PowerShell for Pentesters TryHackMe Walkthrough

Rich
4 min read · Dec 1, 2023

TL;DR walkthrough of the PowerShell for Pentesters TryHackMe room.

A full list of our TryHackMe walkthroughs and cheatsheets are here.

Sidenote; this is our 101st writeup

As this was our 101st writeup, Mishka kept making jokes about that old Disney movie.

Meanwhile I was laughing to myself at memes like this one.

Background

This room is meant to simulate an environment where one cannot run PowerView because of antimalware or other constraints. The room wants you to connect via SSH. I assumed I’d have to use some of the tricks below to get a nice PowerShell ISE console on the VM:

#Enable WinRM
winrm quickconfig -force

#Enable RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0 ; Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

#disable UAC
Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0

#disable RestrictedAdmin Mode, aka allow RDP via PTH
New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'DisableRestrictedAdmin' -PropertyType 'DWORD' -value '0' -force

#Connect via WinRM from Kali
evil-winrm -i 10.10.134.49 -u walter -p Kowacs123!

However, it turns out that none of that was necessary. I was able to connect via RDP immediately:

xfreerdp /v:10.10.209.11 /u:walter /p:Kowacs123! /dynamic-resolution

Now that we have a nice CLI to work with let’s get to the questions.

— — Task 1 — —

What useful PowerShell script did you find on Walter’s desktop?

Get-ChildItem -Path C:\Users\Walter\Desktop -Filter '*.ps1'

Powerview.ps1

— — Task 2 — —

What is the MD5 hash value of the file on Walter’s desktop?

(Get-FileHash .\powerview.ps1 -Algorithm MD5).hash

501570FFBA7FACE69D61DA1A0843E89A

— — Task 4 — —

What Windows Security Update was installed on 5/15/2019?

(Get-HotFix | Where-Object {$_.InstalledOn -like '*5/15/2019*'}).HotFixID

KB4499728

— — Task 6 — —

One of the accounts has a special description; what is it?

Get-ADUser -Filter {Description -ne "$null"} -Properties Description | Select-Object SamAccountName, Description

IDF-17828290

How many accounts are disabled?

(Get-ADUser -Filter {Enabled -eq $false}).Count

2

THM, however, wants 5 as the answer. This is quite odd: it conflicts with what we see in the VM and doesn’t even agree with their later question about which accounts are disabled.

How many users are in the “domain admins” group?

(Get-ADGroupMember 'Domain Admins').Count

3

Which users are in the “domain admins” group? (Listed alphabetically, small, comma-separated, using space)

(Get-ADGroupMember 'Domain Admins').SamAccountName

ServerAdmin

ssilk

usand

List shares; what is the name of the “interesting” share?

Get-SmbShare

operationfiles

#Alt method to find non-default shares (drops the hidden admin shares ending in $ plus SYSVOL and NETLOGON):

(Get-SmbShare | Where-Object {($_.Name -notlike '*$*') -and ($_.Name -notlike '*SYSVOL*') -and ($_.Name -notlike '*NETLOGON*')}).Name

What is the name of the user-created Group Policy?

$root = (Get-ADDomain).DistinguishedName ; Get-ADObject -Filter * -SearchBase "CN=Policies,CN=System,$root" -Properties DisplayName | Select-Object DisplayName, Name

Alternatively, get just the non-default GPOs:

$root = (Get-ADDomain).DistinguishedName ; Get-ADObject -Filter * -SearchBase "CN=Policies,CN=System,$root" -Properties DisplayName | Where-Object {$_.DisplayName -notlike '*Default*'} | Select-Object DisplayName

Disable WinDef

What are the first names of users whose accounts were disabled? (Sorted alphabetically, small, comma-separated, using space)

(Get-ADUser -Filter {Enabled -eq $false} -Properties CN).CN

krbtgt

Ursula Sand

This however was not the answer THM wanted. They are looking for:

Daniel, Ursula

Summary

THM does some weird, funky things in their VMs sometimes. One just has to roll with it and work out what they want from the number of *s in the answer box.

Overall this was good practice. I probably would have included some more enumeration, like looking for users that are ASREPRoastable or Kerberoastable, and things like how to find who owns the domain object.
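As an added example (not code from the room or from the original post), here is one function that bundles the room’s checks with the extra ones just mentioned, read from a hardening point of view: which accounts have Kerberos pre-authentication switched off, which user accounts carry SPNs, and who owns the domain object. It assumes the ActiveDirectory module is loaded on a domain-joined host; the function name Get-QuickADAudit is hypothetical.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module
# (which also provides the AD: drive used for the owner lookup).
function Get-QuickADAudit {
    [CmdletBinding()]
    param(
        # Defaults to the current domain; pass another DNS name to audit a different one.
        [string]$Server = (Get-ADDomain).DNSRoot
    )

    $domain = Get-ADDomain -Server $Server
    $users  = Get-ADUser -Server $Server -Filter * -Properties Description, GivenName,
              ServicePrincipalName, DoesNotRequirePreAuth

    [pscustomobject]@{
        Domain            = $domain.DNSRoot
        # Owner of the domain object itself: an owner can rewrite its ACL, so it must be a trusted principal.
        DomainOwner       = (Get-Acl -Path "AD:\$($domain.DistinguishedName)").Owner
        DomainAdmins      = (Get-ADGroupMember -Server $Server 'Domain Admins' -Recursive |
                              Sort-Object SamAccountName).SamAccountName -join ', '
        # The room's "first names of disabled users", already in the format the answer box wants.
        DisabledFirstName = ($users | Where-Object { -not $_.Enabled -and $_.GivenName } |
                              Sort-Object GivenName).GivenName -join ', '
        # Accounts that carry a description (the room hides a value in one of them).
        Described         = $users | Where-Object Description |
                              Select-Object SamAccountName, Description
        # Pre-authentication disabled: remediation is to re-enable it on every account listed.
        NoPreAuth         = ($users | Where-Object DoesNotRequirePreAuth).SamAccountName
        # User accounts with SPNs: review each one; prefer gMSAs or long random passwords.
        UserSPNs          = ($users | Where-Object { $_.ServicePrincipalName -and
                              $_.SamAccountName -ne 'krbtgt' }).SamAccountName
        # Shares on the local host, minus the hidden admin shares and the two default DC shares.
        NonDefaultShares  = (Get-SmbShare | Where-Object {
                              $_.Name -notmatch '\$$|^SYSVOL$|^NETLOGON$' }).Name
        # GPO containers whose display name is not one of the two built-in defaults.
        NonDefaultGPOs    = (Get-ADObject -Server $Server -Filter * -Properties DisplayName `
                              -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" |
                              Where-Object { $_.DisplayName -and $_.DisplayName -notlike 'Default*' }).DisplayName
    }
}

Get-QuickADAudit | Format-List
```

The share check is local to the host the function runs on, so run it on the machine whose shares you care about.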

On a side note, we were curious what that ‘Disable WinDef’ GPO did, so we went poking around in RSOP.msc.

References

Enumerate GPOs, including who can create & link them: https://happycamper84.medium.com/who-can-push-ransomware-domain-wide-f504e6d6409e


Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.