Hacking with PowerShell TryHackMe Walkthrough

Rich
5 min readNov 30, 2023

TL;DR walkthrough of the Hacking with PowerShell TryHackMe room.

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets are here.

Background

Hacking with PowerShell is a good general practice room that will get one familiar with querying, piping, attributes, and basic loops along with if/else statements.

Let’s get to the questions. As always start with:

xfreerdp /v:10.10.65.43 /u:Administrator /p:BHN2UVw0Q /dynamic-resolution

— — Task 2 — -

What is the command to get a new object?

Get-New

— — Task 3 — -

What is the location of the file “interesting-file.txt”

Get-ChildItem “*interesting-file*” -Path C:\ -Recurse -ErrorAction SilentlyContinue

C:\Program Files

Specify the contents of this file

Get-ChildItem “*interesting-file*” -Path C:\ -Recurse -ErrorAction SilentlyContinue | Get-Content

notsointerestingcontent

How many cmdlets are installed on the system(only cmdlets, not functions and aliases)?

(Get-Command | Where-Object {$_.CommandType -eq “Cmdlet”}).Count

6638

Get the MD5 hash of interesting-file.txt

Get-ChildItem “*interesting-file*” -Path C:\ -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm MD5

49A586A2A9456226F8A1B4CEC6FAB329

What is the command to get the current working directory?

Get-Location

Does the path “C:\Users\Administrator\Documents\Passwords” Exist (Y/N)?

if(Set-Location C:\Users\Administrator\Documents\Passwords)
{Write-Host "It exists!"}
Else{Write-Host "The path doesn't exist bro."}

N

What command would you use to make a request to a web server?

Invoke-WebRequest

Base64 decode the file b64.txt on Windows.

Get-ChildItem "b64.txt" -Path C:\ -Recurse -ErrorAction SilentlyContinue
$MyBase64 = Get-Content C:\Users\Administrator\Desktop\b64.txt
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("$MyBase64"))

桴獩椠⁳桴⁥汦条ⴠ椠潨数潹摵摩桴獩湯楷摮睯ੳ桴⁥敲瑳椠⁳慧扲条੥桴⁥敲瑳椠⁳慧扲条੥桴⁥敲瑳椠⁳慧扲条੥桴⁥敲瑳椠⁳慧扲条੥桴⁥敲瑳椠⁳慧扲条੥桴⁥敲瑳椠⁳慧扲条੥桴⁥敲瑳椠⁳慧扲条੥桴⁥敲瑳椠⁳慧扲条੥桴⁥敲瑳椠⁳慧扲条੥桴⁥敲瑳椠⁳慧扲条੥桴⁥敲瑳椠⁳慧扲条੥桴⁥敲瑳椠⁳慧扲条੥桴⁥敲瑳椠⁳慧扲条੥桴⁥敲瑳椠⁳慧扲条�

However if one does ‘Get-Content C:\Users\Administrator\Desktop\b64.txt’ and copy/pastes it to https://www.base64decode.org then we get plain English.

“this is the flag — ihopeyoudidthisonwindows”

“the rest is garbage …”

The method I used initially is for decoding the types of Bas64 attackers use for obfuscated PowerShell commands.

— — Task 4 — -

How many users are there on the machine?

(Get-LocalUser).Name.Count

5

Which local user does this SID(S-1–5–21–1394777289–3961777894–1791813945–501) belong to?

(Get-LocalUser | Select-Object * | Where-Object {$_.SID -eq “S-1–5–21–1394777289–3961777894–1791813945–501”}).Name

Guest

How many users have their password required values set to False?

(Get-LocalUser | Select-Object * | Where-Object {$_.PasswordRequired -eq “$Fales”}).Count

4

How many local groups exist?

(Get-LocalGroup).Name.Count

24

What command did you use to get the IP address info?

Get-NetIPAddress

How many ports are listed as listening?

(Get-NetTCPConnection | Where-Object {$_.State -eq “Listen”}).Count

20

What is the remote address of the local port listening on port 445?

