IPS):
- IDS: Monitors network traffic and alerts on abnormal behaviors or known threats, requiring human or software action.
- IPS: Automatically accepts or rejects network packets based on predefined rules.
- Common IDS/IPS products: Palo Alto Networks, Cisco, McAfee NSP, Trend Micro, Suricata.
These solutions help secure internal systems, detect advanced threats, and mitigate attacks such as DDoS, phishing, and data exfiltration.
Task 9: Applications and Services
This task covers system enumeration, focusing on:
- Installed Applications
- Services and Processes
- Sharing Files and Printers
- Internal Services (DNS, Local Web Applications)
1. Installed Applications
To enumerate installed applications, use the wmic command:
wmic product get name,version
To list hidden files on the user's desktop:
Get-ChildItem -Hidden -Path C:\Users\kkidd\Desktop\
2. Services and Processes
To list running services, use:
net start
To get detailed information about a specific service:
wmic service where "name like 'THM Demo'" get Name,PathName
To check the process details:
Get-Process -Name thm-demo
To list listening ports:
netstat -noa | findstr "LISTENING" | findstr "3212"
Key Questions and Answers
- Port Number for THM Service:
- Answer: 13337
- Visit localhost on that port:
- Flag: THM{S3rv1cs_1s_3numerat37ed}
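The service-to-port chain above (wmic, Get-Process, netstat), as one added PowerShell function that is not part of the room: it resolves a service name to its process and the TCP ports that process is listening on, which is the same lookup a defender runs to confirm that an unexpected listener belongs to a known service. The service name 'THM Demo' is taken from the room; the WQL pattern accepts % as a wildcard.

```powershell
# Added example, not part of the room: service name -> process -> listening TCP ports.
function Get-ServiceListeningPorts {
    param([Parameter(Mandatory)][string]$ServiceName)   # WQL LIKE pattern, % is the wildcard

    $services = Get-CimInstance Win32_Service -Filter "Name LIKE '$ServiceName'"
    foreach ($svc in $services) {
        # A stopped service reports ProcessId 0; skip the lookup rather than matching System's sockets
        $ports = @()
        if ($svc.ProcessId -ne 0) {
            $ports = Get-NetTCPConnection -OwningProcess $svc.ProcessId -State Listen -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
        }
        [pscustomobject]@{
            Service        = $svc.Name
            State          = $svc.State
            ProcessId      = $svc.ProcessId
            BinaryPath     = $svc.PathName
            ListeningPorts = ($ports -join ',')
        }
    }
}

# Usage with the room's service; '%' would list every service and its listeners
Get-ServiceListeningPorts -ServiceName 'THM Demo' | Format-List
```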
3. Internal Services: DNS
To attempt a DNS zone transfer using nslookup.exe, first point it at the target DNS server:
> server 10.10.184.154
Then request the zone transfer:
> ls -d thmredteam.com
Key Question
- Flag for one of the DNS records:
- Answer: THM{DNS-15-Enumerated!}
Task 10: Conclusion
This room is an introduction to client systems in corporate environments. The student should have a better understanding of how clients are used in a corporate network including:
- Network Infrastructure
- AD environment
- security measures (HIPS, AV, etc.)
- Internal applications and services
Answer:
No Answer Needed!