Thank you very much am03bam4n for this awesome experience and all the content you have created on TryHackMe. You got me highly motivated to continue my open learning paths!
TryHackMe User: 0xb0b
Initial Recon
In the initial reconnaissance, the three public-facing servers were scanned using Nmap.
All three servers are running a web server, which will be interesting.
Nmap was run with the flags -sT (TCP connect scan), -sV (version detection) and -sC (default scripts).
WEB 10.200.XXX.13
┌──(0xb0b㉿kali)-[~]
└─$ nmap -sT -sV -sC 10.200.103.13
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 05:37 EDT
Nmap scan report for 10.200.103.13
Host is up (0.061s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 30ef2e2674c471405ef72e354b91b814 (RSA)
| 256 370dcaf79c78d47ed1cac2c5275cb553 (ECDSA)
|_ 256 dd6ea494852ce7ab19acdbce54689d7a (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.89 seconds
VPN 10.200.XXX.12
┌──(0xb0b㉿kali)-[~]
└─$ nmap -sT -sV -sC 10.200.103.12
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 05:38 EDT
Nmap scan report for 10.200.103.12
Host is up (0.070s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e275e6b20f4ba886dccddd911f12b161 (RSA)
| 256 e01568d4735cd6de7d9f9b4cbe9584b3 (ECDSA)
|_ 256 35c9f1745f021bbdefe8c8d252f2fe12 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: VPN Request Portal
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.43 seconds
Mail 10.200.XXX.11
┌──(0xb0b㉿kali)-[~]
└─$ nmap -sT -sC 10.200.103.11
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 05:40 EDT
Nmap scan report for 10.200.103.11
Host is up (0.063s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 f36c52d27fe90e1cc1c7ac962cd1ec2d (RSA)
| 256 c2563cedc4b069a8e7ad3c310505e985 (ECDSA)
|_ 256 d3e5f07375d520d9c0bb4199e7afa000 (ED25519)
25/tcp open smtp
| smtp-commands: MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp open http
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
110/tcp open pop3
|_pop3-capabilities: USER TOP UIDL
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
|_imap-capabilities: CAPABILITY QUOTA IMAP4 ACL CHILDREN completed RIGHTS=texkA0001 OK SORT NAMESPACE IDLE IMAP4rev1
445/tcp open microsoft-ds
587/tcp open submission
| smtp-commands: MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
3306/tcp open mysql
| mysql-info:
| Protocol: 10
| Version: 8.0.31
| Thread ID: 18
| Capabilities flags: 65535
| Some Capabilities: IgnoreSpaceBeforeParenthesis, ODBCClient, InteractiveClient, ConnectWithDatabase, Support41Auth, Speaks41ProtocolOld, LongPassword, SwitchToSSLAfterHandshake, FoundRows, SupportsTransactions, IgnoreSigpipes, SupportsLoadDataLocal, Speaks41ProtocolNew, LongColumnFlag, DontAllowDatabaseTableColumn, SupportsCompression, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: 0*\x01Q\x0EH\x05\x12N8Lt~<Awv\x12\x05
|_ Auth Plugin Name: caching_sha2_password
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_8.0.31_Auto_Generated_Server_Certificate
| Not valid before: 2023-01-10T07:46:11
|_Not valid after: 2033-01-07T07:46:11
3389/tcp open ms-wbt-server
|_ssl-date: 2023-05-27T09:40:06+00:00; -4s from scanner time.
| ssl-cert: Subject: commonName=MAIL.thereserve.loc
| Not valid before: 2023-01-09T06:02:42
|_Not valid after: 2023-07-11T06:02:42
| rdp-ntlm-info:
| Target_Name: THERESERVE
| NetBIOS_Domain_Name: THERESERVE
| NetBIOS_Computer_Name: MAIL
| DNS_Domain_Name: thereserve.loc
| DNS_Computer_Name: MAIL.thereserve.loc
| DNS_Tree_Name: thereserve.loc
| Product_Version: 10.0.17763
|_ System_Time: 2023-05-27T09:40:07+00:00
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
|_clock-skew: mean: -3s, deviation: 0s, median: -3s
| smb2-time:
| date: 2023-05-27T09:40:11
|_ start_date: N/A
Nmap done: 1 IP address (1 host up) scanned in 32.93 seconds
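As an added example (not part of the original writeup), a small Python parser for the Nmap normal-output format shown in the three scans above: it collects the port table per host and flags the NSE script findings a defender would act on. The sample input is a constructed, trimmed copy of the mail-server report, and the WATCH phrase list is an assumed selection of findings, not something Nmap provides.

```python
import re

# Constructed excerpt that mirrors the normal-output format of the scans above
# (a trimmed copy of the mail-server report, not a new scan).
SAMPLE = """\
Nmap scan report for 10.200.103.11
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
Nmap done: 1 IP address (1 host up) scanned in 32.93 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumed list of NSE script phrases a defender should act on, mapped to the fix they point at.
WATCH = {
    "Potentially risky methods: TRACE": "disable the TRACE method on the web server",
    "Message signing enabled but not required": "require SMB signing on the host",
}

def parse_nmap(text):
    """Parse Nmap normal output into one dict per host: address, ports, findings."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                                   # a new host report starts here
            hosts.append({"address": m.group(1), "ports": [], "findings": []})
            continue
        if not hosts:                           # banner lines before the first report
            continue
        m = PORT_RE.match(line)
        if m:                                   # port table row; version column only present with -sV
            port, proto, state, service, version = m.groups()
            hosts[-1]["ports"].append((int(port), proto, state, service, version or ""))
            continue
        if line.startswith("|"):                # NSE script output line
            body = line.lstrip("|_ ")
            for phrase, fix in WATCH.items():
                if phrase in body:
                    hosts[-1]["findings"].append((phrase, fix))
    return hosts

def open_ports(host):
    """Sorted list of open port numbers for one parsed host."""
    return sorted(p for p, _, state, _, _ in host["ports"] if state == "open")
```

Feeding it the three reports above (e.g. saved with -oN) gives one summary per host, with the TRACE and SMB-signing findings on the mail server surfaced next to their remediation.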