TL;DR walkthrough of two more of the rooms in the Cybersecurity 101 Pathway.
https://tryhackme.com/room/logsfundamentals
https://tryhackme.com/room/firewallfundamentals
THM Walkthroughs:
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
I am almost done with the Cybersecurity 101 pathway. Most of the rooms just involve reading up on fundamental knowledge and answering questions, but a few rooms, like the two in this walkthrough, involve using a VM to find answers. I worked out some queries for logs and firewall rules so I figured I would post them here. I might be checking this myself a year from now.
A former co-worker asked me recently how to find the username that tends to login to a given computer. They had been provided a list of computer names and were trying to locate them. I whipped up something real quick, tested it out, and shot it to them.
$Computers = Get-Content List.txt
ForEach ($Computer in $Computers) {
    Write-Host "These are the last 10 logins to $Computer."
    # Invoke-Command needs WinRM enabled on the target and a principal allowed to read the Security log.
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        # Event ID 4624 = successful logon. Filtering inside Get-WinEvent is far cheaper than
        # reading the whole Security log and then piping it through Where-Object.
        # Events come back newest first, so -MaxEvents 10 is the last ten logons.
        $Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 10
        ForEach ($Event in $Events) {
            # Properties[5] is TargetUserName. Note that 4624 also covers network, service and
            # machine-account logons; Properties[8] (LogonType, 2 = interactive, 10 = RDP) tells them apart.
            $Event.Properties[5].Value
        }
    }
    Write-Host " "
    Write-Host " "
}
That query came in handy in the Logs Fundamentals room.
Logs Fundamentals Room
— — Task 1 — -
Where can we find the majority of attack traces in a digital system?
logs
— — Task 2 — -
Which type of logs contain information regarding the incoming and outgoing traffic in the network?
Network Logs
Which type of logs contain the authentication and authorization events?
Security Logs
— — Task 3 — -
What is the name of the last user account created on this system?
xfreerdp /v:10.10.99.153 /u:Administrator /p:logs\@123 /dynamic-resolution
Get-WinEvent -Path "$env:SystemRoot\System32\Winevt\Logs\Security.evtx" | Where-Object {($_.Id -eq "4720")} | Select-Object -First 1 | Select-Object *
hacked
Which user account created the above account?
Administrator
On what date was this user account enabled? Format: M/D/YYYY
(Get-WinEvent -Path "$env:SystemRoot\System32\Winevt\Logs\Security.evtx" | Where-Object {($_.Id -eq "4722") -and ($_.Message -like "*hacked*")} | Select-Object -First 1 | Select-Object *).TimeCreated
Friday, June 7, 2024 12:56:27 PM, which is 6/7/2024 in the format the question asks for.
Did this account undergo a password reset as well? Format: Yes/No
Get-WinEvent -Path "$env:SystemRoot\System32\Winevt\Logs\Security.evtx" | Where-Object {($_.Id -eq "4724") -and ($_.Message -like "*hacked*")} | Select-Object *
Yes
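The three Task 3 questions are really one question: what happened to this account, in what order, and who did it. As an added example (my own, not the room's or the original post's code), here is a function that pulls the account-lifecycle events (4720 created, 4722 enabled, 4724 password reset, 4725 disabled, 4726 deleted, 4738 changed) for one user into a single timeline. It reads the named fields out of each event's XML instead of guessing at Properties[n] positions, which differ between event IDs. The function name Get-AccountLifecycle is mine, and it assumes you are running as Administrator on the box (or have read access to Security.evtx) and pass the account name, here "hacked" from the task above.

```powershell
# Added example: one timeline for an account instead of three separate queries.
# Get-AccountLifecycle is a name chosen here, not a built-in cmdlet.
function Get-AccountLifecycle {
    param(
        [Parameter(Mandatory)] [string] $TargetUser,
        [string] $LogPath = "$env:SystemRoot\System32\Winevt\Logs\Security.evtx"
    )

    # Security event IDs that describe an account's lifecycle.
    $EventNames = @{
        4720 = 'Created'
        4722 = 'Enabled'
        4724 = 'Password reset'
        4725 = 'Disabled'
        4726 = 'Deleted'
        4738 = 'Changed'
    }

    # Filtering on Id inside Get-WinEvent is much cheaper than Where-Object over every event.
    # -ErrorAction SilentlyContinue suppresses the "No events were found" error on a clean log.
    Get-WinEvent -FilterHashtable @{ Path = $LogPath; Id = [int[]]$EventNames.Keys } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData fields by name from the event XML. TargetUserName is the account
            # acted on; SubjectUserName is the account that performed the action.
            $Data = ([xml]$_.ToXml()).Event.EventData.Data
            $Fields = @{}
            ForEach ($d in $Data) { $Fields[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Action  = $EventNames[[int]$_.Id]
                Target  = $Fields['TargetUserName']
                Subject = $Fields['SubjectUserName']
            }
        } |
        Where-Object { $_.Target -eq $TargetUser } |
        Sort-Object Time
}

# Usage: one table answers "who created it", "when was it enabled" and "was the password reset".
Get-AccountLifecycle -TargetUser 'hacked' | Format-Table -AutoSize
```

The Time column is a DateTime, so for the M/D/YYYY answer format pipe through `Select-Object @{n='Date'; e={$_.Time.ToString('M/d/yyyy')}}` or just read it off the table. Sorting by Time matters: Get-WinEvent returns newest first, and reading a creation/enable/reset sequence backwards is an easy way to misattribute who did what.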
— — Task 4 — -
I was going to use PowerShell and ‘Get-Content <filename> | Select-String <what we’re looking for>’ but the log file was rather small. I simply opened it in Notepad and used Ctrl + F to find the answers.
What is the IP which made the last GET request to URL: “/contact”?
10.0.0.1
When was the last POST request made by IP: “172.16.0.1”?
06/Jun/2024:13:55:44
Based on the answer from question number 2, to which URL was the POST request made?
/contact
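Ctrl + F works for a small file, but the same three questions on a real access log need a parser. As an added example (mine, not the room's file or the original post's code), here is a PowerShell parser for the Apache/nginx combined log format the task file uses, run over a handful of constructed sample lines. The sample lines are made up for this post, so the values they produce are not the room's answers; the queries underneath are the ones that would produce them against the real file. ConvertFrom-AccessLog is a name chosen here, not a built-in cmdlet.

```powershell
# Added example: parse combined-format access log lines into objects, then query them.
# The log lines below are constructed for illustration and are not the room's data.
$SampleLog = @'
10.0.0.1 - - [06/Jun/2024:13:52:01 +0000] "GET /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.16.0.1 - - [06/Jun/2024:13:53:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"
192.168.1.20 - - [06/Jun/2024:13:54:30 +0000] "GET /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.16.0.1 - - [06/Jun/2024:13:55:44 +0000] "POST /contact HTTP/1.1" 200 128 "-" "curl/8.0"
10.0.0.1 - - [06/Jun/2024:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'@ -split '\r?\n'

# Combined log format: client ip, ident, user, [timestamp tz], "METHOD url proto", status, bytes, ...
$Pattern = '^(?<ip>\S+) \S+ \S+ \[(?<time>[^ \]]+) (?<tz>[^\]]+)\] "(?<method>[A-Z]+) (?<url>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\S+)'

function ConvertFrom-AccessLog {
    param([string[]] $Lines)
    ForEach ($Line in $Lines) {
        # Lines that do not match (blank lines, truncated entries) are skipped rather than crashing the parse.
        if ($Line -match $Pattern) {
            [pscustomobject]@{
                Ip     = $Matches.ip
                # Parse the timestamp as a real DateTime so sorting is chronological, not lexical.
                Time   = [datetime]::ParseExact($Matches.time, 'dd/MMM/yyyy:HH:mm:ss', [cultureinfo]::InvariantCulture)
                Tz     = $Matches.tz
                Method = $Matches.method
                Url    = $Matches.url
                Status = [int]$Matches.status
            }
        }
    }
}

$Requests = ConvertFrom-AccessLog -Lines $SampleLog

# Q1: which IP made the last GET request to /contact?
$LastContactGet = $Requests |
    Where-Object { $_.Method -eq 'GET' -and $_.Url -eq '/contact' } |
    Sort-Object Time | Select-Object -Last 1
$LastContactGet.Ip

# Q2 and Q3: when was the last POST from 172.16.0.1, and to which URL?
$LastPost = $Requests |
    Where-Object { $_.Method -eq 'POST' -and $_.Ip -eq '172.16.0.1' } |
    Sort-Object Time | Select-Object -Last 1
$LastPost.Time.ToString('dd/MMM/yyyy:HH:mm:ss', [cultureinfo]::InvariantCulture)
$LastPost.Url
```

To run it against the room's file, replace `$SampleLog` with `Get-Content <path>`. Sorting by the parsed Time rather than trusting file order is deliberate: logs that have been rotated, merged from several workers, or tampered with are not guaranteed to be in chronological order, and "last" should mean latest timestamp.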
— — Task 5 — -
Complete the room.
No answer needed
Firewall Fundamentals Room
— — Task 1 — -
Which security solution inspects the incoming and outgoing traffic of a device or a network?
Firewall
— — Task 2 — -
Which type of firewall maintains the state of connections?
stateful firewall
Which type of firewall offers heuristic analysis for the traffic?
next-generation firewall
Which type of firewall inspects the traffic coming to an application?
proxy firewall
— — Task 3 — -
Which type of action should be defined in a rule to permit any traffic?
allow
What is the direction of the rule that is created for the traffic leaving our network?
outbound
— — Task 4 — -
What is the name of the rule that was created to block all incoming traffic on the SSH port?
xfreerdp /v:10.10.161.138 /u:Administrator /p:windows-defender\@123 /dynamic-resolution
Get-NetFirewallPortFilter | Where-Object {$_.LocalPort -eq "22"} | Get-NetFirewallRule | Where-Object {($_.Action -eq "Block") -and ($_.Direction -eq "Inbound")}
Core Op
A rule was created to allow SSH from one single IP address. What is the rule name?
Get-NetFirewallPortFilter | Where-Object {$_.LocalPort -eq "22"} | Get-NetFirewallRule | Where-Object {$_.Action -eq "Allow"}
Infra team
Which IP address is allowed under this rule?
Get-NetFirewallPortFilter | Where-Object {$_.LocalPort -eq "22"} | Get-NetFirewallRule | Where-Object {$_.Action -eq "Allow"} | Get-NetFirewallAddressFilter
192.168.13.7
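The three commands above each answer one question because the NetSecurity module splits a rule across several objects: Get-NetFirewallRule gives the rule itself, and the port, address and application filters hang off it as separate objects. As an added example (mine, not the room's or the original post's code), here is a wrapper that joins them so that one call returns the rule name, action, direction, port and allowed remote address in a single row. Get-FirewallRuleDetail is a name chosen here, not a built-in cmdlet, and it assumes the standard NetSecurity module on Windows 8 / Server 2012 or later.

```powershell
# Added example: join a firewall rule to its port, address and application filters.
# Get-FirewallRuleDetail is a name chosen here, not a built-in cmdlet.
function Get-FirewallRuleDetail {
    param(
        [string] $LocalPort,                                    # e.g. '22'; omit for all rules
        [ValidateSet('Inbound', 'Outbound')] [string] $Direction,
        [ValidateSet('Allow', 'Block')]      [string] $Action
    )

    # Start from the port filter when a port is given: it narrows the rule set before the
    # per-rule filter lookups below, which are one CIM call each and add up fast.
    if ($LocalPort) {
        # LocalPort can be a single string, an array of ports, or 'Any'; @() handles all three.
        $Rules = Get-NetFirewallPortFilter |
            Where-Object { @($_.LocalPort) -contains $LocalPort } |
            Get-NetFirewallRule
    } else {
        $Rules = Get-NetFirewallRule
    }
    if ($Direction) { $Rules = $Rules | Where-Object { $_.Direction -eq $Direction } }
    if ($Action)    { $Rules = $Rules | Where-Object { $_.Action -eq $Action } }

    ForEach ($Rule in $Rules) {
        # Each filter cmdlet accepts the rule on the pipeline and returns that rule's filter.
        $Port = $Rule | Get-NetFirewallPortFilter
        $Addr = $Rule | Get-NetFirewallAddressFilter
        $App  = $Rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name          = $Rule.DisplayName
            Enabled       = $Rule.Enabled
            Profile       = $Rule.Profile
            Direction     = $Rule.Direction
            Action        = $Rule.Action
            Protocol      = $Port.Protocol
            LocalPort     = (@($Port.LocalPort) -join ',')
            RemoteAddress = (@($Addr.RemoteAddress) -join ',')
            Program       = $App.Program
        }
    }
}

# Task 4 in one call: the blocking rule and the single-IP allow rule for SSH,
# with the allowed address in the same row as the rule name.
Get-FirewallRuleDetail -LocalPort 22 -Direction Inbound | Format-Table -AutoSize
```

One caveat worth knowing when you look at that table: Windows Firewall evaluates explicit block rules before allow rules regardless of their names or order, so an inbound rule that blocks all traffic on port 22 wins over an allow rule scoped to a single remote address. For the "allow SSH from this one IP" intent to actually work, the block rule has to exclude that address (or be dropped in favour of the default inbound block), which is the kind of thing this joined view makes visible and the split cmdlets hide.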
— — Task 5 — -
Which Linux firewall utility is considered to be the successor of “iptables”?
nftables
What rule would you issue with ufw to deny all outgoing traffic from your machine as a default policy? (answer without sudo)
ufw default deny outgoing
Summary
I am not sure whether Windows doesn't have a command to pull all details of a firewall rule or whether CW6 Google just didn't point it out. I had to query a rule using one command and then pipe it to another command to get the detail TryHackMe was asking for. I didn't want to use netsh as it seems like it's a legacy command.
If anyone knows a better way feel free to let me know in the comments! If that way is “hey hero, just use netsh and do xyz” then let me know that too.
At any rate I learned something. TryHackMe is always good for that.