
TryHackMe – Passive Reconnaissance Solution

Last Updated : 02 Jun, 2022

Passive reconnaissance is a way of gaining information about target computers and networks without actively engaging with those systems; it relies mainly on publicly available information. In this article, we solve the Passive Reconnaissance room on TryHackMe's website.

Steps to solve the Passive Reconnaissance lab

In passive recon we look only at information that is publicly available, without interacting directly with the target. Below are some of the tools that help with passive recon.

Step 1: Whois

Whois is a query/response protocol (RFC 3912) for looking up the registration record of a domain. It gives us information such as contact details (often redacted or inaccurate when a privacy service is used), the registrar, the registration, last-update and expiration dates, and contact emails, among others.

If we run whois for the tryhackme website, we get the following result:

whois tryhackme.com

Figure: Whois lookup and its results for tryhackme.com

Using whois we can answer the following questions from the challenge:

Question 1: When was TryHackMe.com registered?

Answer: 20180705

Question 2: What is the registrar of TryHackMe.com? 

Answer: Namecheap.com

Question 3: Which company is TryHackMe.com using for name servers?

Answer: Cloudflare.com 
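As an added example (not part of the original walkthrough), here is a small Python parser that pulls the three answers above out of raw whois text: the creation date in the YYYYMMDD form the lab expects, the registrar, and the company behind the name servers. It also flags redacted registrant contacts, the privacy-service case mentioned earlier. The whois text embedded in it is constructed, with made-up timestamps and name-server hostnames, not a real whois response.

```python
from datetime import datetime
# Constructed sample whois output: values follow the walkthrough's answers; timestamps and NS hostnames are made up.
SAMPLE_WHOIS = """\
   Domain Name: TRYHACKME.COM
   Registrar: NAMECHEAP INC
   Creation Date: 2018-07-05T19:46:15Z
   Updated Date: 2021-06-12T08:12:45Z
   Registry Expiry Date: 2027-07-05T19:46:15Z
   Registrant Name: REDACTED FOR PRIVACY
   Registrant Email: REDACTED FOR PRIVACY
   Name Server: NS1.EXAMPLE.NS.CLOUDFLARE.COM
   Name Server: NS2.EXAMPLE.NS.CLOUDFLARE.COM
   DNSSEC: unsigned
"""

def parse_whois(text):
    """Turn 'Key: value' lines into a dict; 'Name Server' repeats, so it becomes a list."""
    fields = {"name server": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):  # comment and footer lines
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "name server":
            fields[key].append(value.lower())
        else:
            fields.setdefault(key, value)  # keep the first occurrence of a key
    return fields

def registration_date(fields):
    """Creation date as YYYYMMDD, the form the lab answer uses; the key name varies by registry."""
    raw = fields.get("creation date") or fields.get("created")
    if raw is None:
        raise KeyError("whois output has no creation date field")
    return datetime.strptime(raw[:10], "%Y-%m-%d").strftime("%Y%m%d")

def name_server_company(fields):
    """Registrable domain shared by the NS hosts, e.g. 'cloudflare.com' (assumes a one-label TLD)."""
    companies = {".".join(ns.split(".")[-2:]) for ns in fields["name server"]}
    if len(companies) != 1:
        raise ValueError(f"name servers span several providers: {sorted(companies)}")
    return companies.pop()

def uses_privacy_service(fields):
    """True when registrant contact fields are redacted or proxied and tell nothing about the owner."""
    return any(marker in value.lower() for key, value in fields.items() if key.startswith("registrant")
               for marker in ("redacted", "privacy", "proxy"))
```

Feed it the output of `whois tryhackme.com` instead of the sample to reproduce the answers; name servers under two-label suffixes such as .co.uk need a public-suffix list, which the helper deliberately does not implement.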

Step 2: nslookup and dig

nslookup (Name Server Lookup) queries Domain Name System (DNS) servers to map a domain name to an IP address and to retrieve other DNS records. We can use it non-interactively by passing arguments: the -type flag specifies the record type to query, and an optional final argument names the DNS server to ask (1.1.1.1 below).

nslookup -type=A tryhackme.com 1.1.1.1

Figure: nslookup A-record results for tryhackme.com

This gives us all the IPv4 addresses used by tryhackme.com. We can gather a lot more with nslookup, such as the mail servers and their configuration for a particular domain. Running "nslookup -type=MX tryhackme.com" shows that tryhackme.com's current email configuration uses Google.
Figure: nslookup MX-record results for tryhackme.com

Google will obviously not expose vulnerable server versions, but in other cases we might find mail servers that are unpatched or poorly secured.

Question 1: Check the TXT records of thmlabs.com. What is the flag there?

Answer: THM{a5b83929888ed36acb0272971e438d78}

We solved this question by repeating the same query as above for the domain thmlabs.com with -type=txt, which returned the flag.

nslookup -type=txt thmlabs.com

Figure: nslookup TXT-record results for thmlabs.com

For more advanced DNS queries and additional functionality, we can use dig ("Domain Information Groper"). dig returns more information by default, such as the TTL (Time To Live) of each record.
Figure: dig output for tryhackme.com

Step 3: DNSDumpster

A lot of useful information can be gathered with the tools above, but they are not designed for enumerating subdomains, and subdomains can host useful information and servers that may be vulnerable. DNSDumpster.com can be used to discover subdomains and their IP addresses, and it attempts to geolocate them.
Figure: DNSDumpster enumeration and results for tryhackme.com

In the graphical view we find a subdomain called remote.tryhackme.com, which answers the following question:

Question 1: Lookup tryhackme.com on DNSDumpster. What is one interesting subdomain that we would discover in addition to www and blog?

Answer: remote

Step 4: Shodan

Shodan.io is used to learn more about the target network. Shodan is like a search engine for Internet-connected devices; because Shodan has already scanned them, we get a lot of information without connecting to the devices ourselves, which keeps the research passive. Searching for tryhackme.com on Shodan gives the following result.

Figure: Shodan search for tryhackme.com

Question 1: According to Shodan.io, what is the 2nd country in the world in terms of the number of publicly accessible Apache servers?

Answer: Germany
Figure: Shodan Apache server count by country

Question 2: Based on Shodan.io, what is the 3rd most common port used for Apache?

Answer: 8080
Figure: Shodan most common ports for Apache

Question 3: Based on Shodan.io, what is the 3rd most common port used for Nginx?

Answer: 8888
