PowerShell for Pentesters TryHackMe Walkthrough

Rich
4 min readDec 1, 2023

--

TL;DR walkthrough of the PowerShell for Pentesters TryHackMe room.

A full list of our TryHackMe walkthroughs and cheatsheets are here.

Sidenote; this is our 101st writeup

As this was our 101st writeup, Mishka kept making jokes about that old Disney movie.

Meanwhile I was laughing to myself at memes like this one.

Background

This room was meant to simulate an environment where once cannot run Powerview due to antimalware or other constraints. The room wants you to connect via SSH. I assumed I’d have to use some of the below tricks to get a nice PowerShell_ISE CLI on the VM:

#Enable WinRM
winrm quickconfig -force

#Enable RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0 ; Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

#disable UAC
Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0

#disable RestrictedAdmin Mode, aka allow RDP via PTH
New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'DisableRestrictedAdmin' -PropertyType 'DWORD' -value '0' -force

#Connect via WinRM from Kali
evil-winrm -i 10.10.134.49 -u walter -p Kowacs123!

However it turns out that none of that was necessary. I was able to connect via RDP immediately

xfreerdp /v:10.10.209.11 /u:walter /p:Kowacs123! /dynamic-resolution

Now that we have a nice CLI to work with let’s get to the questions.

— — Task 1 — -

What useful PowerShell script did you find on Walter’s desktop?

Get-ChildItem “*.ps1” -Path C:\Users\Walter\Desktop

Powerview.ps1

— — Task 2 — -

What is the MD5 hash value of the file on Walter’s desktop?

(Get-FileHash .\powerview.ps1 -Algorithm MD5).hash

501570FFBA7FACE69D61DA1A0843E89A

— — Task 4 — -

What Windows Security Update was installed on 5/15/2019?

(Get-HotFix | Where-Object {$_.InstalledOn -like “*5/15/2019*”}).HotFixID

KB4499728

— — Task 6 — -

One of the accounts has a special description; what is it?

Get-ADUser -Filter {Description -ne “$null”} -Properties * | Select-Object SamAccountName, Description

IDF-17828290

How many accounts are disabled?

(Get-ADUser -Filter {Enabled -eq $false}).Count

2

THM however wants 5 as the answer. This is quite odd, conflicts with what we see in the VM, and doesn’t even agree with their last question.

How many users are in the “domain admins” group?

(Get-ADGroupMember “Domain Admins”).Count

3

Which users are in the “domain admins” group? (Listed alphabetically, small, comma-separated, using space)

(Get-ADGroupMember “Domain Admins”).SamAccountName

ServerAdmin

ssilk

usand

List shares; what is the name of the “interesting” share?

Get-SMBShare

operationfiles

#Alt method to find non-default shares:

(Get-SmbShare | Where-Object {($_.Name -notlike “*$*”) -and ($_.Name -notlike “*SYSVOL*”) -and ($_.Name -notlike “*NETLOGON*”)}).Name

What is the name of the user-created Group Policy?

$root = (Get-ADDomain).DistinguishedName ; Get-ADObject -Filter * -SearchBase “cn=policies,cn=system,$root” -Properties * | Select-Object DisplayName, Name

Alt, get just the non-defualt GPOs:

$root = (Get-ADDomain).DistinguishedName ; Get-ADObject -Filter * -SearchBase “cn=policies,cn=system,$root” -Properties * | Where-Object {$_.DisplayName -notlike “*Default*”} | Select-Object DisplayName

Disable WinDef

What are the first names of users’ whose accounts were disabled? (Sorted alphabetically, small, comma-separated, using space)

(Get-ADUser -Filter {Enabled -eq $false} -Properties *).CN

krbtgt

Ursula Sand

This however was not the answer THM wanted. They are looking for:

Daniel, Ursula

Summary

THM does some weird, funky things in their VMs sometimes. One just has to roll with it and figure out what they want based on the *s in the answer box.

Overall this was good practice. I probably would have included some more enumeration like looking for users that are ASREPRoastable, Kerberoastable, and things like how to find who owns the domain.

On a sidenote, we were curious what that ‘Disable WinDef’ GPO did so we went poking around in RSOP.msc.

References

Enumerate GPOs, including who can create & link them: https://happycamper84.medium.com/who-can-push-ransomware-domain-wide-f504e6d6409e

--

--

Rich
Rich

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.

No responses yet