TryHackMe Walkthrough: ICE

Defensive Capabilities
3 min read · Mar 19, 2021
Image Credit — TryHackMe

Hello, and welcome.

This is the first in a series of write-ups where I plan to take you through various rooms from TryHackMe.

How will my write-ups differ from the rest?

Well, although many of the write-ups I’ve seen are very good, I find that most of them lack important information and don’t provide a thorough enough explanation of why or how they did what they did.

If you’re like me, you like to ask questions such as “how did you know where to go next?” or “why did you use that specific command?”.

Sure, you could just blindly copy and paste the commands into the command line, blitz through the box, and collect your cool badge. But how much do you actually learn from doing that? Don’t get me wrong, I’ve been guilty of doing that from time to time, and I’ve found myself googling for a write-up in search of a quick win, but I don’t think that is a useful learning experience.

I have two simple intentions for my write-ups — first, to provide the reader with an easy-to-follow walkthrough of each box, and second, to explain why you are doing what you are doing at each step. Hopefully, I can not only help you through some boxes, but also help you connect some dots in the process.

Enjoy — ML

Task 2 — Recon

“Launch a scan against our target machine, I recommend using a SYN scan set to scan all ports on the machine. The scan command will be provided as a hint, however, it’s recommended to complete the room ‘Nmap’ prior to this room. ”

~# nmap -sS -p- 10.10.118.1

Command Output: [screenshot of the Nmap results]

Let’s break this command down so that we can understand what’s going on:

  • “nmap” — Invokes nmap, the “Network Mapper”.
  • “-sS” — TCP SYN Scan (Stealth Scan).

A TCP SYN scan, also known as a half-open scan, is one of the more popular types of scan because it can be performed quickly, scanning thousands of ports per second, whilst being relatively unobtrusive compared with a full connect scan (the target’s applications never see a completed connection, though a firewall or IDS watching the packets still can). Because Nmap crafts the SYN packets itself rather than using the operating system’s connect() call, this scan type needs root (raw-socket) privileges, which is why the command above is run from a root prompt.

It’s known as a half-open scan because the TCP connection is never fully established: Nmap sends a SYN, an open port answers with SYN/ACK, and Nmap then replies with a RST instead of the ACK that would complete the three-way handshake (a closed port answers with RST straight away, and no reply at all suggests the port is filtered). The exchange is shown in the image below:

TCP SYN Scan: Image Credit — Infosec Institute

  • “-p-” — Scan TCP ports 1–65535

Plain English Command: I want Nmap to perform a TCP SYN scan on TCP ports 1–65535 against 10.10.118.1.
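The flip side of the half-open behaviour described above is what a defender looks for: one source sending bare SYNs to many ports on one host and never completing a handshake. The following is an added example, not part of the original walkthrough or of TryHackMe’s material; it assumes flow-style records with source, destination, destination port and TCP flags (as a firewall or network sensor might export), and the records below are constructed to mirror a scan of 10.10.118.1.

```python
"""Flag a TCP SYN (half-open) scan from connection-attempt records.

Added example. The record format (src, dst, dport, flags) is an assumption
about what a firewall or flow sensor exports; all records are constructed.
"""
from collections import defaultdict

# Constructed sample: one scanner (10.10.0.5) probes 40 ports on 10.10.118.1
# with a bare SYN and tears the open one down with RST instead of ACKing,
# while a normal RDP client (10.10.0.9) completes the handshake.
SAMPLE_RECORDS = [
    {"src": "10.10.0.5", "dst": "10.10.118.1", "dport": p, "flags": "S"}
    for p in range(1, 41)
] + [
    {"src": "10.10.0.5", "dst": "10.10.118.1", "dport": 3389, "flags": "R"},
    {"src": "10.10.0.9", "dst": "10.10.118.1", "dport": 3389, "flags": "S"},
    {"src": "10.10.0.9", "dst": "10.10.118.1", "dport": 3389, "flags": "A"},
]

SCAN_THRESHOLD = 20  # distinct half-open ports from one source to one host


def half_open_ports(records):
    """Map (src, dst) -> set of ports that got a bare SYN but never an ACK."""
    syn = defaultdict(set)
    acked = defaultdict(set)
    for r in records:
        key = (r["src"], r["dst"])
        if r["flags"] == "S":          # SYN only: start of a handshake
            syn[key].add(r["dport"])
        elif "A" in r["flags"]:        # ACK from the client completes it
            acked[key].add(r["dport"])
    return {k: ports - acked.get(k, set()) for k, ports in syn.items()}


def detect_syn_scans(records, threshold=SCAN_THRESHOLD):
    """Return (src, dst, half_open_count) for pairs that look like a scan."""
    hits = []
    for (src, dst), ports in half_open_ports(records).items():
        if len(ports) >= threshold:
            hits.append((src, dst, len(ports)))
    return hits


if __name__ == "__main__":
    for src, dst, n in detect_syn_scans(SAMPLE_RECORDS):
        print(f"possible SYN scan: {src} -> {dst}, {n} half-open ports")
```

The threshold is deliberately simple; in practice you would also window the records by time so a slow scan spread over hours is not lost in the noise.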

“Once the scan completes, we’ll see a number of interesting ports open on this machine. As you might have guessed, the firewall has been disabled (with the service completely shut down), leaving very little to protect this machine. One of the more interesting ports that is open is Microsoft Remote Desktop (MSRDP). What port is this open on?”

Answer — Port 3389

Let’s dig into this a little further to see why this would pique our interest.

ms-wbt-server is the service name Nmap reports for TCP port 3389 (Microsoft Windows Based Terminal server), the port used by Windows Remote Desktop (RDP).

RDP is interesting to us because it provides full interactive remote sessions on the machine over the network; with the firewall disabled, an exposed RDP service is a direct remote-login surface that is only as strong as the credentials protecting it.

To be continued…