Get-NetTCPConnection | Where-Object {($_.State -eq “Listen”) -and ($_.LocalPort -eq “445”)}

::

How many patches have been applied?

(Get-HotFix).Count

20

When was the patch with ID KB4023834 installed?

We only get the format specified by THM if we do:

Get-HotFix | Where-Object {$_.HotFixID -eq “KB4023834”} | Select-Object * | Select-Object InstalledOn

6/15/2017 12:00:00 AM

Find the contents of a backup file.

Get-ChildItem “*.bak*” -Path C:\ -Recurse -ErrorAction SilentlyContinue | Get-Content

backpassflag

Search for all files containing API_KEY

Get-ChildItem -Path C:\Users -Recurse -ErrorAction SilentlyContinue | Select-String “API_KEY”

C:\Users\Public\Music\config.xml:1:API_KEY=fakekey123

The specific answer THM wants is:

fakekey123

What command do you do to list all the running processes?

Get-Process

What is the path of the scheduled task called new-sched-task?

(Get-ScheduledTask | Where-Object {$_.TaskName -eq “new-sched-task”}).TaskPath

\

Who is the owner of the C:\

(Get-Acl -Path “C:\”).Owner

NT SERVICE\TrustedInstaller

Please note that you have to be very specific with the syntax of that query, otherwise you get NT AUTHORITY\SYSTEM like I did initially.

— — Task 5 — -

What file contains the password?

Get-ChildItem -Path C:\Users\Administrator\Desktop\emails -Recurse -ErrorAction SilentlyContinue | Select-String “password”

Desktop\emails\john\Doc3.txt:6:I got some errors trying to access my passwords file — is there any way you can help? Here is the output I got

Desktop\emails\martha\Doc3M.txt:6:I managed to fix the corrupted file to get the output, but the password is buried somewhere in these logs:

Desktop\emails\martha\Doc3M.txt:106:password is johnisalegend99

Nice, 2 answers in one query. The filename for the answer is:

Doc3M.txt

What is the password?

johnisalegend99

What files contains an HTTPS link?

Get-ChildItem -Path C:\Users\Administrator\Desktop\emails -Recurse -ErrorAction SilentlyContinue | Select-String “HTTPS”

Desktop\emails\mary\Doc2Mary.txt:5:https://www.howtoworkwell.rand/

The answer is of course:

Doc2Mary.txt

— — Task 6 — -

How many open ports did you find between 130 and 140(inclusive of those two)?

$ErrorActionPreference -eq "SilentlyContinue"
$Target -eq "localhost"
$LowEnd = 130
$HighEnd = 140
$X = 0

Do
{
$CurrentPort = $LowEnd + $X
if((Test-NetConnection -ErrorAction SilentlyContinue $Target -Port $CurrentPort).PingSucceeded -or (Test-NetConnection -ErrorAction SilentlyContinue $Target -Port $CurrentPort).TcpTestSucceeded)
{$CurrentPort | Out-File .\OpenPorts.txt -Append}
$X = $X + 1
}
While($CurrentPort -lt 140)

(Get-Content .\OpenPorts.txt).Count

After assuming that THM meant TcpTestSucceeded, only gettings ports 135 and 139 open, and THM telling me that I was wrong I went with ports that responded to either ping or TCP.

Once I did that I got all 11, which THM liked as an answer.

Summary

Task 6 was really odd. If I query with Get-NetRCPConnection I only get ports 135 and 139 listed as open.

Get-NetTCPConnection | Where-Object {($_.State -eq “Listen”) -and ($_.LocalPort -ge 130) -and ($_.LocalPort -le 140)}

Other than that oddity it was a good room and good practice. Task 5 didn’t require any scripting, just pipe Get-ChildItem to Select-String, which is basically the PowerShell method of grep.

We wrapped up the Cyber Defense pathway recently which also wrapped up the CPEs I need for now, hence we’re just doing general practice for now.

References

Find text in a file: https://devblogs.microsoft.com/scripting/use-an-easy-powershell-command-to-search-files-for-information/

--

--

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.