Investigating Windows TryHackMe Walkthrough

Rich
7 min read · Oct 8, 2023


TL;DR Walkthrough of the TryHackMe room Investigating Windows, part of the Cyber Defense pathway.

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

This was an interesting room that builds on what we have learned already in the Cyber Defense pathway, particularly regarding querying Windows logs and common persistence mechanisms. There were a few twists in there, mostly, I believe, due to TryHackMe getting something wrong. We will get to the specifics of that below. The VM was also not running a webserver even though the questions hinted that the initial compromise was due to a file upload misconfiguration. TryHackMe’s timeline was screwy as well.

Nevertheless, it was good practice. Let’s get to the questions.

As always, connect via:

xfreerdp /v:10.10.184.241 /u:Administrator /p:letmein123! /dynamic-resolution

What’s the version and year of the Windows machine?

systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"

OS Name: Microsoft Windows Server 2016 Datacenter

OS Version: 10.0.14393 N/A Build 14393

TryHackMe is looking for:

Windows Server 2016

Which user logged in last?

I overthought this one. I went digging in the event logs looking for the last user who had logged in who wasn’t Administrator since TryHackMe’s hint said “That’s you just now. But, who logged in before you?”

However their username’s length didn’t fit with the ************* in the answer box.

I pulled all the accounts that had ever logged in:

# Every successful logon is event 4624; property index 5 is TargetUserName
$Logins = Get-WinEvent -LogName "Security" | Where-Object {$_.Id -eq "4624"}

ForEach($Login in $Logins)
{
    $Login.Properties[5]
}

And it turned out that the answer that TryHackMe wanted was:

Administrator

When did John log onto the system last?

Answer format: MM/DD/YYYY H:MM:SS AM/PM

($Logins | Where-Object {$_.Message -like "*John*"} | Select-Object -First 1).TimeCreated

Saturday, March 2, 2019 5:48:32 PM

The answer is the format that TryHackMe wants:

03/02/2019 5:48:32 PM

What IP does the system connect to when it first starts?

This one was easy, it runs C:\TMP\p.exe on startup and connects to:

10.34.2.3

What two accounts had administrative privileges (other than the Administrator user)?

Answer format: username1, username2

(Get-LocalGroupMember "Administrators").Name

Jenny, Guest

What’s the name of the scheduled task that is malicious?

Get-ScheduledTask

Clean file system

What file was the task trying to run daily?

(Get-ScheduledTask -TaskName "Clean file system").Actions

Id               :
Arguments        : -l 1348
Execute          : C:\TMP\nc.ps1
WorkingDirectory :
PSComputerName   :

nc.ps1

What port did this file listen locally for?

We already found this above, it’s the port powercat is set to listen on via the argument:

1348
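The two persistence spots this room leans on (the program run at startup and the scheduled tasks) can be swept in one pass. The script below is an added example, not code from the walkthrough or from TryHackMe: it lists the Run/RunOnce autostart entries and every scheduled task action, reassembles each command line, and flags anything executing out of a scratch directory or through a script interpreter. The directory list in $SuspiciousDirs is an assumption tuned to this lab (C:\TMP is where the room keeps its artefacts) and should be adjusted for a real host.

```powershell
# Added example (not part of the original walkthrough): triage two common
# persistence locations and flag entries that execute from unusual places.
# $SuspiciousDirs is an assumption for this lab; tune it for your own hosts.
$SuspiciousDirs = @('C:\TMP', 'C:\Users\Public', 'C:\ProgramData', $env:TEMP)

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    foreach ($dir in $SuspiciousDirs) {
        if ($Command -like "*$dir*") { return $true }
    }
    # Interpreters launched with a script argument deserve a second look too
    return $Command -match '(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32)'
}

function Get-PersistenceTriage {
    # 1. Autostart entries in the Run / RunOnce keys (machine and current user)
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $autoruns = foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $cmd = [string]$prop.Value
            [pscustomobject]@{
                Source     = 'RunKey'
                Name       = $prop.Name
                Command    = $cmd
                Location   = $key
                Suspicious = Test-SuspiciousCommand -Command $cmd
            }
        }
    }

    # 2. Scheduled tasks: one row per action, with the command line reassembled
    $tasks = foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            [pscustomobject]@{
                Source     = 'ScheduledTask'
                Name       = $task.TaskName
                Command    = $cmd
                Location   = $task.TaskPath
                Suspicious = Test-SuspiciousCommand -Command $cmd
            }
        }
    }

    @($autoruns) + @($tasks) | Sort-Object Suspicious -Descending, Source
}

Get-PersistenceTriage | Format-Table -AutoSize -Wrap
```

Flagged rows are a starting point for review, not a verdict: legitimate software does run from ProgramData and does call PowerShell, so the point is to surface the handful of entries worth reading rather than paging through every task.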

When did Jenny last logon?

$Logins2 = Get-WinEvent -LogName "Security" | Where-Object {$_.Id -eq "4624"}

($Logins2 | Where-Object {$_.Message -like "*Jenny*"} | Select-Object -First 1).TimeCreated

It’s a trick question, she never logged in. I was pretty sure as I didn’t see Jenny in the list of usernames back on Question #2, but I wanted to confirm. The answer TryHackMe is looking for is:

Never
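The last-logon questions for Administrator, John and Jenny are all the same query with a different name, and matching on the event Message (as above) also hits events where the name appears as the subject rather than the logon target. The function below is an added example, not from the walkthrough: it reads the 4624 properties directly (index 5 is TargetUserName, 8 is LogonType, 18 is the source IP), skips machine accounts and service logons, and reports the newest logon per local account in TryHackMe's MM/DD/YYYY H:MM:SS AM/PM format, printing "Never" for accounts with no logon at all. The default logon-type filter is an assumption; widen it if you also care about service or batch logons.

```powershell
# Added example, not part of the original walkthrough: last logon per local
# account from Security event 4624, with "Never" for accounts that never
# logged on. Property indexes follow the 4624 event schema.
function Get-LastLogonByUser {
    param(
        [string[]]$Users = (Get-LocalUser).Name,
        # Interactive (2), network (3), unlock (7), RDP (10), cached (11);
        # assumption: service (5) and batch (4) logons are not of interest here
        [int[]]$LogonTypes = @(2, 3, 7, 10, 11)
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue
    $logons = foreach ($e in $events) {
        $p = $e.Properties
        $user = [string]$p[5].Value       # TargetUserName
        $type = [int]$p[8].Value          # LogonType
        if ($LogonTypes -notcontains $type) { continue }
        if ($user.EndsWith('$')) { continue }   # machine accounts
        [pscustomobject]@{
            User        = $user
            Domain      = [string]$p[6].Value
            LogonType   = $type
            SourceIp    = [string]$p[18].Value
            TimeCreated = $e.TimeCreated
        }
    }
    foreach ($u in $Users) {
        $last = $logons | Where-Object { $_.User -ieq $u } |
                Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            User      = $u
            LastLogon = if ($last) { $last.TimeCreated.ToString('MM/dd/yyyy h:mm:ss tt') } else { 'Never' }
            LogonType = if ($last) { $last.LogonType } else { $null }
            SourceIp  = if ($last) { $last.SourceIp } else { $null }
        }
    }
}

Get-LastLogonByUser | Format-Table -AutoSize
```

Because the Security log is read once and filtered in memory, adding more accounts to -Users costs nothing extra; on a busy server, add StartTime/EndTime to the filter hashtable to keep the event set small.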

At what date did the compromise take place?

Answer format: MM/DD/YYYY

I’m going to go out on a limb here. All the suspicious Scheduled Tasks were created on 2 Mar 2019. Additionally we have this:

# 4732 = member added to a security-enabled local group; S-1-5-32-544 is the Administrators group
$adds = Get-WinEvent -LogName "Security" | Where-Object {($_.Id -eq "4732") -and ($_.Message -like "*S-1-5-32-544*")}

$adds.TimeCreated

Jenny & Guest were both added to the Administrators group on that same date.

Additionally we have the creation time on all the files added to a certain folder. We knew to look in that folder because of the question regarding the IP connected to at startup. The VM runs C:\TMP\p.exe at startup.

Get-ChildItem C:\TMP | Select-Object Name, CreationTime

We will be returning to the time range of 4:35 PM to midnight soon in another question.

The answer to this question is obvious though:

03/02/2019

During the compromise, at what time did Windows first assign special privileges to a new logon?

Answer format: MM/DD/YYYY HH:MM:SS AM/PM

The first scheduled task was created at 4:47:13 PM on 2 Mar 2019.

$Specials = Get-WinEvent -LogName "Security" | Where-Object {$_.Id -eq "4672"}

$Specials.TimeCreated

Hence you’d think it’d be one of these:

Saturday, March 2, 2019 5:46:03 PM
Saturday, March 2, 2019 5:43:48 PM
Saturday, March 2, 2019 5:41:07 PM
Saturday, March 2, 2019 5:41:06 PM
Saturday, March 2, 2019 5:41:06 PM
Saturday, March 2, 2019 5:41:05 PM
Saturday, March 2, 2019 5:38:03 PM
Saturday, March 2, 2019 5:27:00 PM
Saturday, March 2, 2019 5:22:00 PM
Saturday, March 2, 2019 5:17:01 PM
Saturday, March 2, 2019 5:10:22 PM
Saturday, March 2, 2019 4:45:23 PM
Saturday, March 2, 2019 4:40:01 PM
Saturday, March 2, 2019 4:37:02 PM
Saturday, March 2, 2019 4:35:52 PM

However the answer TryHackMe is looking for is none of those. It turns out they were looking for:

03/02/2019 4:04:49 PM
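Working out the compromise date and the privilege-assignment time above meant cross-referencing three separate queries (group membership changes, special-privilege logons, file creation times) by eye. The function below is an added example, not from the walkthrough: it pulls the relevant Security events for a window and merges them with file creation times from the folders the room pointed at, sorted into one timeline. The default window and folder list are taken from this room; 4698 (scheduled task created) and 4720 (user account created) only appear if those audit subcategories were enabled, so their absence is not evidence of anything.

```powershell
# Added example, not part of the original walkthrough: merge Security events
# and file creation times into one chronological timeline for a window.
# Defaults (date window, folders) are assumptions taken from this room.
function Get-CompromiseTimeline {
    param(
        [datetime]$Start   = [datetime]'2019-03-02 00:00',
        [datetime]$End     = [datetime]'2019-03-03 00:00',
        [string[]]$Folders = @('C:\TMP', 'C:\inetpub\wwwroot')
    )
    # 4672 special privileges assigned, 4732 member added to local group,
    # 4698 scheduled task created, 4720 user account created
    $filter = @{ LogName = 'Security'; Id = @(4672, 4732, 4698, 4720); StartTime = $Start; EndTime = $End }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $p = $e.Properties
        $detail = switch ($e.Id) {
            4672 { "special privileges assigned to $($p[1].Value) (logon id $($p[3].Value))" }
            4732 { "member $($p[1].Value) added to group $($p[2].Value) ($($p[4].Value))" }
            4698 { "scheduled task created: $($p[4].Value)" }
            4720 { "user account created: $($p[0].Value)" }
        }
        [pscustomobject]@{ Time = $e.TimeCreated; Source = "Security/$($e.Id)"; Detail = $detail }
    }
    $files = foreach ($folder in $Folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Start -and $_.CreationTime -lt $End } |
            ForEach-Object {
                [pscustomobject]@{ Time = $_.CreationTime; Source = 'File created'; Detail = $_.FullName }
            }
    }
    @($rows) + @($files) | Sort-Object Time
}

Get-CompromiseTimeline | Format-Table -AutoSize -Wrap
```

Reading the merged list top to bottom is also the quickest way to spot the ordering problem the Summary discusses: if a file's creation time falls outside the window in which the rest of the activity happened, it stands out immediately.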

What tool was used to get Windows passwords?

This one is easy, it’s in C:\TMP. We also noticed a scheduled task back on #6 that ran C:\TMP\mim.exe and directed the output to C:\TMP\mim-out.txt, so we checked that file.

Get-Content C:\TMP\mim-out.txt

On a side note, that is neither the Administrator’s plaintext password nor their hash, and there is no Ion user on the VM. That’s not even the VM’s name. I believe TryHackMe manually copy/pasted this file to the VM rather than actually dumping creds on it. We will elaborate in the Summary and discuss the two other screwy things TryHackMe did on this VM regarding the questions they posed.

The answer though is obvious:

Mimikatz

What was the attacker’s external command and control server’s IP?

I overthought this one and went digging in the logs before I realized that the answer was stupid simple.

Get-Content C:\Windows\System32\drivers\etc\hosts

76.32.97.132

This also shows the answer to the last question.

What was the extension name of the shell uploaded via the server’s website?

This one threw me initially. I thought TryHackMe meant what file the attacker downloaded from their C2 server. After all, the VM is not running a webserver.

However it turns out TryHackMe is pretending, so just check C:\inetpub\wwwroot.

Get-ChildItem C:\inetpub\wwwroot | Select-Object Name, CreationTime

.jsp

By the way, note the CreationTime on the file tests.jsp. We will return to this oddness in the Summary.

What was the last port the attacker opened?

Works in my home lab VMs just fine, but gets an error in THM’s VM:

Get-NetFirewallRule -Direction Inbound

Hence go to Control Panel -> Windows Firewall -> Advanced Settings -> Inbound Rules

1337
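When Get-NetFirewallRule errors out, as it did on this VM, the rules can still be read from the registry, where the firewall service stores each rule as a single "|"-delimited string (for example "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=1337|Name=...|"). The script below is an added example, not from the walkthrough: it parses those strings into objects and keeps only inbound allow rules. The registry carries no timestamps, so to answer "which rule was added last" it also queries the firewall's operational event log, where event 2004 records a rule being added; if that log has been cleared or was never enabled, the second function simply returns nothing.

```powershell
# Added example, not part of the original walkthrough: read inbound allow
# rules from the firewall policy registry key (works without the NetSecurity
# module) and list rule-added events from the firewall operational log.
function Get-InboundAllowRulesFromRegistry {
    param(
        [string]$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
    )
    $props = Get-ItemProperty -Path $Key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }     # PSPath etc. are not rules
        $fields = @{}
        foreach ($token in ([string]$prop.Value).Split('|')) {
            $kv = $token.Split('=', 2)
            if ($kv.Count -eq 2) { $fields[$kv[0]] = $kv[1] }
        }
        if ($fields['Dir'] -ne 'In' -or $fields['Action'] -ne 'Allow') { continue }
        [pscustomobject]@{
            RuleId   = $prop.Name
            Name     = $fields['Name']
            Active   = $fields['Active']
            Protocol = $fields['Protocol']     # 6 = TCP, 17 = UDP
            LPort    = $fields['LPort']
            App      = $fields['App']
        }
    }
}

function Get-FirewallRuleAdditions {
    param([int]$Max = 20)
    # Event 2004 in the firewall operational log: a rule was added
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id      = 2004
    } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Rules that open a specific local port are the ones relevant to this question
Get-InboundAllowRulesFromRegistry | Where-Object { $_.LPort } | Format-Table -AutoSize
Get-FirewallRuleAdditions | Format-List
```

Group Policy-delivered rules live under a separate FirewallPolicy subkey and are not covered here; on a domain-joined host, check both.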

Check for DNS poisoning, what site was targeted?

Get-Content C:\Windows\System32\drivers\etc\hosts

google.com
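Both the C2 address and the poisoned domain came out of the hosts file, so it is worth having a check that reads it systematically rather than eyeballing it. The function below is an added example, not from the walkthrough: it strips comments, splits each line into an address and its hostnames, and flags any entry that maps a name to a non-loopback address, with an extra note when the name is on a watch-list of domains that should never be overridden locally. The watch-list is a constructed example; extend it with the domains your environment depends on.

```powershell
# Added example, not part of the original walkthrough: parse the hosts file
# and flag entries that redirect a hostname to a non-loopback address.
function Get-HostsFileEntries {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        # Constructed watch-list; add the domains your environment depends on
        [string[]]$WatchList = @('google.com', 'microsoft.com', 'windowsupdate.com')
    )
    foreach ($line in Get-Content -Path $Path) {
        $trimmed = ($line -split '#', 2)[0].Trim()   # drop comments
        if (-not $trimmed) { continue }
        $parts = $trimmed -split '\s+'
        if ($parts.Count -lt 2) { continue }         # malformed line, nothing to map
        $ip = $parts[0]
        $isLoopback = $ip -in @('127.0.0.1', '::1')
        foreach ($hostname in $parts[1..($parts.Count - 1)]) {
            $watched = $WatchList | Where-Object { $hostname -ieq $_ -or $hostname -ilike "*.$_" }
            $note = ''
            if ($watched) { $note = "well-known domain '$($watched -join ',')' redirected to $ip" }
            elseif (-not $isLoopback) { $note = 'maps a name to a non-loopback address' }
            [pscustomobject]@{
                IP         = $ip
                Hostname   = $hostname
                Suspicious = ($null -ne $watched) -or (-not $isLoopback)
                Note       = $note
            }
        }
    }
}

Get-HostsFileEntries | Where-Object Suspicious | Format-Table -AutoSize
```

Mappings to 0.0.0.0 are flagged as well; those are usually deliberate sinkhole entries from ad-blocking lists, but on a server that should have a stock hosts file any non-loopback line deserves a look.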

Summary

I have seen a few other cases where TryHackMe screwed something up, but very few. For example they once mixed up the DSRM account, Domain Admin, and asked for the “local admin” which doesn’t exist on a DC. To TryHackMe’s credit these are few and far between.

I believe they made another mistake on this room. Remember the CreationTime on the tests.jsp?

I was curious so I also read through the file. I am mediocre at best at webshells, and I am not a Forensics Guy by any means, but I am pretty sure that this is meant to be a file upload vulnerability. There is even an example here.

Therefore the answer to “During the compromise, at what time did Windows first assign special privileges to a new logon?” would have to occur after 4:47 PM on 2 Mar 2019. However the answer TryHackMe wanted was “03/02/2019 4:04:49 PM”. This does not make sense.

Additionally we also saw during the course of all this digging:

  • The VM is not listening on port 80 or 443
  • The VM is not running IIS, nor is IIS even installed
  • The file that was supposedly output by Mimikatz had the wrong Administrator hash and the wrong ComputerName
  • The file also listed a username that doesn’t exist on the VM

I was curious, so I uploaded Invoke-Mimikatz.ps1 and did an actual credential dump.

Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "sekurlsa::msv"'

I also dumped the mscache, which as I suspected was empty since the VM isn’t on a domain.

I also checked the hash that was in the text file because I was curious.

Overall this room was good practice. It’s just that some of the questions were rather vague and some of the stuff on the VM was really screwy.

References

File upload vulnerabilities: https://portswigger.net/web-security/file-upload

Exploiting file upload with JSP Shells: https://portswigger.net/web-security/file-upload

Mimikatz cheatsheet: https://happycamper84.medium.com/mimikatz-cheatsheet-ad2b88059b4

Querying logs cheatsheet: https://medium.com/@happycamper84/dangerous-rights-logging-cheatsheet-4b455b686e15

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.
