TL;DR walkthrough of the PowerShell for Pentesters TryHackMe room.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Sidenote: this is our 101st writeup.
As this was our 101st writeup, Mishka kept making jokes about that old Disney movie.
Meanwhile I was laughing to myself at memes like this one.
Background
This room simulates an environment where one cannot run PowerView due to antimalware or other constraints. The room wants you to connect via SSH. I assumed I'd have to use some of the tricks below to get a nice PowerShell_ISE CLI on the VM:
# Enable WinRM
winrm quickconfig -force
# Enable RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0 ; Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Disable UAC
Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
# Disable RestrictedAdmin mode, aka allow RDP via PTH
New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name 'DisableRestrictedAdmin' -PropertyType 'DWORD' -Value '0' -Force
# Connect via WinRM from Kali
evil-winrm -i 10.10.134.49 -u walter -p Kowacs123!
However, it turned out that none of that was necessary; I was able to connect via RDP immediately:
xfreerdp /v:10.10.209.11 /u:walter /p:Kowacs123! /dynamic-resolution
Now that we have a nice CLI to work with, let's get to the questions.
--- Task 1 ---
What useful PowerShell script did you find on Walter’s desktop?
Get-ChildItem "*.ps1" -Path C:\Users\Walter\Desktop
Powerview.ps1
--- Task 2 ---
What is the MD5 hash value of the file on Walter’s desktop?
(Get-FileHash .\powerview.ps1 -Algorithm MD5).hash
501570FFBA7FACE69D61DA1A0843E89A
--- Task 4 ---
What Windows Security Update was installed on 5/15/2019?
(Get-HotFix | Where-Object {$_.InstalledOn -like "*5/15/2019*"}).HotFixID
KB4499728
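The string match above depends on the host's date format (it works on an en-US box, where InstalledOn renders as 5/15/2019, but not where the locale prints 15/05/2019). As an added example that is not part of the original walkthrough, here is a version that compares dates as dates and also skips entries whose InstalledOn is empty, which Get-HotFix returns for some updates. The function name is my own.

```powershell
# Added example: match hotfixes by date rather than by a culture-dependent
# string. Get-HotFix leaves InstalledOn empty for some updates, so those
# entries are filtered out before the date comparison.
function Get-HotFixInstalledOn {
    param(
        [Parameter(Mandatory)][datetime]$Date,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Get-HotFix -ComputerName $ComputerName |
        Where-Object { $_.InstalledOn -and $_.InstalledOn.Date -eq $Date.Date } |
        Select-Object HotFixID, Description, InstalledBy, InstalledOn
}

# Usage: an ISO 8601 date is unambiguous on any locale.
Get-HotFixInstalledOn -Date '2019-05-15'
```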
--- Task 6 ---
One of the accounts has a special description; what is it?
Get-ADUser -Filter {Description -ne "$null"} -Properties * | Select-Object SamAccountName, Description
IDF-17828290
How many accounts are disabled?
(Get-ADUser -Filter {Enabled -eq $false}).Count
2
THM however wants 5 as the answer. This is quite odd, conflicts with what we see in the VM, and doesn’t even agree with their last question.
How many users are in the “domain admins” group?
(Get-ADGroupMember "Domain Admins").Count
3
Which users are in the “domain admins” group? (Listed alphabetically, small, comma-separated, using space)
(Get-ADGroupMember "Domain Admins").SamAccountName
ServerAdmin
ssilk
usand
List shares; what is the name of the “interesting” share?
Get-SmbShare
operationfiles
# Alt method to find non-default shares (single quotes so '$' is not treated as a variable prefix):
(Get-SmbShare | Where-Object {($_.Name -notlike '*$*') -and ($_.Name -notlike '*SYSVOL*') -and ($_.Name -notlike '*NETLOGON*')}).Name
What is the name of the user-created Group Policy?
$root = (Get-ADDomain).DistinguishedName ; Get-ADObject -Filter * -SearchBase "cn=policies,cn=system,$root" -Properties * | Select-Object DisplayName, Name
Alt, get just the non-default GPOs:
$root = (Get-ADDomain).DistinguishedName ; Get-ADObject -Filter * -SearchBase "cn=policies,cn=system,$root" -Properties * | Where-Object {$_.DisplayName -notlike "*Default*"} | Select-Object DisplayName
Disable WinDef
What are the first names of users whose accounts were disabled? (Sorted alphabetically, small, comma-separated, using space)
(Get-ADUser -Filter {Enabled -eq $false} -Properties *).CN
krbtgt
Ursula Sand
This however was not the answer THM wanted. They are looking for:
Daniel, Ursula
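The Task 6 questions above are all answered by the ActiveDirectory module, so here is the same enumeration pulled into one function. This is an added example, not code from the original walkthrough or from TryHackMe; the function name and output layout are my own, and it assumes the ActiveDirectory RSAT module is present (it is on a domain controller). It differs from the one-liners above in three places a practitioner would want: GivenName is used for "first names" (CN is the whole display name, which is why "Ursula Sand" came back above), Get-ADGroupMember is run with -Recursive so Domain Admins reached through nested groups are not missed, and share and GPO filtering excludes the built-in defaults explicitly.

```powershell
# Added example, not from the original walkthrough. Assumes the ActiveDirectory
# module is available; function name and output shape are my own.
Import-Module ActiveDirectory

function Get-DomainQuickAudit {
    $domain = Get-ADDomain
    $root   = $domain.DistinguishedName

    # Accounts with a populated description: a common place for stray notes,
    # ticket numbers and, too often, passwords.
    $described = Get-ADUser -Filter 'Description -like "*"' -Properties Description |
        Select-Object SamAccountName, Description

    # Disabled accounts. GivenName is the first-name attribute; CN is the whole
    # display name. Built-in accounts such as krbtgt have no GivenName.
    $disabled = Get-ADUser -Filter {Enabled -eq $false} -Properties GivenName |
        Select-Object SamAccountName, GivenName

    # -Recursive expands nested groups, so a user who is a Domain Admin only
    # through membership of another group is still reported.
    $domainAdmins = Get-ADGroupMember 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        Sort-Object SamAccountName |
        Select-Object -ExpandProperty SamAccountName

    # Non-default shares on this host: administrative shares end in '$', and
    # SYSVOL/NETLOGON exist on every domain controller.
    $shares = Get-SmbShare |
        Where-Object { $_.Name -notlike '*$*' -and $_.Name -notin 'SYSVOL', 'NETLOGON' } |
        Select-Object Name, Path

    # Group Policy objects other than the two defaults, using the same LDAP
    # container as the walkthrough (Get-GPO -All would need the GroupPolicy module).
    $gpos = Get-ADObject -Filter 'objectClass -eq "groupPolicyContainer"' `
        -SearchBase "CN=Policies,CN=System,$root" -Properties DisplayName, gPCFileSysPath |
        Where-Object DisplayName -notlike 'Default*' |
        Select-Object DisplayName, Name, gPCFileSysPath

    [pscustomobject]@{
        Domain            = $domain.DNSRoot
        DescribedAccounts = $described
        DisabledAccounts  = $disabled
        DomainAdmins      = $domainAdmins
        NonDefaultShares  = $shares
        NonDefaultGPOs    = $gpos
    }
}

# Usage: produce the comma-separated, alphabetical forms the room asks for.
$audit = Get-DomainQuickAudit
$audit.DomainAdmins -join ', '
(($audit.DisabledAccounts | Where-Object GivenName).GivenName | Sort-Object) -join ', '
```

The last line drops disabled accounts with no GivenName (krbtgt) before joining, which is what a "first names only" answer needs.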
Summary
THM does some weird, funky things in their VMs sometimes. One just has to roll with it and figure out what they want based on the *s in the answer box.
Overall this was good practice. I probably would have included some more enumeration, such as looking for users that are AS-REP-roastable or Kerberoastable, and how to find who owns the domain.
On a sidenote, we were curious what that 'Disable WinDef' GPO did, so we went poking around in RSOP.msc.
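For the extra enumeration mentioned above, here is an added audit function (not part of the original walkthrough) that reports the three things from a defender's point of view: accounts with Kerberos pre-authentication disabled, user accounts carrying a servicePrincipalName, and the owner of the domain object. It assumes the ActiveDirectory module and its AD: drive; the function name is my own. These are the same attributes a domain audit would review, and each comment states the fix.

```powershell
# Added example, not from the original walkthrough. Assumes the ActiveDirectory
# module (which also provides the AD: PSDrive); function name is my own.
Import-Module ActiveDirectory

function Get-KerberosExposureAudit {
    $root = (Get-ADDomain).DistinguishedName

    # Accounts with "Do not require Kerberos preauthentication" set. Without
    # pre-auth, an AS-REP for the account can be requested and cracked offline,
    # so the flag should be cleared unless there is a documented need for it.
    $noPreAuth = Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth |
        Select-Object SamAccountName, Enabled

    # User accounts with an SPN: their service tickets are encrypted with the
    # account's password hash, so such accounts need long random passwords or,
    # better, should be group managed service accounts. krbtgt always has an SPN
    # and is excluded.
    $withSpn = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
        Where-Object SamAccountName -ne 'krbtgt' |
        Select-Object SamAccountName, Enabled, PasswordLastSet,
            @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join '; ' } }

    # Owner of the domain object. The owner can rewrite its ACL, so this should
    # be Domain Admins or Enterprise Admins, never an ordinary user account.
    $owner = (Get-Acl -Path "AD:\$root").Owner

    [pscustomobject]@{
        DomainOwner         = $owner
        NoPreAuthAccounts   = $noPreAuth
        UserAccountsWithSpn = $withSpn
    }
}

# Usage: Format-List keeps the nested tables readable.
Get-KerberosExposureAudit | Format-List
```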
References
Enumerate GPOs, including who can create & link them: https://happycamper84.medium.com/who-can-push-ransomware-domain-wide-f504e6d6409e