Introduction

In this post, we cover the first part of passive and active reconnaissance basics and tools: DNS reconnaissance using tools such as dig, whois and nslookup, in addition to online tools such as threat intelligence platforms. This is part of the TryHackMe Red Team pathway.

In a red team operation, you might start with no more than a company name, from which you need to start gathering information about the target. This is where reconnaissance comes into play. Reconnaissance (recon) can be defined as a preliminary survey or observation of your target (client) without alerting them to your activities. If your recon activities create too much noise, the other party would be alerted, which might decrease the likelihood of your success.

Reconnaissance can be broken down into two parts — passive reconnaissance and active reconnaissance. We will be focusing on passive reconnaissance, i.e., techniques that don’t alert the target or create ‘noise’. In later rooms, we will use active reconnaissance tools that tend to be noisy by nature.

Reconnaissance (recon) can be classified into two parts:

  1. Passive Recon: can be carried out by watching passively
  2. Active Recon: requires interacting with the target to provoke it in order to observe its response.

Passive recon doesn’t require interacting with the target. In other words, you aren’t sending any packets or requests to the target or the systems your target owns. Instead, passive recon relies on publicly available information that is collected and maintained by a third party. Open Source Intelligence (OSINT) is used to collect information about the target and can be as simple as viewing a target’s publicly available social media profile. Example information that we might collect includes domain names, IP address blocks, email addresses, employee names, and job posts. In the upcoming task, we’ll see how to query DNS records and expand on the topics from the Passive Reconnaissance room and introduce advanced tooling to aid in your recon.

Active recon requires interacting with the target by sending requests and packets and observing if and how it responds. The responses collected – or lack of responses – would enable us to expand on the picture we started developing using passive recon. An example of active reconnaissance is using Nmap to scan target subnets and live hosts. Other examples can be found in the Active Reconnaissance room. Some information that we would want to discover includes live hosts, running servers, listening services, and version numbers.

Initial Enumeration & Web Reconnaissance

I started by using an Nmap scan to identify open ports on the target machine. My initial scan revealed several open ports: 21 (FTP), 22 (SSH), 139 (NetBIOS/SMB), 445 (SMB), and 80 (HTTP). The HTTP port was the most interesting, leading me to a web server.

  • Command: nmap -sV -sC [IP_ADDRESS]

I then used Gobuster to enumerate directories on the web server, looking for hidden paths or interesting files. This revealed several directories, including /resources, /images, /css, /js, and crucially, /uploads. The /uploads directory immediately stood out as a potential vulnerability.

  • Command: gobuster dir -u http://[IP_ADDRESS] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Exploiting File Upload Vulnerability

I navigated to the /uploads directory and found that it was an empty directory, but it was writable. This suggested a file upload vulnerability. My plan was to upload a reverse shell.

I first tried to upload a simple PHP reverse shell. However, the server blocked the upload, likely due to file extension filtering. I realized I needed to bypass this filter.

I tried several common bypass techniques, such as changing the file extension to .php5, .phtml, or .phar. None of these worked.

Then, I remembered a more advanced bypass: double extensions or null byte injection. I tried uploading the shell with .php.jpg and then .php%00.jpg (using a null byte).

  • Command (conceptual for creating shell): I used a standard PHP reverse shell from Kali Linux (often found at /usr/share/webshells/php/php-reverse-shell.php). I modified it to include my attacking machine’s IP address and a listening port.

Finally, I successfully bypassed the filter by changing the filename to shell.php. (with a trailing dot). This is a common bypass for servers that strip the last extension.
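The defensive counterpart to the bypasses tried above, as an added example that is not from the room or the original post: an allowlist filename check that normalises the name the way the server and filesystem will before judging it, so trailing dots, double extensions and null bytes are all caught. The extension lists are assumptions for a PHP-enabled host.

```python
"""Allowlist filename check hardened against the upload-filter bypasses described above."""
import posixpath

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Extensions a typical PHP-enabled web server hands to the interpreter (assumed list).
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def sanitize_upload_name(raw_name):
    """Return a normalised, safe filename, or None if the upload must be rejected.

    Normalisation mirrors what the filesystem and web server will do, so the check
    judges the name the server will actually serve, not the string the client sent.
    """
    if not isinstance(raw_name, str):
        return None
    # Null bytes (raw or URL-encoded as %00) can truncate the name in lower layers.
    if "\x00" in raw_name or "%00" in raw_name.lower():
        return None
    # Strip any directory part so ../ cannot leave the uploads directory.
    name = posixpath.basename(raw_name.replace("\\", "/"))
    # Trailing dots/spaces are dropped by some servers, turning shell.php. into
    # shell.php: apply the same normalisation before deciding.
    name = name.rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return None                      # no extension at all, or a dotfile
    extensions = parts[1:]
    # Check every extension, not just the last: shell.php.jpg must fail too.
    if any(ext in SCRIPT_EXTENSIONS for ext in extensions):
        return None
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        return None
    return name
```

Storing the upload under a server-generated name (with only the allowed extension kept) is still the safer design; the check above only decides whether to accept the upload at all.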

Gaining Initial Foothold (Reverse Shell)

With the shell uploaded, I set up a Netcat listener on my attacking machine to catch the incoming connection:

  • Command: nc -lvnp [PORT] (e.g., nc -lvnp 4444)

I then navigated to the uploaded shell in my browser at http://[IP_ADDRESS]/uploads/shell.php. (trailing dot included). This executed the shell, and I received a reverse shell connection on my Netcat listener!

Once I had a shell, I immediately upgraded it to a more stable TTY shell using Python. This makes it easier to interact with the system, use sudo, and run commands like Ctrl+C.

  • Command (inside the shell): python3 -c 'import pty; pty.spawn("/bin/bash")'

I then found the user flag in the home directory of the bill user.

Privilege Escalation

To escalate my privileges to root, I first checked for files with SUID bits set, which allow a program to run with the permissions of its owner (often root).

  • Command: find / -perm -u=s -type f 2>/dev/null

This command revealed that the /usr/bin/python executable had the SUID bit set. This is a significant finding because I can leverage Python to run commands as root.

I then used a common privilege escalation technique for SUID Python binaries:

  • Command: /usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

This command executed a new shell (/bin/sh) with the -p flag, which preserves the effective user ID. Since Python was running as root due to the SUID bit, this new shell also ran as root.

I confirmed my root access:

  • Command: whoami (showed root)
  • Command: id (showed uid=0(root))

Finally, I navigated to the /root directory and retrieved the root flag, completing the machine.
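An audit check for the finding above, added here as an example and not part of the original walkthrough: it reproduces what find / -perm -u=s -type f does and then flags setuid-root files whose name is an interpreter or editor, since those should never carry the SUID bit. The interpreter list is an assumption for illustration and is not exhaustive.

```python
"""Audit setuid-root files and flag interpreters, which should never carry the SUID bit."""
import os
import stat

# Programs that run arbitrary code by design; a setuid-root copy of any of these
# hands root to every local user. Assumed list for illustration, not exhaustive.
INTERPRETERS = {"python", "perl", "ruby", "php", "node", "lua", "bash", "sh", "dash",
                "zsh", "awk", "gawk", "vim", "vi", "nano", "less", "more", "find"}


def is_setuid_root(mode, uid):
    """True when (mode, uid) describe a regular file with SUID set and owned by uid 0."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def find_setuid_root(root="/"):
    """Walk the filesystem like `find / -perm -u=s -type f` and return setuid-root paths."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # Pseudo filesystems never hold real binaries; prune them in place.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)      # lstat: do not follow symlinks
            except OSError:
                continue
            if is_setuid_root(st.st_mode, st.st_uid):
                hits.append(path)
    return hits


def flag_dangerous(paths):
    """Return the paths whose basename (minus a version suffix) is a known interpreter."""
    flagged = []
    for path in paths:
        base = os.path.basename(path).lower()
        stem = base.rstrip("0123456789.")   # python3.11 -> python
        if base in INTERPRETERS or stem in INTERPRETERS:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for hit in flag_dangerous(find_setuid_root("/")):
        print("setuid-root interpreter:", hit)
```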

This challenge was a great introduction to the typical steps in a web penetration test, from initial scanning and web enumeration to exploiting file upload vulnerabilities and escalating privileges.

I just watched a video that kicked off a new module in the TryHackMe red teaming pathway called “Initial Access,” specifically focusing on Red Team Reconnaissance. This first part covered the initial five tasks, laying the groundwork for gathering information about a target.

Understanding Reconnaissance

I learned about two main types of reconnaissance:

  • Passive Reconnaissance: This involves gathering information without directly interacting with the target. Think of it like being a detective observing from afar. Examples include using Google searches or public databases.
  • Active Reconnaissance: This is about collecting information by directly interacting with the target, such as using tools like nmap to scan a system. This can be further broken down:
    • External Active Reconnaissance: When I’m outside the target’s network.
    • Internal Active Reconnaissance: When I’m already connected to the target’s network, perhaps physically on-site or via a VPN.

Built-in Tools for Reconnaissance (DNS Enumeration)

I started by diving into DNS enumeration to gather information about domains, subdomains, DNS records, and even email addresses.

  • nslookup: I used this tool to query DNS records. I learned how to specify the type of record to query, such as MX (mail exchange), A (IPv4 address), AAAA (IPv6 address), or TXT records. If the connected DNS server doesn’t have the information, it might return a “non-authoritative answer” or no answer at all.
    • Commands:
      • nslookup THMredteam.com
      • nslookup google.com
      • nslookup cafe.thmredteam.com
      • nslookup -type=TXT google.com
      • nslookup clinic.thmredteam.com
  • dig: This is another powerful tool for extracting DNS records from public records. I could specify “any” to get all publicly available information or query specific name servers like Cloudflare’s 1.1.1.1.
    • Commands:
      • dig thmredteam.com
      • dig cafe.thmredteam.com
      • dig cafe.thmredteam.com any
      • dig @1.1.1.1 cafe.thmredteam.com
      • dig clinic.thmredteam.com any
      • dig clinic.thmredteam.com A
  • whois: I used whois to get domain registration information, including the creation date, registrar, and sometimes even owner details. I learned that even with privacy features, premium whois services might reveal historical data.
    • Commands:
      • whois cafe.thmredteam.com
      • whois THMredteam.com
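The dig commands above print their results in a fixed resource-record format, and the room's questions ask how many IPv4 and IPv6 addresses a name resolves to. As an added example (not part of the original post), the parser below reads a saved dig answer section and counts records by type; the sample output is constructed, and its addresses and TTLs are not the real records of clinic.thmredteam.com.

```python
"""Parse dig's ANSWER SECTION and count the IPv4 (A) and IPv6 (AAAA) records of a name."""
import re
from collections import Counter

# Constructed sample in the format `dig clinic.thmredteam.com any` prints.
# The TTLs and addresses are made up for illustration.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.18.1 <<>> clinic.thmredteam.com any
;; QUESTION SECTION:
;clinic.thmredteam.com.         IN      ANY

;; ANSWER SECTION:
clinic.thmredteam.com.  300     IN      A       192.0.2.10
clinic.thmredteam.com.  300     IN      A       192.0.2.11
clinic.thmredteam.com.  300     IN      AAAA    2001:db8::10
clinic.thmredteam.com.  300     IN      TXT     "v=spf1 -all"

;; Query time: 12 msec
"""

# One resource record line: NAME TTL CLASS TYPE RDATA, whitespace separated
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$")


def parse_answer_section(text):
    """Return (name, type, rdata) tuples for every record inside the ANSWER SECTION."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";"):          # any other comment or section header ends it
            in_answer = False
            continue
        if in_answer and line.strip():
            m = RR_LINE.match(line)
            if m:
                records.append((m.group("name"), m.group("type"), m.group("rdata").strip()))
    return records


def count_record_types(records):
    """Map record type -> number of records, e.g. {'A': 2, 'AAAA': 1, 'TXT': 1}."""
    return dict(Counter(rtype for _, rtype, _ in records))


def address_counts(text):
    """Answer the 'how many IPv4 / IPv6 addresses' question straight from dig output."""
    counts = count_record_types(parse_answer_section(text))
    return counts.get("A", 0), counts.get("AAAA", 0)
```

Pipe real output in with dig clinic.thmredteam.com any > answer.txt and pass the file contents to address_counts; a CNAME in the answer section is reported under its own type and is not counted as an address.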

Online Reconnaissance Tools

Beyond command-line tools, I explored some useful online platforms:

  • ViewDNS.info: This site offers various DNS tools, with its “Reverse IP Lookup” being particularly prominent. This feature can show other domains hosted on the same IP address, which is a good indicator of shared hosting. I demonstrated this by looking up cafe.thmredteam.com and my own website to see the difference between shared and dedicated hosting.
  • Threat Intelligence Platforms (e.g., pulsedive.com): These platforms go beyond basic DNS and whois data. They provide richer context like trust levels, spam scores, and even quick malware scans. I showed an example with my own domain, which displayed hosting infrastructure, MX records, connected domains (like YouTube and Facebook links), URL analysis, SSL certificate details, and malware detection status.

Google Dorking

I also delved into Google Dorking, which involves using specific Google search syntaxes (called “dorks”) to find advanced, often hidden, information.

  • Examples of dorks:
    • site:google.com: Retrieves all links containing google.com in the URL.
    • site:google.com careers: Retrieves links with google.com and the word “careers.”
    • filetype:pdf: Searches specifically for PDF files.
  • Specific dorks for TryHackMe questions:
    • To search for .xlsx files indexed for thmredteam.com: filetype:xlsx site:thmredteam.com
    • To search for files with the word “passwords” for thmredteam.com: passwords site:thmredteam.com (or more specifically, site:thmredteam.com passwords)

I also briefly mentioned other search engines like Shodan, which I’ve covered in previous videos. This video provided a solid foundation in passive reconnaissance using various tools, and I’m looking forward to the next video, which will explore more comprehensive tools like Recon-NG and Maltego.

TryHackMe Red Team Recon Answers

When was thmredteam.com created (registered)? (YYYY-MM-DD)

To how many IPv4 addresses does clinic.thmredteam.com resolve?

To how many IPv6 addresses does clinic.thmredteam.com resolve?

How would you search using Google for xls indexed for http://clinic.thmredteam.com?

How would you search using Google for files with the word passwords for http://clinic.thmredteam.com?

What is the shodan command to get your Internet-facing IP address?

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.