TL;DR walkthrough of the Hacking with PowerShell TryHackMe room.
THM Walkthroughs:
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
Hacking with PowerShell is a good general practice room that will get one familiar with querying, piping, attributes, and basic loops along with if/else statements.
Let's get to the questions. As always, start with:
xfreerdp /v:10.10.65.43 /u:Administrator /p:BHN2UVw0Q /dynamic-resolution
-- Task 2 --
What is the command to get a new object?
Get-New
-- Task 3 --
What is the location of the file "interesting-file.txt"?
Get-ChildItem "*interesting-file*" -Path C:\ -Recurse -ErrorAction SilentlyContinue
C:\Program Files
Specify the contents of this file
Get-ChildItem "*interesting-file*" -Path C:\ -Recurse -ErrorAction SilentlyContinue | Get-Content
notsointerestingcontent
How many cmdlets are installed on the system (only cmdlets, not functions and aliases)?
(Get-Command | Where-Object {$_.CommandType -eq "Cmdlet"}).Count
6638
Get the MD5 hash of interesting-file.txt
Get-ChildItem "*interesting-file*" -Path C:\ -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm MD5
49A586A2A9456226F8A1B4CEC6FAB329
What is the command to get the current working directory?
Get-Location
Does the path "C:\Users\Administrator\Documents\Passwords" exist (Y/N)?
# Test-Path returns $true/$false for an existing/missing path. Set-Location returns nothing unless -PassThru is given,
# so wrapping it in if() would never take the first branch.
if (Test-Path -Path "C:\Users\Administrator\Documents\Passwords")
{Write-Host "It exists!"}
Else{Write-Host "The path doesn't exist bro."}
N
What command would you use to make a request to a web server?
Invoke-WebRequest
Base64 decode the file b64.txt on Windows.
Get-ChildItem "b64.txt" -Path C:\ -Recurse -ErrorAction SilentlyContinue
$MyBase64 = Get-Content C:\Users\Administrator\Desktop\b64.txt
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("$MyBase64"))
桴獩椠桴汦条ⴠ椠潨数潹摵摩桴獩湯楷摮睯ੳ桴敲瑳椠慧扲条桴敲瑳椠慧扲条桴敲瑳椠慧扲条桴敲瑳椠慧扲条桴敲瑳椠慧扲条桴敲瑳椠慧扲条桴敲瑳椠慧扲条桴敲瑳椠慧扲条桴敲瑳椠慧扲条桴敲瑳椠慧扲条桴敲瑳椠慧扲条桴敲瑳椠慧扲条桴敲瑳椠慧扲条桴敲瑳椠慧扲条�
However, if one runs 'Get-Content C:\Users\Administrator\Desktop\b64.txt' and pastes the output into https://www.base64decode.org, we get plain English. The garbage above comes from the decoding step, not the file: [System.Text.Encoding]::Unicode reads the decoded bytes as UTF-16, two bytes per character, while the file holds ordinary single-byte ASCII text. Decoding with [System.Text.Encoding]::UTF8 (or ASCII) gives the same readable result locally.
"this is the flag — ihopeyoudidthisonwindows"
"the rest is garbage …"
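As an added example (not code from the room or the original post), the following decodes base64 text with an explicit encoding and guesses whether the payload is UTF-8 or UTF-16LE before decoding, so the wrong-encoding output seen above is avoided. The functions, the parameter names and the sample string are all assumptions made here; the sample is constructed and is not the room's b64.txt.

```powershell
# Added example, not code from the room or the original post.
# Decodes base64 text with an explicit encoding and guesses UTF-8 vs UTF-16LE.

function Get-LikelyTextEncoding {
    param([Parameter(Mandatory)] [byte[]] $Bytes)
    # ASCII text stored as UTF-16LE has a zero high byte in every second position.
    # If most odd positions are zero, the bytes are probably UTF-16LE ("Unicode" in .NET).
    if ($Bytes.Length -lt 2) { return 'UTF8' }
    $zeros = 0
    for ($i = 1; $i -lt $Bytes.Length; $i += 2) {
        if ($Bytes[$i] -eq 0) { $zeros++ }
    }
    if ($zeros -gt ($Bytes.Length / 4)) { return 'Unicode' }
    return 'UTF8'
}

function ConvertFrom-Base64Text {
    param(
        [Parameter(Mandatory)] [string] $Base64,
        [ValidateSet('Auto', 'UTF8', 'ASCII', 'Unicode')] [string] $Encoding = 'Auto'
    )
    # Get-Content without -Raw returns one string per line and "$var" joins them with spaces;
    # strip all whitespace so the input is a single clean base64 string.
    $bytes = [System.Convert]::FromBase64String(($Base64 -replace '\s', ''))
    if ($Encoding -eq 'Auto') { $Encoding = Get-LikelyTextEncoding -Bytes $bytes }
    $decoder = switch ($Encoding) {
        'UTF8'    { [System.Text.Encoding]::UTF8 }
        'ASCII'   { [System.Text.Encoding]::ASCII }
        'Unicode' { [System.Text.Encoding]::Unicode }
    }
    $decoder.GetString($bytes)
}

# Constructed sample: plain ASCII text, base64-encoded the same way a UTF-8 text file would be.
$plain  = 'this is a constructed sample flag - not the one from the room'
$sample = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($plain))

ConvertFrom-Base64Text -Base64 $sample                     # Auto picks UTF8: readable text
ConvertFrom-Base64Text -Base64 $sample -Encoding Unicode   # pairs bytes into UTF-16 code units: CJK-looking garbage

# Reading the room's file instead would be:
# ConvertFrom-Base64Text -Base64 (Get-Content -Raw C:\Users\Administrator\Desktop\b64.txt)
```

The heuristic only distinguishes the two encodings a Windows text file is likely to have; when the decoded bytes are not text at all (a binary blob), neither choice produces anything readable, and the bytes should be written to disk with [System.IO.File]::WriteAllBytes instead.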
-- Task 4 --
How many users are there on the machine?
(Get-LocalUser).Name.Count
5
Which local user does this SID (S-1-5-21-1394777289-3961777894-1791813945-501) belong to?
(Get-LocalUser | Select-Object * | Where-Object {$_.SID -eq "S-1-5-21-1394777289-3961777894-1791813945-501"}).Name
Guest
How many users have their password required values set to False?
# PasswordRequired is a boolean, so compare it with $false (the original "$Fales" was an undefined variable that expanded to an empty string)
(Get-LocalUser | Select-Object * | Where-Object {$_.PasswordRequired -eq $false}).Count
4
How many local groups exist?
(Get-LocalGroup).Name.Count
24
What command did you use to get the IP address info?
Get-NetIPAddress
How many ports are listed as listening?
(Get-NetTCPConnection | Where-Object {$_.State -eq "Listen"}).Count
20
What is the remote address of the local port listening on port 445?
Get-NetTCPConnection | Where-Object {($_.State -eq "Listen") -and ($_.LocalPort -eq "445")}
::
How many patches have been applied?
(Get-HotFix).Count
20
When was the patch with ID KB4023834 installed?
We only get the format specified by THM if we do:
Get-HotFix | Where-Object {$_.HotFixID -eq "KB4023834"} | Select-Object * | Select-Object InstalledOn
6/15/2017 12:00:00 AM
Find the contents of a backup file.
Get-ChildItem "*.bak*" -Path C:\ -Recurse -ErrorAction SilentlyContinue | Get-Content
backpassflag
Search for all files containing API_KEY
Get-ChildItem -Path C:\Users -Recurse -ErrorAction SilentlyContinue | Select-String "API_KEY"
C:\Users\Public\Music\config.xml:1:API_KEY=fakekey123
The specific answer THM wants is:
fakekey123
What command do you do to list all the running processes?
Get-Process
What is the path of the scheduled task called new-sched-task?
(Get-ScheduledTask | Where-Object {$_.TaskName -eq "new-sched-task"}).TaskPath
\
Who is the owner of C:\?
(Get-Acl -Path "C:\").Owner
NT SERVICE\TrustedInstaller
Please note that you have to be very specific with the syntax of that query, otherwise you get NT AUTHORITY\SYSTEM like I did initially.
-- Task 5 --
What file contains the password?
Get-ChildItem -Path C:\Users\Administrator\Desktop\emails -Recurse -ErrorAction SilentlyContinue | Select-String "password"
Desktop\emails\john\Doc3.txt:6:I got some errors trying to access my passwords file — is there any way you can help? Here is the output I got
Desktop\emails\martha\Doc3M.txt:6:I managed to fix the corrupted file to get the output, but the password is buried somewhere in these logs:
Desktop\emails\martha\Doc3M.txt:106:password is johnisalegend99
Nice, 2 answers in one query. The filename for the answer is:
Doc3M.txt
What is the password?
johnisalegend99
What file contains an HTTPS link?
Get-ChildItem -Path C:\Users\Administrator\Desktop\emails -Recurse -ErrorAction SilentlyContinue | Select-String "HTTPS"
Desktop\emails\mary\Doc2Mary.txt:5:https://www.howtoworkwell.rand/
The answer is of course:
Doc2Mary.txt
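The Task 4 API_KEY search and the Task 5 password and HTTPS searches are the same technique: recurse with Get-ChildItem and pipe into Select-String. As an added example (not code from the room or the original post), here it is generalised into one function that takes several patterns at once and returns objects with the file name, line number and matching pattern instead of raw text lines. The function and parameter names are assumptions made here, and the sample directory tree it searches is constructed under $env:TEMP with placeholder values; it is not the room's file system.

```powershell
# Added example, not code from the room or the original post: a recursive, grep-style
# search for secret-looking strings that returns structured objects.

function Find-SensitiveString {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Patterns are regular expressions; Select-String is case-insensitive by default.
        [string[]] $Patterns = @('API_KEY\s*=', 'password', 'https://'),
        [string[]] $Include  = @('*.txt', '*.xml', '*.config', '*.ini', '*.bak')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern $Patterns |
        ForEach-Object {
            [PSCustomObject]@{
                FileName = $_.Filename        # the form the room asks for (e.g. Doc3M.txt)
                FullPath = $_.Path
                Line     = $_.LineNumber
                Pattern  = $_.Pattern         # which of the supplied patterns matched
                Text     = $_.Line.Trim()
            }
        }
}

# Constructed sample tree, mirroring the room's layout but with placeholder values.
$root = Join-Path $env:TEMP 'thm-search-demo'
New-Item -ItemType Directory -Path (Join-Path $root 'emails\martha') -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $root 'Public\Music') -Force | Out-Null
Set-Content -Path (Join-Path $root 'Public\Music\config.xml') -Value 'API_KEY=placeholder-key'
Set-Content -Path (Join-Path $root 'emails\martha\Doc3M.txt') -Value @(
    'I managed to fix the corrupted file, the password is buried in these logs:',
    'password is placeholder-password'
)

$hits = Find-SensitiveString -Path $root
$hits | Format-Table FileName, Line, Pattern, Text -AutoSize

# Unique files that matched, which is what the Task 5 questions actually ask for.
$hits.FileName | Sort-Object -Unique
```

Returning objects rather than the default MatchInfo text means the results can be filtered, sorted and exported (Export-Csv) like any other PowerShell output; the -Include list keeps the search to text-like files so binaries do not produce noise.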
-- Task 6 --
How many open ports did you find between 130 and 140 (inclusive of those two)?
$ErrorActionPreference = "SilentlyContinue"   # '=' assigns; '-eq' only compares and changes nothing
$Target = "localhost"
$LowEnd = 130
$HighEnd = 140
$X = 0
Do
{
    $CurrentPort = $LowEnd + $X
    # Probe each port once and keep the result, instead of calling Test-NetConnection twice per port
    $Probe = Test-NetConnection -ErrorAction SilentlyContinue -WarningAction SilentlyContinue $Target -Port $CurrentPort
    # Count the port if either the host answered ping or the TCP connect succeeded
    if($Probe.PingSucceeded -or $Probe.TcpTestSucceeded)
    {$CurrentPort | Out-File .\OpenPorts.txt -Append}
    $X = $X + 1
}
While($CurrentPort -lt $HighEnd)
(Get-Content .\OpenPorts.txt).Count
After assuming that THM meant TcpTestSucceeded, only getting ports 135 and 139 open, and THM telling me that I was wrong, I went with ports that responded to either ping or TCP.
Once I did that, I got all 11, which THM liked as an answer.
Summary
Task 6 was really odd. If I query with Get-NetTCPConnection, I only get ports 135 and 139 listed as open.
Get-NetTCPConnection | Where-Object {($_.State -eq "Listen") -and ($_.LocalPort -ge 130) -and ($_.LocalPort -le 140)}
Other than that oddity it was a good room and good practice. Task 5 didn't require any scripting: just pipe Get-ChildItem to Select-String, which is basically the PowerShell equivalent of grep.
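To make the Task 6 discrepancy visible, here is an added example (not code from the room or the original post) that probes the same 130-140 range but records the ping result, the TCP connect result and the local listen table separately for every port, then prints the three counts side by side. The function name, parameter names and output fields are assumptions made here.

```powershell
# Added example, not code from the room or the original post: per-port ping/TCP/listen-table
# comparison for a port range on the local machine.

function Test-PortRange {
    param(
        [string] $ComputerName = 'localhost',
        [int]    $Start = 130,
        [int]    $End   = 140
    )
    # Ports with a listening socket according to the local TCP table (meaningful for localhost only).
    $listening = @((Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue).LocalPort)

    foreach ($port in $Start..$End) {
        # One probe per port; -WarningAction hides the "TCP connect failed" warning for closed ports.
        $probe = Test-NetConnection -ComputerName $ComputerName -Port $port `
                                    -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Port          = $port
            PingSucceeded = [bool] $probe.PingSucceeded     # host answered ICMP; identical for every port
            TcpOpen       = [bool] $probe.TcpTestSucceeded  # the actual port check
            InListenTable = ($listening -contains $port)
        }
    }
}

$results = Test-PortRange
$results | Format-Table -AutoSize

$pingOrTcp = @($results | Where-Object { $_.PingSucceeded -or $_.TcpOpen }).Count
$tcpOnly   = @($results | Where-Object { $_.TcpOpen }).Count
$table     = @($results | Where-Object { $_.InListenTable }).Count
"ping-or-TCP: $pingOrTcp   TCP connect: $tcpOnly   Get-NetTCPConnection Listen: $table"
```

PingSucceeded is a host-level ICMP check and comes back the same for every port in the range, so on a host that answers ping the "ping or TCP" count is always the size of the range (11 here) regardless of which ports are open. TcpTestSucceeded and the Listen table are the two columns that actually describe ports, and for localhost they should agree; a mismatch between them points at a host firewall rule or a service that was starting or stopping during the probe.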
We wrapped up the Cyber Defense pathway recently which also wrapped up the CPEs I need for now, hence we’re just doing general practice for now.
References
Find text in a file: https://devblogs.microsoft.com/scripting/use-an-easy-powershell-command-to-search-files-for-information/