TryHackMe Command Line Module Walk Through

Rich
8 min read · Nov 24, 2024

TL;DR Walkthrough of the 3 rooms that make up the Command Line module in the Cyber Security 101 pathway. The rooms are:

https://tryhackme.com/r/room/windowscommandline

https://tryhackme.com/r/room/windowspowershell

https://tryhackme.com/r/room/linuxshells

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

I am currently in between CPE windows with all the organizations I hold certifications with, so I have been screwing around doing various lab projects and random TryHackMe rooms. TryHackMe recently launched the Cyber Security 101 pathway, so I started knocking out the rooms in it that I hadn’t already done. There is a lot of overlap between TryHackMe pathways, hence I am already halfway done with this pathway.

The rooms are all pretty short so I combined them all into one walk through.

Windows Command Line Room

I did not go through this room the way TryHackMe tells you to. I nmap scanned the VM, saw 3389 open, and figured I could just RDP into the thing.

xfreerdp /v:10.10.132.23 /u:user /p:Tryhackme123\! /dynamic-resolution

The VM is running Windows Server 2022 DataCenter, Server Core installation type.

Most of these questions wanted the command used to run a given query, not the output itself. I put the cmd.exe command first and the PowerShell command second. In a few cases where TryHackMe just wanted the output I only used PowerShell.

I am not a fan of cmd.exe and really only use a few legacy commands like ‘ipconfig /all’ in daily usage. Funny enough I realized that the cmd.exe command ‘ver’ does not work in PowerShell while doing this room. This is the first cmd.exe command that I have seen in years of using PowerShell that does not work. If you do want to use ‘ver’ you can simply run ‘cmd’.

— — Task 1 — -

What is the default command line interpreter in the Windows environment?

cmd.exe

— — Task 2 — -

What is the OS version of the Windows VM?

#Get a partial answer
systeminfo
(Get-ComputerInfo).OsVersion

10.0.20348

#Get the full value
ver
($PSVersionTable).BuildVersion

10.0.20348.2655

What is the hostname of the Windows VM?

hostname
(Get-ComputerInfo).CsName

WINSRV2022-CORE

— — Task 3 — -

Which command can we use to look up the server’s physical address (MAC address)?

ipconfig /all
(Get-NetAdapter).MacAddress

02-D7-DA-44-A3-41

The answer THM wants is ipconfig /all.

What is the name of the process listening on port 3389?

$Process = (Get-NetTCPConnection -LocalPort 3389).OwningProcess[0] ; Get-Process -Id $Process | Select-Object Name, Id

svchost

TryHackMe doesn’t like that answer though, so let’s just use common sense as we know RDP uses port 3389 by default.

Get-Service | Where-Object {$_.DisplayName -like "*Remote Desktop Services*"}

TermService
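The svchost answer above is correct but incomplete, because svchost is only a host process for services. This added example (not part of the original walkthrough or the TryHackMe room) resolves a listening port to its PID and then to the services running inside that process, instead of guessing by display name. The function name Get-PortOwner is hypothetical.

```powershell
# Added example: map a listening TCP port -> owning PID -> services hosted in that process.
# Get-PortOwner is a hypothetical helper name, not a built-in cmdlet.
function Get-PortOwner {
    param(
        [Parameter(Mandatory)]
        [int]$Port
    )

    # Only listening sockets; the same port can be bound on several addresses (IPv4/IPv6),
    # so de-duplicate the owning PIDs.
    $owners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty OwningProcess -Unique

    foreach ($procId in $owners) {
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue

        # Win32_Service exposes the PID each service runs in, which is what
        # separates one svchost instance from another.
        $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $procId"

        [pscustomobject]@{
            Port     = $Port
            ProcId   = $procId
            Process  = $proc.ProcessName
            Services = ($svcs.Name -join ', ')
            Binary   = ($svcs.PathName | Select-Object -Unique) -join '; '
        }
    }
}

# On the room's VM this is the RDP listener from the question above.
Get-PortOwner -Port 3389 | Format-List
```

The cmd.exe equivalent of the service lookup is tasklist /svc /FI "PID eq <pid>" with the PID taken from netstat -ano.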

What is the IP address of your gateway?

ipconfig /all
(Get-NetIPConfiguration).IPv4DefaultGateway.NextHop

10.10.0.1

— — Task 4 — -

What are the file’s contents in C:\Treasure\Hunt?

Get-ChildItem C:\Treasure\Hunt
Get-Content C:\Treasure\Hunt\flag.txt

THM{CLI_POWER}

— — Task 5 — -

What command would you use to find the running processes related to notepad.exe?

tasklist /FI "imagename eq Notepad.exe"
Get-Process | Where-Object {$_.ProcessName -like "*Notepad*"}

The answer TryHackMe wants is:

tasklist /FI imagename eq Notepad.exe

What command can you use to kill the process with PID 1516?

taskkill /PID 1516
Stop-Process -Name Notepad
Stop-Process -Id 1516

The answer TryHackMe wants is:

taskkill /PID 1516

— — Task 6 — -

The command shutdown /s can shut down a system. What is the command you can use to restart a system?

Shutdown /r
Restart-Computer

What command can you use to abort a scheduled system shutdown?

shutdown /a
#Stop-Computer has no -Cancel parameter; shutdown /a also runs as-is from PowerShell

Windows PowerShell Room

xfreerdp /v:10.10.144.176 /u:captain /p:JollyR0ger# /dynamic-resolution

— — Task 2 — -

What do we call the advanced approach used to develop PowerShell?

object-oriented

— — Task 3 — -

How would you retrieve a list of commands that start with the verb Remove? [for the sake of this question, avoid the use of quotes (“ or ‘) in your answer]

Get-Command -Name "*Remove*"

The answer TryHackMe wants is:

Get-Command -Name *Remove*

What cmdlet has its traditional counterpart echo as an alias?

Get-Alias | Where-Object {$_.Name -like "*echo*"}

Write-Output

What is the command to retrieve some example usage for the cmdlet New-LocalUser?

Get-Help New-LocalUser -Examples

— — Task 4 — -

What cmdlet can you use instead of the traditional Windows command type?

Get-Content

What PowerShell command would you use to display the content of the “C:\Users” directory? [for the sake of this question, avoid the use of quotes (“ or ‘) in your answer]

Get-ChildItem -Path C:\Users

How many items are displayed by the command described in the previous question?

4

— — Task 5 — -

How would you retrieve the items in the current directory with size greater than 100? [for the sake of this question, avoid the use of quotes (“ or ‘) in your answer]

Get-ChildItem | Where-Object {$_.Length -gt 100}

THM is really picky on these questions though, and demands that you use a specific syntax. They want:

Get-ChildItem | Where-Object -Property Length -gt 100

— — Task 6 — -

Other than your current user and the default “Administrator” account, what other user is enabled on the target machine?

Get-LocalUser | Where-Object {($_.Enabled -eq $True) -and (($_.Name -ne "Administrator") -and ($_.Name -ne "captain"))}

p1r4t3

This lad has hidden his account among the others with no regard for our beloved captain! What is the motto he has so bluntly put as his account’s description?

A merry life and a short one.

Now a small challenge to put it all together. This shady lad that we just found hidden among the local users has his own home folder in the “C:\Users” directory.

Can you navigate the filesystem and find the hidden treasure inside this pirate’s home?

Get-ChildItem C:\Users\p1r4t3 -Recurse | Where-Object {$_.Name -like "*.txt"} | Get-Content

FLAG: THM{p34rlInAsh3ll}

— — Task 7 — -

In the previous task, you found a marvelous treasure carefully hidden in the target machine. What is the hash of the file that contains it?

Get-ChildItem C:\Users\p1r4t3 -Recurse | Where-Object {$_.Name -like "*.txt"} | Get-FileHash

71FC5EC11C2497A32F8F08E61399687D90ABE6E204D2964DF589543A613F3E08

What property retrieved by default by Get-NetTCPConnection contains information about the process that has started the connection?

OwningProcess

It’s time for another small challenge. Some vital service has been installed on this pirate ship to guarantee that the captain can always navigate safely. But something isn’t working as expected, and the captain wonders why. Investigating, they find out the truth, at last: the service has been tampered with! The shady lad from before has modified the service DisplayName to reflect his very own motto, the same that he put in his user description.

With this information and the PowerShell knowledge you have built so far, can you find the service name?

Get-Service | Where-Object {$_.DisplayName -like "*merry*"}

p1r4t3-s-compass
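The tampering in this task leaves the same string in two places, the account description and the service DisplayName. This added example (not from the original walkthrough or the room) looks for that overlap across all local accounts instead of searching for one known word. The function name, the MinLength threshold, and the assumption that the DisplayName contains the whole description text are mine.

```powershell
# Added example: flag services whose DisplayName contains a local account's description.
# Find-ServiceMatchingUserDescription is a hypothetical name; MinLength is an assumed
# threshold that skips short descriptions likely to match by accident.
function Find-ServiceMatchingUserDescription {
    param([int]$MinLength = 8)

    $services = Get-CimInstance Win32_Service

    foreach ($user in Get-LocalUser) {
        if (-not $user.Description) { continue }
        $desc = $user.Description.Trim()
        if ($desc.Length -lt $MinLength) { continue }

        # Escape wildcard characters so the description is matched literally.
        $pattern = '*' + [WildcardPattern]::Escape($desc) + '*'

        foreach ($svc in ($services | Where-Object { $_.DisplayName -like $pattern })) {
            [pscustomobject]@{
                Account     = $user.Name
                Enabled     = $user.Enabled
                Service     = $svc.Name
                DisplayName = $svc.DisplayName
                State       = $svc.State
                RunsAs      = $svc.StartName
                BinaryPath  = $svc.PathName
            }
        }
    }
}

Find-ServiceMatchingUserDescription | Format-List
```

BinaryPath and RunsAs are included because a renamed service is only the visible part; what it executes and under which account is what needs checking next.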

— — Task 8 — -

What is the syntax to execute the command Get-Service on a remote computer named “RoyalFortune”? Assume you don’t need to provide credentials to establish the connection. [for the sake of this question, avoid the use of quotes (“ or ‘) in your answer]

Invoke-Command -ComputerName RoyalFortune {Get-Service}

Again, THM is really picky on these and won’t accept syntax that works fine but isn’t exactly what they want. They want:

Invoke-Command -ComputerName RoyalFortune -ScriptBlock {Get-Service}

Linux Shells Room

Much like the two Windows rooms, I passed on using the Attack Box and doing it TryHackMe’s stated way. I simply connected from my Kali VM using ssh.

ssh user@10.10.158.242
user@Tryhackme

— — Task 1 — -

Who is the facilitator between the user and the OS?

shells

— — Task 2 — -

What is the default shell in most Linux distributions?

BASH

Which command utility is used to list down the contents of a directory?

ls

Which command utility can help you search for anything in a file?

grep

— — Task 3 — -

Which shell comes with syntax highlighting as an out-of-the-box feature?

fish

Which shell does not have auto spell correction?

bash

Which command displays all the previously executed commands of the current session?

history

— — Task 4 — -

What is the shebang used in a Bash script?

#!/bin/bash

Which command gives executable permissions to a script?

chmod +x

Which scripting functionality helps us configure iterative tasks?

loops

— — Task 5 — -

What would be the correct PIN to authenticate in the locker script?

7385

— — Task 6 — -

Which file has the keyword?

ssh user@10.10.158.242
user@Tryhackme
grep thm-flag01-script /var/log/*

authentication.log

Where is the cat sleeping?

cat /var/log/authentication.log

the cat is sleeping under the table

Summary

Overall this module was a good refresher and I learned a few things, for example that ‘ver’ is the first cmd.exe command I have seen that won’t work in PowerShell. Like much of TryHackMe this room did suffer from an insistence on a certain syntax for some commands, when other options work fine. There was a typo in one question.

My biggest issue with this module was the very first question:

“What is the default command line interpreter in Windows?”

CW6 Google and I both disagree with THM here. The default today is Windows Terminal. It runs cmd.exe, PowerShell, WSL, and Azure Cloud Shell. It replaced Windows Console as the default.

I actually heard a co-worker once state that “since Windows has a GUI there’s no reason for them to learn the CLI”. One is unlikely to learn with that mentality, and certainly won’t automate anything.

JMHO, but what makes PowerShell so good is that it is a scripting language and a CLI all in one. This means that automating something in PowerShell is a very short step beyond simply doing it once. Its other great feature is that it’s object oriented and hence writing in it is like building with Legos.

I used to have a co-worker who insisted that BASH is more user friendly than PowerShell. Everyone has their opinion, but grab 100 random, new to IT, folks who are studying for A+ and ask them what ‘ls’ and ‘Get-ChildItem’ do, ‘cat’ vs ‘Get-Content’, etc.
