TryHackMe - Hacking with Powershell - Walkthrough
Introduction
Today we're going to be doing a walkthrough for the Hacking with Powershell room hosted at https://tryhackme.com/room/powershell . For this walkthrough, we'll be using two virtual machines (VMs): a Kali Linux VM as our attacking machine, and the deployed Windows 10 client as the target machine.
Task 1 - Objectives
Questions
Read the above and deploy the machine!
No answer needed
Task 2 - What is Powershell
Questions
What is the command to get help about a particular cmdlet (without any parameters)?
Answer can be found inside of question.
Task 3 - Basic Powershell Commands
Questions
What is the location of the file "interesting-file.txt"
Get-ChildItem -Path C:\ -Filter "interesting-file.txt" -Recurse -ErrorAction SilentlyContinue -Force
Specify the contents of this file
get-content "c:\program files\interesting-file.txt.txt"
How many cmdlets are installed on the system (only cmdlets, not functions and aliases)?
get-command | where-object -property commandtype -eq Cmdlet | measure
Get the MD5 hash of interesting-file.txt
get-filehash -algorithm md5 -path "c:\program files\interesting-file.txt.txt"
What is the command to get the current working directory?
pwd alias
Does the path "C:\Users\Administrator\Documents\Passwords" exist (Y/N)?
test-path -path "c:\users\administrator\documents\passwords"
What command would you use to make a request to a web server?
get-command | where-object -property name -like "*web*" | where-object -property name -like "*request*"
Base64 decode the file b64.txt on Windows.
get-childitem -recurse -force -erroraction silentlycontinue c:\ *b64.txt*
[system.text.encoding]::utf8.getstring([system.convert]::frombase64string((get-content "c:\users\administrator\desktop\b64.txt")))
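The one-liners above locate a file, hash it and decode its Base64 contents as separate steps. The following function is an added example (not from the room or from this post) that combines them: it finds every file matching a name under a root, reports the path and MD5, and optionally tries to Base64-decode the contents, handling the case where the file is not valid Base64 instead of throwing. The function name, parameter names and the usage paths are assumptions for illustration.

```powershell
# Added example: locate files by name, hash them and (optionally) Base64-decode them.
# Function name, parameters and the usage paths below are assumptions for illustration.
function Get-FileEvidence {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,   # file name or wildcard, e.g. "interesting-file.txt*"
        [string] $Root = "C:\",                   # where the recursive search starts
        [switch] $DecodeBase64                    # also attempt to Base64-decode the contents
    )

    Get-ChildItem -Path $Root -Filter $Name -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file    = $_
            $hash    = (Get-FileHash -Algorithm MD5 -Path $file.FullName).Hash
            $decoded = $null

            if ($DecodeBase64) {
                # [string] cast turns $null (empty file) into "" so Trim() cannot fail
                $raw = ([string](Get-Content -Path $file.FullName -Raw)).Trim()
                try {
                    # FromBase64String throws FormatException on input that is not Base64
                    $bytes   = [System.Convert]::FromBase64String($raw)
                    $decoded = [System.Text.Encoding]::UTF8.GetString($bytes)
                } catch [System.FormatException] {
                    $decoded = "<contents are not valid Base64>"
                }
            }

            [PSCustomObject]@{
                Path    = $file.FullName
                SizeKB  = [math]::Round($file.Length / 1KB, 2)
                MD5     = $hash
                Decoded = $decoded
            }
        }
}

# Usage (paths taken from the room's questions; adapt to the host being examined):
Get-FileEvidence -Name "interesting-file.txt*"
Get-FileEvidence -Name "b64.txt" -Root "C:\Users" -DecodeBase64 | Format-List
```

Returning objects instead of text means the results can be piped straight into Export-Csv or compared against a known-good hash list, which is what you want when the same check has to run on more than one host.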
Task 4 - Enumeration
Questions
How many users are there on the machine?
get-localuser | measure
Which local user does this SID (S-1-5-21-1394777289-3961777894-1791813945-501) belong to?
$objSID = new-object system.security.principal.securityidentifier ("S-1-5-21-1394777289-3961777894-1791813945-501"); $objUser = $objSID.Translate([system.security.principal.ntaccount]) ; $objUser.value
How many users have their password required values set to False?
get-localuser | where-object {$_.PasswordRequired -like '*false*'} | measure
How many local groups exist?
get-localgroup | measure
What command did you use to get the IP address info?
get-command | where-object -property name -like "*ip*" | where-object -property name -like "*address*"
How many ports are listed as listening?
get-nettcpconnection | where-object -property State -eq Listen | measure
What is the remote address of the local port listening on port 445?
get-nettcpconnection | select-object -property LocalPort,RemoteAddress | where-object -property LocalPort -eq "445"
How many patches have been applied?
get-wmiobject -class win32_quickfixengineering | measure
When was the patch with ID KB4023834 installed?
get-wmiobject -class win32_quickfixengineering | select-object -property HotFixID,InstalledOn | where-object -property HotFixID -eq "KB4023834"
Find the contents of a backup file.
get-childitem -file -recurse -force -erroraction silentlycontinue -path c:\ "*.bak*"
get-content "c:\program files (x86)\internet explorer\passwords.bak.txt"
Search for all files containing API_KEY
get-childitem -file -recurse -force -erroraction silentlycontinue -path c:\ | select-string -pattern API_KEY | select path
get-content C:\******************
What command do you do to list all the running processes?
get-command | where-object -property name -like "*get*" | where-object -property name -like "*process*"
What is the path of the scheduled task called new-sched-task?
get-scheduledtask | where-object -property TaskName -like "*new-sched-task*"
Who is the owner of the C:\
get-acl c:\
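Each of the enumeration commands in this task answers one question. As an added example (not from the room or from this post), the function below gathers the same data points into a single object that can be saved as JSON and diffed against a later run, which turns a one-off enumeration into a baseline you can check for drift (new listening ports, new scheduled tasks, accounts that stop requiring a password). It uses Get-CimInstance in place of Get-WmiObject, which is the supported replacement on current PowerShell. The function names, output field names and the file path are assumptions.

```powershell
# Added example: collect the Task 4 enumeration data as one object and compare two snapshots.
# Function names, output fields and the baseline path are assumptions for illustration.
function Get-HostBaseline {
    [CmdletBinding()]
    param()

    $users  = Get-LocalUser
    $groups = Get-LocalGroup
    $listen = Get-NetTCPConnection -State Listen
    # Get-CimInstance is the supported replacement for Get-WmiObject
    $fixes  = Get-CimInstance -ClassName Win32_QuickFixEngineering

    [PSCustomObject]@{
        Host               = $env:COMPUTERNAME
        CollectedAt        = (Get-Date).ToString('o')
        UserCount          = @($users).Count
        NoPasswordRequired = @($users | Where-Object { -not $_.PasswordRequired } | Select-Object -ExpandProperty Name)
        EnabledUsers       = @($users | Where-Object Enabled | Select-Object -ExpandProperty Name)
        GroupCount         = @($groups).Count
        ListeningPorts     = @($listen | Select-Object -ExpandProperty LocalPort | Sort-Object -Unique)
        SmbBoundTo         = @($listen | Where-Object LocalPort -eq 445 | Select-Object -ExpandProperty LocalAddress)
        HotfixCount        = @($fixes).Count
        ScheduledTasks     = @(Get-ScheduledTask | Where-Object State -ne 'Disabled' |
                                 ForEach-Object { "$($_.TaskPath)$($_.TaskName)" })
        SystemDriveOwner   = (Get-Acl -Path "$env:SystemDrive\").Owner
    }
}

function Compare-HostBaseline {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $ReferencePath)

    $old = Get-Content -Path $ReferencePath -Raw | ConvertFrom-Json
    $new = Get-HostBaseline

    # Report anything that appeared or disappeared for the list-valued fields
    foreach ($field in 'ListeningPorts', 'ScheduledTasks', 'NoPasswordRequired', 'EnabledUsers') {
        Compare-Object -ReferenceObject @($old.$field) -DifferenceObject @($new.$field) |
            ForEach-Object {
                [PSCustomObject]@{
                    Field  = $field
                    Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                    Value  = $_.InputObject
                }
            }
    }
}

# First run: store the snapshot. Later runs: diff against it.
$baselinePath = "$env:USERPROFILE\host-baseline.json"
if (-not (Test-Path $baselinePath)) {
    Get-HostBaseline | ConvertTo-Json -Depth 3 | Set-Content -Path $baselinePath
    "Baseline written to $baselinePath"
} else {
    Compare-HostBaseline -ReferencePath $baselinePath | Format-Table -AutoSize
}
```

The @() wrappers matter: a field with a single value would otherwise serialise as a scalar, and Compare-Object needs arrays on both sides.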
Task 5 - Basic Scripting Challenge
Questions
What file contains the password?
What is the password?
What file contains an HTTPS link?
To answer the questions above, we'll run this script on the system:
# Folder the room puts the e-mail files in, and the two strings to look for
$emails = "C:\users\Administrator\Desktop\emails\*"
$word_search1 = "password"
$word_search2 = "https"
# Select-String is case-insensitive by default, so "Password" and "HTTPS" match too
$find_password = get-childitem -recurse $emails | select-string -pattern $word_search1
$find_https_link = get-childitem -recurse $emails | select-string -pattern $word_search2
echo ""
echo "Instances of 'Password'"
echo ""
echo $find_password
echo ""
echo "Instances of 'Https'"
echo ""
echo $find_https_link
echo ""
echo "Done!"
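The script above hard-codes two search terms and prints raw Select-String output. As an added example (not from the room or from this post), here is a generalised version that takes any folder and any list of patterns, escapes the patterns so literal strings such as "https://" are not treated as regex, and returns one object per hit so the results can be grouped, sorted or exported. The function name, parameter names and the default pattern list are assumptions.

```powershell
# Added example: search a folder tree for several literal strings and return objects.
# Function name, parameters and the default pattern list are assumptions for illustration.
function Find-SensitiveText {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # literal strings, escaped below so "https://" or "api_key=" are not read as regex
        [string[]] $Patterns = @('password', 'https://', 'api_key', 'BEGIN RSA PRIVATE KEY'),
        [string[]] $Include  = @('*')
    )

    $files = Get-ChildItem -Path $Path -Recurse -File -Force -Include $Include -ErrorAction SilentlyContinue

    foreach ($pattern in $Patterns) {
        # Select-String is case-insensitive unless -CaseSensitive is given
        $files | Select-String -Pattern ([regex]::Escape($pattern)) -AllMatches |
            ForEach-Object {
                [PSCustomObject]@{
                    Pattern = $pattern
                    File    = $_.Path
                    Line    = $_.LineNumber
                    Text    = $_.Line.Trim()
                }
            }
    }
}

# Usage against the room's folder; group by pattern to see which files contain what
$hits = Find-SensitiveText -Path 'C:\Users\Administrator\Desktop\emails'
$hits | Sort-Object Pattern, File, Line | Format-Table -AutoSize
$hits | Group-Object Pattern | Select-Object Name, Count
```

Because each hit carries the file and line number, the same function doubles as a quick check for secrets left in scripts or config files before they are committed somewhere they should not be.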
Task 6 - Intermediate Scripting
Questions
How many open ports did you find between 130 and 140 (inclusive of those two)?
We'll use the following script to answer the question:
$localhost = "127.0.0.1"
$Start_Port = 130
$End_Port = 140
Foreach($port in $Start_Port..$End_Port){
    # Only try the ports if the host answers a ping at all
    If(Test-Connection -BufferSize 32 -Count 1 -Quiet -ComputerName "localhost")
    {
        try {
            # The constructor connects immediately; -ErrorAction Stop makes a refused
            # connection a terminating error so the catch block runs
            $socket = New-Object System.Net.Sockets.TcpClient($localhost,$port) -ErrorAction Stop
            "Port $port open!"
            $socket.Close()
        } catch {
            "Port $port not open!"
        }
    }
}
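The script above relies on the TcpClient constructor failing fast, which is true for a closed port on localhost but not for a filtered port on a remote host, where the attempt can hang for the full TCP connect timeout. As an added example (not from the room or from this post), the function below starts each connection asynchronously and waits at most a configurable number of milliseconds, so it distinguishes open, closed (refused) and filtered (no answer) ports and returns objects rather than strings. The function name and parameter names are assumptions.

```powershell
# Added example: TCP connect check with a per-port timeout and object output.
# Function name and parameters are assumptions for illustration.
function Test-TcpPortRange {
    [CmdletBinding()]
    param(
        [string] $ComputerName = '127.0.0.1',
        [int]    $StartPort    = 130,
        [int]    $EndPort      = 140,
        [int]    $TimeoutMs    = 500
    )

    foreach ($port in $StartPort..$EndPort) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Start the connect without blocking, then wait at most $TimeoutMs for it
            $async = $client.BeginConnect($ComputerName, $port, $null, $null)
            $done  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)

            if (-not $done) {
                $state = 'Filtered'        # no SYN/ACK and no RST within the timeout
            } else {
                $client.EndConnect($async) # throws SocketException if the port refused
                $state = 'Open'
            }
        } catch {
            $state = 'Closed'              # connection refused (RST) or other socket error
        } finally {
            $client.Close()
        }

        [PSCustomObject]@{ Host = $ComputerName; Port = $port; State = $state }
    }
}

# Same range as the room's question, run against the local machine
$results = Test-TcpPortRange -ComputerName '127.0.0.1' -StartPort 130 -EndPort 140
$results | Format-Table -AutoSize
"Open ports: $(@($results | Where-Object State -eq 'Open').Count)"
```

Closing the client in the finally block matters when the range is large: every successful connect otherwise leaves a socket open until the object is garbage-collected.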
Finish