
[THM] Hacking with PowerShell

This is a full walkthrough with answers and explanations for the TryHackMe room "Hacking with PowerShell".


Link to the room: https://tryhackme.com/room/powershell.

[Task 2] What is PowerShell?

PowerShell is the Windows scripting language and shell environment, built on the .NET framework. Unlike a text-based shell, its pipeline passes .NET objects between cmdlets, which is why filtering on properties (rather than parsing text) works throughout this room.

Approved Verbs for PowerShell Commands

What is the command to get a new object?

The normal format of a cmdlet name is Verb-Noun.

Get-New

[Task 3] Basic PowerShell Commands

Get-Help Get-Command -Examples

Get-Command New-*

Get-Command | Get-Member -MemberType Method

Get-ChildItem | Select-Object -Property Mode, Name

Get-Service | Where-Object -Property Status -eq Stopped

Get-ChildItem | Sort-Object
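The commands above are the building blocks of the object pipeline; the following added example (not from the room or the original post) combines them into one check an administrator actually runs: services set to start automatically that are not currently running. It inspects the object's properties with Get-Member first, then filters, sorts and projects them. The StartType property is assumed to be present, which is the case on PowerShell 5.1 and later.

```powershell
# Added example: object-based pipelines with the Task 3 cmdlets.
# Services configured to start automatically but not running are worth
# reviewing on any host you administer (a stopped AV or logging service
# is a common cause of blind spots).

# Look at what a Service object actually carries before filtering on it
Get-Service | Get-Member -MemberType Property | Select-Object -Property Name, Definition

# A script block lets several properties be combined in one filter
$notRunning = Get-Service |
    Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' } |
    Sort-Object -Property Name |
    Select-Object -Property Name, DisplayName, Status, StartType

$notRunning | Format-Table -AutoSize

# Because the pipeline carries objects, counting is a property lookup, not text parsing.
# @() guarantees an array so .Count works for zero or one result as well.
"{0} automatic services are not running" -f @($notRunning).Count
```

The same shape (Get-X | Where-Object { ... } | Sort-Object | Select-Object) is what every answer in Task 4 reduces to.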

What is the location of the file "interesting-file.txt"?

Get-ChildItem -Path C:\ -Include interesting-file.txt -File -Recurse -ErrorAction SilentlyContinue

C:\Program Files

Specify the contents of this file

Get-Content -Path "C:\Program Files\interesting-file.txt"

notsointerestingcontent

How many cmdlets are installed on the system (only cmdlets, not functions and aliases)?

(Get-Command -CommandType Cmdlet).Count

6638

Get the MD5 hash of interesting-file.txt

Get-FileHash -Path "C:\Program Files\interesting-file.txt" -Algorithm MD5

49A586A2A9456226F8A1B4CEC6FAB329

What is the command to get the current working directory?

Get-Location

Does the path "C:\Users\Administrator\Documents\Passwords" exist (Y/N)?

Test-Path -Path "C:\Users\Administrator\Documents\Passwords"

N

What command would you use to make a request to a web server?

Invoke-WebRequest

Base64 decode the file b64.txt on Windows.

Get-Content -Raw returns the whole file as a single string (rather than an array of lines), which is what FromBase64String expects:

[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String((Get-Content -Path "C:\Users\Administrator\Desktop\b64.txt" -Raw)))

ihopeyoudidthisonwindows

[Task 4] Enumeration

The first step after gaining initial access to any machine is enumeration. We'll be enumerating the following:

  • users
  • basic networking information
  • file permissions
  • registry permissions
  • scheduled and running tasks
  • insecure files

How many users are there on the machine?

(Get-LocalUser).Count

5

Which local user does this SID (S-1-5-21-1394777289-3961777894-1791813945-501) belong to?

Get-LocalUser | Where-Object { $_.SID -eq "S-1-5-21-1394777289-3961777894-1791813945-501" } | Select-Object -ExpandProperty Name

Guest

How many users have their PasswordRequired value set to False?

(Get-LocalUser | Where-Object { $_.PasswordRequired -eq $false }).Count

4

How many local groups exist?

(Get-LocalGroup).Count

24

What command did you use to get the IP address info?

Get-NetIPAddress

How many ports are listed as listening?

(Get-NetTCPConnection -State Listen).Count

20

What is the remote address of the local port listening on port 445?

Get-NetTCPConnection -LocalPort 445 -State Listen

:: (the listener is bound to all IPv6 addresses, so the remote address shown for a LISTEN entry is the unspecified address)

How many patches have been applied?

(Get-WmiObject -Class Win32_QuickFixEngineering).Count

20

When was the patch with ID KB4023834 installed?

Get-HotFix -Id KB4023834 | Select-Object -Property InstalledOn

6/15/2017 12:00:00 AM

Find the contents of a backup file.

The -Include filter takes a wildcard pattern; a bare ".bak" matches nothing, and the file we are after has a further extension, so the pattern needs a wildcard on both sides:

Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue

Get-Content "C:\Program Files (x86)\Internet Explorer\passwords.bak.txt"

backpassflag

Search for all files containing API_KEY

Get-ChildItem -Path C:\* -Recurse -File -ErrorAction SilentlyContinue | Select-String -Pattern API_KEY

fakekey123

What command do you do to list all the running processes?

Get-Process

What is the path of the scheduled task called new-sched-task?

Get-ScheduledTask -TaskName new-sched-task | Select-Object -Property TaskName, TaskPath

/

Who is the owner of C:\?

(Get-Acl -Path C:\).Owner

NT SERVICE\TrustedInstaller
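The Task 4 questions are the individual pieces of a host enumeration. As an added example that is not part of the original post, the function below gathers the same facts (local users, groups, listeners, hotfixes, scheduled tasks, the system drive owner) into one object so the result can be saved as a baseline and diffed against a later run, which is how a defender uses the same cmdlets to notice a new listener or a new scheduled task. The function name Get-HostBaseline and the file path under $env:TEMP are my choices, not anything from the room; it assumes Windows PowerShell 5.1 or later with the LocalAccounts, NetTCPIP and ScheduledTasks modules available.

```powershell
# Added example: the Task 4 checks collected into one baseline object.
function Get-HostBaseline {
    [CmdletBinding()]
    param()

    $users  = Get-LocalUser
    $listen = Get-NetTCPConnection -State Listen

    [PSCustomObject]@{
        Hostname           = $env:COMPUTERNAME
        CollectedAt        = Get-Date
        UserCount          = @($users).Count
        # Accounts with PasswordRequired = False deserve review
        NoPasswordRequired = @($users | Where-Object { $_.PasswordRequired -eq $false } | Select-Object -ExpandProperty Name)
        EnabledUsers       = @($users | Where-Object Enabled | Select-Object -ExpandProperty Name)
        LocalGroupCount    = @(Get-LocalGroup).Count
        ListeningPorts     = @($listen | Select-Object -ExpandProperty LocalPort | Sort-Object -Unique)
        # Which address and process own the SMB listener, if any
        SmbListener        = @($listen | Where-Object LocalPort -eq 445 | Select-Object LocalAddress, OwningProcess)
        HotfixCount        = @(Get-HotFix).Count
        LatestHotfix       = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1 HotFixID, InstalledOn
        # TaskPath is the folder the task lives in; "\" means the root of the Task Scheduler library
        ScheduledTasks     = @(Get-ScheduledTask | Where-Object State -ne 'Disabled' | Select-Object TaskName, TaskPath, State)
        SystemDriveOwner   = (Get-Acl -Path "$env:SystemDrive\").Owner
    }
}

# First run: record the baseline (path is an assumption for this example)
$baselinePath = "$env:TEMP\host-baseline.json"
Get-HostBaseline | ConvertTo-Json -Depth 4 | Set-Content -Path $baselinePath

# Later run: report what changed since the baseline was taken
$previous = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
$current  = Get-HostBaseline

"Listening ports that appeared (=>) or disappeared (<=):"
Compare-Object -ReferenceObject @($previous.ListeningPorts) -DifferenceObject @($current.ListeningPorts)

"Scheduled tasks that appeared (=>) or disappeared (<=):"
Compare-Object -ReferenceObject @($previous.ScheduledTasks.TaskName) -DifferenceObject @($current.ScheduledTasks.TaskName)
```

Each property is wrapped in @() so that an empty or single result still behaves as an array, which keeps .Count and Compare-Object predictable; the JSON round trip is what makes the baseline portable between sessions.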

[Task 5] Basic Scripting Challenge

Scripting may be a bit difficult at first, but here is a good resource to use: Learn X in Y minutes

What file contains the password?

# Define the path to the folder and the text to search for
$folderPath = "C:\Users\Administrator\Desktop\emails\*"
$searchText = "password"

# Get all files in the folder and subfolders
$files = Get-ChildItem -Path $folderPath -Recurse -File

# Loop through each file
foreach ($file in $files) {
    try {
        # Read the file as one string; -ErrorAction Stop makes read failures reach the catch block
        $content = Get-Content -Path $file.FullName -Raw -ErrorAction Stop

        # -match is case-insensitive by default, so "Password" is found as well
        if ($content -match $searchText) {
            Write-Host "Found '$searchText' in file: $($file.FullName)" -ForegroundColor Green
            # Show only this file's matching lines, with their line numbers
            $file | Select-String -Pattern $searchText | ForEach-Object {
                Write-Host "  line $($_.LineNumber): $($_.Line)"
            }
        }
    } catch {
        Write-Warning "Failed to read file: $($file.FullName). Error: $_"
    }
}

Doc3M

What file contains the password?

johnisalegend99

Search for "https://" (the same script with $searchText = "https://")

Doc2Mary

Intermediate Scripting

How many open ports did you find between 130 and 140 (inclusive of those two)?

$target = "localhost"   # Change this to the IP or hostname if scanning a remote system
$startPort = 130
$endPort = 140

# Test-NetConnection performs a TCP handshake against each port in turn;
# -WarningAction SilentlyContinue suppresses the warning printed for closed ports
for ($port = $startPort; $port -le $endPort; $port++) {
    $result = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
    if ($result.TcpTestSucceeded) {
        Write-Host "Port $port is OPEN on $target" -ForegroundColor Green
    } else {
        Write-Host "Port $port is CLOSED on $target" -ForegroundColor Red
    }
}

11

This post is licensed under CC BY 4.0 by the author.