Windows Hardening TryHackMe Walkthrough

Rich
5 min readApr 22, 2024

--

TL;DR Walkthrough of the TryHackMe Windows Hardening room.

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

I have been slow rolling my way through the Security Engineer pathway, one of TryHackMe’s newer learning paths. I didn’t win anything back when THM was doing a raffle when the pathway was brand new circa Sep 2023. Hopefully one of you did.

I just finished up my college program at WGU and am coming into my renewal window for a couple certifications, so it’s a great time to get back into TryHackMe, learn something, get some good practice, and get some CPEs.

TryHackMe showed how to perform Windows hardening and querying in the GUI, but I’m partial to PowerShell, hence why almost everything in here is in the CLI.

As always connect via

xfreerdp /v:10.10.37.20 /u:Harden /p:harden /dynamic-resolution

Questions

— — Task 2 — -

What is the startup type of App Readiness service in the services panel?

(Get-Service | Where-Object {$_.DisplayName -like “*App Readiness*”}).Status

Stopped

The answer THM is looking for is Manual.

Open Registry Editor and find the key “tryhackme”. What is the default value of the key?

Get-ChildItem -Path HKCU:\ -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.Name -like “*tryhackme*”}
Hive: HKEY_CURRENT_USER\SOFTWARE\Microsoft\F12

Name Property
- - - - - -
tryhackme (default) : {THM_REG_FLAG}

The answer THM is looking for is of course {THM_REG_FLAG}

Open the Diagnosis folder and go through the various log files. Can you find the flag?

Get-Content “C:\ProgramData\Microsoft\Diagnosis\flag.txt.txt”

{THM_1000710}

Open the Event Viewer and play with various event viewer filters like Information, Error, Warning etc. Which error type has the maximum number of logs?

No answer needed.

However I was curious, so I queried the list of logs and number of events per log. The answer is the security log.

$Logs = (Get-EventLog -List).Log
ForEach($Log in $Logs)
{
$Log
(Get-EventLog -LogName $Log).Count
Write-Host " "
}
Application
1497

EC2ConfigService
36

HardwareEvents
0

Internet Explorer
0

Key Management Service
0

Security
5140

System
2057

Windows PowerShell
757

— — Task 3 — -

Find the name of the Administrator Account of the attached VM.

(Get-LocalGroupMember -Group Administrators).Name

DESKTOP-EG8TCS4\Administrator
DESKTOP-EG8TCS4\Harden

The answer that THM is looking for is Harden.

Go to the User Account Control Setting Panel (Control Panel > All Control Panel Items > User Accounts). What is the default level of Notification?

Always Notify

How many standard accounts are created in the VM?

(Get-LocalUser).Count

5

0 is the answer THM wants.

— — Task 4 — -

Open Windows Firewall and click on Monitoring in the left pane — which of the following profiles is active? Domain, Private, Public?

Get-NetFirewallSetting -PolicyStore ActiveStore | Select-Object -ExpandProperty ActiveProfile

Private

Find the IP address resolved for the website tryhack.me in the Virtual Machine as per the local hosts file.

Get-Content C:\Windows\System32\drivers\etc\hosts | Select-String “tryhack.me”

192.168.1.140 tryhack.me

The answer THM is looking for is of course 192.168.1.140

Open the command prompt and enter arp -a. What is the Physical address for the IP address 255.255.255.255?

arp -a | Select-String “255.255.255.255”

255.255.255.255 ff-ff-ff-ff-ff-ff static

Alt:

Get-NetNeighbor | Where-Object {$_.IPAddress -eq “255.255.255.255”}

The answer THM wants is FF-FF-FF-FF-FF-FF, which of course is always the broadcast address.

— — Task 5 — -

Windows Defender Antivirus is configured to exclude a particular extension from scanning. What is the extension?

(Get-MpPreference).ExclusionExtension

.ps

A Word document is received from an unknown email address. It is best practice to open it immediately on your personal computer (yay/nay).

nay

What is the flag you received after executing the Office Hardening Batch file?

Get-Content C:\Users\Harden\Desktop\office.bat | Select-String “Flag”

echo "Microsoft Office Hardened Successfully - Here is your Flag {THM_1101110}"

{THM_1101110}

— — Task 6 — -

A security engineer has misconfigured the attached VM and stored a BitLocker recovery key in the same computer. Can you read the last six digits of the recovery key?

Get-ChildItem -Path “C:\Users” -Include “*BitLocker Recovery Key*” -Recurse -ErrorAction SilentlyContinue | Get-Content

132858–327525–689172–680790–354607–080454–642268–377564

How many characters does the BitLocker recovery key have in the attached VM?

$MyKey = "132858–327525–689172–680790–354607–080454–642268–377564"
$MyKey.Length

55

Alt:

(“132858–327525–689172–680790–354607–080454–642268–377564”).Length

55

The answer THM is looking for is 48. They aren’t counting the dashes.

A backup file is placed on the Desktop of the attached VM. What is the extension of that file?

Get-ChildItem C:\Users\Harden\Desktop

Directory: C:\Users\Harden\Desktop

Mode LastWriteTime Length Name
- - - - - - - - - - - - - -
-a---- 6/28/2022 8:00 AM 22 MyWindowsBackup.bkf
-a---- 6/27/2022 4:09 AM 10446 office.bat

— — Task 7 — -

What is the CVE score for the vulnerability CVE ID CVE-2022–32230?

THM wants 7.8

— — Task 8 — -

I have completed the room.

No answer needed

Summary

TryHackMe has a habit of being a bit wonky and odd when it comes to questions regarding the name of the administrator account or the number of administrator accounts. They often don’t count the builtin Administrator, as seen in this room, so just FYSA if you’re every having trouble getting THM to accept your answer.

I have seen TryHackMe mix up the Administrator, aka SID 500 in every AD by default, and call it “the DC’s local admin”.

Overall though this is a small gripe and just something to be aware of. TryHackMe is always good for cheap, hands on training. This room was no different.

References

UAC slider is a combination of these registry keys: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/7c705718-f58e-4886-8057-37c8fd9aede1

CVEs: https://nvd.nist.gov/vuln/detail/CVE-2022-32230

Get Windows FW profile: https://superuser.com/questions/1591375/how-to-retrieve-windows-defender-exclusions-by-powershell-without-truncation-out

--

--

Rich
Rich

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.