The Lay of the Land
Room Link: https://tryhackme.com/room/thelayoftheland
Active Directory (AD) environment
The output of systeminfo provides information about the machine, including the operating system name and version, the hostname, and other hardware information, as well as the AD domain.
Victim(cmd)
systeminfo | findstr Domain

Users and Groups Management
Use the Get-ADUser -Filter * -SearchBase command to list the available user accounts within the THM OU in the thmredteam.com domain. How many users are available?
Victim(powershell)
Get-ADUser -Filter * -SearchBase "OU=THM,DC=THMREDTEAM,DC=COM"

Once you run the previous command, what is the UserPrincipalName (email) of the admin account?

Host Security Solution #1
Enumerate the attached Windows machine and check whether the host-based firewall is enabled or not! (Y|N)
Victim(powershell)
Get-NetFirewallProfile | Format-Table Name, Enabled

PowerShell cmdlets such as Get-MpThreat can provide details of threats that have been detected by MS Defender. Run it and answer the following: What is the file name that caused this alert to be recorded?
Victim(powershell)
Get-MpThreat

Enumerate the firewall rules of the attached Windows machine. What is the port that is allowed under the THM-Connection rule?
Victim(powershell)
Get-NetFirewallRule | select DisplayName, Enabled, Description

Host Security Solution #2
Victim(powershell)
net start

Victim(powershell)
wmic service where "name like 'THM Service'" get Name,PathName

Victim(powershell)
Get-Process -Name thm-service

Victim(powershell)
netstat -noa | findstr "LISTENING" | findstr "2784"
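
The four steps above (running services, binary path, process, listening port) can be chained into one pass. This is an added example, not part of the original notes: the function name Get-ServiceListener is hypothetical, and 'THM Service' is the service name taken from the wmic step.

```powershell
# Added example: map a Windows service to its process and listening TCP ports.
# Get-ServiceListener is a hypothetical helper name, not a built-in cmdlet.
function Get-ServiceListener {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ServiceName
    )

    # Filter client-side so the name is never spliced into a WQL string.
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -eq $ServiceName }
    if (-not $svc) {
        Write-Warning "Service '$ServiceName' not found."
        return
    }
    # A stopped service reports ProcessId 0, so there is nothing to map.
    if ($svc.State -ne 'Running' -or $svc.ProcessId -eq 0) {
        Write-Warning "Service '$ServiceName' is not running (state: $($svc.State))."
        return
    }

    $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue

    # Listening sockets belong to the process; services that share one host
    # process (svchost.exe) cannot be told apart at this level.
    $listeners = Get-NetTCPConnection -State Listen -OwningProcess $svc.ProcessId `
        -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Warning "PID $($svc.ProcessId) has no listening TCP sockets."
        return
    }

    foreach ($l in $listeners) {
        [pscustomobject]@{
            Service      = $svc.Name
            PathName     = $svc.PathName
            ProcessId    = $svc.ProcessId
            ProcessName  = $proc.ProcessName
            LocalAddress = $l.LocalAddress
            LocalPort    = $l.LocalPort
        }
    }
}

# Service name as used in the wmic step of these notes.
Get-ServiceListener -ServiceName 'THM Service' | Format-Table -AutoSize
```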

Visit the localhost on the port you found in Question #1. What is the flag?

Now enumerate the domain name of the domain controller, thmredteam.com, using nslookup.exe, and perform a DNS zone transfer. What is the flag for one of the records?
Victim(powershell)
nslookup.exe
> server 10.10.119.90
> ls -d thmredteam.com


