Hacking with PowerShell TryHackMe Walkthrough

5 min read · Nov 30, 2023

TL;DR walkthrough of the Hacking with PowerShell TryHackMe room.

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.


Hacking with PowerShell is a good general practice room that will get one familiar with querying, piping, attributes, and basic loops along with if/else statements.

Let’s get to the questions. As always, start with:

xfreerdp /v: /u:Administrator /p:BHN2UVw0Q /dynamic-resolution

-- Task 2 --

What is the command to get a new object?


-- Task 3 --

What is the location of the file "interesting-file.txt"?

Get-ChildItem "*interesting-file*" -Path C:\ -Recurse -ErrorAction SilentlyContinue

C:\Program Files

Specify the contents of this file

Get-ChildItem "*interesting-file*" -Path C:\ -Recurse -ErrorAction SilentlyContinue | Get-Content


How many cmdlets are installed on the system (only cmdlets, not functions and aliases)?

(Get-Command | Where-Object {$_.CommandType -eq "Cmdlet"}).Count


Get the MD5 hash of interesting-file.txt

Get-ChildItem "*interesting-file*" -Path C:\ -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm MD5


What is the command to get the current working directory?


Does the path "C:\Users\Administrator\Documents\Passwords" exist (Y/N)?

# Set-Location writes nothing to the pipeline unless -PassThru is given, so the
# original if (Set-Location ...) test was always false. Test-Path is the idiomatic check.
if (Test-Path "C:\Users\Administrator\Documents\Passwords") {
    Write-Host "It exists!"
} else {
    Write-Host "The path doesn't exist bro."
}


What command would you use to make a request to a web server?


Base64 decode the file b64.txt on Windows.

Get-ChildItem "b64.txt" -Path C:\ -Recurse -ErrorAction SilentlyContinue
# -Raw returns one string instead of an array of lines; FromBase64String ignores line breaks
$MyBase64 = Get-Content C:\Users\Administrator\Desktop\b64.txt -Raw
# The decoded text is plain English, so the UTF-8 decoder is the right one for this file
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($MyBase64))


However, if one runs ‘Get-Content C:\Users\Administrator\Desktop\b64.txt’ and pastes the output into https://www.base64decode.org, we get plain English.

“this is the flag — ihopeyoudidthisonwindows”

“the rest is garbage …”

The method I used initially is for decoding the types of Base64 attackers use for obfuscated PowerShell commands.
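The distinction behind that remark is the text encoding under the Base64. PowerShell's -EncodedCommand takes Base64 of UTF-16LE text, so a blob lifted from a suspicious command line in a log decodes cleanly with [Text.Encoding]::Unicode, while a file written by a Linux tool or a web form decodes with UTF8; use the wrong decoder and you get interleaved NULs or CJK-looking garbage. The function below is an added example, not code from the room or the original post; ConvertFrom-Base64Text is a hypothetical name and the two sample blobs are constructed inline.

```powershell
# Added example: decode a Base64 string whichever text encoding produced it,
# picking UTF-16LE when the decoded bytes show the NUL-every-second-byte pattern
# of an -EncodedCommand payload, and UTF-8 otherwise.
function ConvertFrom-Base64Text {
    param(
        [Parameter(Mandatory)][string]$Base64
    )
    # Strip whitespace and line breaks that Get-Content or copy/paste may add.
    $clean = $Base64 -replace '\s', ''
    # Pad to a multiple of 4 so a blob that lost its trailing '=' still decodes
    # (a remainder of 1 cannot be valid Base64 and will still throw).
    if ($clean.Length % 4) { $clean += '=' * (4 - $clean.Length % 4) }
    $bytes = [Convert]::FromBase64String($clean)

    # Heuristic: ASCII text encoded as UTF-16LE has a NUL in every second byte.
    $nulCount = @($bytes | Where-Object { $_ -eq 0 }).Count
    $nulRatio = $nulCount / [math]::Max(1, $bytes.Length)
    if ($nulRatio -gt 0.3) {
        $encoding = 'UTF-16LE'
        $text = [Text.Encoding]::Unicode.GetString($bytes)
    } else {
        $encoding = 'UTF-8'
        $text = [Text.Encoding]::UTF8.GetString($bytes)
    }
    [pscustomobject]@{
        Encoding = $encoding
        Bytes    = $bytes.Length
        Text     = $text
    }
}

# Constructed samples: one UTF-8 blob (what a web decoder handles) and one
# UTF-16LE blob (the shape -EncodedCommand produces).
$utf8Blob  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('this is a sample flag'))
$utf16Blob = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host hello'))

ConvertFrom-Base64Text $utf8Blob    # Encoding UTF-8
ConvertFrom-Base64Text $utf16Blob   # Encoding UTF-16LE

# Against the room's file (path taken from the post):
# ConvertFrom-Base64Text (Get-Content C:\Users\Administrator\Desktop\b64.txt -Raw)
```

When triaging a captured command line, the Encoding column is itself a signal: a UTF-16LE payload is almost always something that was meant to be handed straight to powershell.exe -EncodedCommand.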

-- Task 4 --

How many users are there on the machine?



Which local user does this SID (S-1-5-21-1394777289-3961777894-1791813945-501) belong to?

(Get-LocalUser | Select-Object * | Where-Object {$_.SID -eq "S-1-5-21-1394777289-3961777894-1791813945-501"}).Name


How many users have their password required values set to False?

# PasswordRequired is a boolean, so compare against $false, not the string "$Fales"
# (a typo for an undefined variable, which expanded to an empty string and matched nothing)
(Get-LocalUser | Where-Object {$_.PasswordRequired -eq $false}).Count


How many local groups exist?



What command did you use to get the IP address info?


How many ports are listed as listening?

(Get-NetTCPConnection | Where-Object {$_.State -eq "Listen"}).Count


What is the remote address of the local port listening on port 445?

Get-NetTCPConnection | Where-Object {($_.State -eq "Listen") -and ($_.LocalPort -eq 445)}


How many patches have been applied?



When was the patch with ID KB4023834 installed?

We only get the format specified by THM if we do:

Get-HotFix | Where-Object {$_.HotFixID -eq "KB4023834"} | Select-Object * | Select-Object InstalledOn

6/15/2017 12:00:00 AM

Find the contents of a backup file.

Get-ChildItem "*.bak*" -Path C:\ -Recurse -ErrorAction SilentlyContinue | Get-Content


Search for all files containing API_KEY

# -File keeps directory objects out of the pipeline; Select-String cannot read those and errors on them
Get-ChildItem -Path C:\Users -Recurse -File -ErrorAction SilentlyContinue | Select-String "API_KEY"


The specific answer THM wants is:


What command do you do to list all the running processes?


What is the path of the scheduled task called new-sched-task?

(Get-ScheduledTask | Where-Object {$_.TaskName -eq "new-sched-task"}).TaskPath


Who is the owner of C:\?

(Get-Acl -Path "C:\").Owner

NT SERVICE\TrustedInstaller

Please note that you have to be very specific with the syntax of that query, otherwise you get NT AUTHORITY\SYSTEM like I did initially.

-- Task 5 --

What file contains the password?

Get-ChildItem -Path C:\Users\Administrator\Desktop\emails -Recurse -ErrorAction SilentlyContinue | Select-String "password"

Desktop\emails\john\Doc3.txt:6:I got some errors trying to access my passwords file — is there any way you can help? Here is the output I got

Desktop\emails\martha\Doc3M.txt:6:I managed to fix the corrupted file to get the output, but the password is buried somewhere in these logs:

Desktop\emails\martha\Doc3M.txt:106:password is johnisalegend99

Nice, 2 answers in one query. The filename for the answer is:


What is the password?


What file contains an HTTPS link?

Get-ChildItem -Path C:\Users\Administrator\Desktop\emails -Recurse -ErrorAction SilentlyContinue | Select-String "HTTPS"


The answer is of course:


-- Task 6 --

How many open ports did you find between 130 and 140 (inclusive of those two)?

# Assignment is "=", not "-eq": written with -eq, the next two lines only compared
# $null to a string and assigned nothing, so $Target was empty when the probe ran.
$ErrorActionPreference = "SilentlyContinue"
$Target = "localhost"
$LowEnd = 130
$HighEnd = 140
$X = 0

# Start from a clean output file; -Append would otherwise carry ports over from an earlier run
Remove-Item .\OpenPorts.txt -ErrorAction SilentlyContinue

Do {
    $CurrentPort = $LowEnd + $X
    # One probe per port; the original called Test-NetConnection twice per iteration
    $Probe = Test-NetConnection $Target -Port $CurrentPort -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    # Ping OR TCP, which is what the room's answer turned out to require. Since ICMP to
    # localhost always answers, every port in the range gets written to the file.
    if ($Probe.PingSucceeded -or $Probe.TcpTestSucceeded) {
        $CurrentPort | Out-File .\OpenPorts.txt -Append
    }
    $X = $X + 1
} While ($CurrentPort -lt $HighEnd)

(Get-Content .\OpenPorts.txt).Count

After assuming that THM meant TcpTestSucceeded, only getting ports 135 and 139 open, and THM telling me that I was wrong, I went with ports that responded to either ping or TCP.

Once I did that I got all 11, which THM liked as an answer.


Task 6 was really odd. If I query with Get-NetTCPConnection I only get ports 135 and 139 listed as open.

Get-NetTCPConnection | Where-Object {($_.State -eq "Listen") -and ($_.LocalPort -ge 130) -and ($_.LocalPort -le 140)}
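The two views can be put side by side. Get-NetTCPConnection reports what the OS says is in the Listen state; an actual connect attempt shows what accepts a connection; and PingSucceeded is left out deliberately, because ICMP to localhost always answers and says nothing about the port. The function below is an added example, not code from the room or the post: Get-PortStatus is a hypothetical name, and it uses System.Net.Sockets.TcpClient with a timeout instead of Test-NetConnection, which does a DNS lookup and a ping for every port and is slow over a range.

```powershell
# Added example: compare OS-reported listeners with real connect results for a
# port range on the local host (defaults match the room's 130..140 range).
function Get-PortStatus {
    param(
        [string]$Target    = 'localhost',
        [int]$LowEnd       = 130,
        [int]$HighEnd      = 140,
        [int]$TimeoutMs    = 500
    )
    # Ports the OS currently reports in the Listen state
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique

    foreach ($port in $LowEnd..$HighEnd) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # BeginConnect + WaitOne gives a bounded wait; a plain Connect() can hang for seconds
            $async     = $client.BeginConnect($Target, $port, $null, $null)
            $connected = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            $connected = $false
        } finally {
            $client.Close()
        }
        [pscustomobject]@{
            Port        = $port
            OsListening = [bool]($listening -contains $port)
            TcpConnect  = [bool]$connected
        }
    }
}

$status = Get-PortStatus
$status | Format-Table -AutoSize
"Connectable ports: " + @($status | Where-Object TcpConnect).Count
```

A port that shows OsListening but not TcpConnect is worth a second look (host firewall, a service bound to one interface only), and the reverse would mean a socket the OS view missed, which on a single host should not happen.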

Other than that oddity it was a good room and good practice. Task 5 didn’t require any scripting, just piping Get-ChildItem to Select-String, which is basically the PowerShell equivalent of grep.
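That same Get-ChildItem | Select-String pattern, used for API_KEY in Task 4 and for the password and HTTPS questions in Task 5, generalises to several patterns at once with results returned as objects, so they can be grouped, counted or exported rather than read off the screen. The function below is an added example, not code from the room or the post: Find-SensitiveStrings is a hypothetical name, the default pattern list is a constructed starting point, and the sample directory tree it is run against is created inline under $env:TEMP.

```powershell
# Added example: search a directory tree for several plain-text patterns and
# return one object per hit (file, line number, which pattern matched, the line).
function Find-SensitiveStrings {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Constructed default list; extend it for your own environment
        [string[]]$Patterns = @('password', 'API_KEY', 'https://'),
        [string]$Include = '*'
    )
    # -File keeps directories out of the pipeline; Select-String errors on those.
    # Select-String is case-insensitive by default, so 'password' also finds 'Password'.
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern $Patterns -SimpleMatch |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Pattern = $_.Pattern      # the pattern that matched this line
                Text    = $_.Line.Trim()
            }
        }
}

# Constructed sample tree so the function can be exercised offline; nothing in it is real.
$root = Join-Path $env:TEMP 'secret-search-demo'
New-Item -ItemType Directory -Path "$root\john", "$root\martha" -Force | Out-Null
Set-Content "$root\john\note.txt"  "nothing to see here`nsee https://example.invalid/login"
Set-Content "$root\martha\log.txt" "line one`nconfig API_KEY=placeholder-not-real`npassword is set elsewhere"

# All hits, one row each
Find-SensitiveStrings -Path $root | Format-Table -AutoSize

# "Which files" and "how many" in one pass
Find-SensitiveStrings -Path $root | Group-Object Pattern | Select-Object Name, Count

Remove-Item $root -Recurse -Force
```

Pointing it at the room's path (C:\Users\Administrator\Desktop\emails) with the default patterns answers the Task 5 questions in a single run; the Line column is the same number Select-String prints between the colons in its default output.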

We wrapped up the Cyber Defense pathway recently, which also wrapped up the CPEs I need for now, hence we’re just doing general practice.


Find text in a file: https://devblogs.microsoft.com/scripting/use-an-easy-powershell-command-to-search-files-for-information/




I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.