TL;DR Walkthrough of the TryHackMe room Investigating Windows, part of the Cyber Defense pathway.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
This was an interesting room that builds on what we have learned already in the Cyber Defense pathway, particularly regarding querying Windows logs and common persistence mechanisms. There was a few twists in there, mostly due to TryHackMe getting something wrong I believe. We will get to the specifics of that below. The VM was also not running a webserver even though the questions hinted that the initial compromise was due to a file upload misconfiguration. TryHackMe’s timeline was screwy as well.
Nevertheless, it was good practice. Let’s get to the questions.
As always, connect via:
xfreerdp /v:10.10.184.241 /u:Administrator /p:letmein123! /dynamic-resolution
Whats the version and year of the windows machine?
systeminfo | findstr /B /C:”OS Name” /B /C:”OS Version”
OS Name: Microsoft Windows Server 2016 Datacenter
OS Version: 10.0.14393 N/A Build 14393
TryHackMe is looking for:
Windows Server 2016
Which user logged in last?
I overthought this one. I went digging in the event logs looking for the last user who had logged in who wasn’t Administrator since TryHackMe’s hint said “That’s you just now. But, who logged in before you?”
However their username’s lenght didn’t fit with the ************* in the answer box.
I pulled all the accounts that had ever logged in:
$Logins = Get-WinEvent -LogName "Security" | Where-Object {$_.Id -eq "4624"}
ForEach($Login in $Logins)
{
$Login.Properties[5]
}
And it turned out that the answer that TryHackMe wanted was:
Administrator
When did John log onto the system last?
Answer format: MM/DD/YYYY H:MM:SS AM/PM
($Logins | Where-Object {$_.Message -like “*John*”} | Select-Object -First 1).TimeCreated
Saturday, March 2, 2019 5:48:32 PM
The answer is the format that TryHackMe wants:
03/02/2019 5:48:32 PM
What IP does the system connect to when it first starts?
This one was easy, it runs C:\TMP\p.exe on startup and connects to:
10.34.2.3
What two accounts had administrative privileges (other than the Administrator user)?
Answer format: username1, username2
(Get-LocalGroupMember “Administrators”).Name
Jenny, Guest
What’s the name of the scheduled task that is malicious?
Get-ScheduledTask
Clean file system
What file was the task trying to run daily?
(Get-ScheduledTask -TaskName “Clean file system”).Actions
Id : Arguments : -l 1348
Execute : C:\TMP\nc.ps1
WorkingDirectory :
PSComputerName :
nc.ps1
What port did this file listen locally for?
We already found this above, it’s the port powercat is set to listen on via the argument:
1348
When did Jenny last logon?
$Logins2 = Get-WinEvent -LogName "Security" | Where-Object {$_.Id -eq "4624"}
($Logins2 | Where-Object {$_.Message -like "*Jenny*"} | Select-Object -First 1).TimeCreated
It’s a trick question, she never logged in. I was pretty sure as I didn’t see Jenny in the list of usernames back on Question # 2, but I wanted to confirm. The answer TryHackMe is looking for is:
Never
At what date did the compromise take place?
Answer format: MM/DD/YYYY
I’m going to go out on a limb here. All the suspicious Scheduled Taks were created on 2 Mar 2019. Additionally we have this:
$adds = Get-WinEvent -LogName "Security" | Where-Object {($_.Id -eq "4732") -and ($_.Message -like "*S-1–5–32–544*")}
$adds.TimeCreated
Jenny & Guest were both added to the Administrators group on that same date.
Additionally we have the creation time on all the files added to a certain folder. We knew to look in that folder because of the question regarding the IP connected to at startup. The VM runs C:\TMP\p.exe at startup.
Get-ChildItem C:\TMP | Select-Object Name, CreationTime
We will be returning to the time range of 4:35 PM to midnight soon in another question.
The answer to this question is obvious though:
03/02/2019
During the compromise, at what time did Windows first assign special privileges to a new logon?
Answer format: MM/DD/YYYY HH:MM:SS AM/PM
The first scheduled task was created at 4:47:13 PM on 2Mar2019.
$Specials = Get-WinEvent -LogName "Security" | Where-Object {$_.Id -eq "4672"}
$Specials.TimeCreated
Hence you’d think it’d be one of these:
Saturday, March 2, 2019 5:46:03 PM
Saturday, March 2, 2019 5:43:48 PM
Saturday, March 2, 2019 5:41:07 PM
Saturday, March 2, 2019 5:41:06 PM
Saturday, March 2, 2019 5:41:06 PM
Saturday, March 2, 2019 5:41:05 PM
Saturday, March 2, 2019 5:38:03 PM
Saturday, March 2, 2019 5:27:00 PM
Saturday, March 2, 2019 5:22:00 PM
Saturday, March 2, 2019 5:17:01 PM
Saturday, March 2, 2019 5:10:22 PM
Saturday, March 2, 2019 4:45:23 PM
Saturday, March 2, 2019 4:40:01 PM
Saturday, March 2, 2019 4:37:02 PM
Saturday, March 2, 2019 4:35:52 PM
However the answer TryHackMe is looking for is none of those. It turns out they were looking for:
03/02/2019 4:04:49 PM
What tool was used to get Windows passwords?
This one is easy, it’s in C:\TMP. We also noticed a scheduled task back on #6 that ran C:\TMP\mim.exe and directed the output to C:\TMP\mim-out.txt, so we checked that file.
Get-Content C:\TMP\mim-out.txt
On a sidenote, that is neither the Administrators plaintext password nor their hash, and there is no Ion user on the VM. That’s not even the VM’s name. I believe TryHackMe manually copy/pasted this file to the VM rather than actually dumping creds on it. We will elaborate in the Summary and discuss the two other screwy things TryHackMe did on this VM regarding the questions they posed.
The answer though is obvious:
Mimikatz
What was the attackers external control and command servers IP?
I overthought this one and went digging in the logs before I realized that the answer was stupid simple.
Get-Content C:\Windows\System32\drivers\etc\hosts
76.32.97.132
This also shows the answer to the last question.
What was the extension name of the shell uploaded via the server’s website?
This one threw me initially. I thought TryHackMe meant what file the attacker downloaded from their C2 server. After all, the VM is not running a webserver.
However it turns out TryHackMe is pretending, so just check C:\inetpub\wwwroot.
Get-ChildItem C:\inetpub\wwwroot | Select-Object Name, CreationTime
.jsp
By the way, note the CreationTime on the file tests.jsp. We will return to this oddness in the Summary.
What was the last port the attacker opened?
Works in my home lab VMs just fine, but gets an error in THM’s VM:
Get-NetFirewallRule -Direction Inbound
Hence go Control Panel -> Windows Firewall -> Advanced Settings -> Inbound Rules
1337
Check for DNS poisoning, what site was targeted?
Get-Content C:\Windows\System32\drivers\etc\hosts
google.com
Summary
I have seen a few other cases where TryHackMe screwed something up, very few. For example they once mixed up the DSRM account, Domain Admin, and asked for the “local admin” which doesn’t exist on a DC. To TryHackMe’s credit these are few and far between.
I believe they made another mistake on this room. Remember the CreationTime on the tests.jsp?
I was curious so I also read through the file. I am mediocre at best at webshells, and I am not a Forensics Guy by any means, but I am pretty sure that this is meant to be a file upload vulnerability. There is even an example here.
Therefore the answer to “During the compromise, at what time did Windows first assign special privileges to a new logon?” would have to occur after 4:47 PM 2Mar2019. However the answer TryHackMe wanted was “03/02/2019 4:04:49 PM”. This does not make sense.
Additionally we also saw during the course of all this digging:
- The VM is not listening on port 80 or 443
- The VM is not running IIS, nor is IIS even installed
- The file that was supposedly output by Mimikatz had the wrong Administrator hash and the wrong ComputerName
- The file also listed a username that doesn’t exist on the VM
I was curious, so I uploaded Invoke-Mimikatz.ps1 and did an actual credential dump.
Invoke-Mimikatz -Command ‘“token::elevate” “privilege::debug” “sekurlsa::msv”’
I also dumped the mscache, which as I suspected was empty since the VM isn’t on a domain.
I also checked the hash that was in the text file because I was curious.
Overall this room was good practice. It’s just that some of the questions were rather vague and some of the stuff on the VM was really screwy.
References
File upload vulnerabilities: https://portswigger.net/web-security/file-upload
Exploiting file upload with JSP Shells: https://portswigger.net/web-security/file-upload
Mimikatz cheatsheet: https://happycamper84.medium.com/mimikatz-cheatsheet-ad2b88059b4
Querying logs cheatsheet: https://medium.com/@happycamper84/dangerous-rights-logging-cheatsheet-4b455b686e15