• Let's start learning! 

No Answer

• Let's discuss the common network infrastructure in the next task! 

No Answer

• Read the above!

Open ports (not full image) :

And the ARP table :

No Answer.

• Before going any further, ensure the attached machine is deployed and try what we discussed. Is the attached machine part of the AD environment? (Y|N)

Systeminfo command gives us many informations :

The info we are looking for can be filtered by piping the output with the "findstr" command :

Answer : Y

• If it is part of an AD environment, what is the domain name of the AD?

Answer : thmredteam.com

• Use the Get-ADUser -Filter * -SearchBase command to list the available user accounts within THM OU in the thmredteam.com domain. How many users are available?

We can use the following crafted query in powershell :

Get-ADUser -Filter * -SearchBase "OU=THM,DC=THMREDTEAM,DC=COM"

Answer : 6

• Once you run the previous command, what is the UserPrincipalName (email) of the admin account?

Answer : [email protected]

• Enumerate the attached Windows machine and check whether the host-based firewall is enabled or not! (Y|N)

We can verify if host-based firewall is enabled by the comand :

Get-NetFirewallProfile | Format-Table Name, Enabled

Answer : N

• Using PowerShell cmdlets such Get-MpThreat can provide us with threats details that have been detected using MS Defender. Run it and answer the following: What is the file name that causes this alert to record?

Executing the command Get-MpThreat, we have in this case :

Answer : powerview.ps1

• Enumerate the firewall rules of the attached Windows machine. What is the port that is allowed under the THM-Connection rule?

We can checked the firewall rules with this command :

Get-NetFirewallRule | select DisplayName, Enabled, Description

Unfortunetely, this return lots of results :

To get a quick response we can pipe the output by searching the information we have : THM-Connection

Get-NetFirewallRule | select DisplayName, Enabled, Description | findstr "THM-Connection"

Answer : lsaiso

• In the next task, we will keep discussing the host security solution. I'm ready!

No Answer.

• We covered some of the common security endpoints we may encounter during the red team engagement. Let's discuss the network-based security solutions in the next task!

Verify if sysmon is installed and which events are log on the compromised endpoint :

No Answer

• Read the above!

No Answer.

• Finally, we can see it is listening on port 8080. Now try to apply what we discussed and find the port number for THM Service. What is the port number?

I started with the command wmic to search in the installed applications with the keyword "THM" but it failed so just searched for service with "THM" filter in findstr.  Then i looked for the id or the process and finally the port on which it's listening :

Answer : 13337

• Visit the localhost on the port you found in Question #1. What is the flag?

Just curl the localhost :

curl 127.0.0.1:13337

Answer : THM{S3rv1cs_1s_3numerat37ed}

• Now enumerate the domain name of the domain controller, thmredteam.com, using the nslookup.exe, and perform a DNS zone transfer. What is the flag for one of the records?

Let's look on dns record with nslookup :

Answer : THM{DNS-15-Enumerated!}