TL;DR Walkthrough of the TryHackMe Windows Hardening room.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
I have been slow rolling my way through the Security Engineer pathway, one of TryHackMe's newer learning paths. THM ran a raffle when the pathway launched around September 2023; I didn't win anything, but hopefully one of you did.
I just finished up my college program at WGU and am coming into my renewal window for a couple certifications, so it’s a great time to get back into TryHackMe, learn something, get some good practice, and get some CPEs.
TryHackMe shows how to perform the hardening and querying in the GUI, but I'm partial to PowerShell, which is why almost everything here is done from the CLI.
As always, connect to the VM over RDP with:
xfreerdp /v:10.10.37.20 /u:Harden /p:harden /dynamic-resolution
Questions
--- Task 2 ---
What is the startup type of App Readiness service in the services panel?
(Get-Service | Where-Object { $_.DisplayName -like "*App Readiness*" }).StartType
Manual
Note the distinction: StartType is the startup type the question asks for (Manual), while Status is the service's current run state (Stopped on this VM). Querying .Status, as I first did, returns Stopped, which THM won't accept.
Open Registry Editor and find the key “tryhackme”. What is the default value of the key?
Get-ChildItem -Path HKCU:\ -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*tryhackme*" }
Hive: HKEY_CURRENT_USER\SOFTWARE\Microsoft\F12
Name Property
- - - - - -
tryhackme (default) : {THM_REG_FLAG}
The answer THM is looking for is of course {THM_REG_FLAG}
Open the Diagnosis folder and go through the various log files. Can you find the flag?
Get-Content "C:\ProgramData\Microsoft\Diagnosis\flag.txt.txt"
{THM_1000710}
Open the Event Viewer and play with various event viewer filters like Information, Error, Warning etc. Which error type has the maximum number of logs?
No answer needed.
However I was curious, so I queried the list of classic logs and the number of events in each. The question asks about levels (Information, Warning, Error), but the per-log count is still useful: the Security log holds by far the most events on this VM.
# Get-EventLog only exists in Windows PowerShell 5.1 (it was removed from PowerShell 7); the Security log needs an elevated prompt.
$Logs = (Get-EventLog -List).Log
ForEach ($Log in $Logs)
{
    $Log
    (Get-EventLog -LogName $Log).Count
    Write-Host " "
}
Application
1497
EC2ConfigService
36
HardwareEvents
0
Internet Explorer
0
Key Management Service
0
Security
5140
System
2057
Windows PowerShell
757
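To answer the question as actually asked (which level has the most entries), the events have to be grouped by level rather than by log. The following is an added PowerShell example, not output or code from the THM room or this walkthrough, that does that with Get-WinEvent, which works in both Windows PowerShell and PowerShell 7. The log names are the standard ones; Security audit events are grouped by their Audit Success/Audit Failure keywords because their Level field is always 0.

```powershell
# Added example: count events per level across the classic logs.
function Get-EventLevelCounts {
    param([string[]]$LogName = @('Application', 'System', 'Security'))
    foreach ($log in $LogName) {
        # Security requires an elevated prompt; SilentlyContinue keeps the loop going otherwise.
        $events = @(Get-WinEvent -LogName $log -ErrorAction SilentlyContinue)
        if ($events.Count -eq 0) { continue }

        # Security audit events carry Level 0 (LogAlways) and LevelDisplayName "Information";
        # their real classification is in the keywords, so group on those instead.
        $levelOf = { $_.LevelDisplayName }
        if ($log -eq 'Security') { $levelOf = { $_.KeywordsDisplayNames -join ',' } }

        $events |
            Group-Object -Property $levelOf |
            Sort-Object -Property Count -Descending |
            ForEach-Object {
                [pscustomobject]@{
                    Log   = $log
                    Level = $_.Name
                    Count = $_.Count
                }
            }
    }
}

Get-EventLevelCounts | Format-Table -AutoSize
```

Run it from an elevated prompt or the Security rows are silently skipped. For a hardening baseline the Error and Critical rows in System are the ones worth reading first; a large Audit Failure count in Security usually means either a misconfigured service account or someone guessing passwords.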
--- Task 3 ---
Find the name of the Administrator Account of the attached VM.
(Get-LocalGroupMember -Group Administrators).Name
DESKTOP-EG8TCS4\Administrator
DESKTOP-EG8TCS4\Harden
The answer THM is looking for is Harden (the built-in Administrator is also a member, but THM doesn't count it).
Go to the User Account Control Setting Panel (Control Panel > All Control Panel Items > User Accounts). What is the default level of Notification?
Always Notify
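The slider is just a front end for three registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Here is an added PowerShell example, not part of the THM room or this walkthrough's original commands, that reads them and maps the combination back to the label the Control Panel would show. The mapping is the standard one for Windows 10/11 (ConsentPromptBehaviorAdmin 2 = always prompt, 5 = prompt for non-Windows binaries, 0 = elevate silently; PromptOnSecureDesktop 1 = dim the desktop); anything else means a policy set a non-slider combination.

```powershell
# Added example: read the UAC registry values and translate them to the slider label.
function Get-UacLevel {
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey -Name EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop

    # The slider position is determined by the admin consent behaviour plus the secure-desktop flag.
    $combo = "$($uac.ConsentPromptBehaviorAdmin)/$($uac.PromptOnSecureDesktop)"
    $level = switch ($combo) {
        '2/1'   { 'Always notify (top of slider)' }
        '5/1'   { 'Notify me only when apps try to make changes to my computer (Windows default)' }
        '5/0'   { 'Notify me only when apps try to make changes (do not dim my desktop)' }
        '0/0'   { 'Never notify (bottom of slider)' }
        default { "Non-standard combination set by policy: ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop)" }
    }

    if ($uac.EnableLUA -ne 1) {
        Write-Warning 'EnableLUA is 0: UAC is disabled entirely, so the slider label does not apply.'
    }

    [pscustomobject]@{
        EnableLUA                  = $uac.EnableLUA
        ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop
        SliderLevel                = $level
    }
}

Get-UacLevel
```

The reason to check the registry rather than trust the GUI is that a GPO or a script can set ConsentPromptBehaviorAdmin=0 with PromptOnSecureDesktop=1, which the slider has no position for; the Control Panel will still draw something, but elevation is silent.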
How many standard accounts are created in the VM?
(Get-LocalUser).Count
5
0 is the answer THM wants. Get-LocalUser counts every local account, including the built-in ones a stock Windows 10 image ships with (Administrator, Guest, DefaultAccount, WDAGUtilityAccount), most of which are disabled, and Harden is in Administrators, so none of the five is an enabled standard user.
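To get the number THM wants without counting by hand, classify each account instead of just counting them. This is an added PowerShell example, not a command from the THM room or the original walkthrough; it matches admin membership by SID rather than by name so the COMPUTERNAME\ prefix in Get-LocalGroupMember output doesn't get in the way, and it recognises the built-ins by their well-known RIDs (500 Administrator, 501 Guest, 503 DefaultAccount, 504 WDAGUtilityAccount).

```powershell
# Added example: classify local accounts as admin/standard and enabled/disabled.
function Get-LocalAccountSummary {
    # SIDs of everything in the local Administrators group (may include domain principals).
    $adminSids = @((Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).SID.Value)

    Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Enabled   = $_.Enabled
            IsAdmin   = ($_.SID.Value -in $adminSids)
            # Well-known RIDs for the accounts Windows creates itself.
            BuiltIn   = ($_.SID.Value -match '-(500|501|503|504)$')
            LastLogon = $_.LastLogon
        }
    }
}

$accounts = @(Get-LocalAccountSummary)
$accounts | Format-Table -AutoSize

# "Standard account" in the THM sense: enabled and not an administrator.
$standard = @($accounts | Where-Object { $_.Enabled -and -not $_.IsAdmin })
"Enabled standard (non-admin) accounts: $($standard.Count)"

# Hardening check: any enabled built-in besides Administrator is worth a second look.
$accounts | Where-Object { $_.BuiltIn -and $_.Enabled -and $_.Name -ne 'Administrator' } |
    ForEach-Object { Write-Warning "Built-in account '$($_.Name)' is enabled" }
```

On the room's VM the standard count comes out at 0, which is the accepted answer. The same table is what you want during a build review: an enabled Guest or a second enabled RID-500-style admin that nobody remembers creating is the kind of thing that hides inside a bare (Get-LocalUser).Count.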
--- Task 4 ---
Open Windows Firewall and click on Monitoring in the left pane — which of the following profiles is active? Domain, Private, Public?
Get-NetFirewallSetting -PolicyStore ActiveStore | Select-Object -ExpandProperty ActiveProfile
Private
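Knowing which profile is active is only half of the picture; what matters for hardening is how that profile is configured. The following is an added PowerShell example, not a command from the THM room or this walkthrough, that lists every profile's default actions and logging alongside the active-profile flag, counts the enabled inbound Allow rules that apply to it, and flags the weak combinations. Column names and the Weak heuristic are my own.

```powershell
# Added example: per-profile firewall posture report.
function Get-FirewallPosture {
    # ActiveProfile is a flags enum, e.g. "Private" or "Private, Public".
    $active = "$((Get-NetFirewallSetting -PolicyStore ActiveStore).ActiveProfile)"

    # Fetch the enabled inbound Allow rules once; each rule's Profile is "Any" or a profile combination.
    $inboundAllow = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue)

    foreach ($profile in Get-NetFirewallProfile) {
        $rulesForProfile = @($inboundAllow | Where-Object {
            "$($_.Profile)" -eq 'Any' -or "$($_.Profile)" -match $profile.Name
        })

        [pscustomobject]@{
            Profile               = $profile.Name
            Active                = ($active -match $profile.Name)
            Enabled               = $profile.Enabled
            DefaultInboundAction  = $profile.DefaultInboundAction
            DefaultOutboundAction = $profile.DefaultOutboundAction
            LogBlocked            = $profile.LogBlocked
            LogFile               = $profile.LogFileName
            InboundAllowRules     = $rulesForProfile.Count
            # Weak posture: firewall off, inbound allowed by default, or blocked traffic not logged.
            Weak                  = ($profile.Enabled -ne 'True') -or
                                    ($profile.DefaultInboundAction -eq 'Allow') -or
                                    ($profile.LogBlocked -ne 'True')
        }
    }
}

Get-FirewallPosture | Format-Table -AutoSize
```

DefaultInboundAction of NotConfigured behaves as Block, so only an explicit Allow is flagged. The rule count is there because a profile that is "on" with a few hundred inherited Allow rules is not meaningfully filtering anything; follow up with Get-NetFirewallRule piped to Get-NetFirewallPortFilter on the rows that look bloated.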
Find the IP address resolved for the website tryhack.me in the Virtual Machine as per the local hosts file.
Get-Content C:\Windows\System32\drivers\etc\hosts | Select-String "tryhack.me"
192.168.1.140 tryhack.me
The answer THM is looking for is of course 192.168.1.140. The hosts file is consulted before DNS, which is exactly why it is worth a look during hardening or incident response: an entry like this silently redirects a name, and a line in here for an update, AV or banking domain is a classic sign of tampering.
Open the command prompt and enter arp -a. What is the Physical address for the IP address 255.255.255.255?
arp -a | Select-String "255.255.255.255"
255.255.255.255 ff-ff-ff-ff-ff-ff static
Alt:
Get-NetNeighbor | Where-Object { $_.IPAddress -eq "255.255.255.255" }
The answer THM wants is FF-FF-FF-FF-FF-FF. 255.255.255.255 is the limited-broadcast address, so it always maps to the Ethernet broadcast MAC, and the entry is static rather than learned from the network.
--- Task 5 ---
Windows Defender Antivirus is configured to exclude a particular extension from scanning. What is the extension?
(Get-MpPreference).ExclusionExtension
.ps
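An extension exclusion is only one of four exclusion types Defender supports, and adding exclusions is a standard way for malware and lazy admins alike to carve out a blind spot. Below is an added PowerShell example, not part of the THM room or the original walkthrough, that pulls all four lists from Get-MpPreference and flags the entries a reviewer should question; the "risky" pattern (script and executable extensions, user-writable directories, wildcards) is my own heuristic, not a Microsoft list.

```powershell
# Added example: audit every Defender exclusion category, not only extensions.
function Get-DefenderExclusionReport {
    $pref = Get-MpPreference

    # Each property is $null when empty, so wrap in @() and skip blanks.
    $categories = [ordered]@{
        Extension = $pref.ExclusionExtension
        Path      = $pref.ExclusionPath
        Process   = $pref.ExclusionProcess
        IpAddress = $pref.ExclusionIpAddress
    }

    foreach ($type in $categories.Keys) {
        foreach ($value in @($categories[$type])) {
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            [pscustomobject]@{ Type = $type; Value = $value }
        }
    }
}

# Heuristic: scriptable/executable extensions, user-writable locations, or wildcards.
$riskyPattern = '(?i)^\.?(ps1?|bat|cmd|vbs|js|jse|wsf|hta|exe|dll|scr)$' +
                '|\\(Temp|Users\\Public|Downloads|AppData\\Local\\Temp)\b' +
                '|\*'

$report = @(Get-DefenderExclusionReport | ForEach-Object {
    $_ | Add-Member -NotePropertyName Risky -NotePropertyValue ($_.Value -match $riskyPattern) -PassThru
})

$report | Format-Table -AutoSize
"Exclusions: $($report.Count)  Risky: $(@($report | Where-Object Risky).Count)"
```

On the room's VM the single ".ps" extension lights up the Risky column. Removing it is Remove-MpPreference -ExclusionExtension ".ps", and for detection going forward, Defender logs every preference change as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is a cheap thing to alert on.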
A Word document is received from an unknown email address. It is best practice to open it immediately on your personal computer (yay/nay).
nay
What is the flag you received after executing the Office Hardening Batch file?
Get-Content C:\Users\Harden\Desktop\office.bat | Select-String "Flag"
echo "Microsoft Office Hardened Successfully - Here is your Flag {THM_1101110}"
{THM_1101110}
Reading the batch file rather than running it gets the flag without executing anything, which is the habit you want with any script you didn't write.
--- Task 6 ---
A security engineer has misconfigured the attached VM and stored a BitLocker recovery key in the same computer. Can you read the last six digits of the recovery key?
Get-ChildItem -Path "C:\Users" -Include "*BitLocker Recovery Key*" -Recurse -ErrorAction SilentlyContinue | Get-Content
132858-327525-689172-680790-354607-080454-642268-377564
How many characters does the BitLocker recovery key have in the attached VM?
$MyKey = "132858-327525-689172-680790-354607-080454-642268-377564"
$MyKey.Length
55
Alt:
("132858-327525-689172-680790-354607-080454-642268-377564").Length
55
The answer THM is looking for is 48. They aren't counting the dashes: a recovery password is 8 groups of 6 digits (48), and the 7 separators bring the string to 55.
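Searching by filename only finds keys that were helpfully named; the misconfiguration THM is describing is usually a key pasted into some notes.txt. Here is an added PowerShell example, not from the THM room or this walkthrough, that instead hunts by content using the fixed shape of a recovery password (eight dash-separated groups of six digits, assumed to be written with ASCII hyphens) and reports the last six digits plus the digit count for each hit. The root paths, size cap and extension list are my own choices to keep the scan fast.

```powershell
# Added example: find BitLocker recovery passwords by content rather than filename.
function Find-BitLockerRecoveryKey {
    param(
        [string[]]$Root = @("$env:SystemDrive\Users"),
        [int]$MaxSizeKB = 512
    )

    # A recovery password is 48 digits in 8 groups of 6, separated by hyphens.
    $pattern = '\b\d{6}(?:-\d{6}){7}\b'

    # Text-like extensions only; Office documents are zip containers and need a different approach.
    $textExtensions = @('.txt', '.csv', '.log', '.md', '.rtf', '.ini', '.xml', '.json', '')

    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le ($MaxSizeKB * 1KB) -and $_.Extension -in $textExtensions } |
        Select-String -Pattern $pattern -AllMatches -ErrorAction SilentlyContinue |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                [pscustomobject]@{
                    File       = $_.Path
                    Line       = $_.LineNumber
                    LastSix    = $m.Value.Substring($m.Value.Length - 6)
                    DigitCount = ($m.Value -replace '[^0-9]').Length   # 48 for a valid key
                }
            }
        }
}

Find-BitLockerRecoveryKey | Format-Table -AutoSize
```

A key found this way should be treated as disclosed: rotate it with Add-BitLockerKeyProtector -RecoveryPasswordProtector followed by Remove-BitLockerKeyProtector for the old protector ID, then escrow the new one to AD or Entra with Backup-BitLockerKeyProtector or BackupToAAD-BitLockerKeyProtector rather than a text file on the volume it unlocks.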
A backup file is placed on the Desktop of the attached VM. What is the extension of that file?
Get-ChildItem C:\Users\Harden\Desktop
Directory: C:\Users\Harden\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/28/2022 8:00 AM 22 MyWindowsBackup.bkf
-a---- 6/27/2022 4:09 AM 10446 office.bat
The answer is .bkf, the extension used by the old NTBackup utility.
--- Task 7 ---
What is the CVSS score for the vulnerability CVE-2022-32230?
THM wants 7.8, the CVSS v3 base score listed on NVD (a High severity rating).
--- Task 8 ---
I have completed the room.
No answer needed
Summary
TryHackMe has a habit of being a bit wonky when it comes to questions about the name of the administrator account or the number of administrator accounts. They often don't count the built-in Administrator, as seen in this room, so just FYSA if you're ever having trouble getting THM to accept your answer.
I have also seen TryHackMe call the built-in domain Administrator account (RID 500, i.e. the SID ending in -500, present in every AD domain by default) "the DC's local admin", which it is not.
Overall though this is a small gripe and just something to be aware of. TryHackMe is always good for cheap, hands-on training, and this room was no different.
References
UAC slider is a combination of these registry values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop): https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/7c705718-f58e-4886-8057-37c8fd9aede1
CVE-2022-32230 on NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32230
Retrieving Windows Defender exclusions via PowerShell without output truncation: https://superuser.com/questions/1591375/how-to-retrieve-windows-defender-exclusions-by-powershell-without-truncation-out