We covered enumerating Windows and Linux during the post-exploitation phase of a penetration test. Post-exploitation enumeration can serve many objectives, including credential harvesting, privilege escalation, persistence and data exfiltration. It includes gathering information about users, groups, installed applications, installed updates, OS and kernel version, privileges of the current user, services, running processes, scheduled tasks, network connections, etc. This was part of the TryHackMe Enumeration room in the Red Team track.
Challenge Description
This room is an introduction to enumeration when approaching an unknown corporate environment.
Video Highlights
Enumeration in the post-exploitation phase assumes that we have successfully gained some form of access to a system. Moreover, we may have carried out privilege escalation; in other words, we might have administrator or root privileges on the target system. Some of the techniques and tools discussed in this room would still provide helpful output even with an unprivileged account, i.e., not root or administrator.
Our purpose is to collect more information that will aid us in gaining more access to the target network. For example, we might find the login credentials to grant access to another system. We focus on tools commonly available on standard systems to collect more information about the target. Being part of the system, such tools look innocuous and cause the least amount of “noise”.
We assume you have access to a command-line interface on the target, such as `bash` on a Linux system or `cmd.exe` on an MS Windows system. Starting with one type of shell on a Linux system, it is usually easy to switch to another one. Similarly, starting from `cmd.exe`, you can switch to PowerShell if available.
When you gain a “shell” on the target system, you usually have very basic knowledge of the system. If it is a server, you already know which service you have exploited; however, you don’t necessarily know other details, such as usernames or network shares. Consequently, the shell will look like a “dark room” where you have an incomplete and vague knowledge of what’s around you. In this sense, enumeration helps you build a more complete and accurate picture.
The purpose of post-exploitation enumeration is to gather as much information as possible about the system and its network. The exploited system might be a company desktop/laptop or a server. We aim to collect the information that would allow us to pivot to other systems on the network or to loot the current system. The information we are interested in gathering includes:
- Users and groups
- Hostnames
- Routing tables
- Network shares
- Network services
- Applications and banners
- Firewall configurations
- Service settings and audit configurations
- SNMP and DNS details
- Hunting for credentials (saved on web browsers or client applications)
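The list above is what you would check by hand in the first minutes of a new Linux shell. The script below is an added example, not code from the TryHackMe room, that collects a few of those items with tools already present on most Linux systems (`awk`, `ss`, `ip`, `last`, `crontab`). Each collector reads from stdin, so it can parse live command output or a copy pasted from a dumb shell; the `/etc/passwd`, `ss -tlnp` and `last` samples embedded at the bottom are constructed for illustration and are not output from the room's machine.

```shell
#!/bin/sh
# Added example, not part of the TryHackMe room: a POSIX-sh helper for the first
# minutes in a new Linux shell. Every collector reads its input from stdin, so it
# works on live command output or on a captured copy pasted from a dumb shell.

# Accounts with an interactive shell (bash, sh, zsh, dash ...): the users whose
# home directories and credentials are worth hunting for.
login_users() {
    awk -F: '$7 ~ /sh$/ { print $1 ":" $3 ":" $6 }'
}

# Highest listening TCP port and the program behind it, from `ss -tlnp` output.
# Local address is column 4 ("0.0.0.0:22", "[::]:8080", "*:80"); the process
# column is only filled in for your own processes unless you are root.
highest_listen_port() {
    awk 'NR > 1 {
             n = split($4, a, ":"); p = a[n] + 0
             if (p > max) {
                 max = p; proc = "unknown"
                 if (match($NF, /"[^"]+"/)) proc = substr($NF, RSTART + 1, RLENGTH - 2)
             }
         }
         END { if (max) print max " " proc }'
}

# Most recent login from `last` output: first field of the first record.
last_login_user() {
    awk 'NR == 1 && NF > 0 { print $1 }'
}

# Run the collectors on the live system with tools that are already there, so the
# activity looks like routine administration. `ss` comes with iproute2.
enumerate_live() {
    echo "## identity";  id
    echo "## host";      hostname; uname -r
    [ -r /etc/os-release ] && { echo "## distribution"; grep -E '^(PRETTY_NAME|VERSION_ID)=' /etc/os-release; }
    echo "## login users"; login_users < /etc/passwd
    command -v ip >/dev/null 2>&1   && { echo "## routes"; ip route; }
    command -v ss >/dev/null 2>&1   && { echo "## highest listening TCP port"; ss -tlnp 2>/dev/null | highest_listen_port; }
    command -v last >/dev/null 2>&1 && { echo "## last login"; last -n 1 2>/dev/null | last_login_user; }
    echo "## scheduled tasks"; ls -l /etc/cron* 2>/dev/null; crontab -l 2>/dev/null
    return 0
}

# Constructed sample output (not from the room's machine) so the parsers can be
# exercised without a target; it is the same text you would paste from a shell.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000::/home/alice:/bin/bash'

SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=901,fd=21))
LISTEN 0      511    *:8080             *:*               users:(("python3",pid=1337,fd=5))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))'

LAST_SAMPLE='alice    pts/0        10.10.14.2       Mon Mar  4 09:12   still logged in
bob      tty1                          Sun Mar  3 18:40 - 18:55  (00:15)'

# Usage: sh enum_linux.sh --live   (anything else runs the parsers on the samples)
if [ "${1:-}" = "--live" ]; then
    enumerate_live
else
    printf '%s\n' "$PASSWD_SAMPLE" | login_users
    printf '%s\n' "$SS_SAMPLE" | highest_listen_port
    printf '%s\n' "$LAST_SAMPLE" | last_login_user
fi
```

Keeping the parsers separate from the live commands matters on a restricted shell: when `ss -p` hides process names for an unprivileged user, or `last` is unavailable because `/var/log/wtmp` is unreadable, you still get whatever the command did print, and you can run the same parsers on output copied to your own machine.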
There is no way to list everything we might stumble upon. For instance, we might find SSH keys that grant us access to other systems. In SSH key-based authentication, we generate an SSH key pair (public and private keys); the public key is installed on a server. Consequently, the server accepts any client that can prove possession of the corresponding private key, so a private key found on a compromised host (especially one without a passphrase) may log you into every server whose `authorized_keys` lists its public key.
Furthermore, we might stumble upon sensitive data saved among the user's documents or desktop directories. Think of someone who keeps a `passwords.txt` or `passwords.xlsx` instead of a proper password manager. Source code might also contain keys and passwords left lurking around, especially if the source code was never intended to be made public.
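The two paragraphs above describe three places credentials hide: SSH private keys, files named after their contents, and secrets hard-coded in source. The script below is an added example, not code from the room, with one read-only hunter for each. The directory layout, file names and contents it builds with `make_sample_tree` are constructed for illustration (the "private key" is a placeholder with only the PEM header, not a real key); point it at `/home`, `/var/www` or `/opt` on a real target instead.

```shell
#!/bin/sh
# Added example, not from the TryHackMe room: three credential hunters for a
# compromised Linux host. Each takes a directory to search and only reads; it
# never moves, copies or edits what it finds.

# SSH private keys are recognised by their PEM header, whatever the file is
# called; a key you can read that is not your own is the interesting case.
find_private_keys() {
    grep -rlsE -- '-----BEGIN ((OPENSSH|RSA|EC|DSA) )?PRIVATE KEY-----' "$1" 2>/dev/null
}

# Files whose names suggest stored secrets (passwords.txt, creds.xlsx, *.kdbx ...).
find_password_files() {
    find "$1" -type f \( -iname '*passw*' -o -iname '*cred*' -o -iname '*.kdbx' \) 2>/dev/null
}

# Hard-coded secrets in source and config. Only assignment-style lines match
# (keyword, at most three characters, then ':' or '='), which keeps ordinary
# prose that merely mentions "password" out of the results.
grep_secrets() {
    grep -rnsEi -- '(password|passwd|secret|api[_-]?key|token)[^=:]{0,3}[:=]' "$1" 2>/dev/null
}

# Constructed sample tree (not from the room's machine) so the hunters can be
# tried offline. The key file is a placeholder: header only, no key material.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/.ssh" "$d/Documents" "$d/src"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER-NOT-A-KEY' \
                  '-----END OPENSSH PRIVATE KEY-----' > "$d/.ssh/id_ed25519"
    printf '%s\n' 'ssh-ed25519 AAAA... alice@laptop' > "$d/.ssh/id_ed25519.pub"
    printf '%s\n' 'vpn: constructed-sample-password' > "$d/Documents/passwords.txt"
    printf '%s\n' 'DB_PASSWORD = "constructed"' '# remember to rotate the password' > "$d/src/settings.py"
    printf '%s\n' 'hello world' > "$d/Documents/notes.txt"
    echo "$d"
}

# Usage: sh credhunt.sh /home   (no argument: run against the constructed tree)
target="${1:-$(make_sample_tree)}"
echo "## private keys";         find_private_keys "$target"   || true
echo "## password-named files"; find_password_files "$target" || true
echo "## hard-coded secrets";   grep_secrets "$target"        || true
```

For every key the first hunter reports, `ssh-keygen -y -P '' -f <key>` tells you whether it is usable as-is: it prints the public key for an unencrypted key and fails for a passphrase-protected one. Matching that public key against `authorized_keys` files on other hosts you reach is how a key turns into a pivot.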
Room Answers
- What is its version number?
- What is the name of the user who last logged in to the system?
- What is the highest listening TCP port number?
- What is the program name of the service listening on it?
- THM
- What is the name of the script?
- Knowing that the domain name on the MS Windows Server of IP MACHINE_IP is `redteam.thm`, use `dig` to carry out a domain transfer. What is the flag that you get in the records?
- THM
- Knowing that the community string used by the SNMP service is `public`, use `snmpcheck` to collect information about the MS Windows Server of IP MACHINE_IP. What is the location specified?
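The last two questions are the two remote enumeration steps of the room: a DNS zone transfer with `dig` and an SNMP query with a known community string. The script below is an added example, not the room's own code or answers; it pairs each live command with a parser for its output. The `dig axfr` and `snmpget` outputs embedded in it are constructed samples (the flag, host names, addresses and location in them are placeholders, not the room's values), and MACHINE_IP is the room's placeholder for the target. The live commands need `dig` (dnsutils/bind-utils) and `snmpget` (net-snmp); the room's `snmpcheck` reports the same sysLocation object in its system-information summary.

```shell
#!/bin/sh
# Added example, not from the TryHackMe room: DNS zone transfer and SNMP
# sysLocation enumeration, each split into a live command and an output parser.

# Ask the name server for the whole zone (AXFR). A server that answers an
# arbitrary client is misconfigured: transfers should be limited to secondaries.
zone_transfer() {                   # zone_transfer redteam.thm MACHINE_IP
    dig axfr "$1" "@$2"
}

# Hosts from A records: the systems a zone transfer hands you for pivoting.
zone_hosts() {
    awk '!/^;/ && $4 == "A" { print $1, $5 }'
}

# First string of every TXT record, reported when it looks like a room flag.
txt_flags() {
    awk '$4 == "TXT" {
             s = $0; sub(/^[^"]*"/, "", s); sub(/".*$/, "", s)
             if (s ~ /THM[{][^}]*[}]/) print $1 " " s
         }'
}

# sysLocation is SNMPv2-MIB 1.3.6.1.2.1.1.6.0; read it with the community string.
snmp_location() {                   # snmp_location MACHINE_IP public
    snmpget -v2c -c "$2" "$1" 1.3.6.1.2.1.1.6.0
}

# net-snmp prints 'SNMPv2-MIB::sysLocation.0 = STRING: value' with MIBs installed
# and 'iso.3.6.1.2.1.1.6.0 = STRING: "value"' without them; handle both.
parse_snmp_string() {
    sed -n 's/^[^=]*= STRING: *//p' | sed 's/^"//; s/"$//'
}

# Constructed samples (placeholders, not the room's records or answers).
AXFR_SAMPLE='; <<>> DiG 9.18.1 <<>> axfr redteam.thm @MACHINE_IP
redteam.thm.        3600 IN SOA dc.redteam.thm. hostmaster.redteam.thm. 7 900 600 86400 3600
redteam.thm.        3600 IN NS  dc.redteam.thm.
dc.redteam.thm.     3600 IN A   10.0.0.10
files.redteam.thm.  3600 IN A   10.0.0.20
flag.redteam.thm.   3600 IN TXT "THM{constructed_sample_flag}"
redteam.thm.        3600 IN SOA dc.redteam.thm. hostmaster.redteam.thm. 7 900 600 86400 3600
;; Query time: 4 msec'

SNMP_SAMPLE='iso.3.6.1.2.1.1.6.0 = STRING: "Example Office"'

# Usage: sh enum_remote.sh redteam.thm MACHINE_IP public   (live)
#        sh enum_remote.sh                                  (parse the samples)
if [ "$#" -eq 3 ]; then
    out=$(zone_transfer "$1" "$2")
    printf '%s\n' "$out" | zone_hosts
    printf '%s\n' "$out" | txt_flags
    snmp_location "$2" "$3" | parse_snmp_string
else
    printf '%s\n' "$AXFR_SAMPLE" | zone_hosts
    printf '%s\n' "$AXFR_SAMPLE" | txt_flags
    printf '%s\n' "$SNMP_SAMPLE" | parse_snmp_string
fi
```

The parser keeps only the first quoted string of a TXT record; long records are split into several strings, so join them before matching if a flag could straddle the boundary. SNMP v1 and v2c send the community string in clear text, which is why a sniffed or guessed `public` string is enough here.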
Video Walkthrough